Kaspersky Endpoint Detection and Response Expert
Creating IOA rules from queries
You can create IOA (indicator of attack) rules from queries you have built in the Threat hunting section, so that a search condition you found useful during a hunt is applied automatically to the events database.
To create an IOA rule:
- In the main menu, go to MONITORING & REPORTING → THREAT HUNTING.
- Enter a query in the query search box.
- Click the Create IOA rule button under the search box.
The New rule window opens.
- Specify the following details:
- Name
The name of the rule that you specify when creating the rule. This is a mandatory field. The name appears in event details. You can use the name in queries for threat hunting.
- State
Whether the rule is applied in events database scans:
- Enabled (the rule is used).
- Disabled (the rule is not used).
- Severity
The estimated impact of a matching event on the organization's assets, as set by the user when creating the rule:
- Low
- Medium
- High
- Confidence
The confidence level, reflecting how likely the rule is to produce false alarms, as set by the user when creating the rule:
- Low
- Medium
- High
- Action
The action that is applied to an event that triggers the rule:
- Mark event and create alert
- Only mark event
- Description
Any details related to the rule as specified when creating the rule.
- Recommendations
Recommended actions as specified when creating the rule.
- Possible false positives
Description of possible false positives as specified when creating the rule.
- Query
Displays the query that is used in the rule. This is a mandatory field. You can click the Edit query button to change the search conditions. The query opens in the Threat hunting section.
- Click the Create button.
An IOA rule with the specified search conditions is created. You can review your IOA rules in the Custom rules section. If an event triggers an IOA rule, the rule name is displayed in the event details.
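The following is an added illustration, not Kaspersky's code, of how the State and Action settings above affect an events database scan: a disabled rule is skipped, any enabled rule whose query matches has its name attached to the event (the name shown in event details), and an alert is raised only when the action is "Mark event and create alert". The threat-hunting query syntax is not shown on this page, so the query is modelled as a plain Python predicate over an event dictionary; the event fields, the alert shape and the sample events are all constructed assumptions.

```python
"""Model of custom IOA rule evaluation (added example, not Kaspersky's code).

Assumptions: an event is a dict with an 'id' and a few fields; a rule's
query is a Python predicate standing in for the threat-hunting query."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
LEVELS = {"Low", "Medium", "High"}
ACTIONS = {"Mark event and create alert", "Only mark event"}


@dataclass
class IoaRule:
    name: str                                    # mandatory; shown in event details
    query: Callable[[Event], bool]               # mandatory; stands in for the query
    state: str = "Enabled"                       # "Enabled" or "Disabled"
    severity: str = "Medium"                     # Low / Medium / High
    confidence: str = "Medium"                   # Low / Medium / High
    action: str = "Mark event and create alert"  # or "Only mark event"
    description: str = ""
    recommendations: str = ""
    possible_false_positives: str = ""


def validate(rule: IoaRule) -> None:
    """Mirror the mandatory fields and fixed value sets of the New rule window."""
    if not rule.name:
        raise ValueError("Name is a mandatory field")
    if not callable(rule.query):
        raise ValueError("Query is a mandatory field")
    if rule.state not in {"Enabled", "Disabled"}:
        raise ValueError("State must be Enabled or Disabled")
    if rule.severity not in LEVELS or rule.confidence not in LEVELS:
        raise ValueError("Severity and Confidence must be Low, Medium or High")
    if rule.action not in ACTIONS:
        raise ValueError(f"unknown action {rule.action!r}")


def scan(events: List[Event], rules: List[IoaRule]) -> Tuple[List[Event], List[Dict]]:
    """Apply every enabled rule to every event.

    Each event gains a 'triggered_rules' list holding the names of the rules
    it matched; an alert is created only for the
    'Mark event and create alert' action. Returns (events, alerts)."""
    for rule in rules:
        validate(rule)
    alerts: List[Dict] = []
    for ev in events:
        ev["triggered_rules"] = []
        for rule in rules:
            if rule.state != "Enabled":        # Disabled: rule is not used
                continue
            if not rule.query(ev):
                continue
            ev["triggered_rules"].append(rule.name)   # "Only mark event" stops here
            if rule.action == "Mark event and create alert":
                alerts.append({"rule": rule.name, "severity": rule.severity,
                               "confidence": rule.confidence, "event_id": ev["id"]})
    return events, alerts


def sample_events() -> List[Event]:
    """Constructed sample events (not real telemetry)."""
    return [
        {"id": 1, "type": "process_start", "image": "powershell.exe",
         "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
        {"id": 2, "type": "process_start", "image": "whoami.exe",
         "cmdline": "whoami /all"},
        {"id": 3, "type": "file_create", "path": "C:\\Users\\user\\notes.txt"},
    ]


def sample_rules() -> List[IoaRule]:
    """Three constructed rules covering both actions and the Disabled state."""
    return [
        IoaRule("Encoded PowerShell command line",
                lambda e: e.get("type") == "process_start"
                and " -enc " in f" {str(e.get('cmdline', '')).lower()} ",
                severity="High", confidence="Medium"),
        IoaRule("Recon: whoami",
                lambda e: e.get("image") == "whoami.exe",
                severity="Low", confidence="Low", action="Only mark event"),
        IoaRule("Disabled catch-all", lambda e: True, state="Disabled"),
    ]


def demo() -> Tuple[List[Event], List[Dict]]:
    return scan(sample_events(), sample_rules())


if __name__ == "__main__":
    evs, als = demo()
    for ev in evs:
        print(ev["id"], ev["triggered_rules"])
    print("alerts:", als)
```

Running the module lists, per event, the rule names that would appear in its details: event 1 is marked and also produces an alert, event 2 is only marked, and event 3 matches nothing because the catch-all rule is disabled.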