Viewing a threat development chain graph

For each alert that Endpoint Detection and Response has detected using the Endpoint Protection Platform (EPP) technology and that is displayed on a widget or in a table, you can view a threat development chain graph.

A threat development chain graph is a tool for analyzing the root cause of an attack. The graph provides visual information about the objects involved in the attack, for example, processes on a managed device, network connections, or registry keys.

While analyzing the threat development chain graph, you may want to take manual response measures or fine-tune the Endpoint Detection and Response feature.

To view a threat development chain graph:

  1. Proceed to the Endpoint Detection and Response widget or table.
  2. In the line of the required alert, where the Technology column value is EPP, click Examine.

The Threat development chain graph window opens. The window contains a threat development chain graph and detailed information about the alert.

A threat development chain graph shows the following types of objects:

A graph is generated according to the following rules:

  1. The central point of a graph is a process that meets either of the following rules:
    • If the threat has been detected in a process, it is this process.
    • If the threat has been detected in a file, it is the process that created this file.
  2. For the process that is mentioned in rule 1, the graph shows up to two parent processes. A parent process is one that either started or modified a child process.
  3. For the process that is mentioned in rule 1, the graph shows all other related objects: created files, created and modified child processes, established network connections, and modified registry keys.
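As an added illustration, not the product's own code or data format, the following Python assembles the node set of such a graph from constructed device telemetry according to rules 1 to 3; the telemetry layout, process IDs, paths and the remote address are all assumptions.

```python
# Constructed telemetry for one managed device (hypothetical format, not the
# EDR product's own). Each process records the process that started it and,
# optionally, a process that modified it.
PROCESSES = {
    "p1": {"name": "explorer.exe", "parent": None, "modifier": None},
    "p2": {"name": "winword.exe", "parent": "p1", "modifier": None},
    "p3": {"name": "cmd.exe", "parent": "p2", "modifier": None},
    "p4": {"name": "powershell.exe", "parent": "p3", "modifier": None},
    "p5": {"name": "svchost.exe", "parent": "p1", "modifier": "p4"},
}
FILES = {"f1": {"path": "C:/Users/u/AppData/Local/Temp/x.dll", "created_by": "p4"}}
CONNECTIONS = [{"process": "p4", "remote": "198.51.100.7:443"}]  # constructed
REGISTRY = [{"process": "p4", "key": "HKCU/Software/Microsoft/Windows/CurrentVersion/Run"}]


def central_process(alert):
    """Rule 1: the flagged process itself, or the creator of the flagged file."""
    if alert["object_type"] == "process":
        return alert["object_id"]
    if alert["object_type"] == "file":
        return FILES[alert["object_id"]]["created_by"]
    raise ValueError(f"unsupported object type: {alert['object_type']}")


def parent_processes(pid, max_depth=2):
    """Rule 2: walk up the start chain, returning at most two parents."""
    parents = []
    while len(parents) < max_depth and PROCESSES[pid]["parent"] is not None:
        pid = PROCESSES[pid]["parent"]
        parents.append(pid)
    return parents


def build_chain_graph(alert):
    """Collect the objects the graph shows for one alert (rules 1 to 3)."""
    center = central_process(alert)
    return {
        "central": center,
        "parents": parent_processes(center),
        # Rule 3: child processes the central process started or modified.
        "children": sorted(p for p, rec in PROCESSES.items()
                           if center in (rec["parent"], rec["modifier"])),
        "files": sorted(f for f, rec in FILES.items() if rec["created_by"] == center),
        "connections": [c["remote"] for c in CONNECTIONS if c["process"] == center],
        "registry": [r["key"] for r in REGISTRY if r["process"] == center],
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(build_chain_graph({"object_type": "file", "object_id": "f1"}))
```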

When you click any object on a graph, the area below shows detailed information about the selected object.

When you click a link in the SHA256, MD5, IP address, or URL fields in the detailed information about a file, you are taken to the Kaspersky Threat Intelligence Portal (https://opentip.kaspersky.com/). The portal brings together all of the knowledge that Kaspersky has acquired about cyberthreats into a single web service. It allows you to check any suspicious threat indicator, whether it is a file, a file hash, an IP address, or a web address.
