Managing user-defined TAA (IOA) rules

Custom TAA (IOA) rules are created based on event databased search criteria. For example, if you want Kaspersky Anti Targeted Attack Platform to generate alerts when a program that you consider unsafe is started on Kaspersky Endpoint Agent computers, you can:

Generate a search query for the event database.
Create a custom TAA (IOA) rule based on event search conditions.
When Central Node server receives events matching the created TAA (IOA) rule, Kaspersky Anti Targeted Attack Platform generates alerts.

You can also create a TAA (IOA) rule based on one or multiple event search criteria from the selected IOC file. To do so:

Depending on the program operating mode and the server on which the TAA (IOA) rules are created, user-defined TAA (IOA) rules can have one of the following types:

Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the organization which the user is managing in the program web interface (in the distributed solution and multitenancy mode).
Operation mode in which the program can be used to protect the infrastructure of several organizations simultaneously.

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a master control server (Primary Central Node (PCN)) and slave servers (Secondary Central Nodes (SCN)).
Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the organization which the user is managing in the program web interface (in the distributed solution and multitenancy mode).

The differences between user rules and Kaspersky rules are summarized in the following table.

Comparison of TAA (IOA) rules

Characteristic	User-defined TAA (IOA) rules	Kaspersky TAA (IOA) rules
Recommendations on responding to the event	No	Yes You can view recommendations in alert information
Correspondence to technique in MITRE ATT&CK database The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) database contains descriptions of hacker behavior based on the analysis of real attacks. It is a structured list of known hacker techniques represented as a table.	No	Yes You can view the description of the technique according to the MITRE database in alert information
Display in the в TAA (IOA) rule table	Yes	No
Ability to disable database lookup for this rule	Disable rule	Add rule to TAA exclusions
Ability to delete or add the rule	You can delete or add a rule in the web interface of the program	Rules are updated together with program databases and cannot be deleted by the user
Searching for alerts and events in which TAA (IOA) rules were triggered	Using Alerts and Events links in the TAA (IOA) rule information window	Using Alerts and Events links in the alert information window

Users with the Senior security officer role can create, import, delete, enable or disable TAA (IOA) rules, and exclude Kaspersky TAA (IOA) rules from scanning. Users with the Security officer or Security auditor roles can use TAA (IOA) rules to search for signs of targeted attacks, infected and possibly infected objects in the database of events and alerts, and to view the TAA (IOA) rule table and TAA (IOA) rule information.

In this Help section

Creating a user-defined TAA (IOA) rule based on event search conditions

Importing a user-defined TAA (IOA) rule

Viewing the TAA (IOA) rule table

Viewing custom TAA (IOA) rule details

Searching for alerts and events in which TAA (IOA) rules were triggered

Filtering and searching TAA (IOA) rules

Resetting the TAA (IOA) rule filter

Enabling and disabling TAA (IOA) rules

Modifying a user-defined TAA (IOA) rule

Deleting user-defined TAA (IOA) rules

Page top