About custom rule details

Support

Support for business applications

Kaspersky Endpoint Detection and Response Expert

Custom rules

March 20, 2024

ID 228437

Custom rules details contain information about a custom rule.

Custom IOA rule details

Custom IOA rule details contain the following fields:

Name
The name of the rule that you specify when creating the rule. This is a mandatory field. The name appears in event details. You can use the name in queries for threat hunting.
State
Use of the rule in events database scans:
- Enabled (the rule is used).
- Disabled (the rule is not used).
Severity
An estimate of the probable impact of the event on assets of the organization as specified by the user when creating the rule:
- Low
- Medium
- High
Confidence
The level of confidence depending on the likelihood of false alarms as defined by the user when creating the rule:
- Low
- Medium
- High
Action
The action that is applied to the event which triggered the rule:
- Mark event and create alert
- Only mark event
Description
Any details related to the rule as specified when creating the rule.
Recommendations
Recommended actions as specified when creating the rule.
Possible false positives
Description of possible false positives as specified when creating the rule.
Query
Displays the query that is used in the rule. This is a mandatory field. You can click the Edit query button to change the search conditions. The query opens in the Threat hunting section.

Actions available in custom IOA rule details:

Find events. Click the link to display the telemetry events table in the Threat hunting section. The table is filtered by the rule name.
Go to Alerts marked by the rule. Click the link to view alerts generated by the IOA rule triggering. The list of alerts is in the Alerts section.
Go to incidents marked by the rule. Click the link to view incidents generated by the IOA rule triggering. The list of incidents opens in the Incidents section.
Editing details of the rule.

Exclusions from Kaspersky rules

An exclusion from Kaspersky contains the following fields:

Name
The name of the exclusion that you specify when adding the rule. This is a mandatory field.
Use
Use of the rule in events database scans:
- Always. The Kaspersky rule is used in events database scans.
- With exclusions. The Kaspersky rule is used with exclusions in events database scans. Choosing this value opens a field for entering a condition or editing it.
- Never. The Kaspersky rule is not used in events database scans.
By default, the Always value is set. If you change the value in the field, an exclusion from Kaspersky rule is created.
Severity
An estimate of the probable impact of the event on assets of the organization as specified by the user when the exclusion was added:
- Low.
- Medium.
- High.
Confidence
The level of confidence depending on the likelihood of false alarms as defined by the exclusion when the rule was added:
- Low.
- Medium.
- High.
Action
The action that is applied to the event which triggered the rule:
- Mark event and create alert.
- Only mark event.
By default, the Mark event and create alert value is set. If you change the value in the field, an exclusion from Kaspersky rule is created.
Description
Detailed description of the rules specified by the user when the rule was added.
Recommendations
Recommended actions as specified by the user when the rule was added.
Possible false positives
Description of possible false positives as specified by the user when the rule was added.

Actions available in exclusion details:

Find events. Click the link to display the telemetry events table in the Threat hunting section. The table is filtered by rule name.
Go to Alerts marked by the rule. Click the link to view alerts generated by the IOA rule triggering. The list of alerts opens in the Alerts section.
Go to incidents marked by the rule. Click the link to view incidents generated by the IOA rule triggering. The list of incidents opens in the Incidents section.
Editing details of the rule.