
Difference between KES block and add IoC by ourselves.


Solved by THask

Hi friends:

I have read the following online help about indicators of compromise: https://support.kaspersky.com/KESWin/11.7.0/en-US/213408.htm

Hi Kaspersky:
 
We have Kaspersky EDR Optimum, which lets us add IoCs from Security Center.
I have questions:
 
1. If KES can detect and block a certain malicious code or activity, do we need to add it as an IoC?
2. What's the difference between a KES block and an IoC block?
 
In my opinion, if a certain malicious code is found by our team but KES has not detected it, we should add an IoC in our organization so it will be blocked ASAP. If we wait until KES blocks it, it will cause some damage. Also, some activities are not KES's responsibility, like "unsuccessful attempts to sign in". These suspicious activities should be blocked by people.
 
Is this true?

  • Solution

Hello Asiatic Fiber Corporation,

So far you're right. Unsuccessful attempts to sign in could also be real users, so this is not detected or blocked by default. Yes, if KES with all components does not detect something malicious and you find it, it is faster to create an IoC Scan task to block it before anything else is affected.

IoC is additional, for preventing infections by doing actions like isolating the device from the network.

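The answer above describes the practical workflow: your team finds a sample KES does not yet detect, and you hand its hash to an IoC Scan task so the endpoints block it before a signature arrives. The following is an added example, not code from the original thread or from Kaspersky, showing how such an indicator file can be generated and checked before import. It assumes the scan task consumes OpenIOC 1.0 XML (the format the linked KES help documents for IoC files) and that the `FileItem/Md5sum` and `FileItem/Sha256sum` search terms are among the supported ones; both assumptions should be verified against the help page for your product version. The hashes used are constructed sample values (the MD5 and SHA-256 of an empty file), not real malware.

```python
"""Build and sanity-check an OpenIOC 1.0 indicator file for file hashes found
by the SOC before the endpoint product has a detection for them.

Added example: not from the original thread and not Kaspersky code.  It
assumes the IoC Scan task accepts OpenIOC 1.0 XML and that the
FileItem/Md5sum and FileItem/Sha256sum terms are supported; check both
against the KES help for your version before importing the file.
"""
import re
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

OPENIOC_NS = "http://schemas.mandiant.com/2010/ioc"

# Hash type -> (OpenIOC search term, expected hex length).
# The term names are assumptions; confirm them in the product's supported list.
HASH_TERMS = {
    "md5": ("FileItem/Md5sum", 32),
    "sha256": ("FileItem/Sha256sum", 64),
}


def q(tag):
    """Qualify a tag with the OpenIOC namespace for ElementTree."""
    return f"{{{OPENIOC_NS}}}{tag}"


def validate_hash(kind, value):
    """Return the normalised (lower-case) hash, or raise if the type/length is
    wrong.  A mistyped hash would import fine but never match anything, so it
    is better to fail here than to ship a dead indicator."""
    if kind not in HASH_TERMS:
        raise ValueError(f"unsupported hash type: {kind!r}")
    _, length = HASH_TERMS[kind]
    v = value.strip().lower()
    if not re.fullmatch(rf"[0-9a-f]{{{length}}}", v):
        raise ValueError(f"{kind} hash must be {length} hex chars: {value!r}")
    return v


def build_ioc(description, hashes, author="SOC"):
    """Return an OpenIOC XML string with one IndicatorItem per (kind, hash)
    pair, combined with operator="OR" so any single match fires."""
    if not hashes:
        raise ValueError("an indicator with no items never matches")
    ET.register_namespace("", OPENIOC_NS)  # serialise with a default xmlns
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

    ioc = ET.Element(q("ioc"), {"id": str(uuid.uuid4()), "last-modified": now})
    ET.SubElement(ioc, q("short_description")).text = description
    ET.SubElement(ioc, q("description")).text = description
    ET.SubElement(ioc, q("authored_by")).text = author
    ET.SubElement(ioc, q("authored_date")).text = now
    ET.SubElement(ioc, q("links"))
    definition = ET.SubElement(ioc, q("definition"))
    indicator = ET.SubElement(definition, q("Indicator"),
                              {"operator": "OR", "id": str(uuid.uuid4())})

    for kind, value in hashes:
        digest = validate_hash(kind, value)
        term, _ = HASH_TERMS[kind]
        item = ET.SubElement(indicator, q("IndicatorItem"),
                             {"id": str(uuid.uuid4()), "condition": "is"})
        ET.SubElement(item, q("Context"),
                      {"document": "FileItem", "search": term, "type": "mir"})
        ET.SubElement(item, q("Content"), {"type": kind}).text = digest

    return ET.tostring(ioc, encoding="unicode")


def parse_ioc(xml_text):
    """Read an OpenIOC document back into [(search_term, content), ...] so the
    file can be reviewed (or round-trip tested) before it is imported."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter(q("IndicatorItem")):
        term = item.find(q("Context")).get("search")
        content = item.find(q("Content")).text
        items.append((term, content))
    return items


if __name__ == "__main__":
    # Constructed sample: MD5 and SHA-256 of an empty file, not real malware.
    sample = [
        ("md5", "D41D8CD98F00B204E9800998ECF8427E"),
        ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ]
    xml = build_ioc("Sample found by SOC, not yet detected by KES", sample)
    with open("soc-sample.ioc", "w", encoding="utf-8") as fh:
        fh.write(xml)
    for term, value in parse_ioc(xml):
        print(term, value)
```

The generated file is what you would upload when creating the IoC Scan task; the parse step is there so a reviewer can confirm the terms and hashes in the file before pushing a block-or-isolate action to every endpoint.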
