Contents
- Kaspersky Endpoint Detection and Response Expert Help
- About Kaspersky Endpoint Detection and Response Expert
- Licensing of Kaspersky Endpoint Detection and Response Expert
- Data provision
- Getting started
- User management
- Alerts
- Incidents
- Threat hunting
- About threat hunting
- Building and running queries for threat hunting
- About syntax in threat hunting queries
- Creating IOA rules from queries
- Viewing and configuring the event list
- Configuring the event table
- Viewing event details
- Viewing a tree of events
- Viewing information about related events in a tree of events
- Custom rules
- About custom rules
- Viewing and configuring custom rules list
- Viewing custom rule details
- About custom rule details
- Configuring custom rules table
- Creating custom IOA rules
- Creating exclusions from Kaspersky IOA rules
- Editing custom rules
- Enabling and disabling custom rules
- Deleting IOA custom rules
- Deleting exclusions
- Response actions
- About network isolation
- About moving file to quarantine
- Viewing a list of quarantined files
- Specifying settings for storing files in the Quarantine
- About deleting files
- About running critical areas scan
- About IOC scan
- About execution prevention
- About process start task
- About terminating process task
- About getting file task
- Monitoring and reporting
- Contact Customer Service
- Termination of the Kaspersky Endpoint Detection and Response Expert solution usage
- Sources of information about the application
- Glossary
- Known issues
- Information about third-party code
- Trademark notices
Kaspersky Endpoint Detection and Response Expert Help
About Kaspersky Endpoint Detection and Response Expert
Kaspersky Endpoint Detection and Response Expert (also referred to as Kaspersky EDR Expert) is a cloud solution designed to protect an organization's IT infrastructure from complex cyberthreats.
An on-premises Kaspersky Endpoint Detection and Response solution is available as part of Kaspersky Anti-Targeted Attack Platform.
The solution combines automatic threat detection with the ability to respond to these threats to resist complex attacks, including new exploits, ransomware, fileless attacks, and methods that use legitimate system tools.
Kaspersky Endpoint Detection and Response Expert monitors and analyzes the progression of threats, and provides security officers or administrators with information about possible attacks to facilitate a timely manual response, or performs predefined automated response measures. It also provides functionality for developing custom rules and for threat hunting.
The Kaspersky Endpoint Detection and Response Expert solution is not available in the United States or to U.S. persons. If non-U.S. persons are temporarily in the United States, use of Kaspersky EDR Expert on their assets must be suspended.
Supported Kaspersky applications
Kaspersky Endpoint Detection and Response Expert supports the following versions of Kaspersky applications:
- Kaspersky Security Center Cloud Console
- Kaspersky Security Center Network Agent 13.2.2
- Kaspersky Endpoint Security for Windows 11.8 or later
For details about hardware and software requirements, refer to the Hardware and software requirements sections of the Kaspersky Endpoint Security for Windows and Kaspersky Security Center Cloud Console documentation.
Note that Kaspersky Managed Detection and Response (MDR) and Kaspersky Endpoint Detection and Response Expert cannot be used simultaneously.
You cannot use the Kaspersky Endpoint Detection and Response Expert functions in Kaspersky Security Center Cloud Console while working with a Virtual Administration Server; in this case, the Kaspersky Endpoint Detection and Response Expert features are hidden in Kaspersky Security Center Cloud Console. Switch to the parent (non-virtual) Administration Server to use the Kaspersky EDR Expert functions.
Architecture of Kaspersky Endpoint Detection and Response Expert
Kaspersky Endpoint Detection and Response Expert includes the following components:
- EPP applications that support Kaspersky Endpoint Detection and Response Expert functionality and are installed on separate assets in the organization's IT infrastructure. These applications continuously monitor the processes running on protected devices, open network connections, and the files being modified.
- Solution for centralized network security management (Kaspersky Security Center Cloud Console).
- Kaspersky Security Center Network Agent which enables interaction between the administration server and Kaspersky applications that are installed on a specific network node (workstation or server).
- Threat Intelligence:
- Kaspersky Security Network (KSN), an infrastructure of cloud services that provides access to the online Kaspersky Knowledge Base, which contains information about the reputation of files, web resources, and software. Using data from Kaspersky Security Network speeds up the response of Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms. Kaspersky Endpoint Detection and Response Expert operates through Kaspersky Private Security Network (KPSN), which sends data to regional servers without submitting data from your assets to KSN.
- Integration with Kaspersky Threat Intelligence Portal platform, which contains and displays information about the reputation of files and URLs.
- Kaspersky Threats database.
Licensing of Kaspersky Endpoint Detection and Response Expert
This section covers the main aspects of service licensing for Kaspersky Endpoint Detection and Response Expert.
About the End User License Agreement
The End User License Agreement (License Agreement) is a binding agreement between you and AO Kaspersky Lab stipulating the terms on which you may use the application.
