Event chain scanning by Kaspersky TAA (IOA) rules

Some cyberattacks can be detected only by looking at a certain sequence of events. If the event chain scanning functionality is enabled, Kaspersky Anti Targeted Attack Platform marks events arriving at the Central Node server in accordance with Kaspersky TAA (IOA) rules and, when a suspicious sequence of events is detected, records an alert in the table of alerts.

You can view events marked by a Kaspersky TAA (IOA) rule in one of the following ways:

Kaspersky TAA (IOA) rules cannot be edited. If you do not want the application to create alerts for events generated as part of host activity that is normal for your organization, you can add a TAA (IOA) rule to exclusions. Only one exclusion can be created per Kaspersky TAA (IOA) rule.

In distributed solution and multitenancy mode, you must enable the event chain scanning functionality on each Central Node server on which you want to use it. If the Central Node component is deployed as a cluster, you can enable the functionality on any server in the cluster.

Using TAA (IOA) rules that scan chains of events causes higher usage of system resources. If you encounter performance problems with the application, we recommend disabling this functionality.

Special considerations for displaying event chain information in widgets

The top 10 widgets display information only about events that triggered a TAA (IOA) rule. Widgets do not take into account events that occurred earlier and are part of the event chain but did not themselves trigger the rule. For this reason, the number of events reported by the widget may not match the number of events in the selection displayed when you click the link with the host name and the name of the TAA (IOA) rule.
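The following is an added illustrative example, not Kaspersky code and not a description of how Kaspersky TAA (IOA) rules are implemented internally. It models the two points made above with a constructed toy: a chain rule fires only when an ordered sequence of events is seen on one host, every event in the chain is marked with the rule name, a rule placed in exclusions records no alert, and a widget-style count that looks only at the rule-triggering event is smaller than the selection of all events the rule marked. The rule name, host names and event kinds are invented for the example.

```python
"""Toy event-chain scanning, added as an example (not Kaspersky code)."""
from dataclasses import dataclass, field


@dataclass
class Event:
    host: str
    kind: str                                  # constructed event type, e.g. "process_start"
    detail: str
    rules: set = field(default_factory=set)    # chain rules that marked this event


@dataclass
class ChainRule:
    name: str
    sequence: tuple                            # ordered event kinds required on one host


def scan_event_chains(events, rules, excluded=frozenset()):
    """Process events in arrival order and return alerts as (rule, host, chain).

    For each (host, rule) pair the partial progress through the sequence is
    kept; events that do not match the next expected step are ignored.  When
    the last step is seen, all events in the chain are marked with the rule
    name and one alert is recorded.  Rules in `excluded` never produce alerts
    (the text allows one exclusion per TAA (IOA) rule).
    """
    alerts = []
    progress = {}  # (host, rule name) -> events matched so far
    for ev in events:
        for rule in rules:
            if rule.name in excluded:
                continue
            key = (ev.host, rule.name)
            matched = progress.get(key, [])
            if ev.kind != rule.sequence[len(matched)]:
                continue
            matched = matched + [ev]
            if len(matched) == len(rule.sequence):
                for e in matched:
                    e.rules.add(rule.name)
                alerts.append((rule.name, ev.host, matched))
                progress[key] = []
            else:
                progress[key] = matched
    return alerts


def widget_counts(alerts):
    """Count as the widget does: only the event that triggered the rule (one per alert)."""
    counts = {}
    for rule, host, _chain in alerts:
        counts[(host, rule)] = counts.get((host, rule), 0) + 1
    return counts


def selection_counts(alerts):
    """Count as the host/rule link selection does: every event marked by the rule."""
    counts = {}
    for rule, host, chain in alerts:
        counts[(host, rule)] = counts.get((host, rule), 0) + len(chain)
    return counts


# Constructed sample stream; host-a completes the chain once, host-b never does.
SAMPLE_EVENTS = [
    Event("host-a", "process_start", "office application"),
    Event("host-a", "process_start", "script interpreter"),
    Event("host-a", "network_connect", "outbound connection"),
    Event("host-b", "process_start", "script interpreter"),
    Event("host-a", "process_start", "script interpreter"),
    Event("host-a", "network_connect", "outbound connection"),
]
EXAMPLE_RULE = ChainRule("example_chain", ("process_start", "process_start", "network_connect"))


def run_example(excluded=frozenset()):
    """Return (widget counts, selection counts) for the constructed sample."""
    alerts = scan_event_chains(SAMPLE_EVENTS, [EXAMPLE_RULE], excluded)
    return widget_counts(alerts), selection_counts(alerts)


if __name__ == "__main__":
    widget, selection = run_example()
    print("widget:", widget)        # one triggering event per alert
    print("selection:", selection)  # all marked events in the chain
```

Running the example shows the discrepancy the text warns about: the widget count for host-a is 1 (the single triggering event), while the selection count is 3 (all events marked as part of the chain). Passing `excluded={"example_chain"}` yields no alerts at all.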
