Creating a user-defined TAA (IOA) rule based on event search conditions

To create a custom TAA (IOA) rule based on event search conditions:

  1. Select the Threat Hunting section in the program web interface window.

    This opens the event search form.

  2. Perform an event search in design mode or source code mode.
  3. Click Save as TAA (IOA) rule.

    This opens the New TAA (IOA) rule window.

  4. In the Name field, type the name of the rule.
  5. Click Save.

The event search conditions are saved as a rule. The new rule is displayed with the specified name in the TAA (IOA) rule table, in the User rules section, TAA subsection of the web interface.

If you want to save event search conditions as a user-defined TAA (IOA) rule, avoid using the following fields:

At the time the user-defined TAA (IOA) rule is saved, the program might not have any events containing data for these fields. When events with this data turn up, the user-defined TAA (IOA) rule that you created earlier will be unable to mark events by these fields.

Users with the Security auditor and Security officer roles cannot create TAA (IOA) rules based on event search conditions.

See also

Managing user-defined TAA (IOA) rules

Importing a user-defined TAA (IOA) rule

Viewing the TAA (IOA) rule table

Viewing custom TAA (IOA) rule details

Searching for alerts and events in which TAA (IOA) rules were triggered

Filtering and searching TAA (IOA) rules

Resetting the TAA (IOA) rule filter

Enabling and disabling TAA (IOA) rules

Modifying a user-defined TAA (IOA) rule

Deleting user-defined TAA (IOA) rules
