IOC Detection App

Bad actors are constantly changing their techniques to avoid detection by traditional endpoint protection solutions. The techniques and tactics they use still leave behind breadcrumbs that can indicate that they have accessed a system and are preparing for, or are in the process of, reconnaissance and/or execution of their objectives. The IOC Detection App is designed to detect those Indicators of Compromise (IOCs) to alert you to potential unauthorized access using known exploits.


What This App Does

This app runs detections curated by our threat research team and can be updated as needed with no action required by the Admin or user.

The detections are informed by multiple threat intel sources and our own research on emerging threats.

This allows for near-instant deployment of detections for new threats, as well as adjusting existing detections based on the changing techniques of bad actors.

The SOC will monitor these detections and treat them with high priority, and the threat research team will continue to monitor detection metrics to adjust for false positives or false negatives.


For the first release, this app will be made available to all customers, but will be in the "off" position as we fine-tune the results based on the telemetry received from those who opt to enable it. Once the tuning process is complete, we will enable it for all tenants in late November. But you can enable it now to start feeding telemetry to us; read below to see how.


Note: this app is releasing with functionality for Windows only; other operating systems will follow in the coming months.


How to Enable this App

From the left-hand navigation (while at the Provider level), select App Store.


Scroll down to the IOC Detection App and switch it to "On".


Note: This enables the app for all customers under the Provider. If you wish to enable the app for only some customers, navigate to the customer level and enable the app only for those customers.


Now events will start to appear in the App. Each event is assigned a confidence level from 1 to 10, which is translated into one of our Verdict levels:

1-4 = Informational: these events can be viewed in the Triage view of the app.

5-9 = Suspicious: these events can be viewed in the Triage view, and the SOC is notified and may create an incident if it is warranted.

10 = Malicious: these events are also viewable in the Triage view, the SOC is notified, and an Incident ticket is created automatically.
