Contents
- Managing user-defined TAA (IOA) rules
- Viewing the TAA (IOA) rule table
- Creating a TAA (IOA) rule based on event search conditions
- Importing a TAA (IOA) rule
- Viewing custom TAA (IOA) rule details
- Searching for alerts and events in which TAA (IOA) rules were triggered
- Filtering and searching TAA (IOA) rules
- Resetting the TAA (IOA) rule filter
- Enabling and disabling TAA (IOA) rules
- Modifying a TAA (IOA) rule
- Deleting TAA (IOA) rules
Managing user-defined TAA (IOA) rules
Custom TAA (IOA) rules are created based on event database search criteria. For example, if you want Kaspersky Anti Targeted Attack Platform to generate alerts for events when a program that you consider unsafe is started on Kaspersky Endpoint Agent computers, you can:
- Generate a search query for the event database.
- Create a custom TAA (IOA) rule based on event search conditions.
When the Central Node server receives events matching the created TAA (IOA) rule, Kaspersky Anti Targeted Attack Platform generates alerts.
You can also create a TAA (IOA) rule based on one or multiple event search criteria from the selected IOC file. To do so:
- Upload an IOC file containing indicators of compromise corresponding to the malware to Kaspersky Anti Targeted Attack Platform.
- Find events corresponding to the criteria of the selected IOC file.
- Create a TAA (IOA) rule based on one or more event search criteria from the selected IOC file.
In distributed solution and multitenancy mode, TAA (IOA) rules can have one of the following types:
- Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
- Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
The differences between user rules and Kaspersky rules are summarized in the following table.
Comparison of TAA (IOA) rules

| Characteristic | User-defined TAA (IOA) rules | Kaspersky TAA (IOA) rules |
|---|---|---|
| Recommendations on responding to the event | No | Yes. You can view recommendations in |
| Correspondence to technique in | No | Yes. You can view the description of the |
| Display in the TAA (IOA) rule table | Yes | No |
| Ability to disable database lookup for this rule | | |
| Ability to delete or add the rule | You can delete or add a rule in the web interface of the program | Rules are updated together with program databases |
| Searching for alerts and events in which TAA (IOA) rules were triggered | Using Alerts and Events links in the TAA (IOA) rule information window | Using Alerts and Events links in the alert information window |
Users with the Senior security officer role can create, import, delete, enable or disable TAA (IOA) rules, and exclude Kaspersky TAA (IOA) rules from scanning. Users with the Security officer or Security auditor roles can use TAA (IOA) rules to search for signs of targeted attacks, infected and possibly infected objects in the database of events and alerts, and to view the TAA (IOA) rule table and TAA (IOA) rule information.
Viewing the TAA (IOA) rule table
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
The table of user-defined TAA (IOA) rules contains information about TAA (IOA) rules that are used to scan events and create alerts; the table is in the Custom rules section, TAA subsection of the program web interface window.
The table contains the following information:
- Importance—the importance level that is assigned to an alert generated using this TAA (IOA) rule. The importance level can have one of the following values:
- Low.
- Medium.
- High.
- Type is the type of the rule depending on the operating mode of the program and the role of the server which generated the rule:
- Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
- Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
- Confidence is the level of confidence depending on the likelihood of false alarms caused by the rule:
- High.
- Medium.
- Low.
The higher the confidence, the lower the likelihood of false alarms.
- Name – name of the rule.
- Servers – name of the server with the Central Node component on which the rule is applied.
- Generate alerts – whether information about alerts is stored when an event from the database matches the criteria of the rule:
- Enabled – a record is created for the event in the alerts table with Targeted Attack Analyzer (TAA) technology specified.
- Disabled – the event is not displayed in the alert table.
- State – usage status of the rule in event scans:
- Enabled – the rule is being used.
- Disabled – the rule is not being used.
Creating a TAA (IOA) rule based on event search conditions
To create a TAA (IOA) rule based on event search conditions:
- Select the Threat Hunting section in the program web interface window.
This opens the event search form.
- Perform an event search in design mode or source code mode.
- Click Save as TAA (IOA) rule.
This opens the New TAA (IOA) rule window.
- In the Name field, type the name of the rule.
- Click Save.
The event search condition will be saved. In the TAA (IOA) rule table in the Custom rules section, TAA subsection of the web interface, the new rule is displayed with the specified name.
If you want to save event search conditions as a user-defined TAA (IOA) rule, avoid using the following fields:
- IOAId.
- IOATag.
- IOATechnique.
- IOATactics.
- IOAImportance.
- IOAConfidence.
At the time of saving the user-defined TAA (IOA) rule, the program might not have any events containing data for these fields. When events with this data turn up, the user-defined TAA (IOA) rule that you have created earlier will be unable to mark events by these fields.
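As an added example (not code from the Kaspersky documentation or product), a small pre-save lint in Python that extracts the field names referenced by an event search query and rejects the IOA* fields listed above. The condition syntax it assumes (Field operator value, joined by AND/OR, with optional quoted values) is a simplification, not the platform's actual query grammar.

```python
import re

# Fields the documentation says to avoid in a saved custom TAA (IOA) rule:
# at save time no events may carry them, so the rule cannot mark events by them.
IOA_FIELDS = {"IOAId", "IOATag", "IOATechnique", "IOATactics",
              "IOAImportance", "IOAConfidence"}
_IOA_FIELDS_LOWER = {f.lower() for f in IOA_FIELDS}

# Assumed, simplified syntax: <Field> <operator> <value>, conditions joined by
# AND / OR. Quoted values are blanked first so that an "=" inside a value
# (e.g. a command line) is not mistaken for a field condition.
_QUOTED = re.compile(r'"[^"]*"|\'[^\']*\'')
_CONDITION = re.compile(
    r"\b([A-Za-z_][A-Za-z0-9_]*)\s*(?:=|!=|CONTAINS|NOT CONTAINS|>=|<=|>|<)\s*",
    re.IGNORECASE,
)


def extract_fields(query: str) -> list[str]:
    """Return the field names a query references, in order of appearance."""
    stripped = _QUOTED.sub('""', query)
    return [m.group(1) for m in _CONDITION.finditer(stripped)]


def lint_taa_query(query: str) -> dict:
    """Check a query before it is saved as a custom TAA (IOA) rule.

    Returns the referenced fields, the offending IOA* fields (matched
    case-insensitively) and an 'ok' flag that is False if any are present.
    """
    fields = extract_fields(query)
    bad = [f for f in fields if f.lower() in _IOA_FIELDS_LOWER]
    return {"fields": fields, "ioa_fields": bad, "ok": not bad}


if __name__ == "__main__":
    # Constructed sample queries, modelled on the example in the documentation.
    for q in ("EventType=Process started AND FileName CONTAINS unsafe.exe",
              "EventType=Process started AND IOATactics CONTAINS Execution"):
        print(q, "->", lint_taa_query(q))
```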
Users with the Security auditor and Security officer roles cannot create TAA (IOA) rules based on event search conditions.
Importing a TAA (IOA) rule
You can import an IOC format file and use it to scan events and create Targeted Attack Analyzer alerts.
It is highly recommended that you test custom TAA (IOA) rules in a test environment before you import them. Custom TAA (IOA) rules may cause performance issues, in which case stable performance of Kaspersky Anti Targeted Attack Platform is not guaranteed.
To import a TAA (IOA) rule:
- In the window of the program web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Click Import.
This opens the file selection window on your local computer.
- Select the file that you want to upload and click Open.
This opens the New TAA (IOA) rule window.
- Set the State toggle switch to Enabled if you want to enable the rule for scanning the event database.
- On the Details tab, in the Name field, enter the name of the rule.
- In the Description field, enter any additional information about the rule.
- In the Importance drop-down list, select the importance level to be assigned to alerts generated using this TAA (IOA) rule.
- Low.
- Medium.
- High.
- In the Confidence drop-down list, select the level of confidence of this rule based on your estimate:
- Low.
- Medium.
- High.
- Under Apply to, select check boxes corresponding to servers on which you want to apply the rule.
- On the Query tab, verify the defined search conditions. Make changes if necessary.
- Click Save.
The user-defined TAA (IOA) rule is imported into the program.
You can also add a TAA (IOA) rule by saving events database search conditions in the Threat Hunting section.
Viewing custom TAA (IOA) rule details
To display information about the TAA (IOA) rule:
- In the window of the program web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the rule for which you want to view information.
This opens a window containing information about the rule.
The window contains the following information:
- Click the Alerts link to display the alert table in a new browser tab. The alerts are filtered by the Targeted Attack Analyzer technology and the name of the TAA (IOA) rule that you are working on.
- Click the Find events link to display the events table in a new browser tab. The table is filtered by rule name.
- Click the Run query link to display the events table in a new browser tab. The table is filtered by rule name. The event search conditions are populated with information from the TAA (IOA) rule that you are working on, for example:
EventType=Process started AND FileName CONTAINS <name of the rule you are working on>
You can edit the event search query.
- Click the IOA ID link to display the ID that the program assigns to each rule. IDs cannot be modified. You can copy the ID by clicking the Copy value to clipboard button.
- State shows whether the rule is used in events database scans.
The Details tab shows the following information:
- Name is the name of the rule that you specified when you added the rule.
- Description is any additional information about the rule that you specified.
- Importance is an estimate of the probable impact of the event on the security of computers or the corporate LAN as specified by the user when the rule was added.
- Confidence is the level of confidence depending on the likelihood of false alarms as defined by the user when the rule was added.
- Type is the type of the rule depending on the role of the server which generated it:
- Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
- Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the program web interface.
- Apply to—Name of servers with the Central Node component on which the rule is applied.
The Query tab displays the source code of the query being checked. Click the Run query link in the upper part of the window to go to the Threat Hunting section and run an event search query.
Searching for alerts and events in which TAA (IOA) rules were triggered
To search and display alerts and events that were created by a user-defined TAA (IOA) rule triggering:
- In the window of the program web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the rule for which you want to view the triggering result.
This opens a window containing information about the rule.
- Do one of the following:
- If you want to view alerts generated by the TAA (IOA) rule triggering, click Alerts to go to the alerts database.
The alert table is opened in a new browser tab.
- If you want to view events generated by the TAA (IOA) rule triggering, click Events to go to the events database.
The event table is opened in a new browser tab.
To search and display alerts and events that were created by a Kaspersky TAA (IOA) rule triggering:
- Select the Alerts section in the window of the program web interface.
This opens the table of alerts.
- Click the link in the Technologies column to open the filter configuration window.
- In the drop-down list on the left, select Contains.
- In the drop-down list on the right, select the (TAA) Targeted Attack Analyzer technology.
- Click Apply.
The table displays alerts generated by the TAA technology based on TAA (IOA) rules.
- Select an alert for which the Detected column displays the name of the relevant rule.
This opens a window containing information about the alert.
- Under Scan results, click the link with the name of the rule to open the rule information window.
- Do one of the following:
- If you want to view alerts generated by the TAA (IOA) rule triggering, click Alerts to go to the alerts database.
The alert table is opened in a new browser tab.
- If you want to view events generated by the TAA (IOA) rule triggering, click Events to go to the events database.
The event table is opened in a new browser tab.
Filtering and searching TAA (IOA) rules
To filter or search for TAA (IOA) rules by required criteria:
- In the window of the program web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Depending on the filtering criterion, do the following:
The table displays only rules that match the specified criteria.
You can use multiple filters at the same time.
Resetting the TAA (IOA) rule filter
To clear a TAA (IOA) rule filter based on one or multiple filter conditions:
- In the window of the program web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Click the button to the right of the heading of the rule table column for which you want to clear filtering criteria.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table displays only rules that match the specified criteria.
Enabling and disabling TAA (IOA) rules
Users with the Senior security officer role can enable or disable one or several rules, as well as all rules at once.
To enable or disable the use of a TAA (IOA) rule when scanning events:
- In the window of the program web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- In the row with the relevant rule, select or clear the check box in the State column.
The use of the rule when scanning events is enabled or disabled.
To enable or disable the use of all or multiple TAA (IOA) rules when scanning events:
- In the window of the program web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the check boxes on the left of the rules whose use you want to enable or disable.
You can select all rules by selecting the check box in the row containing the headers of columns.
A control panel appears in the lower part of the window.
- Click Enable or Disable to enable or disable all rules.
The use of the selected rules when scanning events is enabled or disabled.
In distributed solution and multitenancy mode, you can manage only global TAA (IOA) rules on the PCN server. You can manage local TAA (IOA) rules on SCN servers of tenants to which you have access.
Users with the Security auditor and Security officer roles cannot enable or disable TAA (IOA) rules.
Modifying a TAA (IOA) rule
Users with the Senior security officer role can modify custom TAA (IOA) rules. Rules created by Kaspersky cannot be edited.
In distributed solution and multitenancy mode, you can edit only those TAA (IOA) rules that were created on the current server. Consequently, in the web interface of the PCN, you can edit only the rules that were created on the PCN. In the web interface of an SCN, you can edit only the rules that were created on the SCN.
To edit a TAA (IOA) rule:
- In the window of the program web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the rule that you want to modify.
This opens a window containing information about the rule.
- Make the relevant changes.
- Click Save.
The rule settings are modified.
Users with the Security auditor and Security officer roles cannot modify TAA (IOA) rules based on event search conditions.
Deleting TAA (IOA) rules
Users with the Senior security officer role can delete one or more TAA (IOA) rules, or all rules at the same time.
In distributed solution and multitenancy mode, you can delete only those TAA (IOA) rules that were created on the current server. Consequently, in the web interface of the PCN, you can delete only the rules that were created on the PCN. In the web interface of an SCN, you can delete only the rules that were created on the SCN.
To delete a custom TAA (IOA) rule:
- In the window of the program web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the rule that you want to delete.
This opens a window containing information about the rule.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The rule is deleted.
To delete all or multiple custom TAA (IOA) rules:
- In the window of the program web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the check boxes on the left of the rules that you want to delete.
You can select all rules by selecting the check box in the row containing the headers of columns.
A control panel appears in the lower part of the window.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The selected rules will be deleted.
You cannot delete TAA (IOA) rules defined by Kaspersky. If you do not want to use a Kaspersky TAA (IOA) rule for scanning, add it to exclusions.
Users with the Security auditor and Security officer roles cannot modify TAA (IOA) rules based on event search conditions.