Create an IOC Search Task
Applies To: WatchGuard Advanced EPDR
Create a task to search the computers and devices on your network for approved IOCs.
When you import IOCs into WatchGuard Advanced EPDR, you must manually approve them from the IOC Gallery before you can create a search task. For more information, go to Manage IOCs.
Task Priority
When WatchGuard Advanced EPDR runs an IOC search task on a user computer, there could be tasks already in progress. The IOC search task runs according to the behavior described in this table.
Task in Progress | Search Task Behavior
IOC detection | Waits for the IOC detection task to finish, then runs the new search task.
Patch installation | Runs concurrently with the patch installation task. The patch installation task is not interrupted, because interrupting it could compromise the integrity of the system.
Scan or disinfection | The scan or disinfection task is canceled and the IOC search task runs.
Data Control search | Runs and does not cancel or stop the Data Control task.
Data Control indexing | Runs and temporarily stops the Data Control task.
IOC search tasks are automatically canceled and restarted (if possible) on user computers when:
- The administrator requests a restart of the computer from the management UI.
- The client user requests a restart of the computer locally from the computer.
- The computer restarts automatically to update any components of the installed security software.
When WatchGuard Advanced EPDR starts a task and an IOC search task is already in progress, it completes the new task according to the behavior described in this table.
New Task | Task Behavior
Detection of IOCs | Waits for the search task in progress to finish, then the new task runs.
Patch installation | Starts to run while the IOC search task runs.
Scan or disinfection | Does not start to run until the IOC search task has finished.
Data Control search | Starts to run while the IOC search task runs.
Data Control indexing | Does not start to run until the IOC search task has finished.
If you manually stop the IOC search task from the management UI, then:
- The IOC search stops as soon as possible on the target computer.
- Detection results recorded up to the time of cancellation are kept.
Create an IOC Search Task
You can create an IOC search task from the IOC Gallery, or from the Tasks page. For information about the IOC Gallery, go to About the IOC Gallery.
To create an IOC search task, from the Tasks page:
- In WatchGuard Cloud, select Monitor > Endpoints.
- Select Tasks.
- Click Add Task > Search for IOCs.
The New Task dialog box opens.
- In the Name text box, type a name for the task.
- In the Description text box, type a description of the task.
- Select when the task starts:
  - To start the task as soon as possible within the selected time interval, select the check box. The computer must be turned on and reachable from the cloud.
  - To start the task at a specific time, select the date and time. To interpret that time according to the clock on the computer, select the Computer's Local Time check box. If you do not select this check box, the time is based on WatchGuard Cloud server time.
  - If the computer is turned off or cannot be reached at the scheduled time, the task does not run. You can specify the task expiration time, from 0 (the task expires immediately if the computer is not available) to infinite (the task remains active and waits indefinitely for the computer to become available).
- From the Maximum Run Time drop-down list, select how long to retain the task when the computer is off or not connected to WatchGuard Cloud at the scheduled time.
- In the Check for the Following IOCs text box, click +.
The Add IOCs dialog box opens.
- Select the IOCs you want to search for. The list shows all IOCs registered in the IOC Gallery; imported IOCs must be approved there before they can be searched for (go to Manage IOCs). If the list is long, you can search for an IOC in the search box.
- Click Add.
- In the upper-right corner, click Save.
- On the Tasks page, select the task.
- In the Recipients text box, click No recipients selected yet to add the computers and devices to search.
The Recipients page opens.
- To add computer groups, click the add icon above the box.
The Add Group dialog box opens.
- Select the computer groups you want to search.
- Click Add.
The selected groups appear in the box. Click the remove icon next to a group to remove it.
- To run the task only on particular types of computers and devices, select the check boxes for the device types to include (for example, Workstation, Laptop, Server, Mobile Device). The types of computer and device that can receive a task depend on the task.
- To add individual computers and devices, click the add icon above the box.
The Add Computers dialog box opens.
- Select the individual computers you want to search.
- Click Add.
The selected computers and devices appear in the list. Click View Computers to review the list of computers that will receive the task.
- Click Back.
- Click Save.
The task is now available to publish. For more information, go to Publish a Task.
IOC Search Results
After you publish the search task and it runs, you can review the results in the IOC Detected list and on the IOC dashboard. For more information, go to Indicators of Compromise Dashboard. The more files there are to search, the longer WatchGuard Advanced EPDR takes to complete the search task. Search tasks that use MD5 hashes or YARA rules can take longer to complete, because every candidate file must be read and hashed or scanned.
To help prevent overloading the network when many files on each computer are infected, WatchGuard Advanced EPDR restricts the depth and reporting of searches:
- Simple IOCs, or IOCs with one YARA rule: the search looks for a single attribute with a specific value. It returns up to 10 results per computer, after which the search stops on that computer.
- Complex IOCs: the search looks for several attributes, or for one attribute with several values. It returns only the first result found on each computer, after which the search stops on that computer.
Because of these caps, a reported count equal to the cap (10 for a simple IOC, 1 for a complex IOC) means "at least that many", not an exact count. Treat such a computer as potentially more widely affected than the dashboard shows, and use a scan or disinfection task to enumerate the remaining files.
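The following is an added example, not WatchGuard code and not the product's search engine. It simulates the per-computer result caps described above (10 hits for a simple IOC, 1 hit for a complex IOC) over a constructed directory of files, so you can see why a capped count must be read as a lower bound. The simple IOC is an MD5 hash, as the page describes; the second attribute used to build a "complex" IOC (a file name) is an assumption made here for illustration, not a documented IOC attribute.

```python
"""Simulate WatchGuard Advanced EPDR's capped IOC search and triage the counts.

Added example: the caps come from the documentation; the matching logic,
the file-name attribute and the sample files are constructed for illustration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

SIMPLE_IOC_CAP = 10   # simple IOC / single YARA rule: stop after 10 hits per computer
COMPLEX_IOC_CAP = 1   # complex IOC: stop after the first hit per computer


@dataclass
class Ioc:
    name: str
    md5: Optional[str] = None       # attribute: file hash (documented IOC type)
    filename: Optional[str] = None  # attribute: file name (assumed, for illustration)

    @property
    def is_complex(self) -> bool:
        # An IOC that combines several attributes is "complex" in the page's terms.
        return sum(v is not None for v in (self.md5, self.filename)) > 1

    @property
    def cap(self) -> int:
        return COMPLEX_IOC_CAP if self.is_complex else SIMPLE_IOC_CAP


def md5_of(path: str) -> str:
    """Hash a file in chunks; this per-file read is why hash searches take longer."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matches(ioc: Ioc, path: str) -> bool:
    """All attributes present on the IOC must match (AND semantics)."""
    if ioc.md5 is not None and md5_of(path) != ioc.md5:
        return False
    if ioc.filename is not None and os.path.basename(path) != ioc.filename:
        return False
    return True


def search_host(root: str, iocs: List[Ioc]) -> Dict[str, List[str]]:
    """Walk root; record matching paths per IOC and stop at that IOC's cap."""
    hits: Dict[str, List[str]] = {ioc.name: [] for ioc in iocs}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            for ioc in iocs:
                if len(hits[ioc.name]) >= ioc.cap:
                    continue  # this IOC's search already stopped on this computer
                if matches(ioc, path):
                    hits[ioc.name].append(path)
    return hits


def triage(hits: Dict[str, List[str]], iocs: List[Ioc]) -> Dict[str, str]:
    """Turn capped counts into what they actually tell an analyst."""
    caps = {ioc.name: ioc.cap for ioc in iocs}
    verdict = {}
    for name, paths in hits.items():
        n = len(paths)
        if n == 0:
            verdict[name] = "clean"
        elif n >= caps[name]:
            verdict[name] = f"at least {n} (capped; true count unknown)"
        else:
            verdict[name] = f"exactly {n}"
    return verdict


def build_demo_host(root: str, n_bad: int = 25) -> str:
    """Constructed sample data: n_bad copies of one payload plus a benign file."""
    payload = b"MZ-constructed-sample-payload"
    for i in range(n_bad):
        with open(os.path.join(root, f"dropper{i}.exe"), "wb") as f:
            f.write(payload)
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"benign")
    return hashlib.md5(payload).hexdigest()


def run_demo():
    """Return (hit counts, triage verdicts) for a host with 25 infected files."""
    with tempfile.TemporaryDirectory() as root:
        bad_md5 = build_demo_host(root)
        iocs = [
            Ioc("simple-hash", md5=bad_md5),
            Ioc("complex-hash-and-name", md5=bad_md5, filename="dropper3.exe"),
            Ioc("absent", md5="d41d8cd98f00b204e9800998ecf8427e"),  # MD5 of empty input
        ]
        hits = search_host(root, iocs)
        return {name: len(p) for name, p in hits.items()}, triage(hits, iocs)


if __name__ == "__main__":
    counts, verdicts = run_demo()
    for name in counts:
        print(f"{name}: {counts[name]} hit(s) -> {verdicts[name]}")
```

With 25 infected files on the host, the simple hash IOC reports 10 and the complex IOC reports 1, so the dashboard count alone cannot distinguish 10 infections from 25; the triage function makes that explicit before anyone scopes the incident from the reported numbers.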