Viewing the table of events

The events table is displayed in the Threat Hunting section of the program web interface window after completion of the search for threats in the events database.

Events are grouped by hosts of the selected servers and organizations. The table of events contains the following information:

  1. Event time—Date and time when the event was detected.
  2. Event—Type of event.
  3. Host—Name of the computer on which the event was detected.
  4. Details—Information about the event.
  5. User name—Name of the user account on the computer with Kaspersky Endpoint Agent under which the event was detected.

Each type of event has its own type of cell value in the Details column of the events table (see the table below).

Correspondence of the types of cell values in the Details and Event columns

Process started
    Name of the process file that was started. SHA256 and MD5 hashes. Event importance.

Module loaded
    Name of the dynamic library that was loaded. SHA256 and MD5 hashes. Event importance.

Remote connection
    IP address or URL to which a remote connection attempt was made. Name of the file that attempted to establish the remote connection. Event importance.

Prevention rule
    Name of the application file that was blocked from starting. SHA256 and MD5 hashes. Event importance.

Document blocked
    Name of the document that was blocked from starting. SHA256 and MD5 hashes. Event importance.

File created
    Name of the created file. SHA256 and MD5 hashes. Event importance.

Windows Log event
    Event importance.

Registry modified
    Name of the registry key. <name of the value in the key>=<data of the value>. Event importance.

Port listened
    Server address and port. Name of the file of the process that is listening on the port. Event importance.

Driver loaded
    File name of the driver that was loaded. SHA256 and MD5 hashes. Event importance.

Detect
    Path to the detected file. SHA256 and MD5 hashes. Category of the detected object (for example, the name of a virus). Event importance.

Detect processing result
    Path to the detected file. SHA256 and MD5 hashes. Category of the detected object (for example, the name of a virus). Event importance.

Interpreted file run
    Event importance.

Console interactive input
    Event importance.
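The table above defines, per event type, which fields make up the Details cell. When analysts script against exported events rather than reading them in the web interface, the same mapping has to be reproduced in code, and the hash fields deserve a sanity check before they are used to pivot across hosts. The script below is an added example written for this page and is not Kaspersky code: the product's export format is not described here, so the record layout (time, event_type, host, user, details) and every sample record, host name, hash and path in it are constructed assumptions. It builds the five-column table grouped by host, rejects records whose SHA256 or MD5 is malformed, and collects the SHA256 values from the hash-bearing event types.

```python
"""Normalise Threat Hunting event records into the five-column events table.
Added example for this page, not Kaspersky code: the product's export format is
not described here, so the record layout and all sample values are constructed."""
import re
from collections import defaultdict

COLUMNS = ("Event time", "Event", "Host", "Details", "User name")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Event types whose Details cell carries a file name plus SHA256 and MD5 hashes,
# and those carrying only the importance, per the correspondence table on this page.
HASH_EVENTS = {"Process started", "Module loaded", "Prevention rule", "Document blocked",
               "File created", "Driver loaded", "Detect", "Detect processing result"}
IMPORTANCE_ONLY = {"Windows Log event", "Interpreted file run", "Console interactive input"}

# Constructed placeholders: the SHA256 and MD5 of the string "hello world".
SAMPLE_SHA256 = "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
SAMPLE_MD5 = "5eb63bbbe01eeed093cb22bb8f5acdc3"
TEMP_EXE = "C:\\Users\\j.doe\\AppData\\Local\\Temp\\update.exe"
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed sample records, deliberately out of time order; the last one has a
# truncated SHA256 so the validation path is exercised.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:02:11Z", "event_type": "Process started", "host": "WS-0417",
     "user": "CORP\\j.doe", "details": {"file": TEMP_EXE, "sha256": SAMPLE_SHA256,
                                         "md5": SAMPLE_MD5, "importance": "High"}},
    {"time": "2024-05-01T10:02:20Z", "event_type": "Registry modified", "host": "WS-0417",
     "user": "CORP\\j.doe", "details": {"key": RUN_KEY, "name": "Updater",
                                         "value": TEMP_EXE, "importance": "High"}},
    {"time": "2024-05-01T10:02:15Z", "event_type": "Remote connection", "host": "WS-0417",
     "user": "CORP\\j.doe", "details": {"remote": "203.0.113.7", "file": TEMP_EXE,
                                         "importance": "Medium"}},
    {"time": "2024-05-01T09:58:00Z", "event_type": "Port listened", "host": "SRV-DB01",
     "user": "NT AUTHORITY\\SYSTEM", "details": {"address": "0.0.0.0", "port": 4444,
                                                  "file": "nc.exe", "importance": "High"}},
    {"time": "2024-05-01T09:59:30Z", "event_type": "Module loaded", "host": "SRV-DB01",
     "user": "NT AUTHORITY\\SYSTEM", "details": {"file": "evil.dll", "sha256": "deadbeef",
                                                  "md5": SAMPLE_MD5, "importance": "Low"}},
]


def check_record(rec):
    """Problems found in one record (empty list means usable). A truncated or
    upper-case hash silently breaks the later pivot of searching other hosts
    for the same file, so it is rejected here rather than rendered."""
    d, problems = rec["details"], []
    if rec["event_type"] in HASH_EVENTS:
        if not SHA256_RE.match(d.get("sha256", "")):
            problems.append("bad or missing SHA256")
        if not MD5_RE.match(d.get("md5", "")):
            problems.append("bad or missing MD5")
    if "importance" not in d:
        problems.append("missing importance")
    return problems


def render_details(event_type, d):
    """Text of the Details cell, following the page's correspondence table."""
    if event_type in HASH_EVENTS:
        parts = [d["file"], f"SHA256 {d['sha256']}", f"MD5 {d['md5']}"]
        if event_type.startswith("Detect"):
            parts.append(d["category"])  # category of the detected object
    elif event_type == "Remote connection":
        parts = [d["remote"], d["file"]]
    elif event_type == "Registry modified":
        parts = [d["key"], f"{d['name']}={d['value']}"]
    elif event_type == "Port listened":
        parts = [f"{d['address']}:{d['port']}", d["file"]]
    elif event_type in IMPORTANCE_ONLY:
        parts = []
    else:
        raise ValueError(f"unknown event type: {event_type!r}")
    return "; ".join(parts + [f"importance={d['importance']}"])


def build_table(records):
    """Group usable records by host with each host's rows in event-time order.
    Returns ({host: [row, ...]}, [(record, problems), ...]); rows follow COLUMNS."""
    by_host, rejected = defaultdict(list), []
    for rec in records:
        problems = check_record(rec)
        if problems:
            rejected.append((rec, problems))
            continue
        by_host[rec["host"]].append((rec["time"], rec["event_type"], rec["host"],
                                     render_details(rec["event_type"], rec["details"]),
                                     rec["user"]))
    for rows in by_host.values():
        rows.sort(key=lambda row: row[0])  # ISO 8601 timestamps sort lexically
    return dict(by_host), rejected


def sha256_set(records):
    """SHA256 values of valid hash-bearing events: the pivot for asking where
    else the same file appeared."""
    return {r["details"]["sha256"] for r in records
            if r["event_type"] in HASH_EVENTS and not check_record(r)}
```

Calling build_table(SAMPLE_EVENTS) yields two hosts, with the three WS-0417 rows reordered by time and the Module loaded record on SRV-DB01 rejected for its truncated SHA256; sha256_set(SAMPLE_EVENTS) then contains only the one well-formed hash, which is the value you would feed back into a new search to find other hosts where the same file ran.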

Clicking a linked value in the table (the event type, data, additional information, or user name) opens a list from which you can select an action to perform on the object. Depending on the type of the cell value, you can perform one of the following actions:

See also

Event information

Viewing information about an event

Information about events in the tree of events

Recommendations for processing events

Information about the "Process started" event

Information about the "Module loaded" event

Information about the "Remote connection" event

Information about the "Prevention rule" event

Information about the "Document blocked" event

Information about the "File created" event

Information about the "Windows log event" event

Information about the "Changes in the registry" event

Information about the "Port listened" event

Information about the "Driver loaded" event

Information about the "Alert" event

Information about the "Alert processing result" event

Information about the "Interpreted file run" event

Information about the "Interactive command input at the console" event
