Creating a user-defined TAA (IOA) rule based on event search conditions

To create a user-defined TAA (IOA) rule based on event search conditions:

  1. Select the Threat Hunting section in the program web interface window.

    This opens the event search form.

  2. Perform an event search in design mode or source code mode.
  3. Click the Save as TAA (IOA) rule button.

    This opens the New TAA (IOA) rule window.

  4. In the Name field, type the name of the rule.
  5. Click Save.

The event search condition will be saved. In the TAA (IOA) rule table in the User rules section, TAA subsection of the web interface, the new rule is displayed with the specified name.

If you want to save event search conditions as a user-defined TAA (IOA) rule, avoid using the following fields:

At the time of saving the user-defined TAA (IOA) rule, the program might not have any events containing data for these fields. When events with this data turn up, the user-defined TAA (IOA) rule that you created earlier will be unable to mark events by these fields.

See also

Managing user-defined TAA (IOA) rules

Viewing the TAA (IOA) rule table

Viewing the information of a user-defined TAA (IOA) rule

Searching for alerts and events in which TAA (IOA) rules were triggered

Filtering and searching TAA (IOA) rules

Resetting the TAA (IOA) rule filter

Importing a user-defined TAA (IOA) rule

Enabling and disabling TAA (IOA) rules

Modifying a user-defined TAA (IOA) rule

Deleting user-defined TAA (IOA) rules
