Viewing the alert table
Kaspersky Anti Targeted Attack Platform processes data from the following sources:
- Mirrored traffic on the corporate LAN (HTTP, FTP, and DNS protocols).
- HTTP and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
- Copies of email messages received via the POP3 or SMTP protocol, as well as copies of email messages received from Kaspersky Secure Mail Gateway or Kaspersky Security for Linux Mail Server if they are being used in your organization.
- Information on running processes, active network connections, and modified files, which is received from individual computers belonging to the corporate IT infrastructure.
Kaspersky Anti Targeted Attack Platform uses a table of alerts to display the detected signs of targeted attacks and intrusions into the corporate IT infrastructure.
The table of alerts does not display information on objects which satisfy at least one of the following conditions:
- The object has reputation Trusted in the KSN database.
- The object is digitally signed by a trusted vendor:
- Kaspersky.
- Google.
- Apple.
- Microsoft.
Information about these alerts is saved in the program database (on the Central Node or SCN).
Information about alerts in the database is rotated every night when the maximum allowed number of alerts is reached:
- Alerts generated by the (IDS) Intrusion Detection System and (URL) URL Reputation components have a maximum of 100,000 alerts for each component.
- All other alerts have a maximum of 20,000 alerts for each module or component.
If you are using the and , rotation is performed on all SCNs and then synchronization with the PCN is performed. After synchronization, all deleted alerts are automatically deleted from the PCN.
The alerts table is in the Alerts section.
By default, this section displays information only on alerts that were not processed by users. To also display information on processed alerts, turn on the Processed switch in the upper-right corner of the window.
You can sort alerts in the table by Created or Updated, Importance, Source, and State columns.
The table of alerts contains the following information:
- VIP specifies if the alert has a status with special access rights. For example, alerts with the VIP status cannot be viewed by program users with the Security officer role.
- Created is the time when the program generated the alert, and Updated is the time when the alert was updated.
- —Alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this alert may have on computer or corporate LAN security based on Kaspersky experience.
Alerts can have one of the following importance levels:
- High, marked with the symbol—the alert has a high level of importance.
- Medium, marked with the symbol—the alert has a medium level of importance.
- Low, marked with the symbol—the alert has a low level of importance.
- Detected—One or multiple categories of detected objects. For example, when the program detects a file infected with the Trojan-Downloader.JS.Cryptoload.ad virus, the Detected—Field shows Trojan-Downloader.JS.Cryptoload.ad for this alert.
- Details—Brief summary of the alert. For example: the name of a detected file or URL address of a malicious link.
- Source—Address of the source of the detected object. For example, this can be the email address from which a malicious file was sent, or the URL from which a malicious file was downloaded.
- Destination—Destination address of a detected object. For example, this can be the email address of your organization's mail domain to which a malicious file was sent, or the IP address of a computer on your corporate LAN to which a malicious file was downloaded.
- Servers is the list of names of servers which created the alert. Servers belong to the tenant that you are managing in the program web interface. Information about servers is displayed only when you are working in distributed solution and multitenancy mode.
- Technologies—Names of the program modules or components that generated the alert.
The Technologies column may indicate the following program modules and components:
- (YARA) YARA.
- (SB) Sandbox.
- (URL) URL Reputation.
- (IDS) Intrusion Detection System.
- (AM) Anti-Malware Engine.
- (TAA) Targeted Attack Analyzer.
- (IOC) IOC.
- State—Alert status depending on whether or not this alert has been processed by the Kaspersky Anti Targeted Attack Platform user.
Alerts can have one of the following states:
- New for new alerts
- In process for alerts that are already being processed by Kaspersky Anti Targeted Attack Platform user
- Rescan for alerts resulting from a rescan of an object
This column also displays the user name to which the alert was assigned. For example, Administrator.
If information in table columns is displayed as a link, you can click the link to open a list in which you can select the action to perform on the object. Depending on the type of value of the cell, you can perform one of the following actions:
- Any type of cell value:
- Add to filter.
- Exclude from filter.
- Copy value to clipboard.
- MD5 hash:
- Add to filter.
- Exclude from filter.
- Find events.
- Find on TIP.
- Create prevention rule.
- Copy value to clipboard.
- SHA256 hash:
- Add to filter.
- Exclude from filter.
- Find events.
- Find on TIP.
- Create prevention rule.
- Copy value to clipboard.
- Destination IP address: Find events.
- Alert state:
- Assign to me.
- Close alert.
The Intrusion Detection System module consolidates information about processed network events in one alert when the following conditions are simultaneously met:
- The name of the triggered rule, version of program databases, and source all match for network events.
- No more than 24 hours elapsed between the events.
One alert is displayed for all network events that meet these conditions. The alert notification contains information only about the first network event.
Page top