Adding a TAA (IOA) rule to exclusions

You can add to exclusions only TAA (IOA) rules made by Kaspersky. If you do not want to apply a custom TAA (IOA) rule for scanning events, you can disable that rule or delete it.

To add a TAA (IOA) rule to exclusions from the Alerts section:

Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
Click the link in the Technologies column to open the filter configuration window.
In the drop-down list on the left, select Contain.
In the drop-down list on the right, select the (TAA) Targeted Attack Analyzer technology.
Click Apply.
The table displays alerts generated by the TAA technology based on TAA (IOA) rules.
Select an alert for which the Detected column displays the name of the relevant rule.
This opens a window containing information about the alert.
Under Scan results, click the link with the name of the rule to open the rule information window.
To the right of the TAA exclusions setting name, click Add to exclusions.
This opens a window that allows you to add the TAA (IOA) rule to exclusions.
In the Exclude rule field, select the exclusion operating mode:
- Always if you do not want the application to create alerts for events that match the selected TAA (IOA) rule.
- Based on conditions if you do not want the application to create events only for events that match specified conditions. Alerts are created for events that match the TAA (IOA) rule with the configured exclusion conditions taken into account.
  If you selected Based on conditions:
  1. Click Configure additional conditions to open the event search form.
  2. If you are using the distributed solution and multitenancy mode and want to enable the display of events for all tenants, turn on the Search in all tenants toggle switch.
    Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.
    
    Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).
  3. Perform an event search in design mode.
    A table is displayed of events that match the TAA (IOA) rule given the specified exclusion criteria.
    
    If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.
  4. Click the name of the server for which you want to view events.
    The host table of the selected server is displayed. Event grouping levels are displayed above the table.
    
    If necessary, you can change event search conditions.
  5. Click Add exclusion.
If you are using the distributed solution and multitenancy mode, in the Apply to servers* field, select check boxes for tenants and servers to which the rule must be applied.
Click Add.

The TAA (IOA) rule is added to exclusions and is displayed in the exclusion list in the Settings section, Exclusions subsection on the TAA exclusions tab in the application web interface. This rule is no longer used for creating alerts.

To add a TAA (IOA) rule to exclusions from the Threat Hunting section:

Select the Threat Hunting section in the application web interface window.
This opens the event search form.
Define the search conditions and click the Search button. For example, you can select event search criteria in the TAA properties group in design mode.
The table of events that satisfy the search criteria is displayed.
Select an event.
To the right of the IOA tags setting, click the name of the rule.
This opens a window containing information about the rule.
To the right of the TAA exclusions setting name, click Add to exclusions.
This opens a window that allows you to add the TAA (IOA) rule to exclusions.
In the Exclude rule field, select the exclusion operating mode:
- Always if you do not want the application to create alerts for events that match the selected TAA (IOA) rule.
- Based on conditions if you do not want the application to create events only for events that match specified conditions. Alerts are created for events that match the TAA (IOA) rule with the configured exclusion conditions taken into account.
  If you selected Based on conditions:
  1. Click Configure additional conditions to open the event search form.
  2. If you are using the distributed solution and multitenancy mode and want to enable the display of events for all tenants, turn on the Search in all tenants toggle switch.
  3. Perform an event search in design mode.
    A table is displayed of events that match the TAA (IOA) rule given the specified exclusion criteria.
    
    If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.
  4. Click the name of the server for which you want to view events.
    The host table of the selected server is displayed. Event grouping levels are displayed above the table.
    
    If necessary, you can change event search conditions.
  5. Click Add exclusion.
Click Add.

When creating a search query to be saved as an exclusion criterion, avoid using the following fields:

IOAId.
IOATag.
IOATechnique.
IOATactics.
IOAImportance.
IOAConfidence.

These fields are only displayed after Kaspersky Anti Targeted Attack Platform marks events as matching TAA (IOA) rules.

Users with the Security auditor and Security officer roles cannot add TAA (IOA) rules to exclusions.