Managing user-defined TAA (IOA) rules

Custom TAA (IOA) rules are created based on event databased search criteria. For example, if you want Kaspersky Anti Targeted Attack Platform to generate alerts for events when an application that you consider unsafe is started on computers with the Endpoint Agent component, you can:

  1. Generate a search query for the event database.
  2. Create a custom TAA (IOA) rule based on event search conditions.

    When Central Node server receives events matching the created TAA (IOA) rule, Kaspersky Anti Targeted Attack Platform generates alerts.

You can also create a TAA (IOA) rule based on one or multiple event search criteria from the selected IOC file. To do so:

  1. Upload an IOC file containing indicators of compromise corresponding to the malware to Kaspersky Anti Targeted Attack Platform.
  2. Find events corresponding to the criteria of the selected IOC file.
  3. Create a TAA (IOA) rule based on one or more event search criteria from the selected IOC file.

In distributed solution and multitenancy mode, TAA (IOA) rules can have one of the following types:

The differences between user rules and Kaspersky rules are summarized in the following table.

Comparison of TAA (IOA) rules

Characteristic

User-defined TAA (IOA) rules

Kaspersky TAA (IOA) rules

Recommendations on responding to the event

No

Yes

You can view recommendations in
alert information

Correspondence to technique in MITRE ATT&CK database

No

Yes

You can view the description of the
technique according to the MITRE database in alert information

Display in the TAA (IOA) rule table

Yes

No

Ability to disable database lookup for this rule

Disable rule

Add rule to TAA exclusions

Ability to delete or add the rule

You can delete or add a rule in the web interface of the application

Rules are updated together with application databases
and cannot be deleted by the user

Searching for alerts and events in which TAA (IOA) rules were triggered

Using Alerts and Events links in the TAA (IOA) rule information window

Using Alerts and Events links in the alert information window

Users with the Senior security officer role can create, import, delete, enable or disable TAA (IOA) rules, and exclude Kaspersky TAA (IOA) rules from scanning. Users with the Security officer or Security auditor roles can use TAA (IOA) rules to search for signs of targeted attacks, infected and possibly infected objects in the database of events and alerts, and to view the TAA (IOA) rule table and TAA (IOA) rule information.

In this section

Viewing the TAA (IOA) rule table

Creating a TAA (IOA) rule based on event search conditions

Importing a TAA (IOA) rule

Viewing custom TAA (IOA) rule details

Searching for alerts and events in which TAA (IOA) rules were triggered

Filtering and searching TAA (IOA) rules

Resetting the TAA (IOA) rule filter

Enabling and disabling TAA (IOA) rules

Modifying a TAA (IOA) rule

Deleting TAA (IOA) rules

Page top