Changing the state of a collection of Sigma rules

By default, a collection of Sigma rules is enabled after it is added — the toggle button to the left of the collection name is in the Enabled position. You can change the state of a collection of Sigma rules.

To change the state of a collection of Sigma rules:

  1. In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
  2. Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.

    The policy properties window opens.

  3. Select the Application settings tab.
  4. In the Anomaly Detection using Sigma rules section, change the position of the toggle button to the left of the name of the collection of Sigma rules whose state you want to change:
    • Enabled — the collection is enabled and is used for detecting anomalies.
    • Disabled — the collection is disabled and is not used for anomaly detection.
  5. Click Save.

Kaspersky Industrial CyberSecurity for Nodes searches for anomalies using the collections of Sigma rules that are enabled.
