Support

Support for business applications

Kaspersky Unified Monitoring and Analysis Platform

User guide

Example of incident investigation with KUMA

Step 5. False positive check

Kaspersky Unified Monitoring and Analysis Platform
Нет результатов
Knowledge Base Online Help
FAQ Solution overview Forum Contact support Product videos

Step 5. False positive check

April 8, 2024

ID 245873

Get as PDF

At this stage, make sure that the activity that triggered the correlation rule is abnormal for the organization IT infrastructure.

Example

At this step, the analyst checks whether the detected activity can be legitimate as part of normal system operation (for example, an update). The event information shows that a registry key was created under the user account using the reg.exe utility. A registry key was also created in the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hive, responsible for autorun of applications at user logon. Based on this information, one can surmise that the activity is not legitimate and the alarm is not false.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.