Kaspersky Endpoint Agent

Exporting and importing Sigma rules of a custom collection

August 27, 2024

ID 271350

To export Sigma rules from a custom collection, or import Sigma rules into one:

  1. Do one of the following:
    • for a group of protected devices, open the application policy properties window.
    • for an individual protected device, open the application settings for the device.
  2. In the Anomaly Detection using Sigma rules section, select the check box next to the name of the custom collection that you want to export Sigma rules from or import Sigma rules into.
  3. Click Add.

    The Modifying the collection rules window opens.

  4. To export the Sigma rules of the selected custom collection, click Export.

    Kaspersky Endpoint Agent saves an archive named sigma.zip in the standard download folder.

  5. Import Sigma rules into a custom collection:
    1. Click Import.
    2. In the window that opens, select the ZIP archive that contains the YAML files with the described Sigma rules.
    3. Click Open.

      If a Sigma rule contains syntax errors or is missing mandatory attributes, that rule is not added to the collection.

      The Sigma rules accepted from the archive are displayed in the list of rules in the collection. Compare the number of rules displayed with the number of YAML files in the archive to find any rules that were rejected.

      If the archive contains Sigma rules that already exist in the collection, the existing rules are kept; they are not overwritten by the copies in the archive.

  6. Click OK.
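Because the import step silently drops rules that are missing mandatory attributes and skips rules that already exist in the collection, it is worth pre-flighting the archive before clicking Import. The script below is an added example written for this page, not Kaspersky code: it builds a ZIP with the same layout as sigma.zip (YAML rule files at the top level), then classifies each entry as accepted, rejected or duplicate. Assumptions, since the page does not specify them: the mandatory attributes are taken from the public Sigma specification (title, logsource, detection with a condition), duplicates are matched by rule id (falling back to title), and the check inspects top-level keys only rather than parsing the full YAML; a full syntax check would need PyYAML or pySigma. The sample rules and their UUIDs are constructed for the demonstration.

```python
import io
import re
import zipfile

# Top-level attributes the public Sigma specification requires. The page does not
# list which attributes the agent treats as mandatory, so this set is an assumption.
REQUIRED_KEYS = ("title", "logsource", "detection")
TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):", re.M)           # unindented "key:" lines
CONDITION = re.compile(r"^[ \t]+condition:", re.M)            # indented "condition:" line
SCALAR = re.compile(r"^(id|title):[ \t]*(.+?)[ \t]*$", re.M)  # top-level id / title values


def build_archive(rules):
    """Pack {filename: yaml_text} into an in-memory ZIP with the sigma.zip layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in rules.items():
            zf.writestr(name, text)
    return buf.getvalue()


def check_rule(text):
    """Return None when the mandatory attributes are present, else the reason."""
    keys = set(TOP_KEY.findall(text))
    missing = [k for k in REQUIRED_KEYS if k not in keys]
    if missing:
        return "missing mandatory attribute(s): " + ", ".join(missing)
    # Only checks that an indented condition line exists; it does not parse the
    # condition expression (use pySigma / PyYAML for a full syntax check).
    if not CONDITION.search(text):
        return "detection block has no condition"
    return None


def rule_key(text):
    """Duplicate identity: rule id, falling back to title (assumption; the page
    does not say how the agent matches duplicates)."""
    fields = {k: v.strip("\"'") for k, v in SCALAR.findall(text)}
    return fields.get("id") or fields.get("title")


def preflight(zip_bytes, existing_keys):
    """Classify each archive entry the way the import step would treat it."""
    report = {"accepted": [], "rejected": {}, "duplicates": []}
    seen = set(existing_keys)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".yml", ".yaml")):
                report["rejected"][name] = "not a YAML file"
                continue
            text = zf.read(name).decode("utf-8")
            reason = check_rule(text)
            if reason:
                report["rejected"][name] = reason
                continue
            key = rule_key(text)
            if key in seen:                      # already present: would not be overwritten
                report["duplicates"].append(name)
                continue
            seen.add(key)
            report["accepted"].append(name)
    return report


# Constructed sample rules for the demonstration; the ids are made-up UUIDs.
SAMPLE_RULES = {
    "proc_creation_win_powershell_download.yml": r"""title: PowerShell Download Cradle
id: 6f1c0e2a-1c3b-4b7e-9d2a-0a1b2c3d4e5f
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: 'DownloadString'
  condition: selection
""",
    "missing_logsource.yml": """title: Rule Without Logsource
detection:
  selection:
    EventID: 4688
  condition: selection
""",
    "no_condition.yml": """title: Rule Without Condition
logsource:
  product: windows
detection:
  selection:
    EventID: 4624
""",
    "already_in_collection.yml": """title: Local Admin Group Change
id: 4e7a9c2b-6d1f-4b3e-8a5c-2f1e0d9c8b7a
logsource:
  product: windows
detection:
  selection:
    EventID: 4732
  condition: selection
""",
    "README.txt": "Not a rule file.\n",
}


def demo():
    """Pre-flight the sample archive, assuming one rule id already exists in the collection."""
    return preflight(build_archive(SAMPLE_RULES), {"4e7a9c2b-6d1f-4b3e-8a5c-2f1e0d9c8b7a"})


if __name__ == "__main__":
    print(demo())
```

To use it against a real collection, export the collection first (step 4), read the ids out of the YAML files in the downloaded sigma.zip, and pass them as existing_keys so the report shows which rules in your new archive would be skipped as duplicates before you import.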