- Kaspersky Anti Targeted Attack Platform Help
- Kaspersky Anti Targeted Attack Platform
- What's new
- About Kaspersky Threat Intelligence Portal
- Distribution kit
- Hardware and software requirements
- Requirements for Kaspersky Endpoint Agent
- Compatibility of Kaspersky Endpoint Agent (Endpoint Sensors) versions with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of the Kaspersky Endpoint Agent (Endpoint Sensors) component versions with Kaspersky Endpoint Security versions
- Compatibility of Kaspersky Endpoint Agent with other programs
- Limitations of the current version of the program
- About data provision
- Data of the Central Node and Sensor components
- Sandbox component data
- Data transmitted between program components
- Data of Kaspersky Endpoint Agent
- Data received from the Central Node component
- Data in fields of Windows Event Log events of Kaspersky Endpoint Agent
- Data in Kaspersky Endpoint Agent requests to Kaspersky Anti Targeted Attack Platform
- Service data of Kaspersky Endpoint Agent
- Data contained in Kaspersky Endpoint Agent trace files and dumps
- Data sent to Kaspersky if KSN and KMP Statements are accepted
- Data in alerts and events
- Data contained in task completion reports
- Data contained in an install log
- Data on files that are blocked from starting
- Data related to the performance of tasks
- Program licensing
- About the End User License Agreement
- About the license
- About the license certificate
- About the key
- About the key file
- Viewing information about the license and added keys
- Viewing the text of the End User License Agreement in the web interface of the Central Node
- Viewing the text of the Privacy Policy in the web interface of the Central Node
- Viewing information about the third-party code used in the program
- Viewing the text of the End User License Agreement in the web interface of the Sandbox
- Viewing the text of the End User License Agreement on a computer with Kaspersky Endpoint Agent
- Adding a key
- Replacing a key
- Removing a key
- Program modes based on the license
- Program architecture
- Operation of the program
- Distributed solution and multitenancy mode
- Distributed mode and multitenancy transition scenario
- Modifications of program settings for distributed solution mode and multitenancy
- Assigning the PCN role to a server
- Assigning the SCN role to a server
- Processing SCN to PCN connection requests
- Viewing information about organizations, PCN and SCN servers
- Adding an organization to the PCN server
- Removing an organization from the PCN server
- Renaming an organization on the PCN server
- Disconnecting an SCN from PCN
- Modifications of program settings for disconnecting an SCN from PCN
- Decommissioning an SCN server
- Sizing Guide
- Installing and performing initial configuration of the solution
- Preparing for installing program components
- Preparing the IT infrastructure for program components installation
- Preparing the IT infrastructure for integration with a mail server used for receiving messages via POP3
- Preparing the IT infrastructure for integration with a mail server used for receiving messages via SMTP
- Preparing the virtual machine for installing the Sandbox component
- Procedure for installing and configuring program components
- Installation: Sandbox component
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a disk for installing the Sandbox component
- Step 3. Assigning the host name
- Step 4. Selecting the management network interface in the list
- Step 5. Assigning the address and network mask of the controlling interface
- Step 6. Adding DNS server addresses
- Step 7. Configuring a static network route
- Step 8. Configuring the minimum password length for the Sandbox administrator password
- Step 9. Creating the Sandbox administrator account
- Installing and configuring the Central Node and Sensor components on the same server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a disk for installing the Central Node and Sensor components
- Step 3. Selecting a server role
- Step 4. Configuring the minimum password length for the administrator password
- Step 5. Creating an account for working in the administrator menu and in the server management console
- Step 6. Assigning the host name
- Step 7. Enabling a network interface for the first time
- Step 8. Assigning the address and subnet mask of the management interface
- Step 9. Configuring the default network route
- Step 10. Configuring DNS settings
- Step 11. Configuring proxy server connection settings
- Step 12. Setting the time zone
- Step 13. Configuring time synchronization with an NTP server
- Step 14. Configuring integration with the Sandbox component
- Step 15. Allocating the disk for the Targeted Attack Analyzer component's database
- Step 16. Creating an administrator account for the web interface of Kaspersky Anti Targeted Attack Platform
- Step 17. Configuring receipt of mirrored traffic from SPAN ports
- Step 18. Configuring integration with a proxy server via ICAP
- Step 19. Configuring integration with a mail server via POP3
- Step 20. Configuring integration with a mail server via SMTP
- Installing and configuring the Sensor component on a separate server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a disk for installing the Sensor component
- Step 3. Selecting a server role
