Viewing information about Endpoint Detection and Response alerts
You can view information about Endpoint Detection and Response alerts in a widget and a table. The widget shows up to 10 alerts and the table shows up to 1000 alerts.
If you have configured notifications about the IoC found events, sometimes you may be notified about a detected IoC before the respective alert is displayed inside Kaspersky Endpoint Security Cloud. This is because events occur when the IoC scan is still in progress, while an alert appears only after the scan ends.
Endpoint Detection and Response widget
To view the Endpoint Detection and Response widget:
- Open Kaspersky Endpoint Security Cloud Management Console.
- In the Information panel section, click the Monitoring tab.
- If Endpoint Detection and Response is disabled, start using the feature.
The widget displays the requested information.
From the displayed widget, you can proceed to the following:
- Properties of the device on which a detection occurred.
- Alert details, depending on the technology that detected the alert:
  - If the alert was detected by Endpoint Protection Platform (EPP)—threat development chain graph, to perform root-cause analysis of the attack and take response measures.
  - If the alert was detected by Indicators of Compromise Scan (IoC Scan)—objects that have been detected by using IoCs and automatic response measures that have been taken.
- Table with the Endpoint Detection and Response alerts.
Endpoint Detection and Response table
To view the table with the Endpoint Detection and Response alerts:
- Open Kaspersky Endpoint Security Cloud Management Console.
- Open the Endpoint Detection and Response alerts window in any of the following ways:
  - In the Information panel section, click the Monitoring tab, and then click the Go to the list of alerts link in the Endpoint Detection and Response widget.
  - Select the Security management → Endpoint Detection and Response section.
- If Endpoint Detection and Response is disabled, start using the feature.
The table displays the requested information.
- Filter the displayed records by selecting the required values in the drop-down lists:
  - Detected on
    The period over which alerts have occurred.
  - Status
    The status of alerts, depending on the technology that detected them:
    - If an alert was detected by EPP—whether the detected objects have been treated or untreated (deleted).
    - If an alert was detected by IoC scan—whether IoCs have been only detected or automatic response measures have been taken.
  - Technology
    The technology that detected alerts: EPP or IoC scan.
From the displayed table, you can proceed to the following:
- Properties of the device on which a detection occurred.
- Settings of the security profile that is assigned to the user who owns an affected device.
- Alert details, depending on the technology that detected the alert:
  - If the alert was detected by Endpoint Protection Platform (EPP)—threat development chain graph, to perform root-cause analysis of the attack and take response measures.
  - If the alert was detected by Indicators of Compromise Scan (IoC Scan)—objects that have been detected by using IoCs and automatic response measures that have been taken.
Also, you can export information about all of the current alerts to a CSV file.
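The same triage the console offers (filtering by Detected on, Status and Technology) can be repeated offline on the exported CSV, for example to hand a list of still-untreated EPP detections to the person who owns follow-up. The script below is an added example and not Kaspersky's code: the column names, timestamp format and status strings in the constructed sample export are assumptions based on the filter names shown in the console, and must be adjusted to whatever the real export contains.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export (NOT a real Kaspersky Endpoint Security Cloud file).
# Column names and status values are assumptions derived from the console's
# filter names; check the header row of an actual export before relying on them.
SAMPLE_CSV = """Detected on,Device,Technology,Status
2024-05-01T08:15:00Z,WS-0142,EPP,Treated
2024-05-01T09:40:00Z,WS-0077,IoC scan,Detected
2024-05-02T11:05:00Z,LT-0310,IoC scan,Response measures taken
2024-05-03T16:20:00Z,WS-0142,EPP,Untreated
2024-05-06T07:55:00Z,SRV-0009,EPP,Treated
"""


def parse_alerts(csv_text):
    """Parse the export into a list of dicts; 'Detected on' becomes an aware UTC datetime."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["Detected on"], "%Y-%m-%dT%H:%M:%SZ")
        row["Detected on"] = ts.replace(tzinfo=timezone.utc)
        alerts.append(row)
    return alerts


def filter_alerts(alerts, since=None, until=None, technology=None, status=None):
    """Apply the same three filters the console exposes; None means 'any value'."""
    selected = []
    for a in alerts:
        if since is not None and a["Detected on"] < since:
            continue
        if until is not None and a["Detected on"] > until:
            continue
        if technology is not None and a["Technology"] != technology:
            continue
        if status is not None and a["Status"] != status:
            continue
        selected.append(a)
    return selected


def summarize(alerts):
    """Count alerts per (technology, status) pair, the view a daily report usually needs."""
    return Counter((a["Technology"], a["Status"]) for a in alerts)


def untreated_epp_devices(alerts):
    """Devices that still have an EPP detection marked Untreated and need manual follow-up."""
    return sorted(
        {a["Device"] for a in alerts if a["Technology"] == "EPP" and a["Status"] == "Untreated"}
    )


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_CSV)
    since = datetime(2024, 5, 2, tzinfo=timezone.utc)
    recent_ioc = filter_alerts(alerts, since=since, technology="IoC scan")
    print(f"IoC scan alerts since {since:%Y-%m-%d}: {len(recent_ioc)}")
    for (tech, status), n in sorted(summarize(alerts).items()):
        print(f"{tech:8} {status:24} {n}")
    print("Untreated EPP devices:", ", ".join(untreated_epp_devices(alerts)))
```

Because the page notes that an IoC found event can be sent before the matching alert exists, a report built from this export should be generated after the IoC scan has finished; otherwise the counts for IoC scan will lag behind what notifications have already announced.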