Configuring indicators of attack (IOA)
Accessing the settings
- From the top menu, select Settings. From the side menu, select Indicators of attack (IOA).
- Click Add. The Add settings page opens.
You can assign indicators of attack (IOA) settings profiles to Windows, Linux, and macOS workstations and servers.
Required permissions
Permission | Access type |
---|---|
Configure indicators of attack (IOA) | Create, edit, delete, copy, or assign indicators of attack (IOA) settings profiles. |
View indicators of attack (IOA) settings | View the indicators of attack (IOA) settings profiles defined. |
Indicators of attack (IOA) settings options
Use the toggle next to each IOA to enable or disable monitoring for it:
Field | Description |
---|---|
Brute-force attack against RDP; Credentials compromised after brute-force attack on RDP | Detects large numbers of remote login attempts over the RDP protocol. |
Other IOAs | Cytomic periodically updates the list of indicators of attack to reflect the new strategies used by cybercriminals. |
Advanced indicators of attack | List of the advanced indicators of attack you want to search for on workstations and servers. Available only for Windows computers. |
Enabling and disabling advanced IOA technology
Advanced IOA generation leverages new technologies and collects more telemetry data from devices. This extra collection can affect device performance, particularly on multi-user servers and in other specific situations. To disable this technology completely, disable the Advanced IOA toggle.
Disabling advanced IOAs one by one does not disable the underlying technology: the telemetry is still collected, so performance does not substantially improve. Only the Advanced IOA toggle turns the collection off.
Information associated with IOAs
From the Indicators of attack (IOA) list, click the icon next to the name of an IOA. A dialog box opens that shows information about the IOA (name, risk, description, recommendations, MITRE, etc.). For more information, see Fields on the IOA Details page.
Automatic response to RDP attacks
Field | Description |
---|---|
Response on workstations | |
Response on servers | |
Trusted IPs
Enter a list of IP addresses for computers you consider secure. RDP connections whose sources are in this list are not blocked by the automatic response, but they still generate indicators on the Indicators of Attack (IOA) dashboard. You can enter individual IP addresses separated by commas, or IP address ranges separated by a dash (for example, 10.0.0.5, 192.168.1.10-192.168.1.20). Keep this list short (known jump hosts or administrative workstations): a source on it is exempt from blocking, so a compromised trusted computer can keep attempting logins until someone acts on the indicators it generates. Review those indicators rather than treating trusted sources as silent.
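The following is an added example, not code from the Cytomic product or this page. It shows how a list in the documented format (comma-separated addresses, dash-separated ranges) is parsed, and how a trusted source differs from an untrusted one once a brute-force threshold is crossed: both raise an indicator, only the untrusted one is blocked. The threshold value, the event records, and the function names are assumptions made for the example; the page does not state the product's actual detection criteria.

```python
import ipaddress
from collections import Counter

# Constructed trusted-IP list in the documented format: single addresses
# separated by commas, ranges written as start-end. Not from the page.
TRUSTED_SPEC = "10.0.0.5, 10.0.0.6, 192.168.1.10-192.168.1.20"

# Constructed failed RDP logon records as (source_ip, username) pairs.
# These are made up for the example; they are not real logs.
FAILED_LOGONS = (
    [("203.0.113.7", "administrator")] * 25    # untrusted, noisy
    + [("192.168.1.15", "svc_backup")] * 30    # inside the trusted range
    + [("10.0.0.9", "alice")] * 3              # untrusted, but below threshold
)

# Assumed threshold for "large numbers of remote login attempts".
BRUTE_FORCE_THRESHOLD = 20


def parse_trusted_ips(spec):
    """Return a list of (first, last) IPv4Address pairs from the spec.

    A single address becomes a one-element range so every entry is
    checked the same way. Malformed entries raise ValueError rather
    than being silently skipped, so a typo cannot widen the list.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            first_s, last_s = item.split("-", 1)
            first = ipaddress.ip_address(first_s.strip())
            last = ipaddress.ip_address(last_s.strip())
            if last < first:
                raise ValueError(f"range end precedes start: {item}")
        else:
            first = last = ipaddress.ip_address(item)
        ranges.append((first, last))
    return ranges


def is_trusted(source, ranges):
    """True if source falls inside any trusted range (inclusive)."""
    addr = ipaddress.ip_address(source)
    return any(first <= addr <= last for first, last in ranges)


def brute_force_sources(events, threshold):
    """Sources whose failed-logon count reaches the threshold."""
    counts = Counter(src for src, _ in events)
    return {src: n for src, n in counts.items() if n >= threshold}


def evaluate_rdp_sources(events, spec, threshold=BRUTE_FORCE_THRESHOLD):
    """Apply the documented behaviour to each detected source.

    Every source over the threshold produces an indicator; a source on
    the trusted list is not blocked, everything else is.
    """
    ranges = parse_trusted_ips(spec)
    decisions = {}
    for src, n in brute_force_sources(events, threshold).items():
        trusted = is_trusted(src, ranges)
        decisions[src] = {
            "attempts": n,
            "indicator": True,      # always raised on the IOA dashboard
            "trusted": trusted,
            "blocked": not trusted,  # trusted sources are exempt from blocking
        }
    return decisions


if __name__ == "__main__":
    for src, d in evaluate_rdp_sources(FAILED_LOGONS, TRUSTED_SPEC).items():
        print(src, d)
```

Because the trusted source still appears in the result with `indicator` set, a dashboard review would catch the 30 failed logons from 192.168.1.15 even though nothing blocked them; that is the case the Trusted IPs caveat above is about.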