Viewing event details

Support

Support for business applications

Kaspersky Endpoint Detection and Response Expert

Threat hunting

Viewing event details

March 20, 2024

ID 221538

The event list contains details about the events. You can also open an event details window. The event details window provides all the information about the event.

To open event details:

In the main menu, go to MONITORING & REPORTING → THREAT HUNTING, and then run a query.
Click the table row with the event.

A window with details about the event opens.

Clicking a value in the event details or in the event table opens a context menu with a list of actions. For each value, the following actions are available:

Copy the value to the clipboard.
Add/remove the column to/from the event list.
Add the value to the query.
The event list will be filtered by this value.
Delete the value from the query.
Events will not be filtered by this field.
Create a new query with the value.

In addition, for the SID, UserName, IP, MD5, URL, and Domain object types, the following actions are available:

Find more information on Kaspersky Threat Intelligence Portal.
Kaspersky information system that contains and displays reputation information for files and URL addresses.
View related alerts.
Clicking the link opens a list of alerts that are related to the value of the selected event field. The list of alerts opens in the Alerts section.

To view a list of related alerts:
1. Go to MONITORING & REPORTING → THREAT HUNTING and run a query.
2. Open event details and click the value to open the context menu.
  You can also open the context menu by clicking the value in the event table.
3. In the context menu of the selected value, click Go to related alerts button.
A list of related alerts is displayed.

Viewing related alerts is available only for the objects of SID, UserName, IP, md5, URL, Domain data types.
View related incidents.
Clicking the link opens a list of incidents that are related to the value of the selected event field. The list of incidents opens in the Incidents section.

To view a list of related incidents:
1. Go to MONITORING & REPORTING → THREAT HUNTING and run a query.
2. Open event details and click the value to open the context menu.
  You can also open the context menu by clicking the value in the event table.
3. In the context menu of the selected value, click Go to related incidents button.
A list of related incidents is displayed.

Viewing related incident is available only for the objects of SID, UserName, IP, md5, URL, Domain data types.

The enrich.hunts.names field contains the names of the IOA rules that were triggered by the event. Clicking a link in this field opens a window with details about the triggered custom rule.

From the event details, you can view a tree of events by clicking the corresponding button.

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.