Carefully read the License Agreement before you start using the application.
You can view the terms of the End User License Agreement by using the following methods:
- During installation of Kaspersky Endpoint Detection and Response.
- By reading the license.txt document. This document is included in the application distribution kit.
You accept the terms of the End User License Agreement by confirming that you agree with the End User License Agreement when installing the application. If you do not accept the terms of the License Agreement, cancel application installation and do not use the application.
About the license
A license is a time-limited right to use the solution, granted under the Terms and Conditions.
A license grants you the following kinds of services:
- Use of the solution, in accordance with the Terms and Conditions.
- Getting technical support.
The scope of services and validity period depend on the type of license under which the solution was activated.
The following license types are provided:
- Commercial is a paid license granted upon purchase of the solution.
When the commercial license expires, the solution continues running with limited functionality (new telemetry is not provided). To continue using all of the features of Kaspersky Endpoint Detection and Response, you must renew your commercial license.
We recommend renewing the license before it expires, to ensure maximum protection against all security threats.
- Subscription is a paid license that enables use of the solution for a monthly billing period, with auto-renewal, until it is canceled or expires.
There are two types of subscriptions:
- A Limited subscription automatically renews at the end of each billing period until the defined expiration date.
- An Open-ended subscription auto-renews at the end of each billing period until it is canceled by the customer.
You can manage your subscription via the Kaspersky License Management Portal (LMP).
When the subscription has been canceled or has expired, the solution continues running with limited functionality (new telemetry is not provided). To continue using all of the features of Kaspersky Endpoint Detection and Response, you must renew your subscription license.
We recommend that you renew the license before its expiration, to ensure maximum protection against all security threats.
About the license certificate
A license certificate is a document that you receive along with a key file or an activation code.
A license certificate contains the following information about the license provided:
- License key or order number
- Information about the user who has been granted the license
- Information about the application that can be activated under the license provided
- Limit of the number of licensing units (e.g., devices on which the application can be used under the license provided)
- License validity start date
- License expiration date or license term
- License type
About the activation code
An activation code is a unique sequence of 20 letters and numbers. You have to enter an activation code in order to add a license key for activating Kaspersky Endpoint Detection and Response Expert. You receive the activation code at the email address that you provided when you bought Kaspersky Endpoint Detection and Response.
To activate the solution by using an activation code, internet access is required in order to connect to Kaspersky activation servers.
If you have lost your activation code, contact the Kaspersky partner from whom you purchased the license.
About the key file
A key file is a file with the .key extension provided to you by Kaspersky. Key files are designed to activate the application by adding a license key.
You receive a key file at the email address that you provided when you bought Kaspersky Endpoint Detection and Response or ordered the trial version of Kaspersky Endpoint Detection and Response.
You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.
You can restore a key file if it has been accidentally deleted. You may need a key file to register a Kaspersky CompanyAccount, for example.
To restore your key file, perform any of the following actions:
- Contact the license seller.
- Receive a key file through Kaspersky website by using your available activation code.
About Kaspersky Security Network
Kaspersky Security Network (also referred to as KSN) is an infrastructure of cloud services providing access to the online Kaspersky Knowledge Base that contains information about the reputation of files, web resources, and software.
For more detailed information about sending the Kaspersky statistical information that is generated during participation in KSN, and about the storage and destruction of such information, please refer to the Kaspersky Security Network Statement and the Kaspersky website.
KSN Infrastructure
Kaspersky Security Network has the following infrastructural solutions:
- Global KSN is the solution that is used by most Kaspersky applications. KSN participants receive information from Kaspersky Security Network and send Kaspersky information about objects detected on the user's computer to be analyzed additionally by Kaspersky analysts, and to be included in the reputation and statistical databases of Kaspersky Security Network.
- KPSN (Kaspersky Private Security Network) is a solution that enables users of computers hosting Kaspersky applications to obtain access to the reputation databases of Kaspersky Security Network and to other statistical data, without sending data to KSN from their own computers. KPSN is designed for corporate customers who are unable to participate in Kaspersky Security Network for any of the following reasons:
- Local workstations are not connected to the internet.
- Transmission of any data outside the country or outside the corporate LAN is prohibited by law or restricted by corporate security policies.
Kaspersky Endpoint Detection and Response Expert requires KPSN. KPSN is configured automatically in Kaspersky Security Center during activation of the Kaspersky EDR Expert solution.
For details on configuring Kaspersky Security Network, see Kaspersky Security Center documentation.
Data provision
This section contains information on the specific data that you provide to Kaspersky while using Kaspersky Endpoint Detection and Response Expert.
About data provision
In order for Kaspersky Endpoint Detection and Response Expert to work, Kaspersky must process the user's data. Components do not send data without the permission of the Kaspersky Endpoint Detection and Response Expert administrator.
Kaspersky protects any information received in accordance with law and applicable Kaspersky rules. Data is transmitted over a secure channel.
