Managing IOCs (Indicators of Compromise) involves the following tasks:
IOC File Generation
Obtain IOC files from your peers and other security experts. Open the Control Manager management console and go to Administration > Indicators of Compromise to add the IOC files.
If, for some reason, a suspicious object from Deep Discovery Analyzer 5.1 or Deep Discovery Inspector 3.8 does not display in the Virtual Analyzer Suspicious Objects screen (Administration > Suspicious Objects > Virtual Analyzer Objects), download the corresponding suspicious object investigation package from the managed product's console. This investigation package (available as a single compressed file) contains IOC-compliant files and other investigation resources.
As Control Manager only requires IOC files for impact assessment, extract the .ioc files from the compressed file and then add them to Control Manager. It is not possible to add the compressed file.
After extracting and adding the .ioc files, delete the compressed file from the computer as it contains potentially malicious files.
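As an added example (not code from the Control Manager documentation), the following Python script automates the three steps above: it copies only the .ioc members out of the investigation package so the bundled samples never land on disk, runs a basic OpenIOC sanity check on each file before it is handed to Control Manager, and then deletes the archive. The OpenIOC namespace constant and the internal layout of the package are assumptions; the sample archive in the comments is constructed.

```python
# Added example: pull only the .ioc files out of a suspicious object
# investigation package (assumed to be a zip archive) without extracting
# the potentially malicious samples stored alongside them.
import os
import zipfile
import xml.etree.ElementTree as ET

OPENIOC_NS = "http://schemas.mandiant.com/2010/ioc"  # assumed OpenIOC 1.0 namespace


def looks_like_openioc(path):
    """Cheap sanity check: the file parses as XML and its root element is <ioc>."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return False
    return root.tag in ("ioc", "{%s}ioc" % OPENIOC_NS)


def extract_ioc_files(package_path, dest_dir, delete_package=True):
    """Extract *.ioc members from package_path into dest_dir, skipping every
    other member. Returns the list of extracted, validated .ioc file paths."""
    os.makedirs(dest_dir, exist_ok=True)
    dest_root = os.path.realpath(dest_dir)
    extracted = []
    with zipfile.ZipFile(package_path) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".ioc"):
                continue  # samples and other resources stay inside the archive
            # Flatten to a basename and refuse any member that would escape dest_dir
            target = os.path.realpath(
                os.path.join(dest_root, os.path.basename(info.filename)))
            if os.path.dirname(target) != dest_root:
                continue
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            if not looks_like_openioc(target):
                os.remove(target)  # not a usable IOC file; do not import it
                continue
            extracted.append(target)
    if delete_package:
        os.remove(package_path)  # the archive still holds the malicious samples
    return extracted


if __name__ == "__main__":
    # Example call; e.g. a constructed package "investigation_package.zip"
    # holding package/indicator.ioc and package/sample.exe yields only the .ioc.
    for path in extract_ioc_files("investigation_package.zip", "iocs_to_import"):
        print("ready for Control Manager:", path)
```

The files returned are the ones to add under Administration > Indicators of Compromise; the archive itself is gone by the time the function returns.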
Initiate impact assessment to check for suspicious activities based on the indicators listed in the IOC files. Endpoints with suspicious activities are considered at risk.
Go to Administration > Indicators of Compromise and run an impact assessment on one or several IOC files to determine at-risk endpoints.
Impact assessment requires Deep Discovery Endpoint Sensor. The minimum required version is 1.5.
This product only performs assessment and does not take action on at-risk endpoints.
Isolate an affected endpoint to perform a detailed investigation. To perform this task, navigate to Administration > Indicators of Compromise and, in the At Risk column, click the number of at-risk endpoints.
Only endpoints with OfficeScan agents can be isolated. The minimum required version is 11 SP1. The agents' firewall must be enabled.
For more information, see Endpoint Isolation and Connection Restoration.