Viewing the list of TAA (IOA) rules added to exclusions
To view the list of TAA (IOA) rules added to exclusions:
In the main window of the program web interface, select the Settings section, Exclusions subsection, TAA exclusions.
The table of excluded TAA (IOA) rules is displayed. You can filter the rules by clicking links in column headers.
The table contains the following information:
—Importance level that is assigned to an alert generated using this TAA (IOA) rule.
The importance level can have one of the following values:
– Low.
– Medium.
– High.
Type is the type of the rule depending on the role of the server which generated it:
Local—Created on the SCN server. These exclusions apply only to hosts that are connected to this SCN server. Exclusions belong to the tenant which the user is managing in the program web interface.
Global—Created on the PCN server. Exclusions apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Exclusions belong to the tenant which the user is managing in the program web interface.
Confidence – level of confidence depending on the likelihood of false alarms caused by the rule:
– High.
– Medium.
– Low.
The higher the confidence level, the lower the likelihood of false alarms.
Exclude rule is the operating mode of the rule that is added to exclusions.
Always means the rule is always excluded. In this case, Kaspersky Anti Targeted Attack Platform does not mark events as matching the TAA (IOA) rule and does not create alerts based on that rule.
Based on conditions means the rule is excluded if a condition is added. In this case, the TAA (IOA) rule is supplemented by conditions in the form of a search query. Kaspersky Anti Targeted Attack Platform does not mark events that match the specified conditions as matching the TAA (IOA) rule. Events that match the TAA (IOA) rule but do not satisfy the conditions of the applied exclusion are still marked by the program, and alerts are created for them.
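The following added example (not part of the product documentation or the product's code) models how the Type and Exclude rule columns described above combine to decide whether an event that matches a TAA (IOA) rule still produces an alert. Server names, host names, rule IDs and the FileName field are constructed; conditions are modelled as simple field/value equality standing in for a search query, and a single tenant is assumed.

```python
# Simplified model of TAA (IOA) exclusion handling (added illustration).
# All names and values below are constructed sample data.

# Which PCN each SCN is connected to, and which server each host reports to.
SCN_PARENT = {"scn-1": "pcn-1", "scn-2": "pcn-1"}
HOST_SERVER = {"host-a": "scn-1", "host-b": "scn-2", "host-c": "pcn-1"}

EXCLUSIONS = [
    # Local exclusion created on scn-1; the rule is always excluded there.
    {"rule": "rule-1", "type": "Local", "server": "scn-1",
     "mode": "Always", "conditions": {}},
    # Global exclusion created on pcn-1; excluded only when conditions match.
    {"rule": "rule-2", "type": "Global", "server": "pcn-1",
     "mode": "Based on conditions", "conditions": {"FileName": "backup.exe"}},
]

def in_scope(excl, host):
    """Does the exclusion apply to the server this host is connected to?"""
    server = HOST_SERVER[host]
    if excl["type"] == "Local":
        return server == excl["server"]
    # Global: hosts on the PCN itself and on every SCN connected to it.
    return server == excl["server"] or SCN_PARENT.get(server) == excl["server"]

def suppresses(excl, event):
    """Does the exclusion's operating mode suppress this particular event?"""
    if excl["mode"] == "Always":
        return True
    conds = excl["conditions"]
    # In this model an exclusion without conditions suppresses nothing.
    return bool(conds) and all(event.get(k) == v for k, v in conds.items())

def creates_alert(rule, event, exclusions=EXCLUSIONS):
    """True if an event matching `rule` is still marked and alerted on."""
    for excl in exclusions:
        if (excl["rule"] == rule and in_scope(excl, event["host"])
                and suppresses(excl, event)):
            return False
    return True

if __name__ == "__main__":
    for rule, ev in [("rule-1", {"host": "host-a"}),
                     ("rule-1", {"host": "host-b"}),
                     ("rule-2", {"host": "host-b", "FileName": "backup.exe"}),
                     ("rule-2", {"host": "host-a", "FileName": "other.exe"})]:
        print(rule, ev, "alert" if creates_alert(rule, ev) else "excluded")
```

The model makes the review point visible: an Always exclusion removes the rule's alerts for every host in its scope, while a condition-based exclusion leaves the rule active for events outside the condition.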