Kaspersky Anti Targeted Attack (KATA) Platform

Managing TAA exclusions

8 November 2023

ID 247779

TAA (IOA) rules created by Kaspersky experts contain indicators of suspicious behavior of an object in the corporate IT infrastructure. Kaspersky Anti Targeted Attack Platform scans the events database of the application and creates alerts for events that match behaviors described by TAA (IOA) rules. If you do not want the application to create alerts for events generated as part of host activity that is normal for your organization, you can add a TAA (IOA) rule to exclusions.

TAA (IOA) rules added to exclusions can work in the following modes:

  • The rule is always excluded.

    In this case, Kaspersky Anti Targeted Attack Platform does not mark events as matching the TAA (IOA) rule and does not create alerts based on that rule.

  • The rule is supplemented by a condition.

    In this case, the TAA (IOA) rule is supplemented by conditions in the form of a search query. Kaspersky Anti Targeted Attack Platform does not mark events that match specified conditions as matching the TAA (IOA) rules. For events that match the TAA (IOA) rule, but do not satisfy the conditions of the applied exclusion, the application marks the events and creates alerts.

If you are using the distributed solution and multitenancy mode, TAA exclusions can have the following types:

  • Local—Created on the SCN server. These exclusions apply only to hosts that are connected to this SCN server. Exclusions belong to the tenant which the user is managing in the application web interface.
  • Global—Created on the PCN server. Exclusions apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Exclusions belong to the tenant which the user is managing in the application web interface.

Users with the Senior security officer role can create, edit, and delete exclusions for tenants to whose data they have access.

Users with the Security auditor and Security officer roles can only view the list of TAA exclusions and the properties of a selected exclusion.

For each TAA (IOA) rule, you can create only one local or global exclusion.

If one TAA (IOA) rule has exclusions created both on an SCN server and the PCN server, Kaspersky Anti Targeted Attack Platform processes events in accordance with exclusion settings on the PCN server.
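The exclusion modes and the PCN-over-SCN precedence described above, modeled as an added Python example that is not Kaspersky code and does not use any product API. The Exclusion class, the rule and server names, the event fields, and the Python predicate standing in for the search-query condition are assumptions; a single tenant and a single PCN are assumed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Exclusion:
    rule: str      # TAA (IOA) rule name (hypothetical names below)
    server: str    # server the exclusion was created on
    scope: str     # "global" (created on the PCN) or "local" (created on an SCN)
    # None = the rule is always excluded; otherwise a predicate standing in
    # for the search-query condition that supplements the rule.
    condition: Optional[Callable[[dict], bool]] = None

def effective(rule, host_server, pcn, exclusions):
    """Exclusion applied to `rule` for a host connected to `host_server`."""
    glob = next((e for e in exclusions
                 if e.rule == rule and e.scope == "global" and e.server == pcn), None)
    loc = next((e for e in exclusions
                if e.rule == rule and e.scope == "local" and e.server == host_server), None)
    # If both exist, events are processed according to the PCN settings.
    return glob or loc

def creates_alert(event, rule, host_server, pcn, exclusions):
    """`event` is assumed to already match `rule`; True if an alert is created."""
    exc = effective(rule, host_server, pcn, exclusions)
    if exc is None:
        return True                  # rule is not in exclusions
    if exc.condition is None:
        return False                 # rule is always excluded
    return not exc.condition(event)  # excluded only when the condition matches

def shadowed_locals(pcn, exclusions):
    """Local exclusions that never take effect because a global one exists."""
    global_rules = {e.rule for e in exclusions
                    if e.scope == "global" and e.server == pcn}
    return [e for e in exclusions
            if e.scope == "local" and e.rule in global_rules]

# Constructed sample data: names and fields are illustrative only.
PCN = "pcn"
EXCLUSIONS = [
    Exclusion("rule_A", "scn1", "local"),   # always excluded on scn1 only
    Exclusion("rule_B", "scn1", "local"),   # overridden by the global entry below
    Exclusion("rule_B", PCN, "global", lambda ev: ev.get("user") == "svc_backup"),
]

if __name__ == "__main__":
    for e in shadowed_locals(PCN, EXCLUSIONS):
        print(f"local exclusion for {e.rule} on {e.server} is overridden by the PCN")
```

Reviewing the output of shadowed_locals alongside the list of always-excluded rules shows where alerts are suppressed more broadly, or more narrowly, than the local administrator intended.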

In this section

Viewing the table of TAA (IOA) rules added to exclusions

Adding a TAA (IOA) rule to exclusions

Viewing a TAA (IOA) rule added to exclusions

Removing a TAA (IOA) rule from exclusions
