Kaspersky Anti Targeted Attack Platform

Recommendations for processing alerts

Information about alerts generated by the AM (Anti-Malware Engine), TAA (Targeted Attack Analyzer), SB (Sandbox), YARA, IOC, and IDS (Intrusion Detection System) technologies, displayed in the right part of the window, includes recommendations on processing these alerts.

To view information about an alert:

  1. Select the Alerts section in the window of the application web interface.

    This opens the table of alerts.

  2. Click the line containing the alert whose information you want to view.

This opens a window containing information about the alert.

In this section

Recommendations for processing AM alerts

Recommendations for processing TAA alerts

Recommendations for processing SB alerts

Recommendations for processing IOC alerts

Recommendations for processing YARA alerts

Recommendations for processing IDS alerts

[Topic 196721]

Recommendations for processing AM alerts

In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.

The following recommendations are available:

  • Under Qualifying, expand the Find similar alerts list.

    A list of attributes that can be used to find similar alerts is displayed, together with the number of similar alerts for each attribute.

    Select one of the following attributes:

    • By MD5. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Details column on the MD5 hash; the MD5 hash of the file from the alert you are working on is highlighted in yellow.
    • By SHA256. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Details column on the SHA256 hash; the SHA256 hash of the file from the alert you are working on is highlighted in yellow.
    • By host name. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Source column; the host name from the alert you are working on is highlighted in yellow.
    • By sender address. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Source column; the sender address of the email message from the alert you are working on is highlighted in yellow.
    • By recipient address. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Destination column; the recipient address of the email message from the alert you are working on is highlighted in yellow.
    • By URL. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Details column on the URL from the alert you are working on.
  • Under Qualifying, select Find similar EPP events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the Scan: detection processing result event type is selected and a search filter is configured, for example, by RemoteIP, MD5, SHA256, or URI. The filter values are populated from the properties of the alert you are working on, for example, the MD5 hash of the file in the alert.

    The action is only available if you are using KEDR functionality and a KEDR license key has been added.

  • Under Investigation, select Find similar events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, a search filter is configured, for example, by RemoteIP, MD5, SHA256, or URI. The filter values are populated from the properties of the alert you are working on, for example, the MD5 hash of the file in the alert. Unlike the EPP search above, this search is not restricted to one event type.

    The action is only available if you are using KEDR functionality and a KEDR license key has been added.

See also

Recommendations for processing alerts

Recommendations for processing TAA alerts

Recommendations for processing SB alerts

Recommendations for processing IOC alerts

Recommendations for processing YARA alerts

Recommendations for processing IDS alerts

[Topic 247616]

Recommendations for processing TAA alerts

In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.

The following recommendations are available:

  • Under Qualifying, expand the Find similar alerts list.

    A list of attributes that can be used to find similar alerts is displayed, together with the number of similar alerts for each attribute.

    Select one of the following attributes:

    • By rule name (TAA alerts). Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Detected and Technologies columns, that is, by the name of the TAA (IOA) rule that was used to create the alert and by the Targeted Attack Analyzer (TAA) technology.
    • By rule name (SB alerts). Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Detected and Technologies columns, that is, by the name of the TAA (IOA) rule that was used to create the alert and by the Sandbox (SB) technology.
  • Under Investigation, select Find similar events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, a search filter is configured, for example, by RemoteIP, MD5, SHA256, or URI. The filter values are populated from the properties of the alert you are working on, for example, the MD5 hash of the file in the alert.

    The action is only available if you are using KEDR functionality and a KEDR license key has been added.

See also

Recommendations for processing alerts

Recommendations for processing AM alerts

Recommendations for processing SB alerts

Recommendations for processing IOC alerts

Recommendations for processing YARA alerts

Recommendations for processing IDS alerts

[Topic 226319]

Recommendations for processing SB alerts

In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.

The following recommendations are available:

  • Under Qualifying, expand the Find similar alerts list.

    A list of attributes that can be used to find similar alerts is displayed, together with the number of similar alerts for each attribute.

    Select one of the following attributes:

    • By MD5. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Details column on the MD5 hash; the MD5 hash of the file from the alert you are working on is highlighted in yellow.
    • By SHA256. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Details column on the SHA256 hash; the SHA256 hash of the file from the alert you are working on is highlighted in yellow.
    • By host name. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Source column; the host name from the alert you are working on is highlighted in yellow.
    • By sender address. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Source column; the sender address of the email message from the alert you are working on is highlighted in yellow.
    • By recipient address. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Destination column; the recipient address of the email message from the alert you are working on is highlighted in yellow.
    • By URL. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Details column on the URL from the alert you are working on.
    • By URL from Sandbox. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Details column on the URL from the alert you are working on and on all URLs that the Sandbox component found to be relevant while the alert was processed.
  • Under Qualifying, select Find similar EPP events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the Scan: detection processing result event type is selected and a search filter is configured, for example, by RemoteIP, MD5, SHA256, or URI. The filter values are populated from the properties of the alert you are working on, for example, the MD5 hash of the file in the alert.

    The action is only available if you are using KEDR functionality and a KEDR license key has been added.

  • Under Investigation, select Find similar events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, a search filter is configured, for example, by RemoteIP, MD5, SHA256, or URI. The filter values are populated from the properties of the alert you are working on, for example, the MD5 hash of the file in the alert.

    The action is only available if you are using KEDR functionality and a KEDR license key has been added.

See also

Recommendations for processing alerts

Recommendations for processing AM alerts

Recommendations for processing TAA alerts

Recommendations for processing IOC alerts

Recommendations for processing YARA alerts

Recommendations for processing IDS alerts

[Topic 247618]

Recommendations for processing IOC alerts

In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts that have attributes in common with the alert you are working on.

The following recommendations are available:

  • Under Qualifying, select Find similar alerts by host name. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Source column; the host name from the alert you are working on is highlighted in yellow.
  • Under Qualifying, select Find similar alerts by IOC. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Detected column on the name of the IOC file from the alert you are working on.
  • In the Quick response section, select Isolate <host name>. This opens the network isolation rule creation window.

To create a host isolation rule, enter the following settings:

  1. In the Disable isolation after field, enter the time in hours (1 to 9999) during which network isolation of the host will remain active.
  2. In the Exclusions for the host isolation rule settings group, in the Traffic direction list, select the direction of network traffic that must not be blocked:
    • Incoming/Outgoing.
    • Incoming.
    • Outgoing.
  3. In the IP field, enter the IP address whose network traffic must not be blocked. Keep exclusions to what the host actually needs: every excluded address remains reachable from the isolated host.

    If Kaspersky Endpoint Agent is used in the role of the Endpoint Agent component, Kaspersky Endpoint Agent for Windows can connect to Kaspersky Anti Targeted Attack Platform through a proxy server. When you add this proxy server to exclusions, the network resources that are reached through it are effectively excluded as well. Exclusions for resources that are reached through the proxy server do not work unless the proxy server itself is excluded, because the isolated host's traffic is addressed to the proxy, not to the resource.

  4. If you selected Incoming or Outgoing, in the Ports field enter the connection ports.
  5. To add more than one exclusion, click Add and repeat the steps to fill in the Traffic direction, IP and Ports fields.
  6. Click Save.

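To see how the settings from steps 1 to 6 combine, including the proxy case from the note in step 3, the following Python model is an added example (not Kaspersky's code) that applies a rule with exclusions to sample connections. The class and field names, the matching order and the addresses are assumptions.

```python
"""Model of the host network isolation rule described above: isolation
lifetime in hours, exclusions by traffic direction, IP and ports, and the
proxy caveat.  Added example, not Kaspersky code; the matching semantics,
field names and addresses are assumptions drawn from the page's description."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Optional

# Labels as they appear in the Traffic direction list.
INCOMING, OUTGOING, BOTH = "Incoming", "Outgoing", "Incoming/Outgoing"

# Constructed reference time for the examples.
T0 = datetime(2024, 1, 1, 9, 0)


def at(hours: float) -> datetime:
    """T0 plus the given number of hours (test helper)."""
    return T0 + timedelta(hours=hours)


@dataclass(frozen=True)
class Exclusion:
    """One row of the Exclusions for the host isolation rule group."""
    direction: str
    ip: str
    ports: frozenset[int] = frozenset()  # only for Incoming/Outgoing; empty = any port

    def __post_init__(self) -> None:
        if self.direction not in (INCOMING, OUTGOING, BOTH):
            raise ValueError(f"unknown traffic direction {self.direction!r}")
        if self.direction == BOTH and self.ports:
            raise ValueError("Ports can only be set when Incoming or Outgoing is selected")
        ip_address(self.ip)  # reject malformed addresses when the rule is built

    def matches(self, direction: str, peer_ip: str, port: int) -> bool:
        if self.direction != BOTH and self.direction != direction:
            return False
        if ip_address(self.ip) != ip_address(peer_ip):
            return False
        return not self.ports or port in self.ports


@dataclass(frozen=True)
class Connection:
    """A flow the isolated host tries to open or accept."""
    direction: str
    ip: str    # the resource the host wants to reach
    port: int
    proxy: Optional[tuple[str, int]] = None  # (ip, port) of the proxy the agent uses, if any

    def wire_peer(self) -> tuple[str, int]:
        """The peer the isolation filter actually sees.  With a proxy every
        packet goes to the proxy, so the resource's own address never appears
        on the wire; this is why excluding only the resource does not work."""
        return self.proxy if self.proxy else (self.ip, self.port)


@dataclass
class IsolationRule:
    host: str
    disable_after_hours: int
    created_at: datetime
    exclusions: list[Exclusion] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.disable_after_hours <= 9999:
            raise ValueError("Disable isolation after must be between 1 and 9999 hours")

    def active_at(self, now: datetime) -> bool:
        return now < self.created_at + timedelta(hours=self.disable_after_hours)

    def allows(self, conn: Connection, now: datetime) -> bool:
        """True if the flow gets through: isolation has expired, or an
        exclusion matches the peer as seen on the wire."""
        if not self.active_at(now):
            return True
        peer_ip, peer_port = conn.wire_peer()
        return any(e.matches(conn.direction, peer_ip, peer_port) for e in self.exclusions)


def example_rule(created_at: datetime = T0) -> IsolationRule:
    """Constructed example: isolate a workstation for 24 hours, keep the proxy
    used by Kaspersky Endpoint Agent reachable, and allow inbound SSH from one
    jump host.  All addresses are made up."""
    return IsolationRule(
        host="ws-042.corp.example",
        disable_after_hours=24,
        created_at=created_at,
        exclusions=[
            Exclusion(OUTGOING, "10.0.0.1", frozenset({3128})),  # the proxy itself
            Exclusion(INCOMING, "10.0.0.50", frozenset({22})),   # jump host -> SSH
        ],
    )


if __name__ == "__main__":
    rule = example_rule()
    print(rule.allows(Connection(OUTGOING, "203.0.113.7", 443, proxy=("10.0.0.1", 3128)), at(1)))
```

Evaluate every exclusion against the on-wire peer, as the model does: a resource that the agent reaches through the proxy is covered only by the proxy's exclusion, and an exclusion for the resource's own address matches nothing while the proxy is in use.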
See also

Recommendations for processing alerts

Recommendations for processing AM alerts

Recommendations for processing TAA alerts

Recommendations for processing SB alerts

Recommendations for processing YARA alerts

Recommendations for processing IDS alerts

[Topic 247619]

Recommendations for processing YARA alerts

In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.

The following recommendations are available:

  • Under Qualifying, expand the Find similar alerts list.

    A list of attributes that can be used to find similar alerts is displayed, together with the number of similar alerts for each attribute.

    Select one of the following attributes:

    • By MD5. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Details column on the MD5 hash; the MD5 hash of the file from the alert you are working on is highlighted in yellow.
    • By SHA256. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Details column on the SHA256 hash; the SHA256 hash of the file from the alert you are working on is highlighted in yellow.
    • By host name. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Source column; the host name from the alert you are working on is highlighted in yellow.
    • By sender address. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Source column; the sender address of the email message from the alert you are working on is highlighted in yellow.
    • By recipient address. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Destination column; the recipient address of the email message from the alert you are working on is highlighted in yellow.
    • By URL. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Details column on the URL from the alert you are working on.
  • Under Qualifying, select Find similar EPP events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the Scan: detection processing result event type is selected and a search filter is configured, for example, by RemoteIP, MD5, SHA256, or URI. The filter values are populated from the properties of the alert you are working on, for example, the MD5 hash of the file in the alert.

    The action is only available if you are using KEDR functionality and a KEDR license key has been added.

  • Under Investigation, select Find similar events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, a search filter is configured, for example, by RemoteIP, MD5, SHA256, or URI. The filter values are populated from the properties of the alert you are working on, for example, the MD5 hash of the file in the alert.

    The action is only available if you are using KEDR functionality and a KEDR license key has been added.

  • In the Quick response section, select Isolate <host name>. This opens the network isolation rule creation window; the rule settings are described under Recommendations for processing IOC alerts.

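The Find similar alerts pivots and the Find similar events filters described for AM, SB and YARA alerts above can be reproduced over exported alert records. The following Python model is an added example, not code from Kaspersky or from the product: the Alert fields, the case-insensitive comparison of hashes and names, the exclusion of the current alert from the counts, and the sample alerts themselves are assumptions and constructed data.

```python
"""Pivoting on alert attributes the way the Find similar alerts list and the
Find similar events links do.  Added example, not Kaspersky code; the alert
records are constructed sample data and the field names are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Alert:
    id: int
    technology: str                   # AM, SB, TAA, YARA, IOC or IDS
    host: Optional[str] = None        # Source column for endpoint alerts
    sender: Optional[str] = None      # Source column for mail alerts
    recipient: Optional[str] = None   # Destination column for mail alerts
    remote_ip: Optional[str] = None   # Source column for IDS alerts
    md5: Optional[str] = None         # Details column
    sha256: Optional[str] = None      # Details column
    url: Optional[str] = None         # Details column


def _lower(value: Optional[str]) -> Optional[str]:
    return value.lower() if value else None


# Pivot label -> (table column the filter applies to, value extractor).
# Hashes, host names and mail addresses are compared case-insensitively
# (assumption; the real UI may compare exactly); URLs are compared verbatim.
PIVOTS: dict[str, tuple[str, Callable[[Alert], Optional[str]]]] = {
    "By MD5":               ("Details",     lambda a: _lower(a.md5)),
    "By SHA256":            ("Details",     lambda a: _lower(a.sha256)),
    "By host name":         ("Source",      lambda a: _lower(a.host)),
    "By sender address":    ("Source",      lambda a: _lower(a.sender)),
    "By recipient address": ("Destination", lambda a: _lower(a.recipient)),
    "By IP address":        ("Source",      lambda a: a.remote_ip),
    "By URL":               ("Details",     lambda a: a.url),
}


def find_similar(current: Alert, alerts: list[Alert], by: str) -> list[Alert]:
    """The filtered Alerts table for one pivot.  The current alert is included,
    as it is the row the UI highlights; an alert without the attribute yields
    an empty table."""
    _column, extract = PIVOTS[by]
    value = extract(current)
    if value is None:
        return []
    return [a for a in alerts if extract(a) == value]


def similar_alert_counts(current: Alert, alerts: list[Alert]) -> dict[str, int]:
    """Per-attribute counts as shown in the Find similar alerts list.  Pivots
    the alert has no value for are omitted; the current alert itself is not
    counted (assumption)."""
    counts: dict[str, int] = {}
    for label in PIVOTS:
        matches = find_similar(current, alerts, label)
        if matches:
            counts[label] = len([a for a in matches if a.id != current.id])
    return counts


def threat_hunting_filter(alert: Alert, epp_only: bool = False) -> dict[str, str]:
    """Search criteria the Find similar events link pre-populates: RemoteIP,
    MD5, SHA256 and URI taken from the alert, plus the Scan: detection
    processing result event type for the EPP variant."""
    criteria = {"RemoteIP": alert.remote_ip, "MD5": alert.md5,
                "SHA256": alert.sha256, "URI": alert.url}
    populated = {k: v for k, v in criteria.items() if v}
    if epp_only:
        populated["EventType"] = "Scan: detection processing result"
    return populated


# Constructed sample alerts: hashes, hosts, addresses and URL are made up.
H1 = "0a1b2c3d4e5f60718293a4b5c6d7e8f9"
S1 = H1 + H1
H2 = "f9e8d7c6b5a49382716f5e4d3c2b1a0a"
S2 = H2 + H2
BAD_URL = "http://files.example/invoice.exe"
SAMPLE_ALERTS = [
    Alert(1, "AM", host="ws-042.corp.example", md5=H1, sha256=S1, url=BAD_URL),
    Alert(2, "SB", host="ws-017.corp.example", md5=H1.upper(), sha256=S1),
    Alert(3, "AM", sender="Billing@mail.example", recipient="user@corp.example", md5=H1, sha256=S1),
    Alert(4, "YARA", host="WS-042.corp.example", md5=H2, sha256=S2),
    Alert(5, "IDS", remote_ip="198.51.100.23", url=BAD_URL),
    Alert(6, "AM", sender="billing@mail.example", recipient="other@corp.example", md5=H2, sha256=S2),
]

if __name__ == "__main__":
    print(similar_alert_counts(SAMPLE_ALERTS[0], SAMPLE_ALERTS))
    print(threat_hunting_filter(SAMPLE_ALERTS[0], epp_only=True))
```

Pivoting on the hash finds the same file on other hosts and in mail regardless of how the hash is cased, while the host-name pivot only finds other alerts on the same machine; the two questions ("where else is this file?" and "what else happened on this host?") are the qualifying step before the broader Threat Hunting search.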
See also

Recommendations for processing alerts

Recommendations for processing AM alerts

Recommendations for processing TAA alerts

Recommendations for processing SB alerts

Recommendations for processing IOC alerts

Recommendations for processing IDS alerts

[Topic 247620]

Recommendations for processing IDS alerts

In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.

The following recommendations are available:

  • Under Qualifying, select Find similar alerts by IP address. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Source column; the host name or IP address from the alert you are working on is highlighted in yellow.
  • Under Qualifying, select Find similar alerts by URL. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Details column on the URL; the URL from the alert you are working on is highlighted in yellow.
  • Under Qualifying, select Add to exclusions.

    This opens the Add IDS rule to exclusions window. To add the IDS rule that was used to create the alert to exclusions, enter a comment in the Description field and click Add.

    The IDS rule is added to exclusions and is displayed in the exclusion list in the Settings section, Exclusions subsection, on the IDS tab of the application web interface. Because the exclusion applies to the rule rather than to this one alert, later traffic matching the same rule no longer produces alerts, so confirm that the matched traffic is benign before adding the exclusion.

  • Under Investigation, select Find similar events by URL. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the search filter is configured to use the URI from the alert you are working on.
  • Under Investigation, select Find similar events by IP address. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the search filter is configured to use the RemoteIP from the alert you are working on.
  • In the Investigation section, click Download IDS artifact to download the file with the alert data.
  • In the Investigation section, click Download PCAP file to download the file with the intercepted traffic that triggered the rule.

See also

Recommendations for processing alerts

Recommendations for processing AM alerts

Recommendations for processing TAA alerts

Recommendations for processing SB alerts

Recommendations for processing IOC alerts

Recommendations for processing YARA alerts

[Topic 196790]