Configuring Anomaly Detection using Sigma rules in the command line

To configure anomaly detection using Sigma rules through the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the kavshell.exe file is located.

    For example, enter the command cd C:\Program Files (x86)\Kaspersky Lab\Kaspersky Industrial CyberSecurity for Nodes.4.5.0 and press ENTER.

  3. Enter the following command:

    kavshell.exe sigma /<enable|disable|add|remove|show> [/collection:<rat|deltav|uac|siemens|yokogawa|custom>] [/name:<collection name>] [/source:<full path to the folder with the YAML files>] [/login:<name of the current user account>] [/pwd:<login password, or KLAdmin password if /login is not specified>]

  4. Press the ENTER key.

    Command parameters for managing Anomaly Detection using Sigma rules (each parameter is followed by its description):

    sigma /<enable|disable|add|remove|show>

    Required argument.

    Specifies one of the following actions:

    • enable – enable Anomaly Detection using Sigma rules
    • disable – disable Anomaly Detection using Sigma rules
    • add – add a collection of Sigma rules
    • remove – remove a collection of Sigma rules
    • show – display the current settings of Anomaly Detection using Sigma rules

    /collection:<rat|deltav|uac|siemens|yokogawa|custom>

    This parameter is required if sigma /<add|remove> is specified.

    Specifies the type of Sigma rule collection to add or remove:

    • rat – collection of rules for detecting administration tools (Remote Administration Tool, RAT)
    • deltaV – collection of rules for analyzing DeltaV logs
    • uac – collection of rules for analyzing user activity logs (User Account Control, UAC)
    • siemens – collection of rules for analyzing the logs of Siemens SCADA systems
    • yokogawa – collection of rules for analyzing the logs of Yokogawa SCADA systems
    • custom – collection of custom rules

    You can also specify test; in this case a single rule intended for internal testing at AO Kaspersky Lab is added or removed.

    /name:<collection name>

    This parameter is required if sigma /<add|remove> and /collection:custom are specified.

    Specifies the name of a collection of custom Sigma rules.

    /source:<full path to the folder with the YAML files>

    This parameter is required if sigma /add and /collection:custom are specified.

    Specifies the full path to the folder with the YAML files that describe the custom Sigma rules.
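    The following PowerShell script is an added example and is not part of the Kaspersky documentation or product. It wraps steps 1 to 4 above for the most involved case, adding a custom collection: it confirms the session is elevated, checks that the source folder contains YAML files whose top-level keys look like Sigma rules (title, logsource, detection with a condition) before handing them to the product, and then runs kavshell.exe sigma /add followed by sigma /show. The installation folder is the one named in step 2; the collection name MyCustomRules, the folder C:\SigmaRules\MyCustomRules and the assumption that a non-zero exit code from kavshell.exe signals failure are placeholders and assumptions, not values taken from the product.

```powershell
# Added example (not from the Kaspersky documentation or product).
# Registers a folder of Sigma YAML files as a custom collection with kavshell.exe.
# Assumptions / placeholders, adjust to your installation:
#   - kavshell.exe lives in the folder named in step 2 of the procedure
#   - the rule files are in C:\SigmaRules\MyCustomRules (constructed path)
#   - a non-zero exit code from kavshell.exe means failure (assumed, not documented here)
param(
    [string]$KavshellDir    = 'C:\Program Files (x86)\Kaspersky Lab\Kaspersky Industrial CyberSecurity for Nodes.4.5.0',
    [string]$CollectionName = 'MyCustomRules',
    [string]$SourceDir      = 'C:\SigmaRules\MyCustomRules'
)

$ErrorActionPreference = 'Stop'

# Step 1 requires local administrator permissions: stop early if the session is not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) PowerShell session.'
}

# Step 2: locate kavshell.exe instead of relying on the current directory.
$kavshell = Join-Path $KavshellDir 'kavshell.exe'
if (-not (Test-Path -LiteralPath $kavshell)) { throw "kavshell.exe not found at $kavshell" }
if (-not (Test-Path -LiteralPath $SourceDir -PathType Container)) { throw "Rule folder not found: $SourceDir" }

# Sanity-check the rule files before deploying them. A Sigma rule carries the top-level
# keys 'title', 'logsource' and 'detection', and 'detection' holds a 'condition'.
# This is a lightweight line-based check, not a full YAML parse.
$ruleFiles = @(Get-ChildItem -LiteralPath $SourceDir -File | Where-Object { $_.Extension -in '.yml', '.yaml' })
if ($ruleFiles.Count -eq 0) { throw "No .yml/.yaml files found in $SourceDir" }

$requiredKeys = 'title', 'logsource', 'detection'
foreach ($file in $ruleFiles) {
    $text = Get-Content -LiteralPath $file.FullName -Raw
    foreach ($key in $requiredKeys) {
        if ($text -notmatch "(?m)^$key\s*:") {
            throw "$($file.Name): missing required Sigma key '$key'"
        }
    }
    # 'condition' is nested under 'detection', so it appears indented.
    if ($text -notmatch '(?m)^\s+condition\s*:') {
        throw "$($file.Name): 'detection' block has no 'condition'"
    }
}
Write-Host "Validated $($ruleFiles.Count) rule file(s) in $SourceDir"

# Steps 3 and 4: because /login is omitted, /pwd carries the KLAdmin password (see the
# parameter description above). It is prompted for at run time rather than stored in the script.
$secure     = Read-Host -Prompt 'KLAdmin password' -AsSecureString
$klPassword = [System.Net.NetworkCredential]::new('', $secure).Password

# PowerShell quotes native-command arguments that contain spaces, so the path is passed intact.
& $kavshell sigma /add /collection:custom "/name:$CollectionName" "/source:$SourceDir" "/pwd:$klPassword"
if ($LASTEXITCODE -ne 0) { throw "kavshell.exe sigma /add failed with exit code $LASTEXITCODE" }

# Display the resulting Anomaly Detection settings so the new collection can be confirmed.
& $kavshell sigma /show "/pwd:$klPassword"
if ($LASTEXITCODE -ne 0) { throw "kavshell.exe sigma /show failed with exit code $LASTEXITCODE" }
```

    Run the script from an elevated PowerShell window, optionally overriding the three parameters on the command line. The rule-file check only catches files that are obviously not Sigma rules (wrong extension, missing keys); it does not guarantee that kavshell.exe will accept every rule, and the product's own output from sigma /show is the authoritative view of what was loaded.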
