Kaspersky Endpoint Detection and Response Expert

Creating exclusions from Kaspersky IOA rules

Expand all | Collapse all

You can create exclusions from rules made by Kaspersky from alert details and event details. If you do not want to use a created exclusion for scanning events, you can delete it.

To create an exclusion from alert details:

1. Do one of the following:
   • In the main menu, go to MONITORING & REPORTING → Alerts, and then open the details of the alert that is triggered by the Kaspersky IOA rule.
   • In the main menu, go to MONITORING & REPORTING → Threat hunting, and then open the details of the event that is triggered by the Kaspersky IOA rule.
2. Make the necessary changes in the following fields:
   • Use

     Use of the rule in events database scans:

     • Always. The Kaspersky rule is used in events database scans.
     • With exclusions. The Kaspersky rule is used with exclusions in events database scans. Choosing this value opens a field for entering a condition or editing it.
     • Never. The Kaspersky rule is not used in events database scans.

     By default, the Always value is set. If you change the value in the field, an exclusion from Kaspersky rule is created.

   • Action

     The action that is applied to the event which triggered the rule:

     • Mark event and create alert.
     • Only mark event.

     By default, the Mark event and create alert value is set. If you change the value in the field, an exclusion from Kaspersky rule is created.

3. Click the Save button.

The exclusion is created. You can view and manage exclusions in the Custom rules section.