- Step 4. Configuring the minimum password length for the administrator password
- Step 5. Creating an account for working in the administrator menu and in the server management console
- Step 6. Assigning the host name
- Step 7. Enabling a network interface for the first time
- Step 8. Assigning the address and subnet mask of the management interface
- Step 9. Configuring the default network route
- Step 10. Configuring DNS settings
- Step 11. Configuring proxy server connection settings
- Step 12. Setting the time zone
- Step 13. Configuring time synchronization with an NTP server
- Step 14. Connecting to the server with the Central Node component
- Step 15. Selecting the Central Node server as the source of Sensor component database updates
- Step 16. Configuring receipt of mirrored traffic from SPAN ports
- Step 17. Configuring integration with a proxy server via ICAP
- Step 18. Configuring integration with a mail server via POP3
- Step 19. Configuring integration with a mail server via SMTP
- Preparing for installing program components
- Configuring the integration of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent
- Configuring the trusted connection of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent
- Configuring the connection with the Central Node server without validating the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Configuring the connection with the Sensor server without validating the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Configuring the connection with the Central Node server with validation of the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Configuring the connection with the Sensor server with validation of the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Downloading the TLS certificate of the Central Node server
- Generating a TLS certificate for the Central Node server in the web interface of Kaspersky Anti Targeted Attack Platform
- Uploading an independently prepared TLS certificate for the Central Node server using the web interface of Kaspersky Anti Targeted Attack Platform.
- Uploading a TLS certificate of the Central Node server or Sensor to Kaspersky Endpoint Agent
- Enabling the validation of the Kaspersky Endpoint Agent TLS certificate in the web interface of Kaspersky Anti Targeted Attack Platform
- Generating a TLS certificate of Kaspersky Endpoint Agent in the web interface of Kaspersky Anti Targeted Attack Platform and downloading a cryptographic container
- Uploading an independently prepared TLS certificate of Kaspersky Endpoint Agent using the web interface of Kaspersky Anti Targeted Attack Platform.
- Viewing the table of Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
- Filtering and searching Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
- Deleting Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
- Configuring the validation of the Kaspersky Endpoint Agent TLS certificate by the Central Node server and uploading a cryptographic container to Kaspersky Endpoint Agent
- Configuring traffic redirection from Kaspersky Endpoint Agent to the Sensor server
- Generating a TLS certificate for the Sensor server in the administrator menu of the Sensor server
- Uploading an independently prepared TLS certificate for the Sensor server in the administrator menu of the Sensor server
- Downloading the TLS certificate of the Sensor server to your computer
- Configuring the integration and trusted connection with Kaspersky Anti Targeted Attack Platform on the Kaspersky Endpoint Agent side
- Configuring the trusted connection of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent
- Getting started with the program
- Managing accounts of program administrators and users
- Creating an administrator account for the program web interface
- Creating a user account for the program web interface
- Changing access rights of a program web interface user account
- Enabling and disabling an administrator account or user account of the program web interface
- Changing the password of a program administrator or user account
- Changing the password of your account
- Participation in Kaspersky Security Network and use of Kaspersky Private Security Network
- Managing the Sandbox component through the web interface
- Updating the Sandbox component databases
- Configuring connection between the Sandbox and Central Node components
- Configuring the Sandbox component network interfaces
- Updating the Sandbox system
- Setting the Sandbox system date and time
- Installing and configuring images of operating systems and software required for the operation of the Sandbox component
- Downloading ISO images of operating systems and software required for the operation of the Sandbox component
- Creating virtual machines with images of operating systems and software required for the operation of the Sandbox component
- Installing virtual machines with images of operating systems and software required for the operation of the Sandbox component
- Deleting all pending virtual machines
- Setting the maximum number of simultaneously running virtual machines
- Downloading the Sandbox system log to the hard drive
- Exporting Sandbox settings
- Importing Sandbox settings
- Restarting the Sandbox server
- Powering off the Sandbox server
- Changing the Sandbox administrator account password
- For an administrator: Getting started with the program web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Monitoring program operation
