Viewing a threat development chain graph

For each detection that has been made by Root-Cause Analysis and is displayed on a widget or in a table, you can view a threat development chain graph.

A threat development chain graph is a tool for analyzing the root cause of an attack. The graph provides visual information about the objects involved in the attack, for example, processes on a managed device, network connections, or registry keys.

To view a threat development chain graph:

  1. Proceed to the Root-Cause Analysis widget or table.
  2. In the required line, click Examine.

The Root-Cause Analysis detection details window opens. The window contains a threat development chain graph and detailed information about the detection.

A threat development chain graph shows the following types of objects:

A graph is generated according to the following rules:

  1. The central point of a graph is a process that meets either of the following rules:
    • If the threat has been detected in a process, it is this process.
    • If the threat has been detected in a file, it is the process that created this file.
  2. For the process that is mentioned in rule 1, the graph shows up to two parent processes. A parent process is the one that either generated or modified a child process.
  3. For the process that is mentioned in rule 1, the graph shows all other related objects: created files, created and modified child processes, established network connections, and modified registry keys.
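The three rules above, applied to a small set of constructed endpoint events, as an added example that is not Kaspersky's code (the event tuple layout, process IDs, paths and addresses are all assumed):

```python
# Added example (not Kaspersky's code): build a threat development chain graph
# from constructed telemetry using the three rules described on this page.
from collections import defaultdict

# Constructed sample events: (event_type, actor_pid, target). Pids are assumed.
EVENTS = [
    ("process_create", 1, 2),   # explorer-like shell (1) starts cmd (2)
    ("process_create", 2, 3),   # cmd (2) starts a script host (3)
    ("process_create", 3, 4),   # script host (3) starts child (4)
    ("process_modify", 3, 5),   # script host (3) modifies another process (5)
    ("file_create", 3, "C:\\Users\\u\\payload.exe"),
    ("net_connect", 3, "203.0.113.10:443"),
    ("reg_modify", 3, "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("file_create", 4, "C:\\Temp\\drop.dll"),
]

def build_chain_graph(events, detection):
    """detection is ("process", pid) or ("file", path); returns the graph as a dict."""
    # Rule 1: the central point is the detected process, or the creator of the detected file.
    if detection[0] == "process":
        central = detection[1]
    else:
        creators = [a for t, a, tgt in events if t == "file_create" and tgt == detection[1]]
        if not creators:
            raise ValueError("no process created the detected file")
        central = creators[0]
    # Rule 2: walk up to two parents; a parent either created or modified the child.
    # Assumption: the first recorded creator/modifier of a process is taken as its parent.
    parent_of = {}
    for t, a, tgt in events:
        if t in ("process_create", "process_modify"):
            parent_of.setdefault(tgt, a)
    parents, pid = [], central
    while len(parents) < 2 and pid in parent_of:
        pid = parent_of[pid]
        parents.append(pid)
    # Rule 3: every object the central process touched, grouped by object type.
    kinds = {"file_create": "files", "process_create": "child_processes",
             "process_modify": "child_processes", "net_connect": "connections",
             "reg_modify": "registry_keys"}
    related = defaultdict(list)
    for t, a, tgt in events:
        if a == central and t in kinds:
            related[kinds[t]].append(tgt)
    return {"central": central, "parents": parents, "related": dict(related)}
```

For a detection on the constructed payload file, the central point resolves to process 3, its parents to 2 and then 1, and the related objects to the file, the two child processes, the connection and the registry key.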

When you click any object on a graph, the area below shows detailed information about the selected object.

When you click a link in the SHA256, MD5, IP address, or URL fields in the detailed information about a file, you are taken to the Kaspersky Threat Intelligence Portal https://opentip.kaspersky.com/. The portal brings together all of the knowledge that Kaspersky has acquired about cyberthreats into a single web service. It allows you to check any suspicious threat indicator, whether it is a file, file hash, IP address, or web address.
