Searching for IOCs on the network

IOC search tasks are compatible with Windows computers.

Advanced EPDR enables you to use its task engine to configure and run IOC searches on the computers on your network. You can access this engine from the IOC gallery, or from the Tasks page. For more information about how to manage tasks in Advanced EPDR, see Tasks.

Permissions required to manage Detect IOCs tasks

To manage Detect IOCs tasks, the user account used to access the web console must have the Search for and manage IOCs permission assigned to its role. For more information about the permission system, see Understanding permissions.

Accessing the IOC search

You can perform searches only with approved IOCs.

From the Tasks page
  • From the top menu, select Tasks. Click Add task. Select Search for IOCs.

From the IOC gallery
  • In the top menu, select Settings. From the side menu, select IOC gallery.

  • Select the checkboxes for the IOC or group of IOCs you want to search for.

  • To search for IOCs, if you have selected a single item, click the computer context menu and select Search for IOCs. If you have selected more than one IOC, select Search for IOCs in the toolbar above. A new IOC search task is created. For more information about how to configure it, see Configuring an IOC search task.

Configuring an IOC search task

  • Enter general details about the task in the Name and Description fields.

  • In Recipients, click the No recipients selected link. A page opens where you can select the computers and devices to search.

  • Select the types of computers to search: Workstation, Laptop, or Server.

  • Click to add individual computers or computer groups. Click to remove them.

  • Click View computers to review a list of the computers that will receive the task.

  • Select when the task will start:

    • Starts: Specify the task start date/time.

    Task launch parameters:

      • As soon as possible (selected): The task starts as soon as possible within the selected time interval. The computer must be turned on and accessible from the cloud.

      • As soon as possible (cleared): The task runs on the date selected in the calendar. Specify whether the time is based on the computer local time or the Advanced EPDR server time.

      • If the computer is turned off: If the computer is turned off or cannot be accessed, the task does not run. You can specify the task expiration time, from 0 (the task expires immediately if the computer is not available) to infinite (the task is always active and waits indefinitely for the computer to be available).

        • Do not run: The task is immediately canceled if the computer is not available at the selected time.

        • Run the task as soon as possible, within: Specify a time interval during which the task will run if the computer becomes available.

        • Run when the computer is turned on: There is no time limit. The solution waits indefinitely for the computer to be available to run the task.

  • Maximum run time: Select how long to retain the task when the computer is off or not available. After that time, the task is canceled and returns an error.

    Task duration parameters:

      • No limit: There is no time limit for the task to complete.

      • 1, 2, 8, or 24 hours: There is a time limit for the task to complete. After that time, if the task has not finished, it is canceled and returns an error.

  • Click Save. The task is added to the list of configured tasks. The status shows as Unpublished and it is not yet active.

  • To publish a task, click the Publish button. The task is added to the Advanced EPDR task scheduler, which runs it based on its settings.
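The launch and duration parameters above interact in a way that is easy to misread: the expiration setting only decides whether the task may still start when the computer is unreachable, while the maximum run time only applies once the search has started. The following model is an added illustration of those rules, not Advanced EPDR code; the class and function names, and the assumption that "start" is the publication time when "As soon as possible" is selected, are the author's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class IfOff(Enum):
    """The three 'If the computer is turned off' choices from the task form."""
    DO_NOT_RUN = "do_not_run"      # expiration 0: cancel if not reachable at start
    RUN_WITHIN = "run_within"      # expiration = a finite window after start
    RUN_WHEN_ON = "run_when_on"    # expiration infinite: wait indefinitely


@dataclass
class IocSearchTask:
    # Moment the task becomes due: publication time when "As soon as possible"
    # is selected, otherwise the calendar date/time chosen in "Starts".
    start: datetime
    if_off: IfOff
    window: timedelta = timedelta(0)           # only used with RUN_WITHIN
    max_run_time: Optional[timedelta] = None   # None models "No limit"


def launch_deadline(task: IocSearchTask) -> Optional[datetime]:
    """Latest moment the search may still start; None means it waits forever."""
    if task.if_off is IfOff.RUN_WHEN_ON:
        return None
    if task.if_off is IfOff.DO_NOT_RUN:
        return task.start
    return task.start + task.window


def outcome(task: IocSearchTask, online_at: Optional[datetime],
            search_duration: timedelta) -> str:
    """Decide the task's fate.

    online_at: first moment (at or after task.start) the computer is reachable
               from the cloud, or None if it never comes back.
    search_duration: how long the IOC search itself takes once started.
    """
    deadline = launch_deadline(task)
    if online_at is None:
        # Expiration governs the pre-start phase only.
        return "waiting" if deadline is None else "expired"
    if deadline is not None and online_at > deadline:
        return "expired"
    # Maximum run time governs the running phase only.
    if task.max_run_time is not None and search_duration > task.max_run_time:
        return "canceled_with_error"
    return "completed"
```

A task with "Run when the computer is turned on" and a 1-hour maximum run time therefore never expires while the computer is off, but is still canceled if the search itself exceeds one hour.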

IOC search task priority

The following list describes the priority order when you run IOC search tasks, that is, how a new IOC search task behaves with respect to each type of task already running on the computer:

  • Detection of IOCs: Waits for the search task in progress to finish, and then the new task runs.

  • Patch installation: Runs concurrently with the patch installation task. The patch installation task is not interrupted, as this could represent a risk for the integrity of the system.

  • Scan or disinfection: The scan or disinfection task is canceled and the IOC search task runs. Scan or disinfection tasks created while an IOC search task is running do not run until the IOC search task is complete.

  • Cytomic Data Watch search: Runs and does not cancel or stop the Cytomic Data Watch task.

  • Cytomic Data Watch indexing: Runs and temporarily stops the Cytomic Data Watch task.

IOC search task behavior with respect to system restarts

IOC search tasks are automatically canceled and restarted (if possible) on user computers when:

  • The administrator requests a restart of the computer from the web console.

  • The client user requests a restart of the computer locally from the computer.

  • The computer restarts automatically to update any components of the installed security software.

Behavior if you manually stop the IOC search task

If you manually stop the IOC search task from the web console, then:

  • The IOC search stops as soon as possible on the target computer.

  • Detection results up until the time of cancellation are recorded.