In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.
You can follow the following recommendations:
Under Qualifying, expand the Find similar alerts list.
A list of attributes is displayed that can be used to find similar alerts, and the number of similar alerts for each attribute.
Select one of the following attributes:
By MD5. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by theDetails column, the MD5 hash. The MD5 hash of the file from the alert you are working on is highlighted in yellow.
By SHA256. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by theDetails column, the SHA256 hash. The SHA256 hash of the file from the alert you are working on is highlighted in yellow.
By host name. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by theSource column. The host name from the alert you are working on is highlighted in yellow.
By sender address. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by theSource column. The sender address of the email message from the alert you are working on is highlighted in yellow.
By recipient address. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by theDestination column. The recipient address of the email message from the alert you are working on is highlighted in yellow.
By URL. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by theDetails column, the URL from the alert you are working on.
Under Qualifying, select Find similar events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the Scan: detect processing result event type is selected and a search filter is configured, for example, by RemoteIP, MD5, SHA256, URI. The filtering values are populated with the properties of the alert you are working on. For example, the MD5 hash of the file in the alert.
Kaspersky Endpoint Detection and Response. Functional block of the Kaspersky Anti Targeted Attack Platform program, which provides protection for the local area network of the organization.
Under Investigation, select Find similar events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, a search filter is configured, for example, by RemoteIP, MD5, SHA256, URI. The filtering values are populated with the properties of the alert you are working on. For example, the MD5 hash of the file in the alert.