TAA (IOA) rules created by Kaspersky experts contain indicators of suspicious behavior of an object in the corporate IT infrastructure. Kaspersky Anti Targeted Attack Platform scans the program's event database and creates alerts for events that match the behaviors described by TAA (IOA) rules. If you do not want the program to create alerts for events generated by host activity that is normal for your organization, you can add the corresponding TAA (IOA) rule to exclusions.
A TAA (IOA) rule added to exclusions can work in one of two modes:
Without conditions. Kaspersky Anti Targeted Attack Platform does not mark any events as matching the TAA (IOA) rule and does not create alerts based on that rule.
With conditions. The TAA (IOA) rule is supplemented by conditions in the form of a search query. Kaspersky Anti Targeted Attack Platform does not mark events that satisfy these conditions as matching the TAA (IOA) rule. Events that match the TAA (IOA) rule but do not satisfy the conditions of the exclusion are still marked, and alerts are created for them.
If you are using the distributed solution and multitenancy mode, a TAA exclusion can be either local or global.
Users with the Senior security officer role can create, edit, and delete exclusions for tenants to whose data they have access.
Users with the Security auditor and Security officer roles can only view the list of TAA exclusions and the properties of a selected exclusion.
For each TAA (IOA) rule, you can create only one local or global exclusion.
If one TAA (IOA) rule has exclusions created both on an SCN server and the PCN server, Kaspersky Anti Targeted Attack Platform processes events in accordance with exclusion settings on the PCN server.
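The following is an added illustration of the alert logic described above (the two exclusion modes and the PCN-over-SCN precedence); it is not Kaspersky code and does not use the platform's API or query language. The rule ID, the sample events, and the exclusion condition (a plain Python predicate standing in for the search query) are all constructed for the example.

```python
"""Toy model of how TAA (IOA) exclusions suppress alerts.

Assumptions (not from the product): events are dicts, a rule is a
predicate over an event, and an exclusion's "search query" is modelled
as a predicate. Only the decision logic from the text is reproduced.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]
Predicate = Callable[[Event], bool]


@dataclass
class Rule:
    rule_id: str
    matches: Predicate          # stands in for the rule's behavior indicators


@dataclass
class Exclusion:
    rule_id: str
    server: str                 # "PCN" or "SCN": where the exclusion was created
    condition: Optional[Predicate] = None   # None = exclusion without conditions


def effective_exclusion(excls: List[Exclusion], rule_id: str) -> Optional[Exclusion]:
    """Pick the exclusion that applies to a rule.

    Page rule: if the same TAA (IOA) rule has exclusions on both an SCN
    and the PCN, the PCN exclusion settings are used.
    """
    candidates = [e for e in excls if e.rule_id == rule_id]
    if not candidates:
        return None
    for e in candidates:
        if e.server == "PCN":
            return e
    return candidates[0]        # only one local/global exclusion per rule anyway


def is_excluded(excl: Optional[Exclusion], event: Event) -> bool:
    if excl is None:
        return False
    if excl.condition is None:
        return True             # without conditions: suppress every match
    return excl.condition(event)  # with conditions: suppress only matching events


def evaluate(rules: List[Rule], excls: List[Exclusion],
             events: List[Event]) -> List[Tuple[str, object]]:
    """Return (rule_id, event_id) pairs for which an alert would be created."""
    alerts = []
    for ev in events:
        for r in rules:
            if not r.matches(ev):
                continue
            if is_excluded(effective_exclusion(excls, r.rule_id), ev):
                continue
            alerts.append((r.rule_id, ev["id"]))
    return alerts


# Constructed sample data: a hypothetical rule that flags psexec.exe launches.
RULE_ID = "R-HYPO-001"
RULES = [Rule(RULE_ID, lambda ev: ev["process"] == "psexec.exe")]
EVENTS: List[Event] = [
    {"id": 1, "host": "adm-jump01", "process": "psexec.exe"},   # admin jump host
    {"id": 2, "host": "ws-finance07", "process": "psexec.exe"},  # user workstation
    {"id": 3, "host": "ws-finance07", "process": "excel.exe"},
]


def admin_hosts_only(ev: Event) -> bool:
    """Stand-in for a search query such as 'host starts with adm-'."""
    return str(ev["host"]).startswith("adm-")


def demo() -> Dict[str, List[Tuple[str, object]]]:
    return {
        "no_exclusion": evaluate(RULES, [], EVENTS),
        "without_conditions": evaluate(RULES, [Exclusion(RULE_ID, "PCN")], EVENTS),
        "with_conditions": evaluate(
            RULES, [Exclusion(RULE_ID, "PCN", admin_hosts_only)], EVENTS),
        # SCN suppresses everything, PCN only admin hosts: PCN settings win.
        "scn_and_pcn": evaluate(
            RULES,
            [Exclusion(RULE_ID, "SCN"), Exclusion(RULE_ID, "PCN", admin_hosts_only)],
            EVENTS),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name}: {alerts}")
```

Note that in the model an exclusion with conditions still lets the workstation event through, whereas an exclusion without conditions silences the rule entirely, which is the trade-off to weigh before excluding a rule outright.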