- About widgets and layouts
- Selecting an organization and a server to manage in the Dashboard section
- Adding a widget to the current layout
- Moving a widget in the current layout
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the period for displaying data in widgets
- Monitoring the receipt and processing of incoming data
- Monitoring the queues for data processing by program modules and components
- Monitoring the processing of data by the Sandbox component
- Viewing the working condition of modules and components of the program
- Managing Central Node, PCN, or SCN servers using the program web interface
- Configuring the date and time on the server
- Powering off and restarting the server
- Generating or uploading a TLS certificate of the server
- Downloading the TLS certificate of the server
- Assigning a server DNS name
- Configuring DNS settings
- Configuring settings of the network interface
- Configuring the default network route
- Configuring proxy server connection settings
- Managing the Sensor component
- Processing a connection request from the Sensor component
- Viewing the table of servers with the Sensor component
- Configuring the maximum size of a scanned file
- Configuring receipt of mirrored traffic from SPAN ports
- Configuring integration with a mail server via SMTP
- Configuring TLS encryption of connections with a mail server via SMTP
- Enabling integration with a proxy server via ICAP
- Configuring integration with a mail server via POP3
- Managing Kaspersky Endpoint Agent host information
- Selecting an organization to manage in the Endpoint Agents section
- Viewing the Kaspersky Endpoint Agent host table on a standalone Central Node server
- Viewing the Kaspersky Endpoint Agent host table in distributed solution and multitenancy mode
- Viewing information about a host
- Filtering and searching hosts with Kaspersky Endpoint Agent by host name
- Filtering and searching hosts with Kaspersky Endpoint Agent that have been isolated from the network
- Filtering and searching hosts with Kaspersky Endpoint Agent by PCN and SCN server names
- Filtering and searching hosts with Kaspersky Endpoint Agent by computer IP address
- Filtering and searching hosts with Kaspersky Endpoint Agent by operating system version on the computer
- Filtering and searching hosts with Kaspersky Endpoint Agent by Kaspersky Endpoint Agent version
- Filtering and searching hosts with Kaspersky Endpoint Agent based on their activity
- Quickly creating a filter for hosts with Kaspersky Endpoint Agent
- Resetting the hosts with Kaspersky Endpoint Agent filter
- Configuring activity indicators of Kaspersky Endpoint Agent
- Supported interpreters and processes
- Configuring integration with the Sandbox component
- Configuring integration with external systems
- Configuring integration with an SIEM system
- Enabling and disabling event logging to a local log
- Enabling and disabling event logging to a remote log
- Configuring the main settings for SIEM system integration
- Enabling and disabling TLS encryption of the connection with the SIEM system
- Uploading a TLS certificate
- Content and properties of syslog messages about alerts
- Configuring server settings for delivery of notifications
- Database Update
- Creating a list of passwords for archives
- For a security officer: Getting started with the program web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Selecting an organization to manage in the web interface of the program
- Monitoring program operation
- About widgets and layouts
- Adding a widget to the current layout
- Moving a widget in the current layout
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the period for displaying data in widgets
- Configuring the widget display scale
- Main principles of working with "Alerts" widgets
- Viewing the working condition of modules and components of the program
- Table of alerts
- Filtering, sorting, and searching alerts
- Filtering alerts by VIP status
- Filtering and searching alerts by time
- Filtering alerts by level of importance
- Filtering and searching alerts by categories of objects detected
- Filtering and searching alerts by obtained information
- Filtering and searching alerts by source address
- Filtering and searching alerts by destination address
- Filtering and searching alerts by server name
- Filtering and searching alerts by technology name
- Filtering and searching alerts by the status of their processing by the user
- Sorting alerts in the table
- Quickly creating an alert filter
- Clearing an alert filter
- Viewing alerts
- Viewing alert details
- General information about an alert of any type
- Information in the Object information section
- Information in the Alert information section
- Information in the Scan results section
- Information in the IDS rule section
- Information in the Network event section
- Scan results in Sandbox
- IOC scan results
- Information in the Hosts section
- Information in the Change log section
- Sending alert data
- Recommendations for processing alerts
- User actions performed on alerts
- Events database threat hunting
- Searching events in design mode
- Searching events in source code mode
- Changing the event search conditions
- Searching events by processing results in EPP programs
- Uploading an IOC file and searching for events based on conditions defined in the IOC file
