Importing a user-defined TAA (IOA) rule

You can import an IOC format file and use it to scan events and create Targeted Attack Analyzer alerts.

It is highly recommended to test custom TAA (IOA) rules in a test environment before you import them. Custom TAA (IOA) rules may cause performance issues, in which case stable performance of Kaspersky Anti Targeted Attack Platform is not guaranteed.

To import a TAA (IOA) rule:

  1. In the window of the program web interface, select the User rules section, TAA subsection.

    This opens the TAA (IOA) rule table.

  2. Click Import.

    This opens the file selection window on your local computer.

  3. Select the file that you want to upload and click Open.

    This opens the New TAA (IOA) rule window.

  4. Select or clear the State check box if you want to change the usage status of the rule when scanning the events database.
  5. On the Details tab, in the Name field, enter the name of the rule.
  6. In the Description field, enter any additional information about the rule.
  7. In the Importance drop-down list, select the importance level to be assigned to alerts generated using this TAA (IOA) rule:
    • Low.
    • Medium.
    • High.
  8. In the Confidence drop-down list, select the level of confidence of this rule based on your estimate:
    • Low.
    • Medium.
    • High.
  9. Under Apply to, select check boxes corresponding to servers on which you want to apply the rule.
  10. On the Query tab, verify the defined search conditions. Make changes if necessary.
  11. Click Save.

The user-defined TAA (IOA) rule is imported into the program.

You can also add a TAA (IOA) rule by saving events database search conditions in the Threat Hunting section.

See also

Viewing the TAA (IOA) rule table

Viewing the information of a user-defined TAA (IOA) rule

Searching for alerts and events in which TAA (IOA) rules were triggered

Filtering and searching TAA (IOA) rules

Resetting the TAA (IOA) rule filter

Creating a user-defined TAA (IOA) rule based on event search conditions

Enabling and disabling TAA (IOA) rules

Modifying a user-defined TAA (IOA) rule

Deleting user-defined TAA (IOA) rules
