Changing the state of a collection of Sigma rules

By default, a collection of Sigma rules is enabled after it is added — the toggle button to the left of the collection name is in the Enabled position. You can change the state of a collection of Sigma rules.

To change the state of a collection of Sigma rules:

Do one of the following:
- for a group of protected devices, open the application policy properties window.
  1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
  2. Select the policy you want to configure.
  3. In the <Policy name> window that opens, select the Application settings tab.
- for an individual protected device, open the application settings for the device.
  1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
  2. Select the device for which you want to configure application settings.
  3. In the <Device name> window that opens, select the Applications tab.
  4. Select Kaspersky Endpoint Agent.
  5. In the Kaspersky Endpoint Agent window that opens, select the Application settings tab.
In the Anomaly Detection using Sigma rules section, change the position of the toggle button to the left of the name of the collection of Sigma rules whose state you want to change:
- Enabled — the collection is enabled and is used for detecting anomalies.
- Disabled — the collection is disabled and is not used for anomaly detection.
Click the Save button.

Kaspersky Endpoint Agent searches for anomalies using the collections of Sigma rules that are enabled.

Page top