- Creating a user-defined TAA (IOA) rule based on event search conditions
- Event information
- Viewing the table of events
- Viewing information about an event
- Information about events in the tree of events
- Recommendations for processing events
- Information about the "Process started" event
- Information about the "Module loaded" event
- Information about the "Remote connection" event
- Information about the "Prevention rule" event
- Information about the "Document blocked" event
- Information about the "File created" event
- Information about the "Windows log event" event
- Information about the "Changes in the registry" event
- Information about the "Port listened" event
- Information about the "Driver loaded" event
- Information about the "Alert" event
- Information about the "Alert processing result" event
- Information about the "Interpreted file run" event
- Information about the "Interactive command input at the console" event
- Managing Kaspersky Endpoint Agent host information
- Viewing the Kaspersky Endpoint Agent host table on a standalone Central Node server
- Viewing the Kaspersky Endpoint Agent host table in distributed solution and multitenancy mode
- Viewing information about a host
- Filtering and searching hosts with Kaspersky Endpoint Agent by host name
- Filtering and searching hosts with Kaspersky Endpoint Agent that have been isolated from the network
- Filtering and searching hosts with Kaspersky Endpoint Agent by PCN and SCN server names
- Filtering and searching hosts with Kaspersky Endpoint Agent by computer IP address
- Filtering and searching hosts with Kaspersky Endpoint Agent by operating system version on the computer
- Filtering and searching hosts with Kaspersky Endpoint Agent by Kaspersky Endpoint Agent version
- Filtering and searching hosts with Kaspersky Endpoint Agent based on their activity
- Quickly creating a filter for hosts with Kaspersky Endpoint Agent
- Resetting the hosts with Kaspersky Endpoint Agent filter
- Supported interpreters and processes
- Network isolation of Kaspersky Endpoint Agent hosts
- Managing tasks
- Viewing the task table
- Viewing information about a task
- Creating a process termination task
- Creating a program execution task
- Creating a file download task
- Creating a file deletion task
- Creating a file quarantine task
- Creating a quarantined file recovery task
- Creating a copy of a task
- Deleting tasks
- Filtering tasks by creation time
- Filtering tasks by type
- Filtering tasks by name
- Filtering tasks by file name and path
- Filtering tasks by description
- Filtering tasks by server name
- Filtering tasks based on the name of the user that created the task
- Filtering tasks by processing status
- Clearing a task filter
- Managing policies (prevention rules)
- Viewing the prevention rule table
- Viewing a prevention rule
- Creating a prevention rule
- Enabling and disabling a prevention rule
- Deleting prevention rules
- Filtering prevention rules by name
- Filtering prevention rules by type
- Filtering prevention rules by file hash
- Filtering prevention rules by server name
- Clearing a prevention rule filter
- Managing user-defined rules
- Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting
- Managing user-defined IOC rules
- Viewing the table of IOC files
- Viewing information about an IOC file
- Uploading an IOC file
- Downloading an IOC file to a computer
- Enabling and disabling the automatic use of an IOC file when scanning events
- Deleting an IOC file
- Searching for alerts in IOC scan results
- Searching for alerts using an IOC file
- Filtering and searching IOC files
- Clearing an IOC file filter
- Configuring an IOC scan schedule
- Managing user-defined TAA (IOA) rules
- Viewing the TAA (IOA) rule table
- Viewing the information of a user-defined TAA (IOA) rule
- Searching for alerts and events in which TAA (IOA) rules were triggered
- Filtering and searching TAA (IOA) rules
- Resetting the TAA (IOA) rule filter
- Creating a user-defined TAA (IOA) rule based on event search conditions
- Importing a user-defined TAA (IOA) rule
- Enabling and disabling TAA (IOA) rules
- Modifying a user-defined TAA (IOA) rule
- Deleting user-defined TAA (IOA) rules
- Managing user-defined IDS rules
- Importing a user-defined IDS rule
- Viewing the information of a user-defined IDS rule
- Enabling and disabling the use of an IDS rule when scanning events
- Configuring the importance of alerts generated by the user-defined IDS rule
- Replacing a user-defined IDS rule
- Downloading a user-defined IDS rule file to the computer
- Deleting a user-defined IDS rule
- Managing YARA rules
- Managing objects in Storage and Quarantine
- Viewing the table of objects that were placed in Storage
- Viewing information about an object manually placed in Storage
- Viewing information about an object placed in Storage by a task
- Downloading objects from Storage
- Uploading objects to Storage
- Sending objects in Storage for scanning
- Deleting objects from Storage
- Filtering objects in Storage by object type
- Filtering objects in Storage by object description
- Filtering objects in Storage based on scan results
- Filtering objects in Storage based on the name of Central Node, PCN, or SCN server
- Filtering objects in Storage by object source
- Filtering objects based on the time they were placed in Storage
