Importing TAA (IOA) rules

You can import TAA (IOA) rules from an IOC file or a YAML file with a Sigma rule and use these to scan events and generate Targeted Attack Analyzer alerts.

To import a TAA (IOA) rule:

1. In the window of the application web interface, select the Custom rules section, TAA subsection.

   This opens the TAA (IOA) rule table.

2. Click Import.

   This opens the file selection window on your local computer.

3. Select the file that you want to upload and click Open.

   This opens the New TAA (IOA) rule window.

4. Set the State toggle switch to Enabled if you want to enable the rule for scanning the event database.
5. On the Details tab, in the Name field, enter the name of the rule.
6. In the Description field, enter any additional information about the rule.
7. In the Importance drop-down list, select the importance level to be assigned to alerts generated using this TAA (IOA) rule.
   • Low.
   • Medium.
   • High.
8. In the Confidence drop-down list, select the level of confidence of this rule based on your estimate:
   • Low.
   • Medium.
   • High.
9. Under Apply to, select check boxes corresponding to servers on which you want to apply the rule.
10. On the Query tab, verify the defined search conditions. Make changes if necessary.
11. Click Save.

The user-defined TAA (IOA) rule is imported into the application.

You can also add a TAA (IOA) rule by saving events database search conditions in the Threat Hunting section.