Adding an IOA rule

To add an IOA rule:

  1. In the program web interface window, select the IOC/IOA Analysis section, IOA Analysis subsection.

    The table of IOA rules opens.

  2. Click the Upload button.

    The file selection window opens on your local computer.

  3. Select the file that you want to upload and click the Open button.

    The New IOA rule window opens.

    Click the Events link to view a list of threats in the events database matching the criteria defined in the file.

  4. Select the State check box if you want the rule to be applied when scanning the events database, or clear the check box if you do not.
  5. In the Name field, enter the name of the rule.
  6. In the Description field, enter any additional information about the rule.
  7. In the Importance drop-down list, select the importance level to be assigned to alerts generated using this IOA rule:
    • Low.
    • Medium.
    • High.
  8. In the Confidence drop-down list, select the level of confidence of this rule based on your estimate:
    • Low.
    • Medium.
    • High.
  9. Under Apply to, select the check boxes corresponding to the servers on which you want to apply the rule.
  10. On the Query tab, verify the defined search conditions. Make changes if necessary.
  11. Click the Save button.

The IOA rule is added.

You can also add an IOA rule by saving events database search conditions in the Threat Hunting section.

See also

Viewing the IOA rule table

Viewing information about an IOA rule

Enabling or disabling an IOA rule

Editing an IOA rule

Deleting an IOA rule

Viewing an IOA white list

Viewing information about an IOA rule in the white list

Adding an IOA rule to the white list

Removing an IOA rule from the white list

Viewing the IOA analysis results

Filtering and searching IOA rules

Clearing an IOA rules filter
