Bad actors are constantly changing their techniques to avoid detection by traditional endpoint protection solutions. The techniques and tactics they use still leave behind breadcrumbs that can indicate that they have accessed a system and are preparing for are in process of reconnaissance and/or execution of their objectives. The IOC Detection App is designed to detect those Indicators of Compromise(IOCs) to alert you to potential unauthorized access using known exploits.
What This App Does
This app runs detections curated by our threat research team and can be updated as needed with no action required by the Admin or user.
The detections are informed by multiple threat intel sources and our own research on emerging threats.
This allows for near-instant deployment of detections for new threats, as well as adjusting existing detections based on the changing techniques of bad actors.
The SOC will monitor these detections and treat them with high priority, and the threat research team will continue to monitor detection metrics to adjust for false positives or false negatives.
For the first release, this app will be made available to all customers, but will be in the "off" position as we fine tune the results based on the telemetry received from those who opt to enable it. Once the tuning process is complete, we will enable it for all tenants in late November. But, you can enable it now to start feeding telemetry to us- read below to see how.
Note- this app is releasing with functionality for Windows only, other operating systems will follow in the coming months.
How to Enable this App
From the left hand navigation(while at the Provider level), select App Store
Scroll down to the IOC Detection App and switch it to "On"
Note: This enables the app for all organizations under the Provider. If you wish to only enable the app for some organizations, you can navigate to the organization level, and enable the app only for those organizations.
Now events will start to appear in the App. The events are categorized on a 1-10 confidence level, and are translated into our Verdict levels.
1-4 = Informational - these events can be viewed in the Triage view of the app
5-9 = Suspicious- these events can be viewed in the Triage view and the SOC will be notified and may create an incident if it is warranted
10= Malicious –these events are also viewable in Triage view, the SOC is notified, and an automatic Incident ticket is created