About custom rules

March 20, 2024

ID 221346

IOA (Indicator of Attack) rules detect suspicious events in the organization's infrastructure and automatically create alerts for them. You can also create new custom rules from a query in the Threat Hunting section.

Kaspersky Endpoint Detection and Response Expert has two types of rules: custom IOA rules and Kaspersky rules. Custom IOA rules are created by specialists in your organization. Kaspersky rules are predefined rules that are uploaded automatically. If you want to exclude an event that triggers a Kaspersky rule from the list of suspicious events, you can add an exclusion to that Kaspersky rule.

The table below shows the differences between custom IOA rules and Kaspersky IOA rules.

Comparison table of custom rules and Kaspersky rules

| Feature | Custom IOA rules | Kaspersky IOA rules |
|---|---|---|
| Recommendations on responding to the event | No. | Yes (you can view recommendations in alert details). |
| Correspondence to techniques in the MITRE ATT&CK database | No. | Yes (you can view the description of the technique according to the MITRE database in alert details). |
| Display in the custom rules list | Yes. | No. |
| Ability to disable database lookup for this rule | Disabling rules. | Adding rules to exclusions. |
| Ability to delete or add the rule | You can delete or add a rule. | Rules are updated together with application databases, and you cannot delete these rules. |
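The table above distinguishes two ways of stopping a rule from producing alerts: a custom rule can be disabled or deleted, whereas a Kaspersky rule can only be narrowed with exclusions. The following added example (constructed for this page; it is not Kaspersky's code and does not use its rule format) models that difference with a minimal rule evaluator run over a few constructed endpoint events. Rule names, event fields and the sample events are all assumptions. The point it shows is that an exclusion suppresses only the events it matches, so the vendor rule keeps firing on everything else, while disabling a custom rule silences it entirely.

```python
"""Minimal IOA-style rule evaluator (constructed example, not Kaspersky's code).

Custom rules can be disabled or deleted; vendor rules cannot be deleted and,
following the comparison table, are tuned by adding exclusions instead.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Predicate = Callable[[Event], bool]


@dataclass
class IoaRule:
    name: str
    vendor: bool                    # True: vendor-supplied, cannot be deleted
    match: Predicate                # condition that marks an event suspicious
    enabled: bool = True
    exclusions: List[Predicate] = field(default_factory=list)

    def fires_on(self, event: Event) -> bool:
        """True if the rule matches and no exclusion covers the event."""
        if not self.enabled or not self.match(event):
            return False
        return not any(excl(event) for excl in self.exclusions)


class RuleSet:
    def __init__(self) -> None:
        self.rules: Dict[str, IoaRule] = {}

    def add(self, rule: IoaRule) -> None:
        self.rules[rule.name] = rule

    def delete(self, name: str) -> None:
        # Vendor rules ship with the databases; deleting them is refused.
        if self.rules[name].vendor:
            raise PermissionError(f"{name} is a vendor rule; add an exclusion instead")
        del self.rules[name]

    def disable(self, name: str) -> None:
        # Assumption taken from the table: disabling applies to custom rules only.
        if self.rules[name].vendor:
            raise PermissionError(f"{name} is a vendor rule; add an exclusion instead")
        self.rules[name].enabled = False

    def add_exclusion(self, name: str, excl: Predicate) -> None:
        self.rules[name].exclusions.append(excl)

    def alerts(self, events: List[Event]) -> List[Tuple[str, str]]:
        """Return (rule name, host) for every event that triggers a rule."""
        return [(r.name, e["host"])
                for e in events
                for r in self.rules.values()
                if r.fires_on(e)]


# Constructed sample events (hypothetical hosts, users and paths).
EVENTS: List[Event] = [
    {"host": "ws-01", "user": "alice", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand SQBFAFgA"},
    {"host": "ws-02", "user": "svc_backup", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand SQBFAFgA"},
    {"host": "ws-03", "user": "bob", "image": "C:\\Temp\\updater.exe",
     "cmdline": "updater.exe /silent"},
    {"host": "ws-04", "user": "carol", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def build_ruleset() -> RuleSet:
    rs = RuleSet()
    # Hypothetical vendor rule: PowerShell launched with an encoded command.
    rs.add(IoaRule("KL_encoded_powershell", vendor=True,
                   match=lambda e: "-encodedcommand" in e["cmdline"].lower()))
    # Hypothetical custom rule written by the organization: execution from C:\Temp.
    rs.add(IoaRule("custom_exec_from_temp", vendor=False,
                   match=lambda e: e["image"].lower().startswith("c:\\temp\\")))
    return rs


def scenario() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]], bool]:
    """Alerts before tuning, alerts after tuning, and whether a vendor rule could be deleted."""
    rs = build_ruleset()
    before = rs.alerts(EVENTS)
    # Tune: exclude the approved automation account from the vendor rule,
    # and disable the custom rule outright.
    rs.add_exclusion("KL_encoded_powershell", lambda e: e["user"] == "svc_backup")
    rs.disable("custom_exec_from_temp")
    after = rs.alerts(EVENTS)
    try:
        rs.delete("KL_encoded_powershell")
        deleted_vendor = True
    except PermissionError:
        deleted_vendor = False
    return before, after, deleted_vendor


if __name__ == "__main__":
    for label, result in zip(("before", "after", "vendor deleted"), scenario()):
        print(f"{label}: {result}")
```

Running the script shows three alerts before tuning and one afterwards: the exclusion removes only the `svc_backup` event from the vendor rule, the disabled custom rule produces nothing, and the attempt to delete the vendor rule is refused.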
