Changing Network Anomaly Detection rule

You can fine-tune existing Network Anomaly Detection rules by changing their settings. For example, you can change the threshold values in the SQL query variables or specify other dictionaries for them. If a rule is still linked to a built-in template (in other words, a User-defined template is not specified), you cannot change its event registration settings, and the SQL query text cannot be edited. If you need a rule with other event registration settings or with a different SQL query, disable the current rule and create a new rule with the necessary settings.

Users with the Senior security officer role can manage network anomaly detection rules.

To change the settings of a network anomaly detection rule:

  1. In the application web interface, go to the Intrusion detection section, Network Anomaly Detection subsection.
  2. Select the rule that you want to modify.

    The details area is displayed in the right part of the web interface window.

  3. Click Edit.
  4. Enter the rule name and description.
  5. Use the Search depth setting to specify the duration of the time interval for searching for network anomalies among the protocol attributes received in the database. You can specify the time interval in seconds, minutes, hours, or days.
  6. To run the rule according to a schedule, enable the Run job according to schedule option and configure the schedule settings:
    1. In the Frequency drop-down list, select how often to run the job: By the second, Minutely, Hourly, Daily, Weekly, Monthly.
    2. Depending on the selected option, specify the values for the settings to define the precise job start time.
  7. If you need to change the time period after which Kaspersky Anti Targeted Attack Platform will re-register a rule triggering event, turn on the Change default value toggle switch and specify the necessary event regeneration period.
  8. In the Main event registration settings block, check the settings for registering an event when the rule is triggered, and configure the settings if necessary. The settings are locked and cannot be edited if a built-in template is selected for the rule.

    If the settings can be edited, you can specify values for the following settings of the event that the application will register when the rule is triggered:

    • Event title and description.

      When you enter a title or description for an event, tooltips or selectable General variables automatically appear next to the cursor.

    • Event score value.
  9. Select the SQL-specific query tab.
  10. If necessary, test how the SQL query works with the database. To do so, click the Perform button.

    The Verify completion of SQL query window is displayed with a table of results of testing the SQL query. To control the display of the window, use the buttons in the upper-right corner.

  11. If necessary, fine-tune the SQL query by changing the values of the variables used in it. The variables are displayed under Utilized variables. You can define the value of a variable explicitly or take it from a previously added dictionary. To take the value of a variable from a dictionary, click the List icon opposite the variable and select the dictionary you need.

    You can use dictionaries for variables with the "date", "time", "IP", "port", "string", or "weekday" data types. Dictionaries are not supported for variables with the "int" data type; such variables must be assigned an explicit value.

  12. In the SQL-specific query field, review and, if necessary, edit the text of the SQL query. The text of the SQL query is locked and cannot be edited if a built-in template is selected for the rule.

    After changing the text of the SQL query, repeat steps 10 and 11 to test the edited query and check the values of its variables.

  13. Click Save.

The settings of the network anomaly detection rule are modified.
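The following is an added example, not code from Kaspersky Anti Targeted Attack Platform, that shows what the procedure above changes in practice: a rule is an SQL query with variables, a threshold is one such variable, a dictionary can supply the values of a "port" variable but not of an "int" variable, and the Search depth setting becomes the time window the query looks back over. The table name, column names, sample rows, variable names and dictionary name are all constructed for this example and are not the product's schema.

```python
"""Added example (not Kaspersky code): run a parameterised anomaly-detection
query with a search-depth window and dictionary-backed variables against a
constructed SQLite table of protocol attributes."""
import sqlite3
from datetime import datetime, timedelta

# Data types for which a dictionary may supply a variable's value.
DICTIONARY_TYPES = {"date", "time", "IP", "port", "string", "weekday"}

# Hypothetical "Utilized variables" block: name -> (data type, explicit value or None).
VARIABLES = {
    "threshold":    ("int",  5),      # explicit value; dictionaries not allowed for int
    "search_depth": ("int",  3600),   # Search depth, in seconds
    "watch_ports":  ("port", None),   # value comes from a dictionary
}
# Hypothetical dictionaries and the variable -> dictionary bindings (constructed).
DICTIONARIES = {"admin_ports": [22, 445, 3389, 5985]}
BINDINGS = {"watch_ports": "admin_ports"}

# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2024, 5, 1, 12, 0, 0)

# Hypothetical rule: a source host that reaches more than `threshold` distinct
# destinations on any watched port within the search-depth window.
RULE_SQL = """
SELECT src_ip, COUNT(DISTINCT dst_ip) AS targets
FROM protocol_attributes
WHERE ts >= ?                       -- start of the search-depth window
  AND dst_port IN ({port_list})     -- expanded from the dictionary
GROUP BY src_ip
HAVING COUNT(DISTINCT dst_ip) > ?   -- threshold variable
ORDER BY targets DESC, src_ip
"""


def resolve_variables(variables, dictionaries, bindings):
    """Map each variable to a concrete value (or list of values from a dictionary).
    Refuses a dictionary for a variable whose type does not support one."""
    resolved = {}
    for name, (vtype, value) in variables.items():
        if name in bindings:
            if vtype not in DICTIONARY_TYPES:
                raise ValueError(f"dictionary not supported for {vtype!r} variable {name!r}")
            resolved[name] = list(dictionaries[bindings[name]])
        elif value is None:
            raise ValueError(f"variable {name!r} has neither a value nor a dictionary")
        else:
            resolved[name] = value
    return resolved


def run_rule(conn, now, variables, dictionaries, bindings):
    """Substitute variables and run the query; returns [(src_ip, targets), ...]."""
    v = resolve_variables(variables, dictionaries, bindings)
    window_start = (now - timedelta(seconds=v["search_depth"])).isoformat(sep=" ")
    ports = v["watch_ports"]
    sql = RULE_SQL.format(port_list=",".join("?" * len(ports)))  # one placeholder per port
    params = [window_start, *ports, v["threshold"]]
    return conn.execute(sql, params).fetchall()


def build_sample_db(now):
    """Constructed protocol attributes: timestamps are ISO strings relative to `now`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE protocol_attributes (ts TEXT, src_ip TEXT, dst_ip TEXT, dst_port INTEGER)")
    rows = []

    def add(src, dst_count, port, minutes_ago):
        ts = (now - timedelta(minutes=minutes_ago)).isoformat(sep=" ")
        rows.extend((ts, src, f"10.0.1.{i + 1}", port) for i in range(dst_count))

    add("10.0.0.5", 8, 445, 10)     # SMB fan-out inside the window: exceeds threshold 5
    add("10.0.0.7", 3, 3389, 5)     # watched port, but below the threshold
    add("10.0.0.9", 12, 445, 180)   # heavy, but 3 h ago: outside the 1 h search depth
    add("10.0.0.11", 12, 80, 2)     # port 80 is not in the dictionary
    conn.executemany("INSERT INTO protocol_attributes VALUES (?,?,?,?)", rows)
    return conn


def demo():
    """Run the rule once over the sample data; only 10.0.0.5 should trigger."""
    return run_rule(build_sample_db(NOW), NOW, VARIABLES, DICTIONARIES, BINDINGS)


if __name__ == "__main__":
    for src_ip, targets in demo():
        print(f"rule triggered: {src_ip} reached {targets} hosts on watched ports")
```

Tightening the rule is then a matter of changing `threshold` or `search_depth` in the variables block, or pointing `watch_ports` at a different dictionary, without touching the query text, which is exactly what step 11 allows for rules still linked to a built-in template. Binding a dictionary to an "int" variable is rejected at resolution time, matching the data-type restriction above.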