- Clearing a Storage objects filter
- Viewing the table of objects quarantined on computers with Kaspersky Endpoint Agent
- Viewing information about a quarantined object
- Restoring an object from Quarantine
- Obtaining a copy of a quarantined object on a Kaspersky Anti Targeted Attack Platform server
- Removing information about the quarantined object from the table
- Filtering information about quarantined objects by object description
- Filtering information about quarantined objects by host name
- Filtering information about quarantined objects by time
- Resetting the filter for information about quarantined objects
- Managing reports
- Creating a template
- Creating a report based on a template
- Viewing the table of templates and reports
- Viewing a report
- Downloading a report to a local computer
- Editing a template
- Filtering templates by name
- Filtering templates based on the name of the user that created the template
- Filtering templates by creation time
- Clearing a template filter
- Deleting a template
- Filtering reports by creation time
- Filtering reports by name
- Filtering reports by the name of the server with the Central Node component
- Filtering reports based on the name of the user that created the report
- Clearing a report filter
- Deleting a report
- Sending notifications
- Viewing the table of rules for sending notifications
- Creating a rule for sending notifications about alerts
- Creating a rule for sending notifications about the operation of program components
- Enabling and disabling a rule for sending notifications
- Modifying a rule for sending notifications
- Deleting a rule for sending notifications
- Filtering and searching notification forwarding rules by rule type
- Filtering and searching notification forwarding rules based on the notification subject
- Filtering and searching notification forwarding rules by email address
- Filtering and searching notification forwarding rules based on their status
- Clearing a notification forwarding rule filter
- Managing rules for assigning the VIP status to alerts
- Adding a VIP status assignment rule
- Deleting a VIP status assignment rule
- Modifying a VIP status assignment rule
- Importing a list of VIP status assignment rules
- Exporting a list of VIP status assignment rules
- Filtering and searching by type of VIP status assignment rule
- Filtering and searching by value of VIP status assignment rule
- Filtering and searching by description of VIP status assignment rule
- Clearing a VIP status assignment rule filter
- Managing the white list of objects
- Managing IDS exclusions
- Managing TAA exclusions
- Creating a list of passwords for archives
- Managing Kaspersky Endpoint Agent
- Installing and uninstalling Kaspersky Endpoint Agent
- Preparing for Kaspersky Endpoint Agent installation
- Installing Kaspersky Endpoint Agent
- Installing Kaspersky Endpoint Agent using the Installation Wizard
- Updating Kaspersky Endpoint Agent from the previous version
- Repairing Kaspersky Endpoint Agent
- Changes in the system after Kaspersky Endpoint Agent installation
- Removing Kaspersky Endpoint Agent using the Installation and Uninstallation Wizard
- Installing, restoring and uninstalling the application using the command line
- Kaspersky Endpoint Agent activation
- Managing Kaspersky Endpoint Agent using Kaspersky Security Center Administration Console
- Managing Kaspersky Endpoint Agent policies
- Configuring Kaspersky Endpoint Agent settings
- Configuring Kaspersky Endpoint Agent security settings
- Configuring Kaspersky Endpoint Agent connection settings to a proxy server
- Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation
- Configuring KSN and KMP usage in Kaspersky Endpoint Agent
- Configuring the integration of Kaspersky Endpoint Agent with Kaspersky Sandbox
- Configuring Threat Response actions of Kaspersky Endpoint Agent to respond to threats detected by Kaspersky Sandbox
- Enabling and disabling Threat Response actions
- Adding Threat Response actions to the action list of the current policy
- Authentication for Threat Response group tasks on the Administration Server
- Device protection from legitimate applications that can be used by cybercriminals
- Configuring start of Autonomous IOC Scan tasks
- Configuring integration between Kaspersky Endpoint Agent and KATA Central Node
- Configure network isolation settings
- About network isolation in Kaspersky Endpoint Agent
- About managing network isolation in Kaspersky Endpoint Agent
- Enabling and disabling network isolation
- Enabling and disabling user notification about network isolation
- Configuring automatic disabling of network isolation
- Configuring exclusions from network isolation
- Configuring quarantine settings in Kaspersky Endpoint Agent
- Managing Kaspersky Endpoint Agent tasks
- Creating a local task
- Creating a group task
- Viewing the table of tasks
- Deleting a task from the list
- Starting the tasks manually
- Viewing task execution results
- Configuring the storage time for the task execution results on the Administration Server
- Managing Kaspersky Endpoint Agent activation tasks
- Managing Kaspersky Endpoint Agent database update tasks
- Managing IOC Scan tasks in Kaspersky Endpoint Agent
- Managing Kaspersky Endpoint Agent through command line interface
- Managing Kaspersky Endpoint Agent activation
- Configuring tracing
- Configuring creation of dump files
