Creating a TAA (IOA) rule based on event search conditions

Support

Support for business applications

Kaspersky Anti Targeted Attack (KATA) Platform

For security officers: Getting started with the application web interface

Managing user-defined rules

Managing user-defined TAA (IOA) rules

Creating a TAA (IOA) rule based on event search conditions

8 November 2023

ID 247643_1

To create a TAA (IOA) rule based on event search conditions:

Select the Threat Hunting section in the application web interface window.
This opens the event search form.
Perform an event search in design mode or source code mode.
Click Save as TAA (IOA) rule.
This opens the New TAA (IOA) rule window.
In the Name field, type the name of the rule.
Click Save.

The event search condition will be saved. In the TAA (IOA) rule table in the Custom rules section, TAA subsection of the web interface, the new rule is displayed with the specified name.

If you want to save event search conditions as a user-defined TAA (IOA) rule, avoid using the following fields:

IOAId.
IOATag.
IOATechnique.
IOATactics.
IOAImportance.
IOAConfidence.

At the time of saving the user-defined TAA (IOA) rule, the application may not have any events containing data for these fields. When events with this data turn up, the user-defined field that you have created earlier will be unable to mark events by these fields.

Users with the Security auditor and Security officer roles cannot create TAA (IOA) rules based on event search conditions.

Kaspersky Professional Services

Implementation services. Health check and security system configuration. Contact us if you need expert help.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.