Users with the Senior security officer role can create, import, delete, enable or disable TAA (IOA) rules, and exclude Kaspersky TAA (IOA) rules from scanning. Users with the Security officer or Security auditor roles can use TAA (IOA) rules to search for signs of targeted attacks, infected and possibly infected objects in the database of events and alerts, and to view the TAA (IOA) rule table and TAA (IOA) rule information.
The differences between user rules and Kaspersky rules are summarized in the following table.
Comparison of TAA (IOA) rules
Characteristic |
User-defined TAA (IOA) rules |
Kaspersky TAA (IOA) rules |
---|---|---|
Recommendations on responding to the event |
No |
Yes You can view recommendations in |
Correspondence to technique in MITRE ATT&CK database |
No |
Yes You can view the description of the |
Display in the в TAA (IOA) rule table |
Yes |
No |
Ability to disable database lookup for this rule |
||
Ability to delete or add the rule |
You can delete or add a rule in the web interface of the program |
Rules are updated together with program databases |
Searching for alerts and events in which TAA (IOA) rules were triggered |
Using Alerts and Events links in the TAA (IOA) rule information window |
Using Alerts and Events links in the alert information window |
Depending on the program operating mode and the server on which the TAA (IOA) rules are created, user-defined TAA (IOA) rules can have one of the following types: