You can import an IOC format file and use it to scan events and create Targeted Attack Analyzer alerts.
It is highly recommended that you test custom TAA (IOA) rules in a test environment before you import them. Custom TAA (IOA) rules may cause performance issues, in which case stable performance of Kaspersky Anti Targeted Attack Platform is not guaranteed
To import a TAA (IOA) rule:
In the window of the program web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
Click Import.
This opens the file selection window on your local computer.
Select the file that you want to upload and click Open.
This opens the New TAA (IOA) rule window.
Set the State toggle switch to Enabled if you want to enable the rule for scanning the event database.
On the Details tab, in the Name field, enter the name of the rule.
In the Description field, enter any additional information about the rule.
In the Importance drop-down list, select the importance level to be assigned to alerts generated using this TAA (IOA) rule.
Low.
Medium.
High.
In the Confidence drop-down list, select the level of confidence of this rule based on your estimate:
Low.
Medium.
High.
Under Apply to, select check boxes corresponding to servers on which you want to apply the rule.
On the Query tab, verify the defined search conditions. Make changes if necessary.
Click Save.
The user-defined TAA (IOA) rule is imported into the program.
You can also add a TAA (IOA) rule by saving events database search conditions in the Threat Hunting section.