Contents
- Managing user-defined rules
- Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting
- Managing user-defined TAA (IOA) rules
- Viewing the TAA (IOA) rule table
- Creating a TAA (IOA) rule based on event search conditions
- Importing TAA (IOA) rules
- Viewing custom TAA (IOA) rule details
- Searching for alerts and events in which TAA (IOA) rules were triggered
- Filtering and searching TAA (IOA) rules
- Resetting the TAA (IOA) rule filter
- Enabling and disabling TAA (IOA) rules
- Modifying a TAA (IOA) rule
- Deleting TAA (IOA) rules
- Managing user-defined IOC rules
- Viewing the table of IOC files
- Viewing information about an IOC file
- Uploading an IOC file
- Downloading an IOC file to a computer
- Enabling and disabling the automatic use of an IOC file when scanning hosts
- Deleting an IOC file
- Searching for alerts in IOC scan results
- Searching for events using an IOC file
- Filtering and searching IOC files
- Clearing an IOC file filter
- Configuring an IOC scan schedule
- Managing user-defined Intrusion Detection rules
- Managing user-defined YARA rules
Managing user-defined rules
For additional protection of the corporate IT infrastructure, you can configure TAA, IDS, IOC, and YARA custom rules.
Users with the Senior security officer role can work with custom TAA, IDS, IOC, and YARA rules: load and delete rule files, view lists of rules, and edit the selected rules.
Users with the Security auditor role can view the lists of custom TAA, IDS, IOC, and YARA rules and properties of selected rules without the possibility of editing.
Users with the Security officer role can view the lists of custom TAA, IOC, and YARA rules and properties of selected rules without the possibility of editing.
Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting
Kaspersky Anti Targeted Attack Platform uses two types of indicators for threat hunting: IOC (Indicator of Compromise) and IOA (Indicator of Attack).
An IOC is a set of data about a malicious object or malicious activity. Kaspersky Anti Targeted Attack Platform uses IOC files conforming to the OpenIOC standard, which is an open standard for describing indicators of compromise. IOC files contain a set of indicators that are compared to the indicators of an event. If the compared indicators match, the application considers the event to be a detection and creates an alert. The likelihood of an alert may increase if a scan detects exact matches between the data of an object and several IOC files.
An IOA (also referred to as a "TAA (IOA) rule") is a rule containing the description of a suspicious activity in the system that could be a sign of a targeted attack. Kaspersky Anti Targeted Attack Platform scans the Events database of the application and marks events or event chains that match behaviors described by TAA (IOA) rules. Streaming scan technology is used: events received from protected devices are scanned continuously in real time.
TAA (IOA) rules created by Kaspersky experts are used by the TAA (Targeted Attack Analyzer) technology and are updated alongside the application databases. They are not displayed in the interface of the application and cannot be edited.
You can add user-defined IOC and TAA (IOA) rules using IOC files in the OpenIOC format as well as create TAA (IOA) rules based on event database search conditions.
The following table contains a comparative analysis of indicators of compromise (IOC) and attack (IOA).
Comparison of IOC and IOA indicators

| Characteristic | IOC in user-defined IOC rules | IOA in user-defined TAA (IOA) rules | IOA in TAA (IOA) rules created by Kaspersky experts |
|---|---|---|---|
| Scan scope | Computers with the Endpoint Agent component | Application events database | Application events database |
| Scanning mechanism | Periodical scan | Streaming scan | Streaming scan |
| Can be added to exclusions from scan | No. | Not needed. Users with the Senior security officer role can edit the text of the indicator in custom TAA (IOA) rules as necessary. | Yes. |
If you are using the distributed solution and multitenancy mode, this section displays information for the selected tenant.
Managing user-defined TAA (IOA) rules
Custom TAA (IOA) rules are created based on event database search criteria. For example, if you want Kaspersky Anti Targeted Attack Platform to generate alerts for events when an application that you consider unsafe is started on computers with the Endpoint Agent component, you can:
- Generate a search query to the event database manually or upload an IOC file with indicators of compromise or a YAML file with a Sigma rule to detect this application.
When creating an IOC file, review the list of IOC terms that you can use to search for events in the Threat Hunting section. You can view the list of supported IOC terms by downloading the file from the link below.
IOC terms for searching events in the Threat Hunting section
- Create a custom TAA (IOA) rule based on event search conditions.
When Central Node server receives events matching the created TAA (IOA) rule, Kaspersky Anti Targeted Attack Platform generates alerts.
You can also create a TAA (IOA) rule based on conditions from an already loaded IOC file. To do so:
- Find events corresponding to the criteria of the selected file.
- Create a TAA (IOA) rule based on event search criteria from the selected file.
In distributed solution and multitenancy mode, TAA (IOA) rules can have one of the following types:
- Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the application web interface.
- Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the application web interface.
The differences between user rules and Kaspersky rules are summarized in the following table.
Comparison of TAA (IOA) rules

| Characteristic | User-defined TAA (IOA) rules | Kaspersky TAA (IOA) rules |
|---|---|---|
| Recommendations on responding to the event | No | Yes. You can view recommendations in |
| Correspondence to technique in | No | Yes. You can view the description of the |
| Display in the TAA (IOA) rule table | Yes | No |
| Ability to disable database lookup for this rule | | |
| Ability to delete or add the rule | You can delete or add a rule in the web interface of the application | Rules are updated together with application databases |
| Searching for alerts and events in which TAA (IOA) rules were triggered | Using Alerts and Events links in the TAA (IOA) rule information window | Using Alerts and Events links in the alert information window |
Users with the Senior security officer role can create, import, delete, enable or disable TAA (IOA) rules, and exclude Kaspersky TAA (IOA) rules from scanning. Users with the Security officer or Security auditor roles can use TAA (IOA) rules to search for signs of targeted attacks, infected and possibly infected objects in the database of events and alerts, and to view the TAA (IOA) rule table and TAA (IOA) rule information.
Viewing the TAA (IOA) rule table
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
The table of user-defined TAA (IOA) rules contains information about TAA (IOA) rules that are used to scan events and create alerts; the table is in the Custom rules section, TAA subsection of the application web interface window.
The table contains the following information:
- Importance level that is assigned to an alert generated using this TAA (IOA) rule. The importance level can have one of the following values:
- Low.
- Medium.
- High.
- Type is the type of the rule depending on the operating mode of the application and the role of the server which generated the rule:
- Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the application web interface.
- Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the application web interface.
- Confidence – level of confidence depending on the likelihood of false alarms caused by the rule:
- High.
- Medium.
- Low.
The higher the confidence, the lower the likelihood of false alarms.
- Name – name of the rule.
- Servers are names of servers with the PCN or SCN role to which the rule applies.
This column is displayed if you are using the distributed solution and multitenancy mode.
- Alerts – whether information on alerts is stored when an event from the database matches the criteria of the rule:
- Enabled – a record is created for the event in the alerts table with the Targeted Attack Analyzer (TAA) technology specified.
- Disabled – the event is not displayed in the alert table.
- State – usage status of the rule in event scans:
- Enabled – the rule is being used.
- Disabled – the rule is not being used.
Creating a TAA (IOA) rule based on event search conditions
To create a TAA (IOA) rule based on event search conditions:
- Select the Threat Hunting section in the application web interface window.
This opens the event search form.
- Perform an event search in builder mode or source code mode.
- Click Save as TAA (IOA) rule.
This opens the New TAA (IOA) rule window.
- In the Name field, type the name of the rule.
- Click Save.
The event search condition will be saved. In the TAA (IOA) rule table in the Custom rules section, TAA subsection of the web interface, the new rule is displayed with the specified name.
If you want to save event search conditions as a user-defined TAA (IOA) rule, avoid using the following fields:
- IOAId.
- IOATag.
- IOATechnique.
- IOATactics.
- IOAImportance.
- IOAConfidence.
At the time of saving the user-defined TAA (IOA) rule, the application may not have any events containing data for these fields. When events with this data turn up, the user-defined rule that you created earlier will be unable to mark events by these fields.
Users with the Security auditor and Security officer roles cannot create TAA (IOA) rules based on event search conditions.
Importing TAA (IOA) rules
You can import TAA (IOA) rules from an IOC file or a YAML file with a Sigma rule and use these to scan events and generate Targeted Attack Analyzer alerts.
To import a TAA (IOA) rule:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Click Import.
This opens the file selection window on your local computer.
- Select the file that you want to upload and click Open.
This opens the New TAA (IOA) rule window.
- Set the State toggle switch to Enabled if you want to enable the rule for scanning the event database.
- On the Details tab, in the Name field, enter the name of the rule.
- In the Description field, enter any additional information about the rule.
- In the Importance drop-down list, select the importance level to be assigned to alerts generated using this TAA (IOA) rule.
- Low.
- Medium.
- High.
- In the Confidence drop-down list, select the level of confidence of this rule based on your estimate:
- Low.
- Medium.
- High.
- Under Apply to, select check boxes corresponding to servers on which you want to apply the rule.
- On the Query tab, verify the defined search conditions. Make changes if necessary.
- Click Save.
The user-defined TAA (IOA) rule is imported into the application.
You can also add a TAA (IOA) rule by saving events database search conditions in the Threat Hunting section.
Viewing custom TAA (IOA) rule details
To display information about the TAA (IOA) rule:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the rule for which you want to view information.
This opens a window containing information about the rule.
The window contains the following information:
- Click the Alerts link to display the alert table in a new browser tab. The alerts are filtered by the Targeted Attack Analyzer technology and the name of the TAA (IOA) rule that you are working on.
- Click the Find events link to display the events table in a new browser tab. The table is filtered by rule name.
- Click the Run query link to display the events table in a new browser tab. The table is filtered by rule name. The event search conditions are populated with information from the TAA (IOA) rule that you are working on, for example:
EventType=Process started AND FileName CONTAINS <name of the rule you are working on>
You can edit the event search query.
- Click the IOA ID link to display the ID that the application assigns to each rule.
IDs cannot be modified. You can copy the ID by clicking the Copy value to clipboard button.
- State – use of the rule in events database scans.
The Details tab shows the following information:
- Name is the name of the rule that you specified when you added the rule.
- Description is any additional information about the rule that you specified.
- Importance is an estimate of the probable impact of the event on the security of computers or the corporate LAN as specified by the user when the rule was added.
- Confidence is the level of confidence depending on the likelihood of false alarms as defined by the user when the rule was added.
- Type is the type of the rule depending on the role of the server which generated it:
- Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the application web interface.
- Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the application web interface.
- Apply to – name of servers with the Central Node component on which the rule is applied.
The Query tab displays the source code of the query being checked. Click the Run query link in the upper part of the window to go to the Threat Hunting section and run an event search query.
Searching for alerts and events in which TAA (IOA) rules were triggered
To search and display alerts and events that were created by a user-defined TAA (IOA) rule triggering:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the rule for which you want to view the triggering result.
This opens a window containing information about the rule.
- Do one of the following:
- If you want to view alerts generated by the TAA (IOA) rule triggering, click Alerts to go to the alerts database.
The alert table is opened in a new browser tab.
- If you want to view events generated by the TAA (IOA) rule triggering, click Events to go to the events database.
The event table is opened in a new browser tab.
To search and display alerts and events that were created by a Kaspersky TAA (IOA) rule triggering:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the link in the Technologies column to open the filter configuration window.
- In the drop-down list on the left, select Contain.
- In the drop-down list on the right, select the (TAA) Targeted Attack Analyzer technology.
- Click Apply.
The table displays alerts generated by the TAA technology based on TAA (IOA) rules.
- Select an alert for which the Detected column displays the name of the relevant rule.
This opens a window containing information about the alert.
- Under Scan results, click the link with the name of the rule to open the rule information window.
- Do one of the following:
- If you want to view alerts generated by the TAA (IOA) rule triggering, click Alerts to go to the alerts database.
The alert table is opened in a new browser tab.
- If you want to view events generated by the TAA (IOA) rule triggering, click Events to go to the events database.
The event table is opened in a new browser tab.
Filtering and searching TAA (IOA) rules
To filter or search for TAA (IOA) rules by required criteria:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Depending on the filtering criterion, do the following:
The table displays only rules that match the specified criteria.
You can use multiple filters at the same time.
Resetting the TAA (IOA) rule filter
To clear a TAA (IOA) rule filter based on one or multiple filter conditions:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Click the button to the right of the heading of the rule table column for which you want to clear the filtering criteria.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table displays only rules that match the specified criteria.
Enabling and disabling TAA (IOA) rules
Users with the Senior security officer role can enable or disable one or several rules, as well as all rules at once.
To enable or disable the use of a TAA (IOA) rule when scanning events:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- In the row with the relevant rule, select or clear the check box in the State column.
The use of the rule when scanning events is enabled or disabled.
To enable or disable the use of all or multiple TAA (IOA) rules when scanning events:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the check boxes on the left of the rules whose use you want to enable or disable.
You can select all rules by selecting the check box in the row containing the headers of columns.
A control panel appears in the lower part of the window.
- Click Enable or Disable to enable or disable all rules.
The use of the selected rules when scanning events is enabled or disabled.
In distributed solution and multitenancy mode, you can manage only global TAA (IOA) rules on the PCN server. You can manage local TAA (IOA) rules on SCN servers of tenants to which you have access.
Users with the Security auditor and Security officer roles cannot enable or disable TAA (IOA) rules.
Modifying a TAA (IOA) rule
Users with the Senior security officer role can modify custom TAA (IOA) rules. Rules created by Kaspersky cannot be edited.
In distributed solution and multitenancy mode, you can edit only those TAA (IOA) rules that were created on the current server. Consequently, in the web interface of the PCN, you can edit only the rules that were created on the PCN. In the web interface of an SCN, you can edit only the rules that were created on the SCN.
To edit a TAA (IOA) rule:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the rule that you want to modify.
This opens a window containing information about the rule.
- Make the relevant changes.
- Click Save.
The rule settings are modified.
Users with the Security auditor and Security officer roles cannot modify TAA (IOA) rules based on event search conditions.
Deleting TAA (IOA) rules
Users with the Senior security officer role can delete one or more TAA (IOA) rules, or all rules at the same time.
In distributed solution and multitenancy mode, you can delete only those TAA (IOA) rules that were created on the current server. Consequently, in the web interface of the PCN, you can delete only the rules that were created on the PCN. In the web interface of an SCN, you can delete only the rules that were created on the SCN.
To delete a custom TAA (IOA) rule:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the rule that you want to delete.
This opens a window containing information about the rule.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The rule is deleted.
To delete all or multiple custom TAA (IOA) rules:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the check boxes on the left of the rules that you want to delete.
You can select all rules by selecting the check box in the row containing the headers of columns.
A control panel appears in the lower part of the window.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The selected rules will be deleted.
You cannot delete TAA (IOA) rules defined by Kaspersky. If you do not want to use a Kaspersky TAA (IOA) rule for scanning, add it to exclusions.
Users with the Security auditor and Security officer roles cannot modify TAA (IOA) rules based on event search conditions.
Managing user-defined IOC rules
You can use IOC files to search indicators of compromise in the event database and on computers with the Endpoint Agent component. For example, if you have received third-party information about a piece of malware currently spreading, you can:
- Create an IOC file with indicators of compromise for the malware and upload it to the web interface of Kaspersky Anti Targeted Attack Platform.
- Find events corresponding to the criteria of the selected IOC file.
You can view such events, and if you want Kaspersky Anti Targeted Attack Platform to generate alerts for the selected events, you can create a TAA (IOA) rule.
- Enable automatic use of the selected IOC file to search indicators of compromise on computers with the Endpoint Agent component.
- If, while scanning the computers, the Endpoint Agent component detects indicators of compromise, Kaspersky Anti Targeted Attack Platform generates an alert.
You can find these alerts in the table of alerts by filtering by technology name.
- Configure the schedule for searching for indicators of compromise using IOC files on computers with the Endpoint Agent component.
In distributed solution and multitenancy mode, IOC files can have the following types:
- Local—IOC files uploaded to an SCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the SCN server.
- Global—IOC files uploaded to the PCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the PCN server and all SCN servers connected to the PCN server.
An IOC file is a text file saved with the .ioc extension. When creating the IOC file, review the list of IOC terms supported by the application that you are using in the Endpoint Agent role. You can view the list of supported IOC terms by downloading the files from the links below.
Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Security for Windows
Kaspersky Endpoint Security 12 for Linux
Kaspersky Endpoint Security 11.4 for Linux and Kaspersky Endpoint Security for Mac do not support IOC files.
Example of an IOC file for finding a file by its hash
Each IOC file can contain only one rule. The rule can be of any complexity.
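The two paragraphs above describe the matching model for IOC files (a set of indicators compared against the indicators of an event, one rule per file, of any complexity) and name a hash-based file lookup as the typical example. The following is an added example, not code or an IOC file from Kaspersky Anti Targeted Attack Platform or its documentation: a minimal evaluator for an OpenIOC 1.0 file that enforces the one-rule-per-file constraint, walks the nested AND/OR indicator tree and matches it against event records. The IOC file, the hashes, the events and the convention that each event is a dictionary keyed by the OpenIOC search term (for example `FileItem/Md5sum`) are all constructed for illustration; the platform's actual event schema and supported IOC terms are not assumed.

```python
"""Minimal OpenIOC 1.0 evaluator (added example, not product code).

Parses one IOC file, checks that it contains exactly one top-level rule,
and evaluates the nested AND/OR indicator tree against event records.
Event records are constructed dictionaries keyed by the OpenIOC search
term; this keying is an assumption for the example only.
"""
import hashlib
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample content so the hashes in the IOC are derived, not invented.
SAMPLE_BYTES = b"constructed sample file contents"
SAMPLE_MD5 = hashlib.md5(SAMPLE_BYTES).hexdigest()
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_BYTES).hexdigest()

# Constructed OpenIOC 1.0 file: one rule that matches a file either by MD5,
# or by a file-name substring AND its SHA-1 hash. The ids are placeholders.
SAMPLE_IOC = """<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-0000-0000-000000000001" last-modified="2024-01-01T00:00:00">
  <short_description>Example: find a file by its hash</short_description>
  <description>Constructed example, not a real indicator.</description>
  <definition>
    <Indicator operator="OR" id="00000000-0000-0000-0000-000000000002">
      <IndicatorItem id="00000000-0000-0000-0000-000000000003" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">{md5}</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="00000000-0000-0000-0000-000000000004">
        <IndicatorItem id="00000000-0000-0000-0000-000000000005" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">evil</Content>
        </IndicatorItem>
        <IndicatorItem id="00000000-0000-0000-0000-000000000006" condition="is">
          <Context document="FileItem" search="FileItem/Sha1sum" type="mir"/>
          <Content type="sha1">{sha1}</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
""".format(md5=SAMPLE_MD5, sha1=SAMPLE_SHA1)

# Constructed event records. Hash values are compared case-insensitively.
SAMPLE_EVENTS = [
    {"id": "ev-1", "FileItem/FileName": "report.pdf",
     "FileItem/Md5sum": SAMPLE_MD5.upper(), "FileItem/Sha1sum": "0" * 40},
    {"id": "ev-2", "FileItem/FileName": "evil.exe",          # name matches, hash does not
     "FileItem/Md5sum": "1" * 32, "FileItem/Sha1sum": "2" * 40},
    {"id": "ev-3", "FileItem/FileName": "evil_dropper.dll",  # name AND sha1 match
     "FileItem/Md5sum": "3" * 32, "FileItem/Sha1sum": SAMPLE_SHA1},
    {"id": "ev-4", "FileItem/FileName": "notes.txt",
     "FileItem/Md5sum": "4" * 32, "FileItem/Sha1sum": "5" * 40},
]


def _item_matches(item, event):
    """Evaluate one IndicatorItem (term, condition, content) against an event."""
    term = item.find("ioc:Context", NS).get("search")
    expected = (item.find("ioc:Content", NS).text or "").strip().lower()
    actual = event.get(term)
    if actual is None:
        result = False  # event carries no value for this term: no match
    else:
        actual = str(actual).lower()
        cond = item.get("condition", "is")
        if cond == "is":
            result = actual == expected
        elif cond == "contains":
            result = expected in actual
        else:
            raise ValueError("unsupported condition: " + cond)
    if item.get("negate", "false").lower() == "true":
        result = not result
    return result


def _indicator_matches(node, event):
    """Recursively evaluate an Indicator node with an AND/OR operator."""
    op = node.get("operator", "OR").upper()
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]  # strip the XML namespace
        if tag == "IndicatorItem":
            results.append(_item_matches(child, event))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, event))
    if not results:
        return False
    return all(results) if op == "AND" else any(results)


def load_ioc(xml_text):
    """Parse an OpenIOC document and return its single top-level rule."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = root.find("ioc:definition", NS).findall("ioc:Indicator", NS)
    if len(rules) != 1:
        raise ValueError("an IOC file must contain exactly one rule")
    return rules[0]


def scan_events(rule, events):
    """Return the ids of events that match the rule, in input order."""
    return [ev["id"] for ev in events if _indicator_matches(rule, ev)]


if __name__ == "__main__":
    print(scan_events(load_ioc(SAMPLE_IOC), SAMPLE_EVENTS))
```

Only the `is` and `contains` conditions are implemented; other OpenIOC conditions raise rather than silently failing to match, so an unsupported term in a real file is visible instead of producing a false negative.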
Users with the Senior security officer role can import, delete, download IOC files to their computer, enable or disable the search of indicators of compromise using IOC files, as well as configure the schedule for searching indicators of compromise on computers with the Endpoint Agent component.
Users with the Security officer and Security auditor roles can view the list of IOC files and information about the selected file, and export IOC files to their computer.
Viewing the table of IOC files
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
The table of IOC files contains information about IOC files used for scanning on computers with the Endpoint Agent component installed; you can find the table in the Custom rules section, IOC subsection of the application web interface window.
The table of IOC files contains the following information:
- Importance level that will be assigned to an alert generated using this IOC file. The importance level can have one of the following values:
- Low importance.
- Medium importance.
- High importance.
- Type—Type of IOC file depending on the application operating mode and the server to which the IOC file was uploaded:
- Local—IOC files uploaded to an SCN server. These IOC files are used to search for indicators of compromise on hosts with the Endpoint Agent component connected to the SCN server.
- Global—IOC files uploaded to the PCN server. These IOC files are used to search for indicators of compromise on hosts with the Endpoint Agent component connected to the PCN server and all SCN servers connected to the PCN server.
- Name—Name of the IOC file.
- Servers are names of servers with the PCN or SCN role to which the rule applies.
This column is displayed if you are using the distributed solution and multitenancy mode.
- Autoscan—The IOC file is used when automatically scanning hosts with the Endpoint Agent component.
Host scanning using this IOC file can have one of the following statuses:
- Enabled
- Disabled
Viewing information about an IOC file
To view IOC file details:
- In the window of the application web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Select the IOC file for which you want to view information.
This opens a window containing information about the IOC file.
The window contains the following information:
- Clicking the Find alerts link opens the Alerts section with the filter condition populated with the name of your selected IOC file.
- Clicking the Find events link opens the Threat Hunting section with the search condition populated with indicators of compromise of your selected IOC file.
- Clicking the Download link opens the IOC file download window.
- Autoscan—The IOC file is used when automatically scanning hosts with the Endpoint Agent component.
- Name—Name of the IOC file.
- Importance—Importance level that must be assigned to an alert generated using this IOC file.
The importance level can have one of the following values:
— Low importance.
— Medium importance.
— High importance.
- Apply to—Displays the name of the tenant and the names of servers associated with events scanned based on this IOC file (in distributed solution and multitenancy mode).
- XML—Displays the IOC file contents in XML format.
Uploading an IOC file
IOC files having UserItem properties for domain users are not supported.
To upload an IOC file:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Click Import.
This opens the file selection window on your local computer.
- Select the file that you want to upload and click Open.
- Specify the following parameters:
- Autoscan—The IOC file is used when automatically scanning hosts with the Endpoint Agent component:
- Enabled
- Disabled
- Name—Name of the IOC file.
- Importance—Importance level that must be assigned to an alert generated using this IOC file:
- Low.
- Medium.
- High.
- Apply to—Name of the tenant and names of the servers which you want to scan using this IOC file (in distributed solution and multitenancy mode).
- Click Save.
The IOC file will be uploaded in XML format.
Downloading an IOC file to a computer
You can download a previously uploaded IOC file to a computer.
To download an IOC file:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Select the IOC file that you want to download.
This opens a window containing information about the IOC file.
- Depending on your browser settings, click the Download link to save the file to the default folder or specify a folder in which to save the file.
The IOC file is saved to your computer in the browser's downloads folder.
Enabling and disabling the automatic use of an IOC file when scanning hosts
You can enable or disable the automatic use of an IOC file for searching for indicators of compromise on hosts with the Endpoint Agent component.
To enable or disable the automatic use of an IOC file for searching for indicators of compromise on hosts with the Endpoint Agent component:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- In the row containing the IOC file whose use you want to enable or disable, in the State column, set the toggle switch to one of the following positions:
- Enabled
- Disabled
Automatic use of an IOC file for searching for indicators of compromise on hosts with the Endpoint Agent component is enabled or disabled.
Users with the Security auditor and Security officer roles cannot enable or disable automatic application of an IOC file.
Deleting an IOC file
To delete an IOC file:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Select the IOC file that you want to delete.
This opens a window containing information about the IOC file.
- Click Delete.
The IOC file will be deleted.
Users with the Security auditor and Security officer roles cannot delete IOC files.
Searching for alerts in IOC scan results
To find and view scan results for the selected IOC file:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Select the IOC file for which you want to view scan results.
This opens a window containing information about the IOC file.
- Go to the alert database by clicking Find alerts.
The alert table is opened in a new browser tab.
You can also view scan results for all IOC files by filtering alerts by technology name.
Searching for events using an IOC file
To view events found using an IOC file:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Select the IOC file to use for searching for events in the event database.
This opens a window containing information about the IOC file.
- Go to the event database by clicking Find events.
The event table is opened in a new browser tab.
Filtering and searching IOC files
To filter or search for IOC files by required criteria:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Depending on the filtering criterion, do the following:
The table of IOC files will display only IOC files that match the filter criteria you have set.
You can use multiple filters at the same time.
Clearing an IOC file filter
To clear the IOC file filter for one or more filtering criteria:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the IOC file table.
- Click the button to the right of the header of the IOC file table column for which you want to clear the filtering conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table of IOC files will display only IOC files that match the filter criteria you have set.
Configuring an IOC scan schedule
You can configure the schedule for searching for indicators of compromise using IOC files on hosts with the Endpoint Agent component.
Users with Security auditor and Security officer roles cannot configure the schedule for searching for indicators of compromise using IOC files.
To configure the schedule for searching for indicators of compromise using IOC files on hosts with the Endpoint Agent component:
- In the window of the application web interface, select the Settings section, Endpoint Agents subsection, IOC scanning schedule group of settings.
- In the Start time drop-down lists, select the start time of the indicator of compromise search. The time is specified in the time zone of the Central Node server on which you are performing the configuration.
If the Endpoint Agent gets the new scan schedule later than the time specified in the IOC scanning schedule, the next scan is initiated the next day at the specified time.
- In the Maximum scan duration drop-down list, select a time limit for completing the indicator of compromise search.
- Click Apply.
The new schedule for searching for indicators of compromise using IOC files on hosts with the Endpoint Agent component becomes active immediately after changes are saved. Results of the indicator of compromise search are displayed in the table of alerts.
Managing the search for indicators of compromise using IOC files is limited to the functionality provided by the web interface of Kaspersky Anti Targeted Attack Platform. No alternative ways of managing the search for indicators of compromise are provided.
If you are using Kaspersky Endpoint Security for Windows in the role of the Endpoint Agent component, make sure that the IOC files comply with the requirements. You must also take into account that when adding the RegistryItem data type to the IOC search scope, the application analyzes only certain registry keys.
For more details on the requirements for IOC files and the scanned registry keys, refer to the Online Help for Kaspersky Endpoint Security for Windows:
Managing user-defined Intrusion Detection rules
To detect intrusions in network traffic, you can use Intrusion Detection rules and additional Intrusion Detection methods that use built-in algorithms. When indicators of attacks are detected in traffic, Kaspersky Anti Targeted Attack Platform registers Intrusion Detection technology events.
A valid KATA or KATA + NDR license key is required to manage user-defined Intrusion Detection rules.
An Intrusion Detection rule describes a traffic anomaly that may signify an attack in the network. Rules contain conditions that the Intrusion Detection system uses to analyze traffic.
Intrusion Detection rules are applied if the Rule-based Intrusion Detection method is enabled. You can enable or disable the method.
You can use the following types of rule sets:
- System rule sets. These rule sets are supplied by Kaspersky and are designed to detect indicators of the most common attacks or unwanted network activity. System rule sets are available immediately after installing the application. You can update system rule sets by installing updates.
- User-defined rule sets. These are the rule sets that you upload yourself. The files you upload must contain data structures that define Intrusion Detection rules. Files that you want to upload must all be in the same directory, and they must have the .rules extension. The names of the custom rule sets match the names of the files from which the rule sets were uploaded.
User-defined Intrusion Detection rule sets are displayed in the Custom rules → Intrusion detection section.
The application supports up to 50,000 rules in total across all uploaded rule sets. You can upload up to 100 rule sets.
Rules loaded from user-defined rule sets may contain traffic analysis conditions that cause the application to register too many rule triggering events. In that case, you must keep in mind that registering too many events can impact the performance of the Intrusion Detection system.
Intrusion Detection rule sets can be enabled or disabled. Rules from an enabled rule set are applied when analyzing traffic if the Rule-based Intrusion Detection method is enabled. If a rule set is disabled, the rules in that rule set are not applied.
When a rule set is uploaded, the application checks the rules it contains. If any errors are found in the rules, the application blocks such rules and they are not applied. If errors are found in all rules of a rule set or the rule set does not contain any rules, the application disables such a rule set.
When conditions specified in a rule from an enabled set are detected in traffic, the application registers a rule triggering event. Events are registered with the system event types that have the following codes:
- 4000003000 for an event involving a rule from the system rule set being triggered
- 4000003001 for an event involving a rule from a user-defined rule set being triggered
User-defined rule sets can contain rules obtained from other intrusion detection and prevention systems. When processing such rules, the application does not perform the specified actions that apply to network packets (for example, the drop and reject actions). When an intrusion detection rule triggers, Kaspersky Anti Targeted Attack Platform only registers an event.
The values of Kaspersky Anti Targeted Attack Platform event scores correspond to the priority values in the intrusion detection rules (see the table below).
Correspondence between rule priorities and event scores
Priority values in intrusion detection rules | Kaspersky Anti Targeted Attack Platform event scores
---|---
4 or more | 2.5
3 | 4.5
2 | 6.5
1 | 9
You can configure the settings for registering Intrusion Detection events under Settings → Event types.
You can view Intrusion Detection events in the table of registered events.
Users with the Senior security officer role can upload, enable, and disable user-defined Intrusion Detection rule sets. Users with the Security auditor role can view user-defined detection rule sets. Users with the Security officer role do not have access to user-defined intrusion detection rules.
Additional Intrusion Detection methods
To detect intrusions, you can use the following additional methods:
- Detection of signs of falsified addresses in ARP packets (ARP spoofing).
If ARP spoofing detection is enabled, Kaspersky Anti Targeted Attack Platform checks the addresses specified in ARP packets and detects indicators of low-level man-in-the-middle (MITM) attacks. This type of attack in networks that use the ARP protocol is indicated by fake ARP messages being found in the traffic.
When indicators of ARP spoofing are detected, the application registers Intrusion Detection technology events. Events are registered with the system event types that have the following codes:
- 4000004001 for an event involving the detection of multiple ARP responses that are not associated with ARP requests
- 4000004002 for an event involving the detection of multiple ARP requests from the same MAC address to different recipients.
- TCP Protocol Anomaly Detection.
If TCP Protocol Anomaly Detection is enabled, Kaspersky Anti Targeted Attack Platform scans TCP segments of the data stream in supported application layer protocols.
When Kaspersky Anti Targeted Attack Platform detects packets containing overlapping TCP segments with different content, it registers an Intrusion Detection technology event. Events are registered with system event type code 4000002701.
- IP Protocol Anomaly Detection.
If IP protocol anomaly detection is enabled, Kaspersky Anti Targeted Attack Platform scans fragmented IP packets.
When IP packet assembly errors are detected, the application registers Intrusion Detection technology events. Events are registered with the system event types that have the following codes:
- 4000005100 for an event involving the detection of a data conflict during IP packet assembly (IP fragment overlapped)
- 4000005101 for an event involving the detection of an IP packet exceeding the maximum allowed size (IP fragment overrun)
- 4000005102 for an event involving the detection of an IP packet with the initial fragment smaller than expected (IP fragment too small)
- 4000005103 for an event involving the detection of mis-association of fragments of an IP packet (mis-associated fragments)
- Brute-force Attack and Scan Detection.
When Brute-force Attack and Scan Detection is enabled, Kaspersky Anti Targeted Attack Platform examines network activity statistics to detect indicators of brute force attacks, denial of service attacks, scanning, network service spoofing, and other anomalies.
This method uses built-in rules. When the rules are triggered, the application registers an Intrusion Detection technology event. Events are registered with system event type code 4000003002.
You can enable or disable methods. Additional Intrusion Detection methods can be applied regardless of whether Intrusion Detection rules exist or are enabled. Additional detection methods use built-in algorithms.
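As an added illustration of the two ARP spoofing indicators described above (example code, not the platform's own; its built-in algorithm and thresholds are not documented, so the thresholds, the time window and the sample traffic below are assumptions), the following Python applies the same two checks to constructed ARP records:

```python
"""Illustrative detectors for the two ARP spoofing indicators listed on this page:
4000004001 (ARP replies not associated with ARP requests) and 4000004002 (many ARP
requests from one MAC to different recipients). Added example, not Kaspersky code;
the platform's built-in algorithm and thresholds are undocumented, so the
thresholds and window below are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass

EVT_UNSOLICITED_REPLIES = 4000004001  # event type code from the page
EVT_REQUEST_FANOUT = 4000004002       # event type code from the page
UNSOLICITED_REPLY_THRESHOLD = 3       # assumption
REQUEST_FANOUT_THRESHOLD = 20         # assumption
WINDOW_SECONDS = 5.0                  # assumption: how long a request explains a reply


@dataclass(frozen=True)
class ArpPacket:
    ts: float
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str   # for a reply, the IP the sender claims to own
    target_ip: str   # for a request, the IP being resolved


def detect_arp_anomalies(packets):
    """Return [(event_code, sender_mac, detail)], at most one finding per code and MAC."""
    open_requests = defaultdict(deque)  # requested IP -> timestamps of unanswered requests
    unsolicited = defaultdict(int)      # sender MAC -> replies with no matching request
    fanout = defaultdict(dict)          # sender MAC -> {requested IP: last request ts}
    findings, reported = [], set()

    def report(code, mac, detail):
        if (code, mac) not in reported:
            reported.add((code, mac))
            findings.append((code, mac, detail))

    for p in sorted(packets, key=lambda x: x.ts):
        if p.op == "request":
            open_requests[p.target_ip].append(p.ts)
            targets = fanout[p.sender_mac]
            targets[p.target_ip] = p.ts
            for ip in [ip for ip, t in targets.items() if p.ts - t > WINDOW_SECONDS]:
                del targets[ip]  # only count recipients asked for within the window
            if len(targets) >= REQUEST_FANOUT_THRESHOLD:
                report(EVT_REQUEST_FANOUT, p.sender_mac,
                       f"{len(targets)} distinct recipients within {WINDOW_SECONDS}s")
        elif p.op == "reply":
            q = open_requests[p.sender_ip]
            while q and p.ts - q[0] > WINDOW_SECONDS:
                q.popleft()  # stale requests no longer explain a reply
            if q:
                q.popleft()  # this reply answers the oldest open request
                continue
            unsolicited[p.sender_mac] += 1
            if unsolicited[p.sender_mac] >= UNSOLICITED_REPLY_THRESHOLD:
                report(EVT_UNSOLICITED_REPLIES, p.sender_mac,
                       f"{unsolicited[p.sender_mac]} replies for {p.sender_ip} with no request")
    return findings


def constructed_sample():
    """Constructed ARP traffic: one normal exchange, then the two anomalies."""
    pk = [ArpPacket(0.0, "request", "aa:aa:aa:aa:aa:01", "10.0.0.5", "10.0.0.1"),
          ArpPacket(0.1, "reply", "aa:aa:aa:aa:aa:ff", "10.0.0.1", "10.0.0.5")]
    # a second MAC repeatedly answers for the gateway IP although nobody asked
    pk += [ArpPacket(1.0 + i, "reply", "bb:bb:bb:bb:bb:02", "10.0.0.1", "10.0.0.5")
           for i in range(4)]
    # one MAC resolves 25 different addresses within two seconds
    pk += [ArpPacket(10.0 + i * 0.08, "request", "cc:cc:cc:cc:cc:03", "10.0.0.9",
                     f"10.0.0.{20 + i}") for i in range(25)]
    return pk
```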
Enabling and disabling sets of Intrusion Detection rules
Intrusion Detection rule sets can be Enabled or Disabled. If a rule set is disabled, none of the rules in that rule set are used for intrusion detection.
When you enable or disable selected rule sets, the Intrusion Detection system is restarted on all computers that have application components (Central Node and Sensor) installed. A restart is necessary to apply the changes.
Only users with the Senior security officer role can change the status of Intrusion Detection rule sets.
To change the status of Intrusion Detection rule sets:
- In the window of the application web interface, select the Custom rules section, Intrusion detection subsection.
- Select the check boxes next to the rule sets whose status you want to change.
- Right-click to open the context menu.
- In the context menu, select one of the following commands:
- Enable if you want to enable all disabled sets of rules from among the selected rule sets.
- Disable if you want to disable all enabled sets of rules from among the selected rule sets.
- Change the statuses of selected rule sets if you want to invert the statuses of all selected rule sets. This option allows you to quickly enable and disable selected rule sets with different statuses on all computers with installed application components: to apply the changes, you only need one restart of the Intrusion Detection system on these computers.
- In the confirmation window, click OK.
The statuses of the intrusion detection rule sets are changed.
Loading and replacing user-defined sets of Intrusion Detection rules
You can upload Intrusion Detection rule sets from files into the application. To be uploaded to the application, files with Intrusion Detection rule descriptions must be located in the same folder and have the .rules extension. File names may not contain the following characters: \ / : * ? , " < > |
Intrusion Detection rules uploaded from a file are saved in the application as a user-defined rule set. The name of the rule set is the same as the name of the file from which the rule set was uploaded.
When rule sets are uploaded from files, current user-defined rule sets are deleted from the table and replaced with new rule sets.
Only users with the Senior security officer role can upload user-defined Intrusion Detection rule sets.
To upload and replace user-defined Intrusion Detection rule sets:
- In the window of the application web interface, select the Custom rules section, Intrusion detection subsection.
- In the toolbar, click the Replace all user-defined rules button.
- In the confirmation window, click OK.
This opens the file upload window.
- Select the folder that contains the files that you need and click the button to upload files from this folder.
The rule set table displays new user-defined rule sets. All rule sets without errors are enabled.
- Check the uploaded rule sets for errors.
Information about the detected errors is displayed in the Rules column. The OK status is displayed if there are no errors. If the rule set contains errors, you can view detailed information about them by clicking Details.
- If necessary, enable or disable the rule sets (including the rule sets that have the Errors in some rules status).
User-defined Intrusion Detection rule sets are uploaded.
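To check a folder of rule-set files against the constraints this page states (file names and the .rules extension, the 100-set and 50,000-rule limits, drop and reject actions that only register an event, and the priority-to-score table in the overview above) before clicking Replace all user-defined rules, here is an added Python example that is not part of the platform. It assumes Snort/Suricata-style rule syntax, and treating a rule without an explicit priority as priority 3 is an assumption:

```python
"""Pre-upload checks for user-defined Intrusion Detection rule sets (added example,
not Kaspersky code). Suricata/Snort-style rule syntax is an assumption; the limits,
forbidden characters and priority-to-score table are the ones stated on this page."""
import re
from dataclasses import dataclass, field
from pathlib import Path

FORBIDDEN_NAME_CHARS = set('\\/:*?,"<>|')     # characters the page forbids in file names
MAX_RULE_SETS, MAX_RULES_TOTAL = 100, 50_000  # page: limits per upload
UNENFORCED_ACTIONS = {"drop", "reject"}       # page: not performed, only an event is registered
DEFAULT_PRIORITY = 3                          # assumption: Suricata's default when absent

# Snort/Suricata-style rule: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|reject|pass|log)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)"
    r"\s+\S+\s+\S+\s*\((?P<options>.*)\)\s*$")
PRIORITY_RE = re.compile(r"(?:^|;)\s*priority\s*:\s*(\d+)\s*;")
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")


def event_score(priority: int) -> float:
    """Map a rule priority to the platform's event score, per the page's table."""
    if priority < 1:
        raise ValueError(f"priority must be >= 1, got {priority}")
    return 2.5 if priority >= 4 else {3: 4.5, 2: 6.5, 1: 9.0}[priority]


def check_file_name(name: str) -> list:
    """Return the page's file-name violations for one rule-set file."""
    problems = [] if name.endswith(".rules") else [f"{name}: must have the .rules extension"]
    bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
    if bad:
        problems.append(f"{name}: forbidden characters {''.join(bad)!r}")
    return problems


@dataclass
class RuleSetReport:
    name: str
    rules: list = field(default_factory=list)     # (sid, action, priority, score)
    errors: list = field(default_factory=list)    # rules the platform would block
    warnings: list = field(default_factory=list)  # actions that only register an event

    @property
    def status(self) -> str:
        # Mirrors the Rules column: OK, Errors in some rules, or the whole set disabled.
        if not self.rules:
            return "Disabled (no valid rules)"
        return "OK" if not self.errors else "Errors in some rules"


def check_rule_set(name: str, text: str) -> RuleSetReport:
    """Parse one rule-set file's text: one entry per valid rule, an error per blocked line."""
    report = RuleSetReport(name=name)
    lines = text.replace("\\\n", "").splitlines()  # join backslash continuations first
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        sid = SID_RE.search(m.group("options")) if m else None
        if not m or not sid:
            report.errors.append(f"{name}:{lineno}: unparsable rule or missing sid")
            continue
        pr = PRIORITY_RE.search(m.group("options"))
        priority = int(pr.group(1)) if pr else DEFAULT_PRIORITY
        if m.group("action") in UNENFORCED_ACTIONS:
            report.warnings.append(f"{name}:{lineno}: {m.group('action')} is not enforced; "
                                   "only event 4000003001 is registered")
        report.rules.append((int(sid.group(1)), m.group("action"), priority, event_score(priority)))
    return report


def check_folder(folder: Path) -> tuple:
    """Check every file in the upload folder; returns (reports, folder-level problems)."""
    reports, problems = [], []
    for path in sorted(p for p in folder.iterdir() if p.is_file()):
        problems += check_file_name(path.name)
        reports.append(check_rule_set(path.name, path.read_text("utf-8", errors="replace")))
    if len(reports) > MAX_RULE_SETS:
        problems.append(f"{len(reports)} rule sets exceed the limit of {MAX_RULE_SETS}")
    total = sum(len(r.rules) for r in reports)
    if total > MAX_RULES_TOTAL:
        problems.append(f"{total} rules exceed the limit of {MAX_RULES_TOTAL}")
    return reports, problems


# Constructed sample text, not a real rule set; the last line shows a rule the platform would block.
SAMPLE_RULES = """\
# comment and blank lines are skipped
alert tcp any any -> $HOME_NET 445 (msg:"SMB probe"; priority:2; sid:1000001; rev:1;)
drop tcp $HOME_NET any -> any 4444 (msg:"Unexpected outbound port"; priority:1; sid:1000002; rev:1;)
alert http any any -> any any (msg:"No explicit priority"; sid:1000003; rev:1;)
this line is not a rule
"""
```

Run `check_folder(Path("rules_to_upload"))` on the folder you intend to select in the upload window; a set whose status is not OK would be shown with errors in the Rules column after upload.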
Removing user-defined sets of Intrusion Detection rules
You can delete all user-defined Intrusion Detection rule sets that were uploaded into the application from files. Selecting which user-defined rule sets to delete is not possible. If you want to use only some of the current rule sets in the application, you can copy the files with these sets to a separate folder and replace all user-defined rule sets with rule sets from this folder.
Only users with the Senior security officer role can delete user-defined Intrusion Detection rule sets.
To delete user-defined Intrusion Detection rule sets:
- In the window of the application web interface, select the Custom rules section, Intrusion detection subsection.
- In the toolbar, click the Delete all user-defined rules button.
- In the confirmation window, click OK.
This opens a window for selecting the folder with Intrusion Detection rule files.
All user-defined Intrusion Detection rule sets are deleted from the table.
Managing user-defined YARA rules
You can use YARA rules as YARA module databases to scan files and objects received at the Central Node and to scan hosts with the Endpoint Agent component.
In distributed solution and multitenancy mode, custom YARA rules can have one of the following types:
- Global—Created on the PCN server. These rules are used to scan files and objects received at the PCN server and all SCN servers connected to that PCN server. Scanned files and objects belong to the tenant which the user is managing in the application web interface.
- Local—Created on the SCN server. These rules are used to scan files and objects received at the SCN server. Scanned files and objects belong to the tenant which the user is managing in the application web interface.
Users with the Senior security officer role can import a YARA rule file into Kaspersky Anti Targeted Attack Platform using the application web interface.
Users with the Security auditor and Security officer roles can only view YARA rules.
Viewing the YARA rule table
The table of user-defined YARA rules contains information about YARA rules that are used to scan files and objects and to create alerts; the table is displayed in the Custom rules section, YARA subsection of the application web interface window.
The table contains the following information:
- Created is the rule creation time.
- Importance is the alert importance for the Kaspersky Anti Targeted Attack Platform user, depending on the impact this alert may have on computer or corporate LAN security based on Kaspersky experience.
By default, alerts generated as a result of scanning by uploaded YARA rules are assigned a high importance.
- Type is the type of the rule depending on the operating mode of the application and the role of the server which generated the rule:
- Global—Created on the PCN server. These rules are used to scan files and objects received at the PCN server and all SCN servers connected to that PCN server. Scanned files and objects belong to the tenant which the user is managing in the application web interface.
- Local—Created on the SCN server. These rules are used to scan files and objects received at the SCN server. Scanned files and objects belong to the tenant which the user is managing in the application web interface.
- Name – name of the rule.
- File name is the name of the file from which the rule was imported.
- Created by is the name of the user whose account was used to import the rule.
- Servers is the name of the server with the PCN or SCN role to which the rule applies.
This column is displayed if you are using the distributed solution and multitenancy mode.
- Traffic scanning is the usage status of the rule when stream scanning files and objects arriving at the Central Node:
- Enabled – the rule is being used.
- Disabled – the rule is not being used.
Configuring YARA rule table display
You can show or hide columns and change the order of columns in the table.
To configure the table display:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- In the heading part of the table, click the icon.
This opens the Customize table window.
- If you want to show a column in the table, select the check box next to the name of the parameter that you want displayed in the table.
If you want to hide a parameter in the table, clear the check box.
At least one check box must be selected.
- If you want to change the order of columns in the table, move the mouse cursor to the row with the relevant parameter, click the icon and move the row to its new place.
- If you want to restore default table display settings, click Default.
- Click Apply.
The table display is configured.
Importing YARA rules
To import YARA rules:
- In the window of the program web interface, select the Custom rules section, YARA subsection.
- Click Upload.
This opens the file selection window.
- Select the YARA rule file that you want to upload and click Open.
This closes the file selection window and opens the Import YARA rules window.
The maximum allowed size of an uploaded file is 20 MB.
A report is displayed in the lower part of the window. The report contains the following information:
- The number of rules that can be successfully imported.
- The number of rules that will not be imported (if any).
For each rule that cannot be imported, its name is listed.
- Select the Traffic scanning check box if you want to use imported rules for streaming scans of objects and data received at the Central Node.
- If necessary, enter any additional information in the Description field.
The Importance field cannot be edited. By default, alerts generated by uploaded YARA rules are assigned a high level of importance.
- Under Apply to, select check boxes corresponding to servers on which you want to apply the rules.
This field is displayed only when you are using the distributed solution and multitenancy mode.
- Click Save.
Imported rules are displayed in the table of YARA rules.
Viewing YARA rule details
To view YARA rule details:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- Select the rule for which you want to view information.
This opens a window containing information about the rule.
The window contains the following information:
- Click the Alerts link to display the alert table in a new browser tab. The alerts are filtered by the Targeted Attack Analyzer technology and the name of the TAA (IOA) rule that you are working on.
- The Start YARA scan link opens the task creation window.
- The Download link lets you download a file with YARA rules.
- Rule name is the name of the rule specified in the file.
- Traffic scanning is the usage status of the rule when stream scanning files and objects arriving at the Central Node:
- Enabled – the rule is being used.
- Disabled – the rule is not being used.
- Type is the type of the rule depending on the role of the server which generated it:
- Global—Created on the PCN server. These rules are used to scan files and objects received at the PCN server and all SCN servers connected to that PCN server. Scanned files and objects belong to the tenant which the user is managing in the application web interface.
- Local—Created on the SCN server. These rules are used to scan files and objects received at the SCN server. Scanned files and objects belong to the tenant which the user is managing in the application web interface.
- Importance is the importance level assigned to the alert created as a result of scanning by this rule.
By default, alerts generated as a result of scanning by uploaded YARA rules are assigned a high importance.
- Description is any additional information about the rule that you specified.
- Apply to – name of servers with the Central Node component on which the rule is applied.
Filtering and searching YARA rules
To filter or search for YARA rules by required criteria:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- Depending on the filtering criterion, do the following:
The table displays only rules that match the specified criteria.
You can use multiple filters at the same time.
Clearing a YARA rule filter
To clear the YARA rule filter for one or more filtering criteria:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- Click the icon to the right of the column heading of the rule table for which you want to clear filtering criteria.
If you want to clear multiple filter conditions, take steps to clear each filter condition individually.
The selected filters are cleared.
The table displays only rules that match the specified criteria.
Enabling and disabling YARA rules
Users with the Senior security officer role can enable or disable one or several rules, as well as all rules at once.
When working in distributed solution and multitenancy mode, you can enable or disable only those YARA rules that were created on the current server. It means that in the web interface of the PCN, you can enable or disable only the rules that were created on the PCN server. In the web interface of an SCN, you can enable or disable only the rules that were created on the SCN server.
If YARA rules with identical names are enabled on the PCN and SCN servers, the PCN rule takes precedence over the SCN rule when scanning files and objects.
To enable or disable a YARA rule for stream scanning files and objects arriving at the Central Node:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- In the row with the relevant rule, select or clear the check box in the Traffic scanning column.
The rule is enabled or disabled for stream scanning files and objects arriving at the Central Node.
To enable or disable all or multiple YARA rules for stream scanning files and objects arriving at the Central Node:
- In the window of the program web interface, select the Custom rules section, YARA subsection.
- Select the check boxes on the left of the rules whose use you want to enable or disable.
You can select all rules by selecting the check box in the row containing the headers of columns.
A control panel appears in the lower part of the window.
- Click Enable or Disable to enable or disable all rules.
Selected rules are enabled or disabled for stream scanning files and objects arriving at the Central Node.
Deleting YARA rules
To delete a YARA rule:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- Select the rule that you want to delete.
This opens a window containing information about the rule.
- Click Delete.
This opens the action confirmation window.
- In that window, click Yes.
The rule is deleted.
To delete all or multiple YARA rules:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- Select the check boxes on the left of the rules that you want to delete.
You can select all rules by selecting the check box in the row containing the headers of columns.
A control panel appears in the lower part of the window.
- Click Delete.
This opens the action confirmation window.
- In that window, click Yes.
The selected rules will be deleted.
Users with the Security auditor and Security officer roles cannot delete YARA rules.