The following data is used for the operation of Kaspersky EDR Expert:
- Data listed in the Data Processing Agreement under Scope and purposes of processing personal data
- Information about alerts
Engaged sub-processors
The following sub-processors are engaged for the processing of personal data according to the Kaspersky Endpoint Detection and Response Expert Data Processing Agreement.
Sub-processors engaged by AO Kaspersky Lab
Type of sub-processing activity | Name and address of another processor | Data storage location
---|---|---
Cloud infrastructure provider | Microsoft Azure: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521. HUAWEI CLOUD: Sparkoo Technologies Hong Kong Co., Limited | The Kaspersky Security Center Cloud Console data center depends on the country selected during deployment of Kaspersky Security Center Cloud Console. See the list of countries and corresponding data center regions in Kaspersky Security Center Cloud Console Online Help. Kaspersky EDR Expert supports the following Kaspersky Security Center Cloud Console regions: Brazil, Ireland (see Regions of data processing below). Additionally, Kaspersky EDR Expert engages data centers in the following regions:
Regions of data processing
The data processing center for Kaspersky Security Center Cloud Console depends on the region selected when deploying Kaspersky Security Center Cloud Console. Countries and their corresponding regions of data processing are listed in the Kaspersky Security Center Cloud Console Help.
Kaspersky EDR Expert supports the following Kaspersky Security Center Cloud Console regions: Brazil, Ireland.

Region of Kaspersky Security Center Cloud Console deployment | Region of data processing
---|---
Brazil | South Brazil
Ireland | Western Europe
About data retention time
The data that is used for the Kaspersky Endpoint Detection and Response Expert operation includes the following:
- Telemetry events sent from devices in your organization
- Custom IOA rules and exclusions from Kaspersky IOA rules
Retention time of telemetry events
Telemetry data is stored and processed in the Kaspersky Endpoint Detection and Response Expert infrastructure for 30 days; an event is automatically deleted 30 days after it was sent. After the license expiration date, the remaining telemetry events are also deleted within 30 days, so 29 days after expiration you can still retrieve the events that were sent on the last day the license was valid.
You can extend the storage and processing time of telemetry data to 60 or 90 days by adding an Extension module.
Retention time of Custom IOA rules and exclusions from Kaspersky IOA rules after the license expiration date
After your license has expired, the settings are stored for 30 days. After 30 days, they will be automatically deleted.
Getting started
Before you can start working with Kaspersky Endpoint Detection and Response Expert, you must activate the solution and perform the initial configuration. This section contains information about activation, initial configuration of the solution, and termination of use of Kaspersky EDR Expert.
About activation of Kaspersky Endpoint Detection and Response Expert
Activation of Kaspersky Endpoint Detection and Response Expert involves activation of EPP applications installed on the protected devices using a license that includes Kaspersky Endpoint Detection and Response Expert functionality.
You can purchase the license for Kaspersky Endpoint Detection and Response Expert in the following ways:
- As part of the EPP application license.
- Separately, in addition to the previously purchased license to use the EPP application.
If your license for the EPP application on devices includes Kaspersky Endpoint Detection and Response Expert functionality, the solution will become available after performing initial setup of the solution.
If you purchased a license for Kaspersky Endpoint Detection and Response Expert separately, in addition to a previously purchased license, after installing and activating Kaspersky applications on devices, you must add Kaspersky Endpoint Detection and Response Expert in Kaspersky Security Center Cloud Console. After that, you can perform the initial setup of the solution.
Activation of Kaspersky Endpoint Detection and Response Expert
To activate Kaspersky Endpoint Detection and Response Expert:
- In Kaspersky Security Center Cloud Console, in the Licenses section, add the license key (activation code or key file) that you purchased for Kaspersky EDR Expert, and then deploy the license key to the assets of your organization. For details, refer to the Kaspersky Security Center Cloud Console documentation.
- In Kaspersky Security Center Cloud Console, go to the Marketplace section, and then click the Kaspersky Endpoint Detection and Response Expert tile.
Make sure you have the Allow access right in the EDR Integration functional area, to activate Kaspersky EDR Expert.
- In the window that opens, click the Start activation button.
- Accept the terms of Kaspersky EDR Expert Data Processing Agreement and Kaspersky Security Network Statement.
- Click the Switch to KPSN button to enable KPSN usage with the Kaspersky EDR Expert settings.
If KPSN is already enabled, your current KPSN configuration is replaced with the Kaspersky EDR Expert KPSN settings.
A message that confirms the use of KPSN appears. This step ensures that telemetry data is sent to the dedicated servers that comply with GDPR regulations. Telemetry data is stored for 30 days. You can extend the storage time by adding an Extension module.
- Perform the initial setup of the Kaspersky Endpoint Detection and Response Expert solution.
Activation of Kaspersky Endpoint Detection