Kaspersky Unified Monitoring and Analysis Platform

Step 8. Investigation

April 8, 2024

ID 245880

This step includes viewing information about the assets, accounts, and alerts related to the incident in the incident information section.

Information about the impacted assets and accounts is displayed on the Related assets and Related users tabs in the incident information section.

Example

The analyst opens the information about the affected asset (Incidents → the relevant incident → Related alerts → the relevant alert → Related endpoints → the relevant asset). The asset information shows that the asset belongs to the Business impact/HIGH and Device type/Workstation categories, which are critical for the organization's IT infrastructure.

The asset information also includes the following useful data:

  • FQDN, IP address, and MAC address of the asset.
  • The time when the asset was created and the information was last updated.
  • The number of alerts associated with this asset.
  • The categories to which the asset belongs.
  • Asset vulnerabilities.
  • Information about the installed software.
  • Information about the hardware characteristics of the asset.

The analyst opens the information about the associated user account (Incidents → the relevant incident → Related alerts → link with the relevant alert → Related users → account).

The following account information may be useful:

  • User name.
  • Account name.
  • Email address.
  • Groups the account belongs to.
  • Password expiration date.
  • Password creation date.
  • Time of the last invalid password entry.
