Managing indicators of attack

Enabling and configuring the detection of IOAs

By default, Advanced EDR assigns an indicators of attack (IOA) settings profile to all computers on the network, with all types of IOAs enabled. To disable the detection of a specific type of IOA:

  • From the top menu, select Settings. From the side menu, select Indicators of attack (IOA).

  • Click the Add button. The Add settings page opens.

  • Select the IOAs that Advanced EDR must search for in the telemetry generated by the computers.

    To select specific advanced indicators of attack, you must enable all of them by clicking the toggle.

  • Select the computers that you want to receive the new settings profile. Click OK.

For more information about how to manage settings profiles, see Managing settings.

Detection grouping

To prevent too many detections in customer consoles, the security solution groups two or more detections of the same IOA into one detection. The number of actual occurrences shows in the Detected occurrences field of the IOA details page (see Details page). To group two or more detections, they must be:

  • For the same IOA.

  • Detected on the same computer.

  • Detected close to each other in time.

The grouping algorithm that is used depends on the type of IOA and whether the computer is in Audit mode. For more information about how to enable or disable Audit mode, see Audit mode.

Detection grouping algorithm for standard IOAs

  • The security software logs the first detection and sets the Detected occurrences field to 1.

  • Equal detections made in the six hours after the first detection was logged are grouped together. The security software sends a detection at the end of each six-hour interval. (The Detected occurrences field indicates the total number of detections made.)

  • If the security software does not log an equal detection within a six-hour interval, then it does not send a detection for the interval.

  • After four intervals (24 hours), the process starts again.

Detection grouping algorithm for advanced IOAs

  • The security software logs the first detection and sets the Detected occurrences field to 1.

  • Equal detections made in each hour after the first detection was logged are grouped together. The security software sends a detection at the end of each one-hour interval. (The Detected occurrences field indicates the total number of detections made.)

  • If the security software does not log an equal detection within the hour interval, then it does not send a detection for the interval.

  • After 24 hours, the process starts again.

Detection grouping algorithm for advanced IOAs with Audit mode enabled

Detections are not grouped if the computer is in Audit mode. The security software sends each detection with the Detected occurrences field set to 1.
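The following Python model of the three grouping rules above is an added example, not code from the product or its documentation. It assumes that the first detection of a cycle is reported immediately with Detected occurrences set to 1, that each later interval reports the number of equal detections logged within it, and that a new cycle begins with the next detection after the 24-hour cycle ends; the IOA name, host name and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# (interval length, intervals per 24-hour cycle), as described for each IOA type
STANDARD_IOA = (timedelta(hours=6), 4)
ADVANCED_IOA = (timedelta(hours=1), 24)

@dataclass
class Detection:
    ioa: str        # indicator of attack name
    computer: str   # computer on which it was detected
    time: datetime  # when the agent logged it

def group_detections(detections, interval, intervals_per_cycle, audit_mode=False):
    """Return what the console would receive as
    (ioa, computer, report_time, detected_occurrences) tuples."""
    ordered = sorted(detections, key=lambda d: d.time)
    if audit_mode:  # Audit mode: no grouping, every detection is sent with occurrences = 1
        return [(d.ioa, d.computer, d.time, 1) for d in ordered]
    by_key = {}  # only detections of the same IOA on the same computer are grouped
    for d in ordered:
        by_key.setdefault((d.ioa, d.computer), []).append(d.time)
    reports = []
    for (ioa, computer), times in by_key.items():
        i = 0
        while i < len(times):
            start = times[i]  # first detection opens a new cycle (assumption: sent at once)
            reports.append((ioa, computer, start, 1))
            i += 1
            for k in range(intervals_per_cycle):
                end = start + (k + 1) * interval
                count = 0
                while i < len(times) and times[i] < end:  # equal detections in this interval
                    count += 1
                    i += 1
                if count:  # an interval without an equal detection sends nothing
                    reports.append((ioa, computer, end, count))
            # after the whole cycle (24 hours) the next detection starts the process again
    reports.sort(key=lambda r: r[2])
    return reports

# Constructed sample: six detections of one IOA on one host spread over about 25 hours
_t0 = datetime(2024, 1, 1, 8, 0)
SAMPLE = [Detection("Sample IOA", "HOST-A", _t0 + timedelta(minutes=m))
          for m in (0, 30, 75, 420, 750, 1500)]

if __name__ == "__main__":
    for name, (iv, n) in (("standard", STANDARD_IOA), ("advanced", ADVANCED_IOA)):
        for r in group_detections(SAMPLE, iv, n):
            print(name, r[2].strftime("%d %H:%M"), "occurrences =", r[3])
```

With the sample, the standard rule sends five reports (the six-hour window at 08:00 groups two detections) while the advanced rule sends six one-hour reports; in both cases the occurrence counts add up to the six detections actually made.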

Detection grouping algorithm for RDP attack IOAs

For more information about the network attack detection algorithm, see Detection and protection against RDP attacks.

Advanced EDR reports a maximum of 50 detections of the same network attack IOA every 24 hours for each computer. For two detections of a network attack IOA to be considered the same, these conditions must be met:

  • The target computer must be the same.

  • The process involved on the target computer must be the same. Depending on the stage of the attack, this is the process that listens for the operating system RDP requests or any other process that is run remotely on the computer after a successful login preceded by multiple failed login attempts.

Showing all IOA detections on the network

  • From the top menu, select Status. From the side menu, select Indicators of attack (IOA).

  • At the top of the page, select the time period for which you want to show data.

  • The Threat Hunting Service widget shows the events, indicators, and indicators of attack detected during the selected time period.

  • Click the Indicators of attack area. The Indicators of attack (IOA) list opens and shows all IOAs detected during the selected time period.

For more information about this widget, see Threat Hunting Service.

Searching for all computers with a specific detection

For more information about these widgets, see Indicators of attack (IOA) mapped to the MITRE ATT&CK matrix and Indicators of attack (IOA).

Searching for all detections on a computer

For more information about this widget, see Indicators of attack (IOA) by computer.

Searching for computers and related IOAs

Each detection that appears in the Indicators of attack (IOA) list has a context menu with these options:

  • View the IOAs detected on this computer: Shows the Indicators of attack (IOA) list filtered by the Computer field.

  • View the computers on which this IOA was detected: Shows the Indicators of attack (IOA) list filtered by the Indicator of attack field.

For more information about these lists, see Indicators of attack (IOA) module lists.

Archiving one or more detections

When the cause for a detection is resolved, or the detection is a false positive, you can archive it:

  • From the top menu, select Status. From the side menu, in My lists, click the Add link. The Add list dialog box opens and shows the available templates.

  • In the Security section, select the Indicators of attack (IOA) template. The list of IOAs detected opens with no filters applied.

  • Set the required filters and click the Filter button.

  • Click the context menu for the detection you want to archive. Select Archive IOA. The detection status changes to Archived.

Or:

  • Select the checkboxes for the detections you want to archive.

  • In the toolbar, click Archive IOA. The detection status changes to Archived.

Marking one or more detections as pending

Advanced EDR marks the detections it adds as pending to indicate they require attention. Additionally, when you have not analyzed or resolved the cause of a detection, you can mark it as pending further review. You can also change an archived detection to pending.

  • From the top menu, select Status. From the side menu, in My lists, click the Add link. The Add list dialog box opens and shows the available templates.

  • In the Security section, select the Indicators of attack (IOA) template. The list opens with no filters applied.

  • Set the required filters and click the Filter button.

  • Click the context menu for the detection you want to investigate. Select Mark IOA as pending. The status of the indicator of attack changes to Pending.

Or:

  • Select the checkboxes for the detections you want to investigate.

  • In the toolbar, click Mark IOA as pending. The detection status changes to Pending.

Showing a detection's details and recommendations for resolution

  • From the top menu, select Status. From the side menu, in My lists, click the Add link. The Add list dialog box opens and shows the available templates.

  • In the Security section, select the Indicators of attack (IOA) template. The list opens with no filters applied.

  • Set the required filters and click the Filter button.

  • From the list, select an indicator of attack. The Details page opens. See Details page.