You can add to exclusions only TAA (IOA) rules made by Kaspersky. If you do not want to apply a user-defined TAA (IOA) rule for scanning events, you can disable that rule or delete it.
To add a TAA (IOA) rule to exclusions from the Alerts section:
This opens the table of alerts.
The table displays alerts generated by the TAA technology based on TAA (IOA) rules.
This opens a window containing information about the alert.
This opens a window that allows you to add the TAA (IOA) rule to exclusions.
If you selected Based on conditions:
A table is displayed of events that match the TAA (IOA) rule given the specified exclusion criteria.
If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.
The host table of the selected server is displayed. Event grouping levels are displayed above the table.
If necessary, you can change event search conditions.
The TAA (IOA) rule is added to exclusions and is displayed in the exclusion list in the Settings section, Exclusions subsection on the TAA tab in the application web interface. This rule is no longer used for creating alerts.
To add a TAA (IOA) rule to exclusions from the Threat Hunting section:
This opens the event search form.
The table of events that satisfy the search criteria is displayed.
This opens a window containing information about the rule.
This opens a window that allows you to add the TAA (IOA) rule to exclusions.
If you selected Based on conditions:
A table is displayed of events that match the TAA (IOA) rule given the specified exclusion criteria.
If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.
The host table of the selected server is displayed. Event grouping levels are displayed above the table.
If necessary, you can change event search conditions.
The TAA (IOA) rule is added to exclusions and is displayed in the exclusion list in the Settings section, Exclusions subsection on the TAA tab in the application web interface. This rule is no longer applied when scanning events.
When creating a search query to be saved as an exclusion criterion, avoid using the following fields:
These fields are only displayed after Kaspersky Anti Targeted Attack Platform marks events as matching TAA (IOA) rules.
Users with the Security auditor and Security officer roles cannot add TAA (IOA) rules to exclusions.