In the program web interface window, select the IOC/IOA Analysis section, then the IOA Analysis subsection.
The table of IOA rules opens.
Select the IOA rule whose information you want to view.
This opens a window containing information about the IOA rule.
The window contains the following information:
Events. Clicking the link opens the Threat Hunting section with the search condition containing the selected IOA rule.
Alerts. Clicking the link opens the Alerts section with the filter condition containing the selected IOA rule.
IOA ID. Clicking this link shows the ID that the program assigns to each rule.
IDs cannot be modified. You can copy the ID by clicking the Copy value to clipboard button.
State – whether the rule is currently used in events database scans.
The Details tab shows the following information:
Name is the name of the rule that you specified when you added the rule.
Description is any additional information about the rule that you specified.
Importance is an estimate of the probable impact of the event on the security of computers or the corporate LAN as specified by the user when the rule was added.
Confidence is the level of confidence depending on the likelihood of false alarms as defined by the user when the rule was added.
Type is the type of the rule depending on the role of the server which generated it:
Global—Created on the PCN server. These IOA rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the organization which the user is managing in the program web interface (in the distributed solution and multitenancy mode).
Multitenancy mode is the operation mode in which the program can be used to protect the infrastructure of several organizations simultaneously.
Distributed solution is a two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a master control server (Primary Central Node (PCN)) and slave servers (Secondary Central Nodes (SCN)).
Apply to – names of the servers with the Central Node component on which the rule is applied.
The Query tab displays the source code of the query being checked. By clicking the link with the text of the query you can navigate to the Threat Hunting section and view all events matching the given search criteria.