Creating a Network Anomaly Detection rule

You are advised to use the appropriate built-in templates for the Network Anomaly Detection rules that you create. The templates contain configured settings (including ready-made SQL queries) for detecting typical anomalies. In most cases, after selecting a built-in template, you only need to fine-tune a few values of the created rule. For example, you may only need to adjust the SQL query variables to change threshold values or to reference dictionaries you have created.

To create a Network Anomaly Detection rule:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using an Administrator or Security Officer account.
  2. In the Detection rules → Network Anomaly Detection section, open the details area by clicking Add rule.
  3. In the Template drop-down list, select the required template for the created rule.

    The values of rule settings will be defined according to the selected template.

    If you leave the User-defined template selected, you will need to configure the rule settings entirely manually (including writing the SQL query text to search for protocol attributes in the database).

  4. Enter the rule name and description.
  5. Use the Search depth parameter to specify the duration of the time interval for searching for network anomalies among the protocol attributes received in the database. You can specify the time interval in seconds, minutes, hours, or days.
  6. To run the rule according to a schedule, enable the Run job according to schedule option and configure the schedule settings:
    1. In the Frequency drop-down list, select how often to run the job: Every second, Every minute, Hourly, Daily, Weekly, Monthly.
    2. Depending on the selected option, specify the values for the settings to define the precise job start time.
  7. If you need to change the time period after which Kaspersky Industrial CyberSecurity for Networks will re-register a rule triggering event, turn on the Change the default value toggle switch and specify the necessary event regeneration period.
  8. In the Main event registration settings block, check the settings for registering an event when the rule is triggered, and configure the settings if necessary. The settings are locked and cannot be edited if a built-in template is selected for the rule. In this case, to change the values of these settings, you must first click the Unlock all template values button above the field containing the selected template.

    After clicking the Unlock all template values button, the link between the created rule and the selected built-in template is broken. The User-defined template is specified instead of the previously selected template for the rule.

    In the Main event registration settings block, you can specify values for the following settings of the event that the application will register when the rule is triggered:

    • Event title and description.

      When you enter a title or description for an event, tooltips or selectable General variables automatically appear next to the cursor.

    • Event score value.
  9. Click the SQL-specific query tab.

    The contents of the tab depend on the template that was selected at step 3:

    • If a built-in template was selected, the SQL-specific query tab contains the text of the SQL query loaded from this template. The variables specified in the SQL query are listed in the Utilized variables block.
    • If the User-defined template was selected, the tab contains no data. In this case, manually generate the text of the SQL query (see step 12).
  10. If the SQL-specific query tab contains the SQL query text, test how this query works with the database. To do so, click the Perform button.

    The Verify completion of SQL query window appears and shows a table containing the results of the SQL query verification. To control the display of the window, use the buttons in the upper-right corner.

  11. If necessary, fine-tune the SQL query by changing the values of the variables used in it. The variables are displayed in the Utilized variables settings block. You can define the values of variables explicitly or by using previously added dictionaries. To substitute the value of a variable from a dictionary, click the list icon opposite the variable and select the required dictionary.

    You can use dictionaries for variables with the "date", "time", "IP", "port", "string", or "weekday" data types. Dictionaries are not supported for variables with the "int" data type.

  12. In the SQL-specific query field, check the text of the SQL query and generate any necessary text. The text of the SQL query is locked and cannot be edited if a built-in template is selected for the rule. In this case, to change the text, you must first click the Unlock all template values button above the field containing the selected template.

    After clicking the Unlock all template values button, the link between the created rule and the selected built-in template is broken. The User-defined template is specified instead of the previously selected template for the rule.

    After generating the text of the SQL query, perform steps 10–11 again.

  13. Click Save.
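The following is an added example of the kind of SQL query a User-defined template requires; it is not a query from the product or from this documentation. Everything in it is an assumption: the table and column names (protocol_attributes, received_at, src_ip, dst_port), the PostgreSQL-style interval arithmetic, and the :name placeholder syntax for variables, none of which are described on this page. What it illustrates is how the concepts in the procedure fit together: the search depth bounds the time window, an "int" variable carries the threshold and must be set explicitly (dictionaries are not supported for "int"), and a "port" variable can take its values from a dictionary.

```sql
-- Added example; not from the Kaspersky Industrial CyberSecurity for Networks documentation.
-- ASSUMED schema: protocol_attributes(received_at TIMESTAMP, src_ip INET, dst_ip INET, dst_port INT, protocol TEXT)
-- ASSUMED variable syntax: :search_depth_seconds (int), :session_threshold (int), :allowed_dst_ports (port)
-- Detection idea: report each source host that opened more sessions than the threshold
-- to destination ports outside an allow-list, within the search depth window.
SELECT src_ip,
       COUNT(*) AS unexpected_sessions
FROM protocol_attributes
WHERE received_at >= NOW() - INTERVAL '1 second' * :search_depth_seconds   -- search depth window
  AND dst_port NOT IN (:allowed_dst_ports)       -- "port" variable; value list can come from a dictionary
GROUP BY src_ip
HAVING COUNT(*) > :session_threshold;             -- "int" variable; must be set explicitly, no dictionary
```

When adapting a query like this to a real rule, keep the threshold and the allow-list as variables rather than literals so they can be tuned at step 11 without unlocking the template, and verify the query at step 10 before saving so that a column name or type mismatch is caught in the Verify completion of SQL query window rather than at scheduled run time.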