Table of alerts

Kaspersky Anti Targeted Attack Platform processes data from the following sources:

Kaspersky Anti Targeted Attack Platform uses a table of alerts to display the detected signs of targeted attacks and intrusions into the corporate IT infrastructure.

The table of alerts does not display information on objects which satisfy at least one of the following conditions:

Information about these alerts is saved in the program database (on the Central Node or SCN).

Information about alerts in the database is rotated every night when the maximum allowed number of alerts is reached:

If you are using distributed solution and multitenancy mode, rotation is performed on all SCNs and then synchronization with the PCN is performed. After synchronization, all deleted alerts are automatically deleted from the PCN.

The alerts table is in the Alerts section.

By default, this section displays information only on alerts that were not processed by users. To also display information on processed alerts, turn on the Processed switch in the upper-right corner of the window.

You can sort alerts in the table by Created or Updated, Importance, Source, and State columns.

The table of alerts contains the following information:

  1. VIP specifies if the alert has a status with special access rights. For example, alerts with the VIP status cannot be viewed by program users with the Security officer role.
  2. Created is the time when the program generated the alert, and Updated is the time when the alert was updated.
  3. Apt_icon_Importance_new—Alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this alert may have on computer security or corporate LAN security based on Kaspersky experience.

    Alerts can have one of the following importance levels:

    • High, marked with the Apt_icon_importance_high symbol—the alert has a high level of importance.
    • Medium, marked with the Apt_icon_importance_medium symbol—the alert has a medium level of importance.
    • Low, marked with the Apt_icon_importance_low symbol—the alert has a low level of importance.
  4. Detected—One or multiple categories of detected objects. For example, when the program detects a file infected with the Trojan-Downloader.JS.Cryptoload.ad virus, the Detected—Field shows Trojan-Downloader.JS.Cryptoload.ad for this alert.
  5. Details—Brief summary of the alert. For example: the name of a detected file or URL address of a malicious link.
  6. Source—Address of the source of the detected object. For example, this can be the email address from which a malicious file was sent, or the URL from which a malicious file was downloaded.
  7. Destination—Destination address of a detected object. For example, this can be the email address of your organization's mail domain to which a malicious file was sent, or the IP address of a computer on your corporate LAN to which a malicious file was downloaded.
  8. Servers is the list of names of servers which created the alert. Servers belong to the organization you are managing in the program web interface. Information about servers is displayed only when you are working in distributed solution and multitenancy mode.
  9. Technologies—Names of the program modules or components that generated the alert.

    The Technologies column may indicate the following program modules and components:

    • (YARA) YARA.
    • (SB) Sandbox.
    • (URL) URL Reputation.
    • (IDS) Intrusion Detection System.
    • (AM) Anti-Malware Engine.
    • (TAA) Targeted Attack Analyzer.
    • (IOC) IOC.
  10. State—Alert status depending on whether or not this alert has been processed by the Kaspersky Anti Targeted Attack Platform user.

    Alerts can have one of the following states:

    • New—New alerts.
    • In process—Alerts that a user of Kaspersky Anti Targeted Attack Platform is already processing.
    • Rescan—Alerts resulting from a rescan of an object.

    This column also displays the user name to which the alert was assigned. For example, Administrator.

If information in table columns is displayed as a link, you can click the link to open a list in which you can select the action to perform on the object. Depending on the type of value of the cell, you can perform one of the following actions:

The Intrusion Detection System module consolidates information about processed network events in one alert when the following conditions are simultaneously met:

One alert is displayed for all network events that meet these conditions. The alert notification contains information only about the first network event.

Page top