Kaspersky Anti Targeted Attack Platform

Managing user-defined rules

You can extend protection of the company's IT infrastructure with user-defined TAA, IDS, IOC, and YARA rules.

Users with the Senior security officer role can work with custom TAA, IDS, IOC, and YARA rules: upload and delete rule files, view lists of rules, and edit selected rules.

Users with the Security auditor role can view the lists of custom TAA, IDS, IOC, and YARA rules and properties of selected rules without the possibility of editing.

Users with the Security officer role can view the lists of custom TAA, IOC, and YARA rules and properties of selected rules without the possibility of editing.

In this section

Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting

Managing user-defined IOC rules

Managing user-defined TAA (IOA) rules

Managing user-defined IDS rules

Managing user-defined YARA rules


Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting

Kaspersky Anti Targeted Attack Platform uses two types of indicators for threat hunting: IOC (Indicator of Compromise) and IOA (Indicator of Attack).

An IOC is a set of data about a malicious object or malicious activity. Kaspersky Anti Targeted Attack Platform uses IOC files conforming to the OpenIOC standard, an open standard for describing indicators of compromise. An IOC file contains a set of indicators that are compared with the attributes of an event or object. If they match, the program registers an alert. The likelihood that an alert is raised increases when a scan finds exact matches between an object's data and several IOC files.

An IOA (also referred to as a "TAA (IOA) rule") is a rule describing suspicious activity in the system that could be a sign of a targeted attack. Kaspersky Anti Targeted Attack Platform scans the program's Events database and marks events that match the behavior described by TAA (IOA) rules. TAA (IOA) rules are applied using streaming scan technology: events are checked continuously, in real time, as they are received, rather than on a schedule.

TAA (IOA) rules created by Kaspersky experts are used by the TAA (Targeted Attack Analyzer) technology and are updated alongside the program databases. They are not displayed in the interface of the program and cannot be edited.

You can add user-defined IOC and TAA (IOA) rules using IOC files in the OpenIOC format as well as create TAA (IOA) rules based on event database search conditions.

The following table contains a comparative analysis of indicators of compromise (IOC) and attack (IOA).

Comparison of IOC and IOA indicators

Scan scope
  • IOC in user-defined IOC rules: computers with Kaspersky Endpoint Agent
  • IOA in user-defined TAA (IOA) rules: program events database
  • IOA in TAA (IOA) rules created by Kaspersky experts: program events database

Scanning mechanism
  • IOC in user-defined IOC rules: periodic (scheduled) scan
  • IOA in user-defined TAA (IOA) rules: streaming scan
  • IOA in TAA (IOA) rules created by Kaspersky experts: streaming scan

Can be added to exclusions from scan
  • IOC in user-defined IOC rules: no
  • IOA in user-defined TAA (IOA) rules: not needed; users with the Senior security officer role can edit the text of the indicator in custom TAA (IOA) rules as necessary
  • IOA in TAA (IOA) rules created by Kaspersky experts: yes

If you are using the distributed solution and multitenancy mode, this section displays information for the selected tenant.


Managing user-defined IOC rules

You can use IOC files to search indicators of compromise in the event database and on computers with Kaspersky Endpoint Agent installed. For example, if you have received third-party information about a piece of malware spreading, you can:

  1. Upload an IOC file containing indicators of compromise corresponding to the malware to Kaspersky Anti Targeted Attack Platform.
  2. Find events corresponding to the criteria of the selected IOC file.

    You can view such events, and if you want Kaspersky Anti Targeted Attack Platform to generate alerts for selected events, you can create a TAA (IOA) rule.

  3. Enable automatic use of the selected IOC file to search for indicators of compromise on Kaspersky Endpoint Agent computers.

    If the scan finds indicators of compromise on a computer, Kaspersky Anti Targeted Attack Platform generates an alert.

  4. Configure the schedule for searching for indicators of compromise using IOC files on Kaspersky Endpoint Agent computers.

In distributed solution and multitenancy mode, IOC files can have the following types:

  • Local—IOC files uploaded to an SCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the SCN server.
  • Global—IOC files uploaded to the PCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the PCN server and all SCN servers connected to the PCN server.

The list of supported OpenIOC indicators of compromise is available as a downloadable file.

Users with the Senior security officer role can import and delete IOC files, download them to their computer, enable or disable the search for indicators of compromise using IOC files, and configure the schedule for searching for indicators of compromise on computers with Kaspersky Endpoint Agent installed.

Users with the Security officer and Security auditor roles can view the list of IOC files and information about the selected file, and export IOC files to their computer.

In this section

Viewing the table of IOC files

Viewing information about an IOC file

Uploading an IOC file

Downloading an IOC file to a computer

Enabling and disabling the automatic use of an IOC file when scanning hosts

Deleting an IOC file

Searching for alerts in IOC scan results

Searching for events using an IOC file

Filtering and searching IOC files

Clearing an IOC file filter

Configuring an IOC scan schedule


Viewing the table of IOC files

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

The table of IOC files contains information about IOC files used for scanning on computers with the Kaspersky Endpoint Agent program installed; you can find the table in the Custom rules section, IOC subsection of the program web interface window.

The table of IOC files contains the following information:

  1. Importance—Importance level that will be assigned to an alert generated using this IOC file.

    The importance level can have one of the following values:

    • Low
    • Medium
    • High
  2. Type—Type of IOC file depending on the program operating mode and the server to which the IOC file was uploaded:
    • Local—IOC files uploaded to an SCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the SCN server.
    • Global—IOC files uploaded to the PCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the PCN server and all SCN servers connected to the PCN server.
  3. Name—Name of the IOC file.
  4. Servers—Name of the server with the Central Node component.
  5. Autoscan—The IOC file is used when automatically scanning Kaspersky Endpoint Agent hosts:

    Host scanning using this IOC file can have one of the following statuses:

    • Enabled
    • Disabled


Viewing information about an IOC file

To view IOC file details:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Select the IOC file for which you want to view information.

This opens a window containing information about the IOC file.

The window contains the following information:

  • Clicking the Find alerts link opens the Alerts section with the filter condition populated with the name of your selected IOC file.
  • Clicking the Find events link opens the Threat Hunting section with the search condition populated with indicators of compromise of your selected IOC file.
  • Clicking the Download link opens the IOC file download window.
  • Autoscan—The IOC file is used when automatically scanning Kaspersky Endpoint Agent hosts.
  • Name—Name of the IOC file.
  • Importance—Importance level that will be assigned to an alert generated using this IOC file.

    The importance level can have one of the following values:

    • Low
    • Medium
    • High
  • Apply to—Displays the name of the tenant and the names of servers associated with events scanned based on this IOC file (in distributed solution and multitenancy mode).
  • XML—Displays the IOC file contents in XML format.


Uploading an IOC file

IOC files that contain UserItem properties for domain users are not supported.

To upload an IOC file:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Click Upload.

    This opens the file selection window on your local computer.

  3. Select the file that you want to upload and click Open.
  4. Specify the following parameters:
    1. Autoscan—The IOC file is used when automatically scanning Kaspersky Endpoint Agent hosts:
      • Enabled
      • Disabled
    2. Name—Name of the IOC file.
    3. Importance—Importance level that will be assigned to an alert generated using this IOC file:
      • Low.
      • Medium.
      • High.
    4. Apply to—Name of the tenant and names of the servers which you want to scan using this IOC file (in distributed solution and multitenancy mode).
  5. Click Save.

The IOC file will be uploaded in XML format.
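
Two points on this page are easier to see in code: the description in "Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting" of how the indicators in an IOC file are compared with the attributes of an object and combined, and the note at the top of this topic that files with UserItem properties are not supported. The following Python script is an added example written for this page; it is not part of Kaspersky Anti Targeted Attack Platform and does not reproduce the program's own scanner. It parses an OpenIOC 1.0 file, lints it for UserItem indicators before upload, and evaluates the AND/OR indicator tree against constructed host records. The IOC file, its id and hash value, and the host records are all constructed for the example; the handling of the `is` and `contains` conditions as case-insensitive string comparisons is an assumption, not a statement of how the program compares indicators.

```python
"""Added example: parse an OpenIOC 1.0 file, lint it before upload, evaluate it.
Not product code; comparison semantics are a simplification assumed here."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}
IOC_TAG = "{%s}" % NS["ioc"]

# Constructed sample IOC file: id, hash and strings are made up for this example.
SAMPLE_IOC = """<?xml version="1.0"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <short_description>Constructed example: dropper in a temp folder</short_description>
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="ii1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="ii2" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">updater</Content>
        </IndicatorItem>
        <IndicatorItem id="ii3" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/path" type="mir"/>
          <Content type="string">\\AppData\\Local\\Temp\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""
# Same file with one indicator rewritten to a UserItem, which the page says is unsupported.
UNSUPPORTED_IOC = SAMPLE_IOC.replace(
    'document="ProcessItem" search="ProcessItem/name"',
    'document="UserItem" search="UserItem/Username"')

# Constructed host records, flattened to "Document/field" keys like OpenIOC search paths.
SAMPLE_RECORDS = [
    {"ProcessItem/name": "svchost.exe", "ProcessItem/path": "C:\\Windows\\System32\\svchost.exe"},
    {"ProcessItem/name": "updater.exe", "ProcessItem/path": "C:\\Users\\j\\AppData\\Local\\Temp\\updater.exe"},
    {"ProcessItem/name": "updater.exe", "ProcessItem/path": "C:\\Program Files\\Vendor\\updater.exe"},
    {"FileItem/Md5sum": "0123456789ABCDEF0123456789ABCDEF"},
]


def lint(xml_text):
    """Pre-upload check: report UserItem indicators and empty Content elements."""
    problems = []
    for item in ET.fromstring(xml_text).iter(IOC_TAG + "IndicatorItem"):
        ctx = item.find("ioc:Context", NS)
        content = item.find("ioc:Content", NS)
        if ctx is not None and ctx.get("document") == "UserItem":
            problems.append(f"{item.get('id')}: UserItem indicators are not supported")
        if content is None or not (content.text or "").strip():
            problems.append(f"{item.get('id')}: empty Content")
    return problems


def build_node(elem):
    """Turn an <Indicator> subtree into nested dicts; leaves are IndicatorItems."""
    tag = elem.tag.replace(IOC_TAG, "")
    if tag == "Indicator":
        return {"op": elem.get("operator", "OR").upper(),
                "children": [build_node(child) for child in elem]}
    if tag == "IndicatorItem":
        ctx = elem.find("ioc:Context", NS)
        content = elem.find("ioc:Content", NS)
        return {"condition": elem.get("condition", "is").lower(),
                "search": ctx.get("search"), "value": (content.text or "").strip()}
    raise ValueError(f"unexpected element <{tag}> inside <Indicator>")


def parse_definition(xml_text):
    """Return the top-level Indicator trees under <definition>."""
    definition = ET.fromstring(xml_text).find("ioc:definition", NS)
    return [build_node(ind) for ind in definition.findall("ioc:Indicator", NS)]


def item_matches(item, record):
    """Compare one IndicatorItem with a record (case-insensitive; assumed semantics)."""
    observed = record.get(item["search"])
    if observed is None:
        return False
    expected = item["value"].lower()
    if item["condition"] == "is":
        return observed.lower() == expected
    if item["condition"] == "contains":
        return expected in observed.lower()
    raise ValueError(f"unsupported condition {item['condition']!r}")


def evaluate(node, record):
    """AND/OR the children of an Indicator; an Indicator with no children never matches."""
    if "children" not in node:
        return item_matches(node, record)
    results = [evaluate(child, record) for child in node["children"]]
    if not results:
        return False
    return all(results) if node["op"] == "AND" else any(results)


def scan(xml_text, records):
    """Return indices of records that match any top-level Indicator of the file."""
    trees = parse_definition(xml_text)
    return [i for i, rec in enumerate(records) if any(evaluate(t, rec) for t in trees)]


if __name__ == "__main__":
    print("lint(SAMPLE_IOC):", lint(SAMPLE_IOC))
    print("lint(UNSUPPORTED_IOC):", lint(UNSUPPORTED_IOC))
    print("matching records:", scan(SAMPLE_IOC, SAMPLE_RECORDS))
```

Running `lint` on a file before uploading it catches the unsupported UserItem case locally instead of after the upload; `scan` shows why the second record matches (process name and path both satisfy the AND group) while the third does not (the path is outside the temp folder, so the AND fails and no other indicator applies).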


Downloading an IOC file to a computer

You can download a previously uploaded IOC file to a computer.

To download an IOC file:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Select the IOC file that you want to download.

    This opens a window containing information about the IOC file.

  3. Click the Download link. Depending on your browser settings, the file is saved to the default downloads folder or you are prompted to choose a folder.

The IOC file is saved to the computer.


Enabling and disabling the automatic use of an IOC file when scanning hosts

You can enable or disable the automatic use of an IOC file for searching for indicators of compromise on Kaspersky Endpoint Agent hosts.

To enable or disable the automatic use of an IOC file for searching for indicators of compromise on Kaspersky Endpoint Agent hosts:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. In the row containing the IOC file whose use you want to enable or disable, in the Autoscan column, set the toggle switch to one of the following positions:
    • Enabled
    • Disabled

Automatic use of an IOC file for searching for indicators of compromise on Kaspersky Endpoint Agent hosts is enabled or disabled.

Users with the Security auditor and Security officer roles cannot enable or disable automatic use of an IOC file when scanning hosts.


Deleting an IOC file

To delete an IOC file:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Select the IOC file that you want to delete.

    This opens a window containing information about the IOC file.

  3. Click Delete.

The IOC file will be deleted.

Users with the Security auditor and Security officer roles cannot delete IOC files.


Searching for alerts in IOC scan results

To find and view scan results for the selected IOC file:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Select the IOC file for which you want to view scan results.

    This opens a window containing information about the IOC file.

  3. Go to the alert database by clicking Find alerts.

    The alert table is opened in a new browser tab.

You can also view scan results for all IOC files by filtering alerts by technology name.


Searching for events using an IOC file

To view events found using an IOC file:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Select the IOC file to use for searching for events in the event database.

    This opens a window containing information about the IOC file.

  3. Go to the event database by clicking Find events.

    The event table is opened in a new browser tab.


Filtering and searching IOC files

To filter or search for IOC files by required criteria:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Do the following depending on the filtering criterion:
    • By importance
      1. Click the Importance column icon to open the filter configuration window for IOC files.
      2. Select one or several of the following importance levels:
        • Low.
        • Medium.
        • High.
      3. Click Apply.
    • By file name
      1. Click the Name link to open the IOC file filter configuration window.
      2. Enter one or several characters of the IOC file name.
      3. Click Apply.
    • By the state of the automatic scan (enabled / disabled)
      1. Click the Autoscan link to open the filter configuration window for IOC files.
      2. Select one of the following options:
        • Enabled
        • Disabled

The table of IOC files will display only IOC files that match the filter criteria you have set.

You can use multiple filters at the same time.


Clearing an IOC file filter

To clear the IOC file filter for one or more filtering criteria:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Click the clear filter icon to the right of the header of the column for which you want to clear the filtering conditions.

    If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.

The selected filters are cleared, and the table of IOC files displays the files that match any remaining filter criteria.


Configuring an IOC scan schedule

You can configure the schedule for searching for indicators of compromise using IOC files on Kaspersky Endpoint Agent hosts.

To configure the schedule for searching for indicators of compromise using IOC files on Kaspersky Endpoint Agent hosts:

  1. In the window of the program web interface, select the Settings section, Endpoint Agents subsection, IOC scanning schedule section.
  2. In the Start time drop-down lists, select the start time of the indicator of compromise search.
  3. In the Maximum scan duration drop-down list, select a time limit for completing the indicator of compromise search.
  4. Click Apply.

The new schedule for searching for indicators of compromise using IOC files on Kaspersky Endpoint Agent hosts becomes active immediately after changes are saved. Results of the indicator of compromise search are displayed in the alert table.

Users with Security auditor and Security officer roles cannot configure the schedule for searching for indicators of compromise using IOC files on Kaspersky Endpoint Agent hosts.


Managing user-defined TAA (IOA) rules

Custom TAA (IOA) rules are created based on event database search criteria. For example, if you want Kaspersky Anti Targeted Attack Platform to generate alerts when a program that you consider unsafe is started on Kaspersky Endpoint Agent computers, you can:

  1. Generate a search query for the event database.
  2. Create a custom TAA (IOA) rule based on event search conditions.

    When the Central Node server receives events matching the created TAA (IOA) rule, Kaspersky Anti Targeted Attack Platform generates alerts.

You can also create a TAA (IOA) rule based on one or multiple event search criteria from the selected IOC file. To do so:

  1. Upload an IOC file containing indicators of compromise for the threat of interest to Kaspersky Anti Targeted Attack Platform.
  2. Find events corresponding to the criteria of the selected IOC file.
  3. Create a TAA (IOA) rule based on one or more event search criteria from the selected IOC file.

In distributed solution and multitenancy mode, TAA (IOA) rules can have one of the following types:

  • Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
  • Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the program web interface.

The differences between user rules and Kaspersky rules are summarized in the following table.

Comparison of TAA (IOA) rules

Recommendations on responding to the event
  • User-defined TAA (IOA) rules: no
  • Kaspersky TAA (IOA) rules: yes; you can view recommendations in alert information

Correspondence to a technique in the MITRE ATT&CK database
  • User-defined TAA (IOA) rules: no
  • Kaspersky TAA (IOA) rules: yes; you can view the description of the technique according to the MITRE database in alert information

Display in the TAA (IOA) rule table
  • User-defined TAA (IOA) rules: yes
  • Kaspersky TAA (IOA) rules: no

Ability to disable database lookup for this rule
  • User-defined TAA (IOA) rules: disable the rule
  • Kaspersky TAA (IOA) rules: add the rule to TAA exclusions

Ability to delete or add the rule
  • User-defined TAA (IOA) rules: you can add or delete a rule in the program web interface
  • Kaspersky TAA (IOA) rules: rules are updated together with program databases and cannot be deleted by the user

Searching for alerts and events in which TAA (IOA) rules were triggered
  • User-defined TAA (IOA) rules: using the Alerts and Events links in the TAA (IOA) rule information window
  • Kaspersky TAA (IOA) rules: using the Alerts and Events links in the alert information window

Users with the Senior security officer role can create, import, delete, enable or disable TAA (IOA) rules, and exclude Kaspersky TAA (IOA) rules from scanning. Users with the Security officer or Security auditor roles can use TAA (IOA) rules to search for signs of targeted attacks, infected and possibly infected objects in the database of events and alerts, and to view the TAA (IOA) rule table and TAA (IOA) rule information.

In this section

Viewing the TAA (IOA) rule table

Creating a TAA (IOA) rule based on event search conditions

Importing a TAA (IOA) rule

Viewing custom TAA (IOA) rule details

Searching for alerts and events in which TAA (IOA) rules were triggered

Filtering and searching TAA (IOA) rules

Resetting the TAA (IOA) rule filter

Enabling and disabling TAA (IOA) rules

Modifying a TAA (IOA) rule

Deleting TAA (IOA) rules


Viewing the TAA (IOA) rule table

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

The table of user-defined TAA (IOA) rules contains information about TAA (IOA) rules that are used to scan events and create alerts; the table is in the Custom rules section, TAA subsection of the program web interface window.

The table contains the following information:

  1. Importance—Importance level that is assigned to an alert generated using this TAA (IOA) rule.

    The importance level can have one of the following values:

    • Low
    • Medium
    • High
  2. Type is the type of the rule depending on the operating mode of the program and the role of the server which generated the rule:
    • Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
    • Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
  3. Confidence is the level of confidence depending on the likelihood of false alarms caused by the rule:
    • High.
    • Medium.
    • Low.

    The higher the confidence, the lower the likelihood of false alarms.

  4. Name – name of the rule.
  5. Servers – name of the server with the Central Node component on which the rule is applied.
  6. Generate alerts – whether an alert is recorded when an event in the database matches the criteria of the rule:
    • Enabled – a record is created in the alert table for the event, with Targeted Attack Analyzer (TAA) specified as the technology.
    • Disabled – matching events are not shown in the alert table.
  7. State – usage status of the rule in event scans:
    • Enabled – the rule is being used.
    • Disabled – the rule is not being used.


Creating a TAA (IOA) rule based on event search conditions

To create a TAA (IOA) rule based on event search conditions:

  1. Select the Threat Hunting section in the program web interface window.

    This opens the event search form.

  2. Perform an event search in design mode or source code mode.
  3. Click Save as TAA (IOA) rule.

    This opens the New TAA (IOA) rule window.

  4. In the Name field, type the name of the rule.
  5. Click Save.

The event search condition will be saved. In the TAA (IOA) rule table in the Custom rules section, TAA subsection of the web interface, the new rule is displayed with the specified name.

If you want to save event search conditions as a user-defined TAA (IOA) rule, avoid using the following fields:

  • IOAId.
  • IOATag.
  • IOATechnique.
  • IOATactics.
  • IOAImportance.
  • IOAConfidence.

At the time of saving the user-defined TAA (IOA) rule, the program might not have any events containing data for these fields. When events with this data appear later, the user-defined TAA (IOA) rule that you created earlier will be unable to mark events by these fields.
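
The following Python script is an added example, not code from Kaspersky Anti Targeted Attack Platform, showing what saving a search condition as a TAA (IOA) rule amounts to: the condition is evaluated against each event as it arrives, and every match becomes an alert. The rule grammar it accepts (conditions of the form `Field=value` or `Field CONTAINS value`, combined with AND and OR, with AND binding tighter) is a simplified assumption modelled on the example `EventType=Process started AND FileName CONTAINS <name>` shown later on this page, not the program's actual query language. It also applies the caveat above: a rule that references any of the IOA* fields is rejected at save time. The events, their field names and the rule text are constructed for the example.

```python
"""Added example: apply a saved search condition as a streaming TAA (IOA) rule.
The grammar is a simplified assumption, not the product's query language."""
import re

# Fields the page says to avoid in a saved rule: they may be empty when the rule is saved.
IOA_FIELDS = {"IOAId", "IOATag", "IOATechnique", "IOATactics", "IOAImportance", "IOAConfidence"}

# One condition: field, operator ("=" or "CONTAINS"), value (may contain spaces).
ATOM = re.compile(r"(\w+)\s*(=|CONTAINS)\s*(.+)")

# Constructed events in the shape of endpoint telemetry (field names assumed for the example).
SAMPLE_EVENTS = [
    {"EventType": "Process started", "FileName": "explorer.exe", "CommandLine": "explorer.exe"},
    {"EventType": "Process started", "FileName": "mimikatz.exe",
     "CommandLine": "mimikatz.exe privilege::debug sekurlsa::logonpasswords"},
    {"EventType": "File created", "FileName": "mimikatz.exe"},
    {"EventType": "Process started", "FileName": "rundll32.exe",
     "CommandLine": "rundll32.exe comsvcs.dll MiniDump 624 C:\\temp\\l.dmp full"},
]

# Constructed rule text: two AND groups joined by OR.
RULE = ("EventType=Process started AND FileName CONTAINS mimikatz"
        " OR EventType=Process started AND CommandLine CONTAINS comsvcs.dll")


def parse_condition(text):
    """Return AND-groups that are OR'ed together: [[(field, op, value), ...], ...]."""
    groups = []
    for disjunct in re.split(r"\s+OR\s+", text.strip()):
        group = []
        for atom in re.split(r"\s+AND\s+", disjunct):
            m = ATOM.fullmatch(atom.strip())
            if not m:
                raise ValueError(f"cannot parse condition: {atom!r}")
            field, op, value = m.groups()
            group.append((field, op, value.strip().strip('"')))
        groups.append(group)
    return groups


def reserved_fields(groups):
    """IOA* fields referenced by the rule, which the page says not to use."""
    return sorted({field for group in groups for field, _, _ in group if field in IOA_FIELDS})


def atom_matches(event, field, op, value):
    """Case-insensitive equality or substring test on one event field."""
    observed = event.get(field)
    if observed is None:
        return False
    if op == "=":
        return str(observed).lower() == value.lower()
    return value.lower() in str(observed).lower()


def matches(groups, event):
    return any(all(atom_matches(event, *atom) for atom in group) for group in groups)


def save_rule(text):
    """Mimic the save step: parse, and refuse rules that depend on IOA* fields."""
    groups = parse_condition(text)
    bad = reserved_fields(groups)
    if bad:
        raise ValueError(f"rule references IOA fields that may be empty at save time: {bad}")
    return groups


def stream_scan(rule_text, events):
    """Check each event as it arrives; return indices of events that become alerts."""
    groups = save_rule(rule_text)
    return [i for i, event in enumerate(events) if matches(groups, event)]


if __name__ == "__main__":
    print("alerts for events:", stream_scan(RULE, SAMPLE_EVENTS))
    try:
        save_rule("IOATechnique CONTAINS T1003 AND EventType=Process started")
    except ValueError as err:
        print("rejected:", err)
```

The file-creation event for mimikatz.exe does not trigger the rule because the rule requires a process start; the rundll32 event does, through the second AND group. The `save_rule` check is the place to enforce the field warning before a rule reaches production.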

Users with the Security auditor and Security officer roles cannot create TAA (IOA) rules based on event search conditions.


Importing a TAA (IOA) rule

You can import an IOC format file and use it to scan events and create Targeted Attack Analyzer alerts.

It is highly recommended that you test custom TAA (IOA) rules in a test environment before importing them. Custom TAA (IOA) rules may cause performance issues, in which case stable performance of Kaspersky Anti Targeted Attack Platform is not guaranteed.

To import a TAA (IOA) rule:

  1. In the window of the program web interface, select the Custom rules section, TAA subsection.

    This opens the TAA (IOA) rule table.

  2. Click Import.

    This opens the file selection window on your local computer.

  3. Select the file that you want to upload and click Open.

    This opens the New TAA (IOA) rule window.

  4. Set the State toggle switch to Enabled if you want to enable the rule for scanning the event database.
  5. On the Details tab, in the Name field, enter the name of the rule.
  6. In the Description field, enter any additional information about the rule.
  7. In the Importance drop-down list, select the importance level to be assigned to alerts generated using this TAA (IOA) rule.
    • Low.
    • Medium.
    • High.
  8. In the Confidence drop-down list, select the level of confidence of this rule based on your estimate:
    • Low.
    • Medium.
    • High.
  9. Under Apply to, select check boxes corresponding to servers on which you want to apply the rule.
  10. On the Query tab, verify the defined search conditions. Make changes if necessary.
  11. Click Save.

The user-defined TAA (IOA) rule is imported into the program.

You can also add a TAA (IOA) rule by saving events database search conditions in the Threat Hunting section.


Viewing custom TAA (IOA) rule details

To display information about the TAA (IOA) rule:

  1. In the window of the program web interface, select the Custom rules section, TAA subsection.

    This opens the TAA (IOA) rule table.

  2. Select the rule for which you want to view information.

This opens a window containing information about the rule.

The window contains the following information:

  • Click the Alerts link to display the alert table in a new browser tab. The alerts are filtered by the Targeted Attack Analyzer technology and the name of the TAA (IOA) rule that you are working on.
  • Click the Find events link to display the events table in a new browser tab. The table is filtered by rule name.
  • Click the Run query link to display the events table in a new browser tab. The table is filtered by rule name. The event search conditions are populated with information from the TAA (IOA) rule that you are working on. For example, EventType=Process started AND FileName CONTAINS <name of the rule you are working on>. You can edit the event search query.
  • Click the IOA ID link to display the ID that the program assigns to each rule.

    IDs cannot be modified. You can copy the ID by clicking the Copy value to clipboard button.

  • State – whether the rule is used in event database scans.

The Details tab shows the following information:

  • Name is the name of the rule that you specified when you added the rule.
  • Description is any additional information about the rule that you specified.
  • Importance is an estimate of the probable impact of the event on the security of computers or the corporate LAN as specified by the user when the rule was added.
  • Confidence is the level of confidence depending on the likelihood of false alarms as defined by the user when the rule was added.
  • Type is the type of the rule depending on the role of the server which generated it:
    • Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
    • Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
  • Apply to—Name of servers with the Central Node component on which the rule is applied.

The Query tab displays the source code of the query being checked. Click the Run query link in the upper part of the window to go to the Threat Hunting section and run an event search query.

See also

Viewing the TAA (IOA) rule table

Creating a TAA (IOA) rule based on event search conditions

Importing a TAA (IOA) rule

Searching for alerts and events in which TAA (IOA) rules were triggered

Filtering and searching TAA (IOA) rules

Resetting the TAA (IOA) rule filter

Enabling and disabling TAA (IOA) rules

Modifying a TAA (IOA) rule

Deleting TAA (IOA) rules


Searching for alerts and events in which TAA (IOA) rules were triggered

To search and display alerts and events that were created by a user-defined TAA (IOA) rule triggering:

  1. In the window of the program web interface, select the Custom rules section, TAA subsection.

    This opens the TAA (IOA) rule table.

  2. Select the rule for which you want to view the triggering result.

    This opens a window containing information about the rule.

  3. Do one of the following:
    • If you want to view alerts generated by the TAA (IOA) rule triggering, click Alerts to go to the alerts database.

      The alert table is opened in a new browser tab.

    • If you want to view events generated by the TAA (IOA) rule triggering, click Events to go to the events database.

      The event table is opened in a new browser tab.

To search and display alerts and events that were created by a Kaspersky TAA (IOA) rule triggering:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the link in the Technologies column to open the filter configuration window.
  3. In the drop-down list on the left, select Contains.
  4. In the drop-down list on the right, select the (TAA) Targeted Attack Analyzer technology.
  5. Click Apply.

    The table displays alerts generated by the TAA technology based on TAA (IOA) rules.

  6. Select an alert for which the Detected column displays the name of the relevant rule.

    This opens a window containing information about the alert.

  7. Under Scan results, click the link with the name of the rule to open the rule information window.
  8. Do one of the following:
    • If you want to view alerts generated by the TAA (IOA) rule triggering, click Alerts to go to the alerts database.

      The alert table is opened in a new browser tab.

    • If you want to view events generated by the TAA (IOA) rule triggering, click Events to go to the events database.

      The event table is opened in a new browser tab.

See also

Viewing the TAA (IOA) rule table

Creating a TAA (IOA) rule based on event search conditions

Importing a TAA (IOA) rule

Viewing custom TAA (IOA) rule details

Filtering and searching TAA (IOA) rules

Resetting the TAA (IOA) rule filter

Enabling and disabling TAA (IOA) rules

Modifying a TAA (IOA) rule

Deleting TAA (IOA) rules


Filtering and searching TAA (IOA) rules

To filter or search for TAA (IOA) rules by required criteria:

  1. In the window of the program web interface, select the Custom rules section, TAA subsection.

    This opens the TAA (IOA) rule table.

  2. Depending on the filtering criterion, do the following:
    • By importance
      1. Click the importance icon to open the IOA rule filter configuration window.
      2. Select the check boxes next to the importance levels that you want to include in the filter criteria:
        • Low.
        • Medium.
        • High.
      3. Click Apply.
    • By rule type
      1. Click the Type link to open the filter configuration window.
      2. Select one of the following options:
        • All—all rules.
        • Global—rules created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
        • Local—rules created on an SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
    • By confidence level
      1. Click the Confidence link to open the filter configuration window.
      2. Select the check boxes opposite the confidence levels that you want to add to the filter criteria:
        • Low.
        • Medium.
        • High.
      3. Click Apply.
    • By rule name
      1. Click the IOA tag link to open the filter configuration window.
      2. Enter one or several characters of the IOA rule name.
      3. Click Apply.
    • By server name
    • By rule-based alert generation
      1. Click the Generate alerts link to expand the filter settings list.
      2. Select one of the following options:
        • All
        • Enabled
        • Disabled
    • By rule state
      1. Click State to expand the filter settings list.
      2. Select one of the following options:
        • All
        • Enabled
        • Disabled

The table displays only rules that match the specified criteria.

You can use multiple filters at the same time.

See also

Viewing the TAA (IOA) rule table

Creating a TAA (IOA) rule based on event search conditions

Importing a TAA (IOA) rule

Viewing custom TAA (IOA) rule details

Searching for alerts and events in which TAA (IOA) rules were triggered

Resetting the TAA (IOA) rule filter

Enabling and disabling TAA (IOA) rules

Modifying a TAA (IOA) rule

Deleting TAA (IOA) rules


Resetting the TAA (IOA) rule filter

To clear a TAA (IOA) rule filter based on one or multiple filter conditions:

  1. In the window of the program web interface, select the Custom rules section, TAA subsection.

    This opens the TAA (IOA) rule table.

  2. Click the clear filter icon to the right of the heading of the column for which you want to clear filtering criteria.

    If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.

The selected filters are cleared.

The table displays only rules that match the remaining filter criteria.

See also

Managing user-defined TAA (IOA) rules

Viewing the TAA (IOA) rule table

Creating a TAA (IOA) rule based on event search conditions

Importing a TAA (IOA) rule

Viewing custom TAA (IOA) rule details

Searching for alerts and events in which TAA (IOA) rules were triggered

Filtering and searching TAA (IOA) rules

Enabling and disabling TAA (IOA) rules

Modifying a TAA (IOA) rule

Deleting TAA (IOA) rules


Enabling and disabling TAA (IOA) rules

Users with the Senior security officer role can enable or disable one or several rules, as well as all rules at once.

To enable or disable the use of a TAA (IOA) rule when scanning events:

  1. In the window of the program web interface, select the Custom rules section, TAA subsection.

    This opens the TAA (IOA) rule table.

  2. In the row with the relevant rule, select or clear the check box in the State column.

The use of the rule when scanning events is enabled or disabled.

To enable or disable the use of all or multiple TAA (IOA) rules when scanning events:

  1. In the window of the program web interface, select the Custom rules section, TAA subsection.

    This opens the TAA (IOA) rule table.

  2. Select the check boxes on the left of the rules whose use you want to enable or disable.

    You can select all rules by selecting the check box in the row containing the headers of columns.

    A control panel appears in the lower part of the window.

  3. Click Enable or Disable to enable or disable all rules.

The use of the selected rules when scanning events is enabled or disabled.

In distributed solution and multitenancy mode, you can manage only global TAA (IOA) rules on the PCN server. You can manage local TAA (IOA) rules on SCN servers of tenants to which you have access.

Users with the Security auditor and Security officer roles cannot enable or disable TAA (IOA) rules.

See also

Viewing the TAA (IOA) rule table

Creating a TAA (IOA) rule based on event search conditions

Importing a TAA (IOA) rule

Viewing custom TAA (IOA) rule details

Searching for alerts and events in which TAA (IOA) rules were triggered

Filtering and searching TAA (IOA) rules

Resetting the TAA (IOA) rule filter

Modifying a TAA (IOA) rule

Deleting TAA (IOA) rules


Modifying a TAA (IOA) rule

Users with the Senior security officer role can modify custom TAA (IOA) rules. Rules created by Kaspersky cannot be edited.

In distributed solution and multitenancy mode, you can edit only those TAA (IOA) rules that were created on the current server. Consequently, in the web interface of the PCN, you can edit only the rules that were created on the PCN. In the web interface of an SCN, you can edit only the rules that were created on the SCN.

To edit a TAA (IOA) rule:

  1. In the window of the program web interface, select the Custom rules section, TAA subsection.

    This opens the TAA (IOA) rule table.

  2. Select the rule that you want to modify.

    This opens a window containing information about the rule.

  3. Make the relevant changes.
  4. Click Save.

The rule settings are modified.

Users with the Security auditor and Security officer roles cannot modify TAA (IOA) rules based on event search conditions.

See also

Viewing the TAA (IOA) rule table

Creating a TAA (IOA) rule based on event search conditions

Importing a TAA (IOA) rule

Viewing custom TAA (IOA) rule details

Searching for alerts and events in which TAA (IOA) rules were triggered

Filtering and searching TAA (IOA) rules

Resetting the TAA (IOA) rule filter

Enabling and disabling TAA (IOA) rules

Deleting TAA (IOA) rules


Deleting TAA (IOA) rules

Users with the Senior security officer role can delete one or more TAA (IOA) rules, or all rules at the same time.

In distributed solution and multitenancy mode, you can delete only those TAA (IOA) rules that were created on the current server. Consequently, in the web interface of the PCN, you can delete only the rules that were created on the PCN. In the web interface of an SCN, you can delete only the rules that were created on the SCN.

To delete a custom TAA (IOA) rule:

  1. In the window of the program web interface, select the Custom rules section, TAA subsection.

    This opens the TAA (IOA) rule table.

  2. Select the rule that you want to delete.

    This opens a window containing information about the rule.

  3. Click Delete.

    This opens the action confirmation window.

  4. Click Yes.

The rule is deleted.

To delete all or multiple custom TAA (IOA) rules:

  1. In the window of the program web interface, select the Custom rules section, TAA subsection.

    This opens the TAA (IOA) rule table.

  2. Select the check boxes on the left of the rules that you want to delete.

    You can select all rules by selecting the check box in the row containing the headers of columns.

    A control panel appears in the lower part of the window.

  3. Click Delete.

    This opens the action confirmation window.

  4. Click Yes.

The selected rules will be deleted.

You cannot delete TAA (IOA) rules defined by Kaspersky. If you do not want to use a Kaspersky TAA (IOA) rule for scanning, add it to exclusions.

Users with the Security auditor and Security officer roles cannot modify TAA (IOA) rules based on event search conditions.

See also

Viewing the TAA (IOA) rule table

Creating a TAA (IOA) rule based on event search conditions

Importing a TAA (IOA) rule

Viewing custom TAA (IOA) rule details

Searching for alerts and events in which TAA (IOA) rules were triggered

Filtering and searching TAA (IOA) rules

Resetting the TAA (IOA) rule filter

Enabling and disabling TAA (IOA) rules

Modifying a TAA (IOA) rule


Managing user-defined IDS rules

In distributed solution and multitenancy mode, custom IDS rules can have one of the following types:

  • Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
  • Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the program web interface.

Users with the Senior security officer role can import, configure, replace, and delete user-defined IDS rules, as well as add Kaspersky-defined IDS rules to exclusions from scanning. Users with the Senior security officer or Security auditor roles can use IDS rules to search for signs of targeted attacks, infected and possibly infected objects in the alert database, and to view the IDS rule information.

Users with the Security officer role cannot gain access to user-defined IDS rules.

In this section

Importing a user-defined IDS rule

Viewing the information of a user-defined IDS rule

Enabling and disabling the use of an IDS rule when scanning events

Configuring the importance of alerts generated by the user-defined IDS rule

Replacing a user-defined IDS rule

Downloading a user-defined IDS rule file to the computer

Deleting a user-defined IDS rule


Importing a user-defined IDS rule

You can import a Snort or Suricata file and use it to scan events and create Intrusion Detection System alerts.

It is highly recommended that you test custom IDS rules in a test environment before you import them. Custom IDS rules may cause performance issues, in which case stable performance of Kaspersky Anti Targeted Attack Platform is not guaranteed.

For example, loading user-defined rules can cause the following problems:

  • The program may create too many IDS alerts.
  • If the program cannot record all IDS alerts in time, some network traffic objects may remain unscanned.
  • Regular expressions in user-defined rules may impact performance or cause faulty operation of the program.
  • Even formally correct user-defined rules may impact performance or cause faulty operation of the program.

IDs and attributes of custom rules may be modified when they are uploaded. Reject and Drop actions are changed to Alert. Rules with the Pass action are deleted.
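As an added example (not Kaspersky's code), the following Python script previews how a Snort/Suricata rules file would change on upload according to the two rewrites above, and flags rules that use pcre as a performance risk to review before importing; the rule lines it parses are constructed samples, and the line format it accepts is the standard action/header/(options) syntax.

```python
"""Preview what happens to a Snort/Suricata rules file on upload.

Added example, not Kaspersky code. It applies the two rewrites described in the
documentation (Reject and Drop become Alert, Pass rules are deleted) and flags
rules that use pcre, which the documentation warns can hurt performance.
"""
import re
from dataclasses import dataclass, field

REWRITTEN_ACTIONS = {"reject", "drop"}   # documented: changed to "alert" on upload
DELETED_ACTION = "pass"                   # documented: such rules are deleted on upload

# One rule per line: <action> <header> (<options>), the standard Snort/Suricata syntax.
RULE_RE = re.compile(r"^(?P<action>[a-z]+)\s+(?P<header>[^(]+?)\s*\((?P<opts>.*)\)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
PCRE_RE = re.compile(r"\bpcre\s*:")

# Constructed sample rules for the demo; these are not real signatures.
SAMPLE_RULES = """\
# constructed sample, not real detection content
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"EXAMPLE outbound to 4444"; flow:to_server; sid:9000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE inbound SMB"; flow:to_server; sid:9000002; rev:1;)
reject http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE suspicious UA"; http.user_agent; content:"EXAMPLE"; sid:9000003; rev:1;)
pass ip 10.0.0.5 any -> any any (msg:"EXAMPLE scanner allowlist"; sid:9000004; rev:1;)
alert http any any -> any any (msg:"EXAMPLE nested quantifier"; pcre:"/^(a+)+$/"; sid:9000005; rev:1;)
this line is not a rule
"""


@dataclass
class ImportPreview:
    rules: list = field(default_factory=list)      # normalized rule text that would be kept
    rewritten: list = field(default_factory=list)  # sids whose action became alert
    deleted: list = field(default_factory=list)    # sids of pass rules that are dropped
    pcre: list = field(default_factory=list)       # sids using pcre (performance risk)
    malformed: list = field(default_factory=list)  # line numbers that did not parse


def preview_import(text: str) -> ImportPreview:
    """Apply the documented upload rewrites and collect what to review."""
    report = ImportPreview()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            report.malformed.append(lineno)
            continue
        action, header, opts = m.group("action"), m.group("header"), m.group("opts")
        sid_match = SID_RE.search(opts)
        sid = int(sid_match.group(1)) if sid_match else None
        if action == DELETED_ACTION:
            report.deleted.append(sid)
            continue
        if action in REWRITTEN_ACTIONS:
            report.rewritten.append(sid)
            action = "alert"
        if PCRE_RE.search(opts):
            report.pcre.append(sid)
        report.rules.append(f"{action} {header} ({opts})")
    return report


if __name__ == "__main__":
    r = preview_import(SAMPLE_RULES)
    print(f"{len(r.rules)} rules would be imported")
    print("rewritten to alert:", r.rewritten)
    print("deleted (pass):", r.deleted)
    print("review pcre usage:", r.pcre)
    print("unparsed lines:", r.malformed)
```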

To import a custom IDS rule:

  1. In the window of the program web interface, select the Custom rules section, IDS subsection.

    This opens the user-defined IDS rule window.

  2. Click Import.

    This opens the file selection window on your local computer.

  3. Select the file that you want to upload and click Open.

The user-defined IDS rule is imported into the program.

See also

Managing user-defined IDS rules

Viewing the information of a user-defined IDS rule

Enabling and disabling the use of an IDS rule when scanning events

Configuring the importance of alerts generated by the user-defined IDS rule

Replacing a user-defined IDS rule

Downloading a user-defined IDS rule file to the computer

Deleting a user-defined IDS rule


Viewing the information of a user-defined IDS rule

To view the information of a user-defined IDS rule,

In the window of the program web interface, select the Custom rules section, IDS subsection.

The web interface displays the following information about the IDS rule:

  • State—Usage status of the rule in event scans.
  • File size—Size of the rule file.
  • Last update—Time when the rule was imported.
  • Created by—Name of the user whose account was used to import the rule.
  • Importance—Importance level that is assigned to an alert generated using this IDS rule.

See also

Managing user-defined IDS rules

Importing a user-defined IDS rule

Enabling and disabling the use of an IDS rule when scanning events

Configuring the importance of alerts generated by the user-defined IDS rule

Replacing a user-defined IDS rule

Downloading a user-defined IDS rule file to the computer

Deleting a user-defined IDS rule


Enabling and disabling the use of an IDS rule when scanning events

To enable or disable an IDS rule when scanning events:

  1. In the window of the program web interface, select the Custom rules section, IDS subsection.

    This opens the user-defined IDS rule window.

  2. Move the State switch to one of the following positions:
    • Enabled
    • Disabled

The use of the IDS rule when scanning events is enabled or disabled.

Users with the Security auditor role cannot enable or disable IDS rules.

Users with the Security officer role cannot gain access to user-defined IDS rules.

See also

Managing user-defined IDS rules

Importing a user-defined IDS rule

Viewing the information of a user-defined IDS rule

Configuring the importance of alerts generated by the user-defined IDS rule

Replacing a user-defined IDS rule

Downloading a user-defined IDS rule file to the computer

Deleting a user-defined IDS rule


Configuring the importance of alerts generated by the user-defined IDS rule

To configure the importance level that is assigned to alerts generated using the IDS rule:

  1. In the window of the program web interface, select the Custom rules section, IDS subsection.

    This opens the user-defined IDS rule window.

  2. In the Importance drop-down list, select the importance level to be assigned to alerts generated using this IDS rule:
    • Low.
    • Medium.
    • High.
  3. If necessary, use the State switch to enable this IDS rule.

The importance of alerts generated using this IDS rule is configured.

Users with the Security auditor role cannot configure IDS rules.

Users with the Security officer role cannot gain access to user-defined IDS rules.

See also

Managing user-defined IDS rules

Importing a user-defined IDS rule

Viewing the information of a user-defined IDS rule

Enabling and disabling the use of an IDS rule when scanning events

Replacing a user-defined IDS rule

Downloading a user-defined IDS rule file to the computer

Deleting a user-defined IDS rule


Replacing a user-defined IDS rule

You can replace a previously imported Snort or Suricata file and use it to scan events and create Intrusion Detection System alerts.

It is highly recommended that you test custom IDS rules in a test environment before you import them. Custom IDS rules may cause performance issues, in which case stable performance of Kaspersky Anti Targeted Attack Platform is not guaranteed.

IDs and attributes of custom rules may be modified when they are uploaded. Reject and Drop actions are changed to Alert. Rules with the Pass action are deleted.

To replace a custom IDS rule:

  1. In the window of the program web interface, select the Custom rules section, IDS subsection.

    This opens the user-defined IDS rule window.

  2. Below the rule information, click Replace.

    This opens the file selection window on your local computer.

  3. Select the file that you want to upload and click Open.

The user-defined IDS rule is imported into the program, replacing the previously imported rule.

Users with the Security auditor role cannot replace user-defined IDS rules.

Users with the Security officer role cannot gain access to user-defined IDS rules.

See also

Managing user-defined IDS rules

Importing a user-defined IDS rule

Viewing the information of a user-defined IDS rule

Enabling and disabling the use of an IDS rule when scanning events

Configuring the importance of alerts generated by the user-defined IDS rule

Downloading a user-defined IDS rule file to the computer

Deleting a user-defined IDS rule


Downloading a user-defined IDS rule file to the computer

You can download a previously imported IDS rule file to your computer.

To download a custom IDS rule file to the computer:

  1. In the window of the program web interface, select the Custom rules section, IDS subsection.

    This opens the user-defined IDS rule window.

  2. Below the rule information, click Download.

The file will be saved to your local computer in the browser's downloads folder.

See also

Managing user-defined IDS rules

Importing a user-defined IDS rule

Viewing the information of a user-defined IDS rule

Enabling and disabling the use of an IDS rule when scanning events

Configuring the importance of alerts generated by the user-defined IDS rule

Replacing a user-defined IDS rule

Deleting a user-defined IDS rule


Deleting a user-defined IDS rule

When working in distributed solution mode, users with the Senior security officer role can delete only a user-defined IDS rule that was imported into the current server. It means that in the PCN web interface, you can only delete a rule that was created on the PCN. In the SCN web interface, you can only delete a rule that was created on the SCN.

To delete a custom IDS rule:

  1. In the window of the program web interface, select the Custom rules section, IDS subsection.

    This opens the user-defined IDS rule window.

  2. Click Delete.

    This opens the action confirmation window.

  3. Click Yes.

The rule is deleted.

You cannot delete IDS rules defined by Kaspersky. If you do not want to use a Kaspersky IDS rule for scanning, add it to exclusions.

Users with the Security auditor role cannot delete user-defined IDS rules.

Users with the Security officer role cannot gain access to user-defined IDS rules.

See also

Importing a user-defined IDS rule

Viewing the information of a user-defined IDS rule

Enabling and disabling the use of an IDS rule when scanning events

Configuring the importance of alerts generated by the user-defined IDS rule

Replacing a user-defined IDS rule

Downloading a user-defined IDS rule file to the computer


Managing user-defined YARA rules

You can use YARA rules as YARA module databases to scan files and objects received at the Central Node and to scan hosts that have Kaspersky Endpoint Agent for Windows installed.

In distributed solution and multitenancy mode, custom YARA rules can have one of the following types:

  • Global—Created on the PCN server. These rules are used to scan files and objects received at the PCN server and all SCN servers connected to that PCN server. Scanned files and objects belong to the tenant which the user is managing in the program web interface.
  • Local—Created on the SCN server. These rules are used to scan files and objects received at the SCN server. Scanned files and objects belong to the tenant which the user is managing in the program web interface.

Users with the Senior security officer role can import a YARA rule file into Kaspersky Anti Targeted Attack Platform using the program web interface.

Users with the Security auditor and Security officer roles can only view YARA rules.

In this section

Viewing the YARA rule table

Importing YARA rules

Configuring YARA rule table display

Viewing YARA rule details

Filtering and searching YARA rules

Clearing a YARA rule filter

Enabling and disabling YARA rules

Deleting YARA rules


Viewing the YARA rule table

The table of user-defined YARA rules contains information about YARA rules that are used to scan events and create alerts; the table is displayed in the Custom rules section, YARA subsection of the program web interface window.

The table contains the following information:

  • Created is the rule creation time.
  • Importance (shown as an icon) is the alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this alert may have on computer or corporate LAN security, based on Kaspersky experience.

    By default, alerts generated by uploaded YARA rules are assigned a high level of importance.

  • Type is the type of the rule depending on the operating mode of the program and the role of the server which generated the rule:
    • Global—Created on the PCN server. These rules are used to scan files and objects received at the PCN server and all SCN servers connected to that PCN server. Scanned files and objects belong to the tenant which the user is managing in the program web interface.
    • Local—Created on the SCN server. These rules are used to scan files and objects received at the SCN server. Scanned files and objects belong to the tenant which the user is managing in the program web interface.
  • Name is the name of the rule.
  • File name is the name of the file from which the rule was imported.
  • Created by is the name of the user whose account was used to import the rule.
  • Servers is the name of the server with the Central Node component on which the rule is applied.
  • Traffic scan is the usage status of the rule when stream scanning files and objects arriving at the Central Node:
    • Enabled means the rule is being used.
    • Disabled means the rule is not being used.

See also

Importing YARA rules

Configuring YARA rule table display

Viewing YARA rule details

Filtering and searching YARA rules

Clearing a YARA rule filter

Enabling and disabling YARA rules

Deleting YARA rules


Importing YARA rules

To import YARA rules:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.
  2. Click Upload.

    This opens the file selection window.

  3. Select the YARA rules file that you want to upload and click the Open button.

    This closes the file selection window and opens the Import YARA rules window.

    The maximum allowed size of an uploaded file is 20 MB.

    A report is displayed in the lower part of the window. The report contains the following information:

    • The number of rules that can be successfully imported.
    • The number of rules that will not be imported (if any).

      For each rule that cannot be imported, its name is listed.

  4. Select the Traffic scan check box if you want to use imported rules for streaming scans of objects and data received at the Central Node.
  5. If necessary, enter any additional information in the Description field.

    The Importance field cannot be edited. By default, alerts generated by uploaded YARA rules are assigned a high level of importance.

  6. Under Apply to, select check boxes corresponding to servers on which you want to apply the rules.

    This field is displayed only when you are using the distributed solution and multitenancy mode.

  7. Click Save.

Imported rules are displayed in the table of YARA rules.
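As an added example (not Kaspersky's code), this Python pre-check applies the 20 MB limit from the procedure above to a YARA rules file and lists the rule identifiers together with the ones a YARA compiler would reject (duplicate identifiers, no condition section), so the upload report holds no surprises; the sample file is constructed, and which rejection criteria the platform itself applies is an assumption the page does not document.

```python
"""Pre-upload check for a YARA rules file (added example, not Kaspersky code).

The 20 MB limit is the documented upload maximum; the duplicate-identifier and
missing-condition checks are standard YARA compile constraints, assumed here to be
among the reasons the platform's import report would list a rule as not importable.
"""
import re
from dataclasses import dataclass, field

MAX_UPLOAD_BYTES = 20 * 1024 * 1024  # documented maximum size of an uploaded file

# Rule header at line start: optional private/global modifiers, then the identifier.
RULE_HEADER_RE = re.compile(
    r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_][A-Za-z0-9_]*)", re.MULTILINE)
CONDITION_RE = re.compile(r"\bcondition\s*:")

# Constructed sample file; the rules are placeholders, not detection content.
SAMPLE_YARA = r'''
// constructed sample, not real detection content
rule sample_pe_marker
{
    meta:
        note = "hex strings use braces, so rule bodies are cut at the next header"
    strings:
        $mz = { 4D 5A }
    condition:
        $mz at 0
}

/* same identifier again: a YARA compiler rejects duplicates */
private rule sample_pe_marker { condition: true }
rule no_condition_here
{
    strings:
        $s = "rule inside_a_string_is_not_a_header"
}
// rule only_in_a_comment
rule last_one { condition: false }
'''


def strip_comments(src: str) -> str:
    """Drop // and /* */ comments, keeping string literals intact.
    Regex literals (/.../) are not special-cased, so a // inside one is lost."""
    out, i, n = [], 0, len(src)
    while i < n:
        if src[i] == '"':                      # copy a string literal verbatim
            j = i + 1
            while j < n and src[j] != '"':
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("//", i):          # line comment
            nl = src.find("\n", i)
            i = n if nl < 0 else nl
        elif src.startswith("/*", i):          # block comment
            end = src.find("*/", i + 2)
            i = n if end < 0 else end + 2
        else:
            out.append(src[i])
            i += 1
    return "".join(out)


def within_upload_limit(nbytes: int) -> bool:
    """Apply the documented 20 MB cap to a file size in bytes."""
    return nbytes <= MAX_UPLOAD_BYTES


@dataclass
class YaraPrecheck:
    size_ok: bool
    rule_names: list = field(default_factory=list)
    duplicates: list = field(default_factory=list)         # identifiers seen more than once
    missing_condition: list = field(default_factory=list)  # rules with no condition section

    @property
    def importable(self) -> int:
        flagged = set(self.duplicates) | set(self.missing_condition)
        return sum(1 for name in self.rule_names if name not in flagged)


def precheck_yara(src: str) -> YaraPrecheck:
    """Enumerate rule identifiers and flag the ones a compiler would reject."""
    result = YaraPrecheck(size_ok=within_upload_limit(len(src.encode("utf-8"))))
    code = strip_comments(src)
    headers = list(RULE_HEADER_RE.finditer(code))
    seen = set()
    for idx, m in enumerate(headers):
        name = m.group(1)
        result.rule_names.append(name)
        if name in seen:
            result.duplicates.append(name)
        seen.add(name)
        # A body runs to the next header; hex strings use braces, so no brace matching.
        end = headers[idx + 1].start() if idx + 1 < len(headers) else len(code)
        if not CONDITION_RE.search(code[m.end():end]):
            result.missing_condition.append(name)
    return result
```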

See also

Managing user-defined YARA rules

Viewing the YARA rule table

Configuring YARA rule table display

Viewing YARA rule details

Filtering and searching YARA rules

Clearing a YARA rule filter

Enabling and disabling YARA rules

Deleting YARA rules


Configuring YARA rule table display

You can show or hide columns and change the order of columns in the table.

To configure the table display:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. In the heading part of the table, click the customize table icon.

    This opens the Customize table window.

  3. If you want to show a column in the table, select the check box next to the name of the parameter that you want displayed in the table.

    If you want to hide a parameter in the table, clear the check box.

    At least one check box must be selected.

  4. If you want to change the order of columns in the table, move the mouse cursor to the row with the relevant parameter, click the column order icon and move the row to its new place.
  5. If you want to restore default table display settings, click Default.
  6. Click Apply.

The table display is configured.


Viewing YARA rule details

To view YARA rule details:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. Select the rule for which you want to view information.

This opens a window containing information about the rule.

The window contains the following information:

  • Click the Alerts link to display the alert table in a new browser tab. The alerts are filtered by the Targeted Attack Analyzer technology and the name of the TAA (IOA) rule that you are working on.
  • The Start YARA scan link opens the task creation window.
  • The Download link lets you download a file with YARA rules.
  • Rule name is the name of the rule specified in the file.
  • Traffic scan is the usage status of the rule when stream scanning files and objects arriving at the Central Node.
  • Type is the type of the rule depending on the role of the server which generated it:
    • Global—Created on the PCN server. These rules are used to scan files and objects received at the PCN server and all SCN servers connected to that PCN server. Scanned files and objects belong to the tenant which the user is managing in the program web interface.
    • Local—Created on the SCN server. These rules are used to scan files and objects received at the SCN server. Scanned files and objects belong to the tenant which the user is managing in the program web interface.
  • Importance—Importance level that is assigned to an alert generated using this rule.

    By default, alerts generated by uploaded YARA rules are assigned a high level of importance.

  • Description is any additional information about the rule that you specified.
  • Apply to—Name of servers with the Central Node component on which the rule is applied.

See also

Viewing the YARA rule table

Importing YARA rules

Configuring YARA rule table display

Filtering and searching YARA rules

Clearing a YARA rule filter

Enabling and disabling YARA rules

Deleting YARA rules


Filtering and searching YARA rules

To filter or search for YARA rules by required criteria:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. Depending on the filtering criterion, do the following:
    • By creation time
      1. Click the Created link to open the filter settings window.
      2. Select one of the following options:
        • Any time if you want the table to display rules created at any time.
        • Last hour if you want the table to display rules that were created during the last hour.
        • Last day if you want the table to display rules that were created during the last day.
        • Custom range if you want the table to display rules that were created during the specified period.
    • By rule name
      1. Click the Rule name link to open the filtering menu.
      2. In the drop-down list, select one of the following filtering operators:
        • Contains
        • Does not contain
      3. In the text box, type the name of the rule or a sequence of characters from the name of the rule.
      4. Click Apply.
    • By file name
      1. Click the File name link to open the filtering menu.
      2. In the drop-down list, select one of the following filtering operators:
        • Contains
        • Does not contain
      3. In the entry field, type the name of the file or a sequence of characters from the name of the file.
      4. Click Apply.
    • By the name of the user who uploaded the rules file
      1. Click the Created by link to open the filtering menu.
      2. In the drop-down list, select one of the following filtering operators:
        • Contains
        • Does not contain
      3. In the text box, type the user name or a sequence of characters from the user name.
      4. Click Apply.
    • By rule state
      1. Click the Traffic scan link to expand the filter settings list.
      2. Select one of the following options:
        • All
        • Enabled
        • Disabled

The table displays only rules that match the specified criteria.

You can use multiple filters at the same time.

See also

Viewing the YARA rule table

Importing YARA rules

Configuring YARA rule table display

Viewing YARA rule details

Clearing a YARA rule filter

Enabling and disabling YARA rules

Deleting YARA rules

[Topic 225009]

Clearing a YARA rule filter

To clear the YARA rule filter for one or more filtering criteria:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. Click the clear-filter icon to the right of the heading of the column whose filtering criteria you want to clear.

    If you want to clear multiple filter conditions, repeat this step for each filter condition individually.

The selected filters are cleared.

The table displays only rules that match the remaining filtering criteria, if any.

See also

Managing user-defined YARA rules

Viewing the YARA rule table

Importing YARA rules

Configuring YARA rule table display

Viewing YARA rule details

Filtering and searching YARA rules

Enabling and disabling YARA rules

Deleting YARA rules

[Topic 225010]

Enabling and disabling YARA rules

Users with the Senior security officer role can enable or disable one or several rules, as well as all rules at once.

In distributed solution and multitenancy mode, you can enable or disable only those YARA rules that were created on the current server: in the web interface of the PCN, only the rules created on the PCN server; in the web interface of an SCN, only the rules created on that SCN server.

If YARA rules with identical names are enabled on the PCN and SCN servers, the PCN rule takes precedence over the SCN rule when scanning files and objects.
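The precedence rule above is easiest to check before enabling rules on both servers. The following Python script is an added example, not part of Kaspersky Anti Targeted Attack Platform or its documentation; it assumes the PCN and SCN rule files are available as plain YARA source text (the two inline files are constructed samples) and extracts rule names with a simplified header pattern.

```python
import re

# Constructed sample rule files standing in for a PCN upload and an SCN upload.
PCN_RULES = """
// Uploaded on the PCN
rule Suspicious_Macro {
    strings: $a = "AutoOpen"
    condition: $a
}
private rule Shared_Helper { condition: true }
"""

SCN_RULES = """
/* Uploaded on the SCN */
rule Suspicious_Macro {
    strings: $a = "Auto_Open"
    condition: $a
}
rule Branch_Specific : office { condition: false }
"""

# Line and block comments are removed before parsing so a commented-out header
# is not counted. Simplification: a "//" inside a string literal is also removed.
COMMENT = re.compile(r'//[^\n]*|/\*.*?\*/', re.DOTALL)
# Rule header: optional "private"/"global" modifiers, keyword "rule", identifier.
# Tags after ':' and the rule body are ignored.
RULE_HEADER = re.compile(
    r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)',
    re.MULTILINE,
)

def rule_names(source: str) -> list[str]:
    """Return the rule identifiers declared in a YARA file, in file order."""
    return RULE_HEADER.findall(COMMENT.sub('', source))

def effective_rules(pcn_source: str, scn_source: str) -> dict[str, str]:
    """Map every enabled rule name to the server whose copy is actually applied."""
    result = {name: 'PCN' for name in rule_names(pcn_source)}
    for name in rule_names(scn_source):
        result.setdefault(name, 'SCN')  # an existing PCN entry wins the name clash
    return result

def shadowed_rules(pcn_source: str, scn_source: str) -> list[str]:
    """SCN rules that are never applied because a PCN rule has the same name."""
    return sorted(set(rule_names(pcn_source)) & set(rule_names(scn_source)))

if __name__ == '__main__':
    for name, server in sorted(effective_rules(PCN_RULES, SCN_RULES).items()):
        print(f'{name}: applied from {server}')
    print('shadowed SCN rules:', shadowed_rules(PCN_RULES, SCN_RULES))
```

Renaming a shadowed SCN rule before enabling it keeps both versions active instead of silently dropping the SCN copy.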

To enable or disable a YARA rule for stream scanning of files and objects arriving at the Central Node:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. In the row with the relevant rule, select or clear the check box in the Traffic scan column.

The rule is enabled or disabled for stream scanning of files and objects arriving at the Central Node.

To enable or disable all or multiple YARA rules for stream scanning of files and objects arriving at the Central Node:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.
  2. Select the check boxes on the left of the rules whose use you want to enable or disable.

    You can select all rules by selecting the check box in the row containing the headers of columns.

    A control panel appears in the lower part of the window.

  3. Click Enable or Disable to enable or disable the selected rules.

The selected rules are enabled or disabled for stream scanning of files and objects arriving at the Central Node.

See also

Viewing the YARA rule table

Importing YARA rules

Configuring YARA rule table display

Viewing YARA rule details

Filtering and searching YARA rules

Clearing a YARA rule filter

Deleting YARA rules

[Topic 224963]

Deleting YARA rules

To delete a YARA rule:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. Select the rule that you want to delete.

    This opens a window containing information about the rule.

  3. Click Delete.
  4. In the action confirmation window that opens, click Yes.

The rule is deleted.

To delete all or multiple YARA rules:

  1. In the window of the program web interface, select the Custom rules section, YARA subsection.

    This opens the YARA rule table.

  2. Select the check boxes on the left of the rules that you want to delete.

    You can select all rules by selecting the check box in the row containing the headers of columns.

    A control panel appears in the lower part of the window.

  3. Click Delete.
  4. In the action confirmation window that opens, click Yes.

The selected rules are deleted.

Users with the Security auditor and Security officer roles cannot delete YARA rules.

See also

Managing user-defined YARA rules

Viewing the YARA rule table

Importing YARA rules

Configuring YARA rule table display

Viewing YARA rule details

Filtering and searching YARA rules

Clearing a YARA rule filter

Enabling and disabling YARA rules

[Topic 195570]