Kaspersky Anti Targeted Attack (KATA) Platform

Viewing custom TAA (IOA) rule details

8 November 2023

ID 247703

To display information about the TAA (IOA) rule:

  1. In the window of the application web interface, select the Custom rules section, TAA subsection.

    This opens the TAA (IOA) rule table.

  2. Select the rule for which you want to view information.

This opens a window containing information about the rule.

The window contains the following information:

  • Click the Alerts link to display the alert table in a new browser tab. The alerts are filtered by the Targeted Attack Analyzer technology and the name of the TAA (IOA) rule that you are working on.
  • Click the Find events link to display the events table in a new browser tab. The table is filtered by rule name.
  • Click the Run query link to display the events table in a new browser tab. The table is filtered by rule name. The event search conditions are populated with information from the TAA (IOA) rule that you are working on. For example, EventType=Process started AND FileName CONTAINS <name of the rule you are working on>. You can edit the event search query.
  • Click the IOA ID link to display the ID that the application assigns to each rule.

    IDs cannot be modified. You can copy the ID by clicking the Copy value to clipboard button.

  • State shows whether the rule is currently enabled, that is, whether it is used when the events database is scanned.

The Details tab shows the following information:

  • Name is the name of the rule that you specified when you added the rule.
  • Description is any additional information about the rule that you specified.
  • Importance is an estimate of the probable impact of the event on the security of computers or the corporate LAN as specified by the user when the rule was added.
  • Confidence is the level of confidence depending on the likelihood of false alarms as defined by the user when the rule was added.
  • Type is the type of the rule, which depends on the role of the server on which it was created:
    • Global—Created on the PCN server. These rules are used to scan events on this PCN server and on all SCN servers connected to this PCN server. Scanned events belong to the tenant that the user is managing in the application web interface.
    • Local—Created on the SCN server. These rules are used to scan events on this SCN server only. Scanned events belong to the tenant that the user is managing in the application web interface.
  • Apply to—Names of the servers with the Central Node component on which the rule is applied.

The Query tab displays the source code of the query being checked. Click the Run query link in the upper part of the window to go to the Threat Hunting section and run an event search query.

See also

Viewing the TAA (IOA) rule table

Creating a TAA (IOA) rule based on event search conditions

Importing a TAA (IOA) rule

Searching for alerts and events in which TAA (IOA) rules were triggered

Filtering and searching TAA (IOA) rules

Resetting the TAA (IOA) rule filter

Enabling and disabling TAA (IOA) rules

Modifying a TAA (IOA) rule

Deleting TAA (IOA) rules