- Viewing information about quarantine settings and quarantined objects
- Actions on quarantined objects
- Managing Kaspersky Sandbox integration settings
- Managing integration settings with KATA Central Node component
- Running Kaspersky Endpoint Agent database and module update
- Starting, stopping and viewing the current application status
- Protecting the application with password
- Protecting application services with PPL technology
- Managing self-defense settings
- Managing event filtering
- Managing network isolation
- Managing Standard IOC Scan tasks
- Installing and uninstalling Kaspersky Endpoint Agent
- Creating a backup copy and restoring the program from backup
- Creating a backup copy of the program from the program administrator menu
- Downloading a file containing a backup copy of the program from the Central Node or PCN server to the hard drive of the computer
- Uploading a file containing a backup copy of the program from your computer to the Central Node server
- Restoring the program from a backup copy through the program administrator menu
- Creating a backup copy of the program in Technical Support Mode
- Restoring the program from a backup copy in Technical Support Mode
- Upgrading Kaspersky Anti Targeted Attack Platform
- Interaction with external systems via API
- Sources of information about the program
- Contacting the Technical Support Service
- Glossary
- Advanced persistent threat (APT)
- Alternate data stream
- Anti-Malware Engine
- Backdoor program
- Central Node
- Communication channel bandwidth
- CSRF attack
- Distributed solution
- Dump
- End User License Agreement
- ICAP data
- Intrusion Detection System
- IOA
- IOC
- IOC file
- Kaspersky Anti Targeted Attack Platform
- Kaspersky Endpoint Agent
- Kaspersky Private Security Network
- Kaspersky Secure Mail Gateway
- Kaspersky Security Network (KSN)
- Kaspersky Threat Intelligence Portal
- KATA
- KEDR
- Local reputation database of KPSN
- Malicious web addresses
- Mirrored traffic
- MITM attack
- MITRE technique
- Multitenancy
- New generation threats
- NTP server
- OpenIOC
- Phishing URL addresses
- Sandbox
- Sensor
- SIEM system
- Signature
- SPAN
- Syslog
- TAA (IOA) rule
- Targeted attack
- Targeted Attack Analyzer
- TLS encryption
- Tracing
- VIP status
- YARA
- YARA rules
- Zero-day attack
- Zero-day vulnerability
- Information about third-party code
- Trademark notices
For a security officer: Getting started with the program web interface > Event information > Information about the "Alert processing result" event
Information about the "Alert processing result" event
Information about the "Alert processing result" event
The window showing information about a Detect processing result type event contains the following details:
- Tree of events.
- On the Details tab, under Detect processing result:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered
MITRE techniqueas well as recommendations for reacting to the event.The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) database contains descriptions of hacker behavior based on the analysis of real attacks. It is a structured list of known hacker techniques represented as a table.
- Event time—Date and time of the event.
- Detect—Name of the detected object. Clicking the link with the object name opens a list in which you can select one of the following actions:
- Find events—Find all events in which this object was detected.
- View on KL TIP.
- Copy value to clipboard.
- Last action—Last action taken on the detected object.
- Host name—Name of the host on which the alert was generated.
- User name—User account used to complete the action taken on the detected object.
- Object type—Type of object (for example, a file).
- Object name—Full name of the file in which the object was detected.
- MD5—MD5 hash of the file in which the object was detected.
- SHA256—SHA256 hash of the file in which the object was detected.
- Detect mode—Scan mode in which the alert was generated.
- Record ID—ID of the record of the alert in the database.
- Databases version—Version of the database used to generate the alert.
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
- On the Details tab, under Parent process:
- File—Path to the parent process file.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- Process ID—Identifier of the parent process.
- Launch parameters—Parent process startup settings.
- On the History tab, in the table:
- Type is the type of the Detect processing result event.
- Description—Description of the event.
- Time is the date and time of the alert processing result.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on KL TIP.
Kaspersky information system Contains and displays reputation information for files and URL addresses.
- Find in Storage.
- Create a prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on KL TIP.
- Find on virustotal.com.
- Find in Storage.
- Create a prevention rule.
- Copy value to clipboard.
The Kaspersky Anti Targeted Attack Platform server generates a Detect processing result event based on data received from EPP programs. If EPP programs are not installed on the computer and are not integrated with the Endpoint Agent component, information about the Detect processing result event is not logged in the event database and is not displayed in the program web interface.
Article ID: 196888, Last review: Apr 22, 2022