Viewing alert details
Alert details are a page in the interface that contains all of the information related to the alert, including the alert properties.
To view alert details:
- In the main menu, go to MONITORING & REPORTING → Alerts.
- If you have both Kaspersky EDR Optimum and Kaspersky EDR Expert integrated into Kaspersky Security Center Cloud Console, the Alerts section is divided into two tabs. Go to the Expert tab. Otherwise, skip this step.
- In the alert table, click the ID of the required alert.
The alert details are displayed.
The toolbar in the upper part of the alert details allows you to perform the following actions:
- Assign the alert to an analyst
- Change the alert status
- Link the alert to an incident
- Unlink the alert from the incident
Alert details contain the following sections:
- Summary
The summary section contains the following alert properties:
- Severity. Possible values: Low, Medium, or High. The severity reflects the impact this alert may have on the security of the computer or the corporate LAN, based on Kaspersky's experience.
- Rules. The IOC rules or IOA rules whose triggering produced the alert.
- Registered. The date and time when the alert was added to the alert table.
- First event. The date and time of the first event related to the alert.
- Last event. The date and time of the most recent event related to the alert.
- Technology. The technology that detected the alert.
- Detection source. The application that obtained the telemetry data.
- MITRE tactic. A tactic or several tactics detected in the alert. The tactics are defined in the MITRE ATT&CK knowledge base.
- MITRE technique. A technique or several techniques detected in the alert. The techniques are defined in the MITRE ATT&CK knowledge base.
- Device name, ID. The names and identifiers of the devices that were affected by the alert. By clicking the ellipsis icon next to the device name or device ID, you can open the shortcut menu related to the device name or device ID. Use this menu to learn more details about the device, for example, to view the device properties or search the device name or ID in Threat hunting for the last 24 hours.
- User name, SID. The names and security identifiers of users whose devices or accounts were affected by the alert. By clicking the ellipsis icon next to the user name or user SID, you can open the shortcut menu related to the user name or user SID. Use this menu to learn more details about the user account, for example, to search the user name or SID in Threat hunting for the last 24 hours.
- Details
The contents of this section depend on the alert type.
IOA alert details
In IOA alert details, you can use the Details section to track the telemetry events related to the alert.
Actions that you can perform:
- Export to file. Click this button to save the table to a CSV file.
- Threat hunting query. Click this button to open the Threat Hunting section. In this section, you can define search conditions, for example, to find all of the events in which the device was affected.
- Find events in +/- 10 min range. Click this button to view the events in the IT infrastructure in the interval starting from 10 minutes before the first event in the Details section of the alert details to 10 minutes after the most recent event.
- Find events for the preceding 24 hours. Click this button to view the events in the IT infrastructure for the 24 hours preceding the first event in the Details section of the alert details.
IOC alert details
In IOC alert details, the Details section contains the objects that were found as a result of the IOC scan task run.
- Assets
In the Assets section, you can view the devices and users affected by or involved in the alert.
By clicking a user name or a device name, you can:
- Search the user name or the device ID in Threat hunting for the last 24 hours.
- Search the user name or the device ID in other alerts.
- Search the user name or the device ID in other incidents.
- Copy the user name or the device name to the clipboard.
You can also click a device name to open the device properties.
By clicking a user SID or a device ID, you can:
- Search the user SID or the device ID in Threat hunting for the last 24 hours.
- Search the user SID or the device ID in other alerts.
- Search the user SID or the device ID in other incidents.
- Copy the user SID or the device ID to the clipboard.
You can also click a device ID to open the device properties.
- Observables
In the Observables section, you can view the observables related to the alert. The observables may include:
- MD5 hash
- IP address
- URL
- Domain name
By clicking a link in the Value or Data columns, you can:
- Search the observable value in Threat hunting for the last 24 hours.
- Search the observable in Kaspersky Threat Intelligence Portal (opens in a new browser tab).
- Search the observable value or data in other alerts.
- Search the observable value or data in other incidents.
- Copy the observable value or data to the clipboard.
- Similar closed alerts
In the Similar closed alerts section you can view the list of closed alerts that have the same affected artifacts as the current alert. The affected artifacts include observables and affected devices. The similar closed alerts can help you investigate the current alert.
By using the list, you can evaluate the degree of similarity between the current alert and other alerts. The similarity is calculated as follows:
Similarity = M / T * 100
Here, M is the number of artifacts that matched between the current alert and the similar alert, and T is the total number of artifacts in the current alert.
If the similarity is 100%, the current alert has nothing new in comparison with the similar alert. If the similarity is 0%, the current alert and the similar alert are completely different. Alerts that have a similarity of 0% are not included in the list.
The calculated value is rounded to the nearest whole number. If the similarity is a value between 0% and 1%, the application does not round it down to 0%; instead, the value is displayed as less than 1%.
Clicking an alert ID opens the alert details.
Customizing the similar closed alerts list
You can customize the table by using the following options:
- Filter the alerts by selecting the period during which the alerts were updated. By default, the list contains the alerts that were updated during the last 30 days.
- Click the Columns settings icon, and then select which columns to display and in which order.
- Click the Filter icon, and then select and configure the filters that you want to apply. If you select several filters, they are applied simultaneously, combined with a logical AND.
- Click a column header, and then select the sorting options. You can sort the alerts in ascending or descending order.
- Similar incidents
In the Similar incidents section, you can view the list of incidents that have the same affected artifacts as the current alert. The affected artifacts include observables and affected devices. The similar incidents can help you decide if the current alert may be linked to an existing incident.
By using the list, you can evaluate the degree of similarity between the current alert and the incidents. The similarity is calculated as follows:
Similarity = M / T * 100
Here, M is the number of artifacts that matched between the current alert and the similar incident, and T is the total number of artifacts in the current alert.
If the similarity is 100%, the current alert has nothing new in comparison with the similar incident. If the similarity is 0%, the current alert and the similar incident are completely different. Incidents that have a similarity of 0% are not included in the list.
The calculated value is rounded to the nearest whole number. If the similarity is a value between 0% and 1%, the application does not round it down to 0%; instead, the value is displayed as less than 1%.
Clicking an incident ID opens the incident details.
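The similarity calculation described for both the Similar closed alerts and Similar incidents sections is the same formula applied to a different candidate set. The following added example (not part of the Kaspersky documentation or product code) models an alert or incident as the set of its affected artifacts and reproduces the rule set stated above: M / T * 100, rounding to a whole number, never collapsing a non-zero value below 1% to 0%, and dropping 0% candidates from the list. The artifact values, alert IDs and the round-half-up tie rule are constructed assumptions; the page does not state how exact halves are rounded.

```python
import math
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample data: an alert is modelled as the set of its affected
# artifacts (observables such as hashes, IPs, domains, plus affected device IDs).
# Hash and address values are placeholders, not real indicators.
CURRENT_ALERT: FrozenSet[str] = frozenset({
    "md5:0123456789abcdef0123456789abcdef",
    "ip:203.0.113.7",          # documentation address range
    "domain:example.net",
    "device:host-0001",
})

# Candidate closed alerts (the same code serves a dictionary of incidents).
CLOSED_ALERTS: Dict[str, FrozenSet[str]] = {
    "ALERT-A": frozenset({"md5:0123456789abcdef0123456789abcdef",
                          "ip:203.0.113.7", "device:host-0002"}),
    "ALERT-B": frozenset({"device:host-0001"}),
    "ALERT-C": frozenset({"url:http://example.com/x", "device:host-0009"}),
    "ALERT-D": frozenset({"md5:0123456789abcdef0123456789abcdef",
                          "ip:203.0.113.7", "domain:example.net",
                          "device:host-0001"}),
}

# Edge case: a large alert where only one artifact matches, giving < 1%.
BIG_ALERT: FrozenSet[str] = frozenset(f"device:host-{i:04d}" for i in range(150))
ONE_MATCH: FrozenSet[str] = frozenset({"device:host-0000"})


def similarity_percent(current: FrozenSet[str], other: FrozenSet[str]) -> float:
    """Similarity = M / T * 100.

    M is the number of artifacts shared by the current alert and the candidate;
    T is the total number of artifacts in the current alert. The measure is
    asymmetric: artifacts present only in the candidate do not lower the score.
    """
    if not current:
        raise ValueError("T (artifacts in the current alert) must be greater than 0")
    matched = len(current & other)        # M
    return matched / len(current) * 100   # M / T * 100


def format_similarity(percent: float) -> str:
    """Round to the nearest whole number without rounding a non-zero value to 0%."""
    if percent <= 0:
        return "0%"
    if percent < 1:
        return "<1%"                      # displayed as "less than 1%" instead of 0%
    # Round half up; the tie rule is an assumption, the page does not specify it.
    return f"{math.floor(percent + 0.5)}%"


def rank_similar(current: FrozenSet[str],
                 candidates: Dict[str, FrozenSet[str]]) -> List[Tuple[str, str]]:
    """Return (id, displayed similarity) for candidates, highest first, 0% omitted."""
    scored = [(cid, similarity_percent(current, arts)) for cid, arts in candidates.items()]
    scored = [(cid, pct) for cid, pct in scored if pct > 0]   # 0% entries are not listed
    scored.sort(key=lambda item: (-item[1], item[0]))
    return [(cid, format_similarity(pct)) for cid, pct in scored]


if __name__ == "__main__":
    for cid, shown in rank_similar(CURRENT_ALERT, CLOSED_ALERTS):
        print(cid, shown)
    print("large alert, one match:",
          format_similarity(similarity_percent(BIG_ALERT, ONE_MATCH)))
```

Running the module lists ALERT-D at 100% (every artifact of the current alert also appears there), ALERT-A at 50% and ALERT-B at 25%, and omits ALERT-C because it shares nothing with the current alert; the 150-artifact case with a single match prints "<1%" rather than "0%".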
Customizing the similar incidents list
You can customize the table by using the following options:
- Filter the incidents by selecting the period during which the incidents were updated. By default, the list contains the incidents that were updated during the last 30 days.
- Click the Columns settings icon, and then select which columns to display and in which order.
- Click the Filter icon, and then select and configure the filters that you want to apply. If you select several filters, they are applied simultaneously, combined with a logical AND.
- Click a column header, and then select the sorting options. You can sort the incidents in ascending or descending order.
- Comments
In the Comments section, you can leave comments related to the alert. For example, you can enter a comment about investigation results or when you change the alert properties, such as the alert assignee or status.
You can edit or remove your own comments. The comments of other users cannot be modified or removed.
To save your comment, press Enter. To start a new line, press Shift+Enter. To edit or delete your comment, use the buttons in the upper-right corner of the comment.
The Write permission in the Alerts and incidents functional area is required to leave comments.
- History
In the History section, you can track the changes that were made to the alert as a work item:
- Changing alert status
- Changing alert assignee
- Linking alert to an incident
- Unlinking alert from an incident