The web interface of Kaspersky Anti Targeted Attack Platform displays the following types of alerts that the user should keep track of:
A file has been downloaded or an attempt was made to download a file to a corporate LAN computer. The application detected this file in mirrored traffic on the organization's local network or in ICAP data of HTTP and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
A file has been sent to the email address of a user on the corporate LAN. The application detected this file in copies of email messages received via the POP3 or SMTP protocol, or received from the virtual machine or server with Kaspersky Secure Mail Gateway if it is being used in your organization.
A website link was opened on a corporate LAN computer. The application detected this website link in mirrored traffic on the organization's local network or in ICAP data of HTTP and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
Network activity has occurred in which the IP address or domain name of a corporate LAN computer was detected. The application detected this network activity in mirrored traffic on the organization's local network.
Processes have been started on a corporate LAN computer. The application detected the processes using the Endpoint Agent component installed on computers belonging to the corporate IT infrastructure.
If a file was detected, the following information may be displayed in the application web interface depending on which application modules or components generated the alert:
General information about the alert and the detected file (for example, the IP address of the computer on which the file was detected, and the name of the detected file).
Results of the virus scan of the file performed by AM Engine.
Results of scanning the file for signs of intrusion into the corporate IT infrastructure, performed by the YARA module.
Results of the file behavior analysis performed by the Sandbox component.
Results of analysis of APK executable files in the cloud infrastructure using machine learning technology.
If a website link was detected, the following information may be displayed in the application web interface depending on which application modules or components generated the alert:
General information about the alert and the detected website link (for example, the IP address of the computer on which the website link was detected, and the address of the website link).
Results of the link scan performed by the URL Reputation module for detecting of signs of malware, phishing URL addresses and URL addresses previously used by hackers for targeted attacks on the corporate IT infrastructure.
If the application detects network activity of the IP address or domain name of a computer on a corporate LAN, the application web interface may display the following information:
Details of the alert and detected network activity.
Results of web traffic scanning for signs of intrusion into the corporate IT infrastructure according to preset rules, performed by the Intrusion Detection System module (IDS).
Results of network activity scanning performed using Kaspersky TAA (IOA) rules.
Results of network activity scanning performed using TAA (IOA), IDS, IOC user rules.
If the application detects processes running on a corporate LAN computer where the Endpoint Agent component is installed, the application web interface can display the following information:
General information about the alert and processes running on the computer.
Results of network activity scanning performed for the computer using Kaspersky TAA (IOA) rules.
Results of network activity scanning performed for the computer using TAA (IOA), IOC user rules.
Alerts can be managed by users with the following roles: Security officer and Senior security officer. Users with the Security auditor role can view alerts.