Adding an IOA rule to the white list

Only Kaspersky Lab IOA rules can be added to the white list. If you do not want to apply a user-defined IOA rule for scanning the events database, you can disable that rule or delete it.

To add an IOA rule to the white list from the Alerts section:

Select the Alerts section in the window of the program web interface.
The table of alerts opens.
Click the link in the Technologies column to open the filter configuration window.
In the drop-down list on the left, select Contains.
In the drop-down list on the right, select (IOA) IOA Analysis.
Click the Apply button.
The table displays alerts generated by IOA rules.
Select an alert for which the Detected column shows the name of the relevant IOA rule.
This opens a window containing information about the alert.
Under Scan results, click the link with the name of the rule to open the rule information window.
Click Add to white list.
This opens a window containing information about the rule.
Click the Add button.

The IOA rule is added to the white list. This rule will be skipped during events database scans.

To add an IOA rule to the white list from the Threat Hunting section:

Select the Threat Hunting section in the program web interface window.
The event search form opens.
Define the search conditions and click the Search button.
You will see a list of servers on which events meeting the defined criteria were detected.
Select the relevant server.
Select the event in the table containing the search results.
This opens a window containing information about the event.
Click the link in the IOA tags field.
This opens a window containing information about the alert.
Click Add to white list.
This opens a window containing information about the rule.
Click the Add button.

The IOA rule is added to the white list. This rule will be skipped during events database scans.