Changing a Network Anomaly Detection rule

You can fine-tune existing Network Anomaly Detection rules by changing their settings. For example, you can change the threshold values held in the SQL query variables or assign different dictionaries to them. If a rule is still linked to a built-in template (in other words, a User-defined template is not specified), the event registration settings and the SQL query text are locked and cannot be edited in this rule. If you need the rule to use different event registration settings or a different SQL query, disable the current rule and create a new rule with the necessary settings.

Users with the Administrator or Security Officer role can change the Network Anomaly Detection rules.

To change the settings of a network anomaly detection rule:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using an Administrator or Security Officer account.
  2. Under Detection rules → Network Anomaly Detection, select the rule that you want to edit.

    The details area appears in the right part of the web interface window.

  3. Click Edit.
  4. Enter the rule name and description.
  5. Use the Search depth parameter to specify the duration of the time interval for searching for network anomalies among the protocol attributes received in the database. You can specify the time interval in seconds, minutes, hours, or days.
  6. To run the rule according to a schedule, enable the Run job according to schedule option and configure the schedule settings:
    1. In the Frequency drop-down list, select how often to run the job: Every second, Every minute, Hourly, Daily, Weekly, Monthly.
    2. Depending on the selected option, specify the values for the settings to define the precise job start time.
  7. If you need to change the time period after which Kaspersky Industrial CyberSecurity for Networks will re-register a rule triggering event, turn on the Change the default value toggle switch and specify the necessary event regeneration period.
  8. In the Main event registration settings block, check the settings for registering an event when the rule is triggered, and configure them if necessary. The settings are locked and cannot be edited if a built-in template is selected for the rule.

    If the settings can be edited, you can specify values for the following settings of the event that the application will register when the rule is triggered:

    • Event title and description.

      When you enter a title or description for an event, tooltips or selectable General variables automatically appear next to the cursor.

    • Event score value.
  9. Click the SQL-specific query tab.
  10. If necessary, test how the SQL query works with the database. To do so, click the Perform button.

    The Verify completion of SQL query window appears and shows a table containing the results of the SQL query verification. To control the display of the window, use the buttons in the upper-right corner.

  11. If necessary, fine-tune the SQL query by changing the values of the variables used in it. The variables are displayed in the Utilized variables settings block. You can define the value of a variable explicitly or take it from a previously added dictionary. To substitute the value of a variable from a dictionary, click the List icon opposite the variable and select the required dictionary.

    You can use dictionaries for variables with the "date", "time", "IP", "port", "string", or "weekday" data types. Dictionaries are not supported for variables with the "int" data type; the value of such a variable (for example, a numeric threshold) must be specified explicitly.

  12. In the SQL-specific query field, check the text of the SQL query and make any necessary changes. The text of the SQL query is locked and cannot be edited if a built-in template is selected for the rule.

    After changing the text of the SQL query, repeat steps 10 and 11 so that the edited query is verified against the database and its variables are assigned values.

  13. Click Save.
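The following query illustrates what a rule with a User-defined template and variable-driven thresholds looks like once steps 10 through 12 are applied. It is an added example written for this page, not a query shipped with Kaspersky Industrial CyberSecurity for Networks: the table and column names (protocol_attributes, ts, src_ip, dst_ip, dst_port, protocol), the {{name}} placeholder syntax for variables, and the PostgreSQL-style interval and inet operators are all assumptions made for illustration and will not match the product's actual schema or variable syntax.

```sql
-- Added illustrative example; not the product's own query or schema.
-- Assumed (hypothetical) table: protocol_attributes(ts, src_ip, dst_ip, dst_port, protocol)
-- Assumed (hypothetical) variable syntax: {{name}} is replaced with the value set in the
-- Utilized variables block, either typed in explicitly or taken from a dictionary.
--
-- Purpose: report source hosts that contacted more than {{max_ports}} distinct TCP ports
-- inside the protected subnet during the search-depth window, ignoring ports that are
-- expected (a "port" dictionary). A host scanning the OT segment stands out this way.
SELECT
    src_ip,
    COUNT(DISTINCT dst_port) AS distinct_ports,
    MIN(ts)                  AS first_seen,
    MAX(ts)                  AS last_seen
FROM protocol_attributes
WHERE protocol = 'TCP'
  -- {{search_depth_minutes}} is an "int" variable, so it must be set explicitly (no dictionary).
  AND ts >= NOW() - INTERVAL '{{search_depth_minutes}} minutes'
  -- {{protected_subnet}} is an "IP" variable; a dictionary of subnets can supply it.
  AND dst_ip <<= '{{protected_subnet}}'
  -- {{allowed_ports}} is a "port" variable expanded from a dictionary into a comma-separated list.
  AND dst_port NOT IN ({{allowed_ports}})
GROUP BY src_ip
-- {{max_ports}} is the threshold the rule operator tunes; "int", so explicit value only.
HAVING COUNT(DISTINCT dst_port) > {{max_ports}}
ORDER BY distinct_ports DESC;
```

When you click Perform (step 10) with a query of this shape, the verification table shows one row per source host that would trigger the rule. If it lists engineering workstations or the monitoring server itself, the threshold {{max_ports}} is too low or {{allowed_ports}} is missing legitimate management ports; adjust the variable values in step 11 rather than editing the query text, so the rule keeps working when the template is updated.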