The name of the rule, as specified when the rule was created. This is a mandatory field. The name appears in event details, and you can use it as a search condition in threat hunting queries.
Displays the query that is used in the rule. This is a mandatory field. Click the Edit query button to change the search conditions; the query opens for editing in the Threat hunting section.
Actions available in custom IOA rule details:
Find events. Click the link to display the telemetry events table in the Threat hunting section. The table is filtered by the rule name.
Go to Alerts marked by the rule. Click the link to view alerts generated by the IOA rule triggering. The list of alerts is in the Alerts section.
Go to incidents marked by the rule. Click the link to view incidents generated by the IOA rule triggering. The list of incidents opens in the Incidents section.
Editing details of the rule.
Exclusions from Kaspersky rules
An exclusion from a Kaspersky rule contains the following fields:
Always. The Kaspersky rule is applied in events database scans without restrictions.
With exclusions. The Kaspersky rule is applied in events database scans, except for events that match the exclusion condition. Choosing this value opens a field for entering or editing the condition.
Never. The Kaspersky rule is not applied in events database scans at all.
By default, the Always value is set. If you change the value in this field, an exclusion from the Kaspersky rule is created. To suppress a known false positive, prefer With exclusions with a condition that is as narrow as possible: a rule set to Never produces no alerts for any event, not only for the false positives.
Description of possible false positives as specified by the user when the rule was added.
Actions available in exclusion details:
Find events. Click the link to display the telemetry events table in the Threat hunting section. The table is filtered by rule name.
Go to Alerts marked by the rule. Click the link to view alerts generated by the IOA rule triggering. The list of alerts opens in the Alerts section.
Go to incidents marked by the rule. Click the link to view incidents generated by the IOA rule triggering. The list of incidents opens in the Incidents section.