Kaspersky Anti Targeted Attack Platform

Managing TAA exclusions

TAA (IOA) rules created by Kaspersky experts contain indicators of suspicious behavior of an object in the corporate IT infrastructure. Kaspersky Anti Targeted Attack Platform scans the events database of the program and creates alerts for events that match behaviors described by TAA (IOA) rules. If you do not want the program to create alerts for events generated as part of host activity that is normal for your organization, you can add a TAA (IOA) rule to exclusions.

A TAA (IOA) rule added to exclusions can work in one of the following modes:

  • The rule is always excluded.

    In this case, Kaspersky Anti Targeted Attack Platform does not mark events as matching the TAA (IOA) rule and does not create alerts based on that rule.

  • The rule is supplemented by a condition.

    In this case, the TAA (IOA) rule is supplemented by conditions in the form of a search query. Kaspersky Anti Targeted Attack Platform does not mark events that match the specified conditions as matching the TAA (IOA) rule. For events that match the TAA (IOA) rule but do not satisfy the conditions of the applied exclusion, the program still marks the events and creates alerts.

If you are using the distributed solution and multitenancy mode, TAA exclusions can have the following types:

  • Local—Created on the SCN server. These exclusions apply only to hosts that are connected to this SCN server. Exclusions belong to the tenant that the user is managing in the program web interface.
  • Global—Created on the PCN server. Exclusions apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Exclusions belong to the tenant that the user is managing in the program web interface.

Users with the Senior security officer role can create, edit, and delete exclusions for tenants to whose data they have access.

Users with the Security auditor and Security officer roles can only view the list of TAA exclusions and the properties of a selected exclusion.

For each TAA (IOA) rule, you can create only one local or global exclusion.

If one TAA (IOA) rule has exclusions created both on an SCN server and the PCN server, Kaspersky Anti Targeted Attack Platform processes events in accordance with exclusion settings on the PCN server.

In this section

Viewing the table of TAA (IOA) rules added to exclusions

Adding a TAA (IOA) rule to exclusions

Viewing a TAA (IOA) rule added to exclusions

Removing a TAA (IOA) rule from exclusions


Viewing the table of TAA (IOA) rules added to exclusions

To view the table of TAA (IOA) rules added to exclusions:

  1. In the main window of the program web interface, select the Settings section, Exclusions subsection.
  2. Click the TAA exclusions tab.

The table of excluded TAA (IOA) rules is displayed. You can filter the rules by clicking links in column headers.

The table contains the following information:

  • Importance is the importance level that is assigned to an alert generated using this TAA (IOA) rule.

    The importance level can have one of the following values:

    • Low.
    • Medium.
    • High.
  • Type is the type of the exclusion, depending on the role of the server on which it was created:
    • Local—Created on the SCN server. These exclusions apply only to hosts that are connected to this SCN server. Exclusions belong to the tenant that the user is managing in the program web interface.
    • Global—Created on the PCN server. Exclusions apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Exclusions belong to the tenant that the user is managing in the program web interface.
  • Confidence is the level of confidence depending on the likelihood of false alarms caused by the rule:
    • High.
    • Medium.
    • Low.

    The higher the confidence level, the lower the likelihood of false alarms.

  • Exclude rule is the operating mode of the rule that is added to exclusions.
    • Always means the rule is always excluded. In this case, Kaspersky Anti Targeted Attack Platform does not mark events as matching the TAA (IOA) rule and does not create alerts based on that rule.
    • Based on conditions means the rule is excluded only for events that match the configured conditions. In this case, the TAA (IOA) rule is supplemented by conditions in the form of a search query. Kaspersky Anti Targeted Attack Platform does not mark events that match the specified conditions as matching the TAA (IOA) rule. For events that match the TAA (IOA) rule but do not satisfy the conditions of the applied exclusion, the program still marks the events and creates alerts.
  • Name is the name of the rule.

See also

Adding a TAA (IOA) rule to exclusions

Viewing a TAA (IOA) rule added to exclusions

Removing a TAA (IOA) rule from exclusions


Adding a TAA (IOA) rule to exclusions

Only TAA (IOA) rules created by Kaspersky can be added to exclusions. If you do not want a custom TAA (IOA) rule to be applied when scanning events, disable or delete that rule instead.

To add a TAA (IOA) rule to exclusions from the Alerts section:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the link in the Technologies column to open the filter configuration window.
  3. In the drop-down list on the left, select Contains.
  4. In the drop-down list on the right, select the (TAA) Targeted Attack Analyzer technology.
  5. Click Apply.

    The table displays alerts generated by the TAA technology based on TAA (IOA) rules.

  6. Select an alert for which the Detected column displays the name of the relevant rule.

    This opens a window containing information about the alert.

  7. Under Scan results, click the link with the name of the rule to open the rule information window.
  8. To the right of the TAA exclusions setting name, click Add to exclusions.

    This opens a window that allows you to add the TAA (IOA) rule to exclusions.

  9. In the Exclude rule field, select the exclusion operating mode:
    • Always if you do not want the program to create alerts for events that match the selected TAA (IOA) rule.
    • Based on conditions if you want the program to suppress alerts only for events that match the specified conditions. Alerts are still created for events that match the TAA (IOA) rule but do not satisfy the configured exclusion conditions.

      If you selected Based on conditions:

      1. Click Configure additional conditions to open the event search form.
      2. If you are using the distributed solution and multitenancy mode and want to enable the display of events for all tenants, turn on the Search in all tenants toggle switch.
      3. Perform an event search in design mode.

        A table is displayed of events that match the TAA (IOA) rule given the specified exclusion criteria.

        If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.

      4. Click the name of the server for which you want to view events.

        The host table of the selected server is displayed. Event grouping levels are displayed above the table.

        If necessary, you can change event search conditions.

      5. Click Add exclusion.
  10. If you are using the distributed solution and multitenancy mode, in the Apply to servers* field, select check boxes for tenants and servers to which the rule must be applied.
  11. Click Add.

The TAA (IOA) rule is added to exclusions and is displayed in the exclusion list in the Settings section, Exclusions subsection on the TAA exclusions tab in the program web interface. In Always mode, the rule no longer creates alerts; in Based on conditions mode, events that match the exclusion conditions no longer create alerts.

To add a TAA (IOA) rule to exclusions from the Threat Hunting section:

  1. Select the Threat Hunting section in the program web interface window.

    This opens the event search form.

  2. Define the search conditions and click the Search button. For example, you can select event search criteria in the TAA properties group in design mode.

    The table of events that satisfy the search criteria is displayed.

  3. Select an event.
  4. To the right of the IOA tags setting, click the name of the rule.

    This opens a window containing information about the rule.

  5. To the right of the TAA exclusions setting name, click Add to exclusions.

    This opens a window that allows you to add the TAA (IOA) rule to exclusions.

  6. In the Exclude rule field, select the exclusion operating mode:
    • Always if you do not want the program to create alerts for events that match the selected TAA (IOA) rule.
    • Based on conditions if you want the program to suppress alerts only for events that match the specified conditions. Alerts are still created for events that match the TAA (IOA) rule but do not satisfy the configured exclusion conditions.

      If you selected Based on conditions:

      1. Click Configure additional conditions to open the event search form.
      2. If you are using the distributed solution and multitenancy mode and want to enable the display of events for all tenants, turn on the Search in all tenants toggle switch.
      3. Perform an event search in design mode.

        A table is displayed of events that match the TAA (IOA) rule given the specified exclusion criteria.

        If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.

      4. Click the name of the server for which you want to view events.

        The host table of the selected server is displayed. Event grouping levels are displayed above the table.

        If necessary, you can change event search conditions.

      5. Click Add exclusion.
  7. Click Add.

The TAA (IOA) rule is added to exclusions and is displayed in the exclusion list in the Settings section, Exclusions subsection on the TAA exclusions tab in the program web interface. In Always mode, the rule no longer creates alerts; in Based on conditions mode, events that match the exclusion conditions no longer create alerts.

When creating a search query to be saved as an exclusion criterion, do not use the following fields:

  • IOAId.
  • IOATag.
  • IOATechnique.
  • IOATactics.
  • IOAImportance.
  • IOAConfidence.

These fields are populated only after Kaspersky Anti Targeted Attack Platform has already marked events as matching TAA (IOA) rules, so they are not available to an exclusion condition at the time it is evaluated.
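To make the behavior described on this page concrete, the following Python model (an added illustration, not Kaspersky code) shows how the two exclusion modes, the rule that PCN settings take precedence over SCN settings when both exist for one rule, the one-Local-one-Global limit, and the ban on IOA* fields in exclusion conditions interact. The event record layout, the equality-only condition syntax, the rule IDs, host names and events are all constructed assumptions for the illustration; the real product evaluates an arbitrary search query as the condition.

```python
"""Model of TAA (IOA) exclusion handling (added illustration, not Kaspersky code).

Assumptions, none taken from the product: an event is a dict of search-field
name -> value; an exclusion condition is a dict of field -> value that must all
match (the product accepts a full search query here); all sample data below
is constructed.
"""
from dataclasses import dataclass, field

# Fields that exist only after the platform has marked an event as matching a
# TAA (IOA) rule; the page says not to use them as exclusion criteria.
POST_MARKING_FIELDS = frozenset(
    {"IOAId", "IOATag", "IOATechnique", "IOATactics", "IOAImportance", "IOAConfidence"}
)
MODES = ("Always", "Based on conditions")
SCOPES = ("Local", "Global")  # Local = created on an SCN, Global = created on the PCN


@dataclass(frozen=True)
class Exclusion:
    ioa_id: str
    scope: str
    mode: str
    conditions: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unknown mode {self.mode!r}")
        if self.scope not in SCOPES:
            raise ValueError(f"unknown scope {self.scope!r}")
        bad = POST_MARKING_FIELDS.intersection(self.conditions)
        if bad:
            raise ValueError(f"exclusion conditions may not use {sorted(bad)}")
        if self.mode == "Based on conditions" and not self.conditions:
            raise ValueError("Based on conditions mode needs at least one condition")

    def as_query(self) -> str:
        """Render the '<IOA ID> AND NOT <search criteria>' form shown in the
        exclusion window; the criteria syntax is an assumed rendering."""
        if self.mode == "Always":
            raise ValueError("Always-mode exclusions carry no search criteria")
        crit = " AND ".join(f'{k} = "{v}"' for k, v in self.conditions.items())
        return f"{self.ioa_id} AND NOT ({crit})"


def effective_exclusions(exclusions):
    """Pick the single exclusion that applies to each rule.

    A rule may have at most one Local and one Global exclusion; when both
    exist, the Global (PCN) settings win, as the section overview states.
    """
    chosen, seen = {}, set()
    for ex in exclusions:
        key = (ex.ioa_id, ex.scope)
        if key in seen:
            raise ValueError(f"rule {ex.ioa_id} already has a {ex.scope} exclusion")
        seen.add(key)
        current = chosen.get(ex.ioa_id)
        if current is None or (ex.scope == "Global" and current.scope == "Local"):
            chosen[ex.ioa_id] = ex
    return chosen


def matches(event, conditions):
    """Every condition field must be present in the event with the given value."""
    return all(event.get(k) == v for k, v in conditions.items())


def apply_exclusions(rule_matches, exclusions):
    """Map {ioa_id: [events the rule matched]} to {ioa_id: [events that still alert]}."""
    chosen = effective_exclusions(exclusions)
    alerts = {}
    for ioa_id, events in rule_matches.items():
        ex = chosen.get(ioa_id)
        if ex is None:
            alerts[ioa_id] = list(events)  # no exclusion: every match alerts
        elif ex.mode == "Always":
            alerts[ioa_id] = []  # rule is silenced entirely
        else:
            alerts[ioa_id] = [e for e in events if not matches(e, ex.conditions)]
    return alerts


# Constructed sample data: three rule IDs and the events each rule matched.
SAMPLE_MATCHES = {
    "IOA-0001": [
        {"HostName": "build01", "FileName": "psexec.exe", "UserName": "svc_deploy"},
        {"HostName": "ws-042", "FileName": "psexec.exe", "UserName": "jdoe"},
    ],
    "IOA-0002": [{"HostName": "dc01", "FileName": "ntdsutil.exe", "UserName": "admin"}],
    "IOA-0003": [{"HostName": "ws-007", "FileName": "rundll32.exe", "UserName": "jdoe"}],
}
SAMPLE_EXCLUSIONS = [
    # Known deployment account on a build host: keep alerting everywhere else.
    Exclusion("IOA-0001", "Local", "Based on conditions",
              {"HostName": "build01", "UserName": "svc_deploy"}),
    # An SCN operator silenced IOA-0002 outright ...
    Exclusion("IOA-0002", "Local", "Always"),
    # ... but the PCN carries a narrower conditional exclusion, which wins.
    Exclusion("IOA-0002", "Global", "Based on conditions",
              {"HostName": "dc01", "UserName": "backup_svc"}),
]


def demo():
    """Returns {'IOA-0001': [ws-042 event], 'IOA-0002': [dc01 event], 'IOA-0003': [ws-007 event]}."""
    return apply_exclusions(SAMPLE_MATCHES, SAMPLE_EXCLUSIONS)
```

The IOA-0002 case is the one worth noting when reviewing exclusions across a distributed deployment: the SCN-side Always exclusion is not merged with the PCN exclusion, it is simply ignored, so the dc01 event still alerts because it does not satisfy the PCN conditions.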

Users with the Security auditor and Security officer roles cannot add TAA (IOA) rules to exclusions.

See also

Viewing the table of TAA (IOA) rules added to exclusions

Viewing a TAA (IOA) rule added to exclusions

Removing a TAA (IOA) rule from exclusions


Viewing a TAA (IOA) rule added to exclusions

To view a TAA (IOA) rule added to exclusions:

  1. In the program web interface window, select the Settings section, Exclusions subsection and go to the TAA exclusions tab.

    The table of excluded TAA (IOA) rules is displayed.

  2. Select the rule that you want to view.

This opens a window containing information about the rule.

The window contains the following information:

  • TAA (IOA) rule: click this link to open a window containing a description of the MITRE technique corresponding to this rule, recommendations on responding to the event, and information about the likelihood of false alarms.
  • ID is the ID that the program assigns to each rule.
  • Name is the name of the rule that you specified when you added the rule.
  • Importance is an estimate of the probable impact of the event on the security of computers or the corporate LAN as assessed by Kaspersky experts.
  • Confidence is the level of confidence depending on the probability of false positives as estimated by Kaspersky experts.
  • Exclude rule is the operating mode of the rule that is added to exclusions.
    • Always means the rule is always excluded. In this case, Kaspersky Anti Targeted Attack Platform does not mark events as matching the TAA (IOA) rule and does not create alerts based on that rule.
    • Based on conditions means the rule is excluded only for events that match the configured conditions. In this case, the TAA (IOA) rule is supplemented by conditions in the form of a search query. Kaspersky Anti Targeted Attack Platform does not mark events that match the specified conditions as matching the TAA (IOA) rule. For events that match the TAA (IOA) rule but do not satisfy the conditions of the applied exclusion, the program still marks the events and creates alerts.
  • Configure additional conditions: click this link to open the event search form with search conditions.

    The field is displayed if, when adding the TAA (IOA) rule to exclusions, you have selected the Based on conditions mode, and configured some search criteria.

  • The search criteria are configured in the <IOA ID> AND NOT <search criteria> format.

    Search criteria are displayed if, when adding the TAA (IOA) rule to exclusions, you have selected the Based on conditions mode, and configured some search criteria.

  • Apply to servers* lists the tenants and servers to which the exclusion applies.

    This field is displayed in distributed solution and multitenancy mode.

See also

Viewing the table of TAA (IOA) rules added to exclusions

Adding a TAA (IOA) rule to exclusions

Removing a TAA (IOA) rule from exclusions


Removing a TAA (IOA) rule from exclusions

You can remove from exclusions a single TAA (IOA) rule, multiple rules, or all rules at the same time.

To remove a TAA (IOA) rule from exclusions:

  1. In the program web interface window, select the Settings section, Exclusions subsection and go to the TAA exclusions tab.

    The table of excluded TAA (IOA) rules is displayed.

  2. Select the rule that you want to remove from exclusions.

    This opens a window containing information about the rule.

  3. Click Delete.

    This opens the action confirmation window.

  4. Click Yes.

The rule is removed from exclusions and is again applied when scanning events and creating alerts.

To remove all or multiple TAA (IOA) rules from exclusions:

  1. In the program web interface window, select the Settings section, Exclusions subsection and go to the TAA exclusions tab.

    The table of excluded TAA (IOA) rules is displayed.

  2. Select check boxes next to rules that you want to remove from exclusions.

    You can select all rules by selecting the check box in the row containing the headers of columns.

  3. In the pane that appears in the lower part of the window, click Delete.

    This opens the action confirmation window.

  4. Click Yes.

The selected rules are removed from exclusions and are again applied when scanning events and creating alerts.

Users with the Security auditor and Security officer roles cannot remove TAA (IOA) rules from exclusions.

See also

Viewing the table of TAA (IOA) rules added to exclusions

Adding a TAA (IOA) rule to exclusions

Viewing a TAA (IOA) rule added to exclusions
