Filtering Sigma rules within a collection of rules

If the number of Sigma rules in a collection is large and you need to display a list of Sigma rules with certain parameters, you can use a filter.

To filter the Sigma rules in a collection:

Do one of the following:
- for a group of protected devices, open the application policy properties window.
  1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
  2. Select the policy you want to configure.
  3. In the <Policy name> window that opens, select the Application settings tab.
- for an individual protected device, open the application settings for the device.
  1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
  2. Select the device for which you want to configure application settings.
  3. In the <Device name> window that opens, select the Applications tab.
  4. Select Kaspersky Endpoint Agent.
  5. In the Kaspersky Endpoint Agent window that opens, select the Application settings tab.
In the Anomaly Detection using Sigma rules section, use the check box next to the name of a collection to select the collection to which you want to apply the rule filter.
Click Edit.
The Modifying the collection rules window opens.
Click the Filter button.
A window with filtering criteria opens.
Specify the values of the filtering criteria you need:
- The А rule contains the text criterion selects rules based on a case-insensitive match of the fragment. You can enter any rule attribute and/or its value.
- The Rule state criterion selects rules based on their state.
- The Availability of exclusions criterion selects rules based on the presence of exclusions.
  This criterion is available only for filtering rules in a collection supplied by Kaspersky.
Click OK.
The rules that match the filtering criteria are displayed in the list of rules in the collection.

Page top