Viewing custom TAA (IOA) rule details

To display information about the TAA (IOA) rule:

1. In the window of the program web interface, select the User rules section, TAA subsection.

   This opens the TAA (IOA) rule table.

2. Select the rule for which you want to view information.

This opens a window containing information about the rule.

The window contains the following information:

• Alerts Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Technologies and Details columns, that is, the Targeted Attack Analyzer technology and the name of the TAA (IOA) rule that you are working on.
• Find events. Click the link to display the Threat Hunting events table in a new browser tab. The table is filtered by rule name.
• Run query. Click the link to display the Threat Hunting events table in a new browser tab. The table is filtered by rule name. The event search conditions are populated with information from the TAA (IOA) rule that you are working on. For example, EventType=Process started AND FileName CONTAINS <name of the rule you are working on>. You can edit the event search query.
• IOA ID. Clicking this link shows the ID that the program assigns to each rule.

  IDs cannot be modified. You can copy the ID by clicking the Copy value to clipboard button.

• State – use of the rule in events database scans.

The Details tab shows the following information:

• Name is the name of the rule that you specified when you added the rule.
• Description is any additional information about the rule that you specified.
• Importance is an estimate of the probable impact of the event on the security of computers or the corporate LAN as specified by the user when the rule was added.
• Confidence is the level of confidence depending on the likelihood of false alarms as defined by the user when the rule was added.
• Type is the type of the rule depending on the role of the server which generated it:
  • Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the organization which the user is managing in the program web interface (in the distributed solution and multitenancy mode).

    Operation mode in which the program can be used to protect the infrastructure of several organizations simultaneously.

    Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a master control server (Primary Central Node (PCN)) and slave servers (Secondary Central Nodes (SCN)).

  • Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the organization which the user is managing in the program web interface (in the distributed solution and multitenancy mode).
• Apply to – name of servers with the Central Node component on which the rule is applied.

The Query tab displays the source code of the query being checked. Click the Run query link in the upper part of the window to go to the Threat Hunting section and run an event search query.

See also Creating a user-defined TAA (IOA) rule based on event search conditions Importing a user-defined TAA (IOA) rule Viewing the TAA (IOA) rule table Searching for alerts and events in which TAA (IOA) rules were triggered Filtering and searching TAA (IOA) rules Resetting the TAA (IOA) rule filter Enabling and disabling TAA (IOA) rules Modifying a user-defined TAA (IOA) rule Deleting user-defined TAA (IOA) rules

Page top