Viewing the list of TAA (IOA) rules added to exclusions
To view the list of TAA (IOA) rules added to exclusions:
In the main window of the program web interface, select the Settings section, Exclusions subsection, TAA exclusions.
The table of excluded TAA (IOA) rules is displayed. You can filter the rules by clicking links in column headers.
The table contains the following information:
Importance level that is assigned to an alert generated using this TAA (IOA) rule.
The importance level can have one of the following values:
– Low.
– Medium.
– High.
Type is the type of the rule, which depends on the role of the server that generated it in distributed solution mode:
Global – the rule was created on the PCN server.
Local – the rule was created on an SCN server.
Confidence – level of confidence depending on the likelihood of false alarms caused by the rule:
High.
Medium.
Low.
The higher the confidence level, the lower the likelihood of false alarms.
Exclude rule is the operating mode of the rule that is added to exclusions.
Always means the rule is always excluded. In this case, Kaspersky Anti Targeted Attack Platform does not mark events as matching the TAA (IOA) rule and does not create alerts based on that rule.
Based on conditions means the rule is excluded only for events that match the conditions added to the exclusion. In this case, the TAA (IOA) rule is supplemented by conditions in the form of a search query. Kaspersky Anti Targeted Attack Platform does not mark events that match the specified conditions as matching the TAA (IOA) rule. Events that match the TAA (IOA) rule but do not satisfy the conditions of the applied exclusion are still marked, and the program creates alerts for them.