Kaspersky Anti Targeted Attack Platform

Event chain scanning by Kaspersky TAA (IOA) rules

Some cyberattacks can be detected only by looking at a certain sequence of events. If the event chain scanning functionality is enabled, Kaspersky Anti Targeted Attack Platform marks events arriving at the Central Node server in accordance with Kaspersky TAA (IOA) rules and, when it detects a suspicious sequence of events, records an alert in the table of alerts.

You can view events marked by a Kaspersky TAA (IOA) rule either from the Alerts section or from the Threat Hunting section (see Viewing events marked by a Kaspersky TAA (IOA) rule).

Kaspersky TAA (IOA) rules cannot be edited. If you do not want the application to create alerts for events generated as part of host activity that is normal for your organization, you can add a TAA (IOA) rule to exclusions. Only one exclusion can be created per Kaspersky TAA (IOA) rule.

In

, you must enable the event chain scanning functionality on each Central Node server on which you want to use it. If the Central Node component is deployed as a cluster, you can enable the functionality on any server in the cluster.

Using TAA (IOA) rules that scan chains of events causes higher usage of system resources. If you encounter performance problems with the application, we recommend disabling this functionality.

Special considerations for displaying event chain information in widgets

The top 10 widgets display information only about events that triggered a TAA (IOA) rule. Widgets do not take into account events that occurred earlier and participate in the event chain, but did not trigger a rule. For this reason, the number of events reported by the widget may not match the number of events in the selection displayed when you click the link with the host name and the name of the TAA (IOA) rule.
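The following example, added here and not taken from Kaspersky Anti Targeted Attack Platform or its TAA (IOA) rule format, illustrates the three points above in code: how a chain rule marks every event of a matching sequence on one host and raises an alert only when the last step arrives, how a per-rule exclusion suppresses marking for hosts where the sequence is routine, and why a widget that counts only triggering events shows fewer events than the selection of all events marked by the rule. The rule name, the event fields, the host names and the sample events are constructed for the illustration and do not correspond to real rules or telemetry.

```python
"""Illustrative event-chain scanner (added example, not product code).

Rule names, event fields, hosts and events below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    ts: int                                      # seconds, constructed timeline
    host: str
    data: dict
    tags: Set[str] = field(default_factory=set)  # IOA tags assigned by chain rules


@dataclass
class ChainRule:
    name: str
    steps: List[Callable[[dict], bool]]          # ordered predicates, one per step
    window: int                                  # max seconds from first to last step


class ChainScanner:
    """Tracks one open partial chain per (rule, host); marks every event of a
    completed chain with the rule name and records an alert on the last step."""

    def __init__(self, rules: List[ChainRule],
                 exclusions: Optional[Dict[str, Set[str]]] = None):
        self.rules = rules
        self.exclusions = exclusions or {}       # rule name -> hosts excluded for it
        self.partial: Dict[Tuple[str, str], List[Event]] = {}
        self.alerts: List[dict] = []

    def feed(self, ev: Event) -> None:
        for rule in self.rules:
            if ev.host in self.exclusions.get(rule.name, set()):
                continue                         # routine on this host: never marked
            key = (rule.name, ev.host)
            chain = self.partial.get(key)
            if chain and ev.ts - chain[0].ts > rule.window:
                chain = None                     # partial chain expired; start over
                self.partial.pop(key, None)
            expected = rule.steps[len(chain) if chain else 0]
            if not expected(ev.data):
                continue                         # unrelated event; an open chain stays open
            chain = (chain or []) + [ev]
            if len(chain) < len(rule.steps):
                self.partial[key] = chain
                continue
            for e in chain:                      # every event in the chain gets the tag
                e.tags.add(rule.name)
            self.alerts.append({"rule": rule.name, "host": ev.host,
                                "triggered_by": ev, "chain": list(chain)})
            self.partial.pop(key, None)


# Hypothetical rule: remote interactive logon, then a service install, then an
# outbound connection, all on the same host within 10 minutes.
RULE = ChainRule(
    name="Chain.RemoteLogon_ServiceInstall_Outbound",   # hypothetical name
    steps=[
        lambda d: d["type"] == "logon" and d.get("logon_type") == "remote_interactive",
        lambda d: d["type"] == "service_install",
        lambda d: d["type"] == "network" and d.get("direction") == "out",
    ],
    window=600,
)


def sample_events() -> List[Event]:
    """Constructed telemetry for three hosts."""
    mk = lambda ts, host, **d: Event(ts, host, d)
    return [
        # ws-01: full sequence inside the window -> alert, three events marked
        mk(0,   "ws-01", type="logon", logon_type="remote_interactive", user="j.doe"),
        mk(120, "ws-01", type="service_install", service="UpdSvc"),
        mk(130, "ws-01", type="process", image="notepad.exe"),   # not part of the chain
        mk(300, "ws-01", type="network", direction="out", dst="203.0.113.5:443"),
        # jump-01: same sequence, but the host is excluded for this rule
        mk(0,   "jump-01", type="logon", logon_type="remote_interactive", user="admin"),
        mk(60,  "jump-01", type="service_install", service="Backup"),
        mk(90,  "jump-01", type="network", direction="out", dst="198.51.100.7:443"),
        # ws-02: second step arrives after the window has expired -> no alert
        mk(0,   "ws-02", type="logon", logon_type="remote_interactive", user="a.smith"),
        mk(700, "ws-02", type="service_install", service="Agent"),
        mk(800, "ws-02", type="network", direction="out", dst="192.0.2.9:80"),
    ]


def run_demo() -> Tuple[ChainScanner, List[Event]]:
    events = sample_events()
    scanner = ChainScanner([RULE], exclusions={RULE.name: {"jump-01"}})
    for ev in events:
        scanner.feed(ev)
    return scanner, events


def widget_count(scanner: ChainScanner, host: str, rule_name: str) -> int:
    """What a top-10 widget reports: only events that triggered the rule."""
    return sum(1 for a in scanner.alerts if a["host"] == host and a["rule"] == rule_name)


def selection_count(events: List[Event], host: str, rule_name: str) -> int:
    """What the linked event selection shows: every event marked by the rule."""
    return sum(1 for e in events if e.host == host and rule_name in e.tags)
```

Running `run_demo()` yields one alert, for ws-01, triggered by the network event; `widget_count` for that host and rule is 1 while `selection_count` is 3, which is the discrepancy described above. The excluded host and the host whose sequence overran the window get no alert and no marked events.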

[Topic 278966]

Enabling or disabling event chain scanning by Kaspersky TAA (IOA) rules

To enable or disable event chain scanning by Kaspersky TAA (IOA) rules:

  1. In the window of the application web interface, select the Settings section, Endpoint Agents subsection.
  2. Under Use TAA (IOA) rules for chains of events, do one of the following:
    • If you want to enable the functionality, set the Use rules for chains of events toggle switch to Enabled.
    • If you want to disable the functionality, set the Use rules for chains of events toggle switch to Disabled.

    This functionality is disabled by default.

Event chain scanning by Kaspersky TAA (IOA) rules is enabled or disabled.

[Topic 277403]

Viewing events marked by a Kaspersky TAA (IOA) rule

To view all events marked by the selected Kaspersky TAA (IOA) rule in the Alerts section:

  1. Select the Alerts section in the window of the application web interface.

    This opens the table of alerts.

  2. Click the link in the Technologies column to open the filter configuration window.
  3. In the drop-down list on the left, select Contain.
  4. In the drop-down list on the right, select the (TAA) Targeted Attack Analyzer technology.
  5. Click Apply.

    The table displays alerts generated by the TAA technology based on TAA (IOA) rules.

  6. Select an alert for which the Detected column displays the name of the relevant rule.

    This opens a window containing information about the alert.

  7. Under Scan results, click the link with the name of the rule.

    This opens the rule information window.

  8. In the rule information window, click Events.

A table of events matching the selected TAA (IOA) rule is displayed.

To view all events marked by the selected Kaspersky TAA (IOA) rule in the Threat Hunting section:

  1. Select the Threat Hunting section in the application web interface window.

    This opens the event search form.

  2. Define the search conditions and click the Search button. For example, you can select event search criteria in the TAA properties group in builder mode.

    The table of events that satisfy the search criteria is displayed.

  3. Select an event.
  4. To the right of the IOA tags setting, click the name of the rule.

    This opens the rule information window.

  5. In the rule information window, click Events.

A table of events matching the selected TAA (IOA) rule is displayed.

[Topic 278995]