Creating a user-defined TAA (IOA) rule based on event search conditions

To create a user-defined TAA (IOA) based on event search conditions:

  1. Select the Threat Hunting section in the program web interface window.

    This opens the event search form.

  2. Perform an event search in design mode or source code mode.
  3. Click Save as TAA (IOA) rule.

    This opens the New TAA (IOA) rule window.

  4. In the Name field, type the name of the rule.
  5. Click Save.

The event search condition will be saved. In the TAA (IOA) rule table in the User rules section, TAA subsection of the web interface, the new rule is displayed with the specified name.

If you want to save event search conditions as a user-defined TAA (IOA) rule, avoid using the following fields:

At the time of saving the user-defined TAA (IOA) rule, the program might not have any events containing data for these fields. When events with this data turn up, the user-defined field that you have created earlier will be unable to mark events by these fields.

Users with the Security auditor and Security officer roles cannot create TAA (IOA) rules based on event search conditions.

See also

Events database threat hunting

Searching events in source code mode

Searching events in design mode

Sorting events in the table

Changing the event search conditions

Searching events by processing results in EPP programs

Uploading an IOC file and searching for events based on conditions defined in the IOC file

Page top