Kaspersky Industrial CyberSecurity for Networks

Viewing details of EDR incidents

March 22, 2024

ID 264579

EPP events may contain information on threat development chains received from Kaspersky Endpoint Agent. If a threat development chain has been built for an event, Kaspersky Industrial CyberSecurity for Networks treats that event as an Endpoint Detection and Response incident (EDR incident).

A threat development chain is a sequence of activity events on a device associated with a detected threat. A key activity event in the threat development chain is an activity event with a threat detection object. All other activity events in the chain (preceding and following the key activity event) are saved for further threat development analysis.

Information on the threat development chain is not necessarily added to an event at the moment the event is registered: the application can add it up to 10 hours after registration. The information is not added if the event already has the Resolved status.

EDR incidents are marked with the EDR icon in the event table. For each EDR incident, you can view information on the threat development chain in the details area. The information is displayed on the following tabs in the details area:

  • Activity event graph provides visual information about objects involved in the threat development chain. Activity events are represented as nodes on the graph. The nodes are located at different levels in accordance with the identified threat development process. The key activity event is located at the lowest level of the graph. This level can also display nodes that group other activity events by their types. Above this level, the application can display up to four levels with activity event nodes.
  • All activity events displays a table view of the information about all activity events included in the threat development chain and shown as nodes in the activity event graph.

When viewing the details of an EDR incident, you can determine the potential threat status by looking at the detection processing status. The application displays this status for the threat development chain. The background color for the status depends on the result of the threat detection object processing:

  • If a detected threat is considered eliminated after being processed (for example, an infected object has been disinfected by an EPP application), the application displays the detection processing status on a green background;
  • In all other cases, the detection processing status is displayed on a red background.

A key activity event in the activity event graph has the same color as the detection processing status.

If the detection processing status is displayed on a red background, you can prevent further development of a possible threat, for example, by triggering a response action in Kaspersky Industrial CyberSecurity for Networks.

Regardless of the displayed detection processing status, you must investigate the causes and possible consequences of every EDR incident that has occurred. A green status reflects only the result of processing the threat detection object; it says nothing about the other activity events in the chain.

You can view detailed information on activity events in the details windows that open when you select activity events. When viewing the details, you can use links with file and URL hashes to obtain information on the reputation of these objects on the Kaspersky Threat Intelligence Portal.

If the threat development chain contains activity events whose indicators you want EPP applications to look for during subsequent checks, you can export the data on these activity events to an IOC (indicator of compromise) file.
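The following is an added example, not code from Kaspersky Industrial CyberSecurity for Networks or Kaspersky Endpoint Agent. It models the two things described above in working Python: laying a threat development chain out by level as the activity event graph does (key event on the bottom level, other non-ancestor events grouped by type beside it, up to four ancestor levels above), and exporting the chain's file hashes and URLs to an IOC file. Everything the page does not state is an assumption: that activity events carry a parent reference, that exactly one event carries the detection object, that the IOC file is OpenIOC 1.0 XML, and all sample identifiers, hashes and the URL, which are constructed placeholders.

```python
import re
import uuid
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

MAX_LEVELS_ABOVE_KEY = 4                             # page: up to four levels above the key event
OPENIOC_NS = "http://schemas.mandiant.com/2010/ioc"   # assumed export format (OpenIOC 1.0)
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


@dataclass
class ActivityEvent:
    event_id: str
    event_type: str                   # "process", "file", "network", ...
    parent_id: Optional[str]          # event that caused this one (assumption, not from the page)
    detection: Optional[str] = None   # set only on the key activity event
    sha256: Optional[str] = None
    url: Optional[str] = None


# Constructed sample chain; identifiers, hashes and the URL are placeholders.
SAMPLE_EVENTS = [
    ActivityEvent("e1", "process", None),
    ActivityEvent("e2", "process", "e1"),
    ActivityEvent("e3", "process", "e2"),
    ActivityEvent("e4", "network", "e3", url="http://example.invalid/stage2"),
    ActivityEvent("e5", "file", "e3", detection="Sample.Detection", sha256="a" * 64),
    ActivityEvent("e6", "process", "e5"),
    ActivityEvent("e7", "file", "e6", sha256="b" * 64),
    ActivityEvent("e8", "process", "e1"),
]


def find_key_event(events):
    """The key activity event is the one carrying a threat detection object."""
    keys = [e for e in events if e.detection]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one key event, found {len(keys)}")
    return keys[0]


def build_graph_levels(events):
    """Level 0 is the bottom row: the key event plus one group node per type for
    events that are not its ancestors. Ancestors occupy levels 1..4 above it."""
    by_id = {e.event_id: e for e in events}
    key = find_key_event(events)
    levels = defaultdict(list)
    levels[0].append(key.event_id)
    placed = {key.event_id}
    cur, level = key, 0
    while cur.parent_id in by_id and level < MAX_LEVELS_ABOVE_KEY:
        cur = by_id[cur.parent_id]
        level += 1
        levels[level].append(cur.event_id)
        placed.add(cur.event_id)
    grouped = defaultdict(list)
    for e in events:
        if e.event_id not in placed:
            grouped[e.event_type].append(e.event_id)
    for etype in sorted(grouped):
        levels[0].append(f"{etype} x{len(grouped[etype])}")
    return dict(levels)


def _add_item(parent, document, search, ctype, value):
    item = ET.SubElement(parent, f"{{{OPENIOC_NS}}}IndicatorItem", {"condition": "is"})
    ET.SubElement(item, f"{{{OPENIOC_NS}}}Context",
                  {"document": document, "search": search, "type": "mir"})
    ET.SubElement(item, f"{{{OPENIOC_NS}}}Content", {"type": ctype}).text = value


def export_ioc(events, description):
    """Serialise the chain's SHA-256 hashes and URLs as an OR-joined OpenIOC 1.0
    document; duplicates are collapsed and malformed hashes are skipped."""
    ET.register_namespace("", OPENIOC_NS)
    root = ET.Element(f"{{{OPENIOC_NS}}}ioc", {"id": str(uuid.uuid4())})
    ET.SubElement(root, f"{{{OPENIOC_NS}}}short_description").text = description
    top = ET.SubElement(ET.SubElement(root, f"{{{OPENIOC_NS}}}definition"),
                        f"{{{OPENIOC_NS}}}Indicator", {"operator": "OR"})
    seen = set()
    for e in events:
        if e.sha256 and SHA256_RE.fullmatch(e.sha256) and e.sha256.lower() not in seen:
            seen.add(e.sha256.lower())
            _add_item(top, "FileItem", "FileItem/Sha256sum", "sha256", e.sha256.lower())
        if e.url and e.url not in seen:
            seen.add(e.url)
            _add_item(top, "UrlHistoryItem", "UrlHistoryItem/URL", "string", e.url)
    if not seen:
        raise ValueError("chain contains no exportable indicators")
    return ET.tostring(root, encoding="unicode")


def indicator_summary(xml_text):
    """Count indicators in an exported document by Content type."""
    root = ET.fromstring(xml_text)
    counts = defaultdict(int)
    for content in root.iter(f"{{{OPENIOC_NS}}}Content"):
        counts[content.get("type")] += 1
    return dict(counts)


if __name__ == "__main__":
    for level, nodes in sorted(build_graph_levels(SAMPLE_EVENTS).items(), reverse=True):
        print(f"level {level}: {nodes}")
    print(export_ioc(SAMPLE_EVENTS, "Constructed chain export"))
```

Before importing such a file into an EPP scan, check the indicators it contains: a hash from an event that precedes the key event (a legitimate parent process, for instance) will produce false positives on every host.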
