Creating scheduled IoC scans

Scheduled scans make it possible to automatically run IoC scans on user workstations at regular intervals. For further information, refer to Searching for indicators of compromise.

To schedule scans, you must first create analysis units. For more information, refer to the section Creating IoC analysis units.

  1. In the Scheduled tasks tab of the selected agent group, go to the section Scheduled scans and click on Schedule a scan > Schedule an IoC scan.
  2. Enter a name for the scan in the Schedule a scan window.
  3. Click on Add analysis units and select the analysis units that you want to include in your IoC scan. Click on Next.

  4. Click on Log settings to determine the severity and destination of the SES Evolution logs generated during the IoC scan.
    The sections displayed below depend on the type of indicators in the analysis units selected in the previous step.

  5. For Text indicators, you can disable the IoC scan in files, processes or event logs by unselecting the Text search checkboxes.
  6. In File scan parameters, select Default scan to run a recursive scan on the folder \\.\EsaRoots\SystemDrive while excluding the folders \\.\EsaRoots\SystemRoot, \\.\EsaRoots\ProgramFiles and \\.\EsaRoots\ProgramFilesX86. Otherwise, select Custom scan:
    • Analyze the image file of running processes: checks whether the executable (.exe) file of each running process contains the indicators you are looking for. This option also allows you to shut down any malicious processes identified on agents during the IoC scan, and/or to exclude from the scan any processes run by Windows administrator and/or system accounts.
    • File extensions: restricts the scan to the indicated extensions.
    • Included files and folders: runs the scan on the indicated files and folders, with or without recursion.
    • Excluded files and folders: excludes the indicated files and folders from the scan, with or without recursion. Click on the + icon to add another path.
  7. In Process scan parameters, select Default scan to run a memory scan of all the processes running on the workstation. Otherwise, select Custom scan:
    • Shut down the process detected: stops dangerous processes identified during the IoC scan.
    • Exclude processes run by: excludes from the analysis the processes that were run with the indicated integrity levels (administrator and/or system).
    • Directory of excluded processes: excludes from the analysis the processes whose executable files are located in the indicated folders. Click on the + icon to add another path.
  8. In the Event logs section, select the types of logs to scan and from which date.

  9. In the DNS request parameter section, indicate the date from which you want to analyze DNS requests.

  10. Fill in the information about the scheduled scan:
    • Period for which the scheduled scan will be active,
    • Frequency with which the scheduled scan will be run,
    • Time at which the scan starts. If the agent is not running at the indicated time, the scan will be launched as soon as the agent is restarted.
  11. You can import all the settings of a scheduled scan that was exported earlier in JSON format.
  12. Click on OK.
  13. To deploy the scheduled scan on all agents in the group so that they apply it, go to the Security > Deployment menu and click on Deploy.

  14. Read the agent's logs to ensure that the scans were run. You can also refer to the section on Looking up IoC scan usage.
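To check which files a given File scan parameters configuration from step 6 would actually cover, the following added example (illustration only, not SES Evolution code) models the inclusion, exclusion, recursion and extension rules and evaluates the Default scan against sample paths. It assumes a typical mapping of the \\.\EsaRoots aliases to C:\ and that exclusions take precedence over inclusions.

```python
from dataclasses import dataclass, field

# Assumed mapping of the \\.\EsaRoots\ aliases to a typical Windows layout
# (an illustration for this example; the real agent resolves them itself).
ESA_ROOTS = {
    "systemdrive": r"C:",
    "systemroot": r"C:\Windows",
    "programfiles": r"C:\Program Files",
    "programfilesx86": r"C:\Program Files (x86)",
}

def _parts(path: str) -> list[str]:
    """Split a Windows path into lower-cased components, expanding EsaRoots aliases."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\") if p]
    if parts[:2] == [".", "esaroots"] and len(parts) > 2:
        parts = _parts(ESA_ROOTS[parts[2]]) + parts[3:]
    return parts

@dataclass
class FolderRule:
    folder: str
    recursive: bool = True

    def covers(self, file_path: str) -> bool:
        """True if the file sits directly in this folder (or below it, when recursive)."""
        parent, folder = _parts(file_path)[:-1], _parts(self.folder)
        return parent[: len(folder)] == folder if self.recursive else parent == folder

@dataclass
class FileScanParameters:
    included: list[FolderRule]
    excluded: list[FolderRule] = field(default_factory=list)
    extensions: list[str] = field(default_factory=list)  # empty list = any extension

    def in_scope(self, file_path: str) -> bool:
        """Extension filter first, then exclusions win over inclusions (assumed precedence)."""
        name = _parts(file_path)[-1]
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        if self.extensions and ext not in [e.lower().lstrip(".") for e in self.extensions]:
            return False
        if any(rule.covers(file_path) for rule in self.excluded):
            return False
        return any(rule.covers(file_path) for rule in self.included)

# The "Default scan" of step 6: recursive on SystemDrive, minus the three system folders.
DEFAULT_SCAN = FileScanParameters(
    included=[FolderRule(r"\\.\EsaRoots\SystemDrive")],
    excluded=[FolderRule(r"\\.\EsaRoots\SystemRoot"),
              FolderRule(r"\\.\EsaRoots\ProgramFiles"),
              FolderRule(r"\\.\EsaRoots\ProgramFilesX86")],
)
```

Calling `DEFAULT_SCAN.in_scope(r"C:\Users\alice\Downloads\dropper.exe")` returns True, while a file under C:\Windows or on another drive returns False.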