The table of user-defined TAA (IOA) rules contains information about the TAA (IOA) rules that are used to scan events and create alerts. The table is located in the User rules section, TAA subsection of the program web interface window.
The table contains the following information:
—Importance level that is assigned to an alert generated using this TAA (IOA) rule.
The importance level can have one of the following values:
– Low.
– Medium.
– High.
Type – type of the rule, depending on the role of the server that generated it in distributed solution mode:
– Global – the rule was created on the PCN server.
– Local – the rule was created on an SCN server.
Confidence – level of confidence depending on the likelihood of false alarms caused by the rule:
– High.
– Medium.
– Low.
The higher the confidence, the lower the likelihood of false alarms.
Name – name of the rule.
Servers – name of the server with the Central Node component on which the rule is applied.
Generate alerts – requirement to store information on alerts based on matching an event from the database with the criteria of the rule:
– Enabled – a record is created for the event in the alerts table with Targeted Attack Analyzer (TAA) technology specified.
– Limited functionality – not displayed in the alert table.
State – usage status of the rule in event scans:
– Enabled – the rule is being used.
– Limited functionality – the rule is not being used.