Searching for indicators of compromise

IoC (Indicator of Compromise) scans make it possible to measure the extent of an incident or attack on a workstation by searching for indicators of compromise. Indicators may be, for example, malware signatures, specific IP addresses, malicious file hashes, suspicious URLs or text files. They can be searched for in DNS requests, Windows named objects or event logs, for example.
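To illustrate the kind of matching an IoC scan performs across several indicator types and data sources, here is an added example that is not part of SES Evolution or this documentation. The IoC values, file contents, DNS log lines and event log lines are all constructed for the example and the log formats are assumptions, not the product's own formats.

```python
import hashlib
import re

# Constructed sample data: a small IoC list plus a few log lines and files
# as a workstation agent might see them. None of these values are real IoCs.
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\invoice.exe": b"constructed stand-in for a malicious binary",
    r"C:\Windows\notepad.exe": b"constructed stand-in for a benign binary",
}
IOCS = {
    # Hash of the constructed "malicious" file so the file scan has one hit
    "sha256": {hashlib.sha256(SAMPLE_FILES[r"C:\Users\alice\Downloads\invoice.exe"]).hexdigest()},
    "ip": {"198.51.100.23"},
    "domain": {"c2.example.invalid"},
}
DNS_LOG = [
    "2024-05-01T10:00:01Z host01 query A www.example.com",
    "2024-05-01T10:00:05Z host01 query A c2.example.invalid",
]
EVENT_LOG = [
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=203.0.113.7",
    "EventID=3 Image=C:\\Users\\alice\\Downloads\\invoice.exe DestinationIp=198.51.100.23",
]

DNS_RE = re.compile(r"query \S+ (?P<qname>\S+)$")
DEST_RE = re.compile(r"DestinationIp=(?P<ip>[\d.]+)")

def scan_dns(lines, iocs):
    """Return (type, indicator, evidence) for DNS queries naming a listed domain."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and m.group("qname").lower().rstrip(".") in iocs["domain"]:
            hits.append(("domain", m.group("qname"), line))
    return hits

def scan_events(lines, iocs):
    """Match destination IPs in network-connection events against the IP list."""
    hits = []
    for line in lines:
        m = DEST_RE.search(line)
        if m and m.group("ip") in iocs["ip"]:
            hits.append(("ip", m.group("ip"), line))
    return hits

def scan_files(files, iocs):
    """Hash each file's content and match it against the SHA-256 list."""
    hits = []
    for path, content in files.items():
        digest = hashlib.sha256(content).hexdigest()
        if digest in iocs["sha256"]:
            hits.append(("sha256", digest, path))
    return hits

def scan_all(iocs=IOCS):
    """Run every scanner over the constructed sources and collect all hits."""
    return scan_dns(DNS_LOG, iocs) + scan_events(EVENT_LOG, iocs) + scan_files(SAMPLE_FILES, iocs)
```

Each hit records the indicator type, the matched value and the evidence (log line or file path), which is the information a remediation task would need to act on.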

Indicators may reveal the tools used and the perpetrators of the attack.

In order to search for indicators on users' workstations, you must first import lists of indicators into the analysis units in SES Evolution. The scan can then be triggered automatically when a security rule detects or blocks unusual behavior and generates a log. To protect workstations from potential attacks, you can also schedule the scan to run regularly and for a set period of time or run it on demand.

The logs generated from the IoC scans are then used to perform remediation actions to remove the detected malware. For more information, see the section Managing remediation tasks.

Even though SES Evolution has been designed to limit the impact of IoC scans on workstations, such scans may still affect the performance of scanned agents. The impact depends on the number of IoCs and their type. For more information, refer to the section Choosing the priority of Yara and IoC analyses.