Viewing and configuring custom rules list

The table of custom rules contains information about custom rules that are used to scan events and create alerts. Custom rules are divided into custom IOA rules and exclusions from Kaspersky rules.

To view custom rules:

In the main menu, go to MONITORING & REPORTING → CUSTOM RULES.
The custom rule section is divided into two tabs.
Go to the Custom IOA rules or Exclusions from Kaspersky rules tab.

The list of custom rules is displayed.

Table columns

The custom rules table has the following columns:

Name
The name of the rule that you specify when creating the rule. This is a mandatory field. The name appears in event details. You can use the name in queries for threat hunting.
State
Use of the rule in events database scans:
- Enabled (the rule is used).
- Disabled (the rule is not used).
Severity
An estimate of the probable impact of the event on assets of the organization as specified by the user when creating the rule:
- Low
- Medium
- High
Confidence
The level of confidence depending on the likelihood of false alarms as defined by the user when creating the rule:
- Low
- Medium
- High
Action
The action that is applied to the event which triggered the rule:
- Mark event and create alert
- Only mark event
Description
Any details related to the rule as specified when creating the rule.
Recommendations
Recommended actions as specified when creating the rule.
Possible false positives
Description of possible false positives as specified when creating the rule.

Sorting the values

To sort values in a custom rules table:

In the main menu, go to MONITORING & REPORTING → CUSTOM RULES.
The custom rule section is divided into two tabs.
Go to the Custom IOA rules or Exclusions from Kaspersky rules tab.
Click the name of a column, and then choose descending or ascending order.

The values are sorted. The arrow next to the column name shows the sort direction. The sorting parameters are saved for further use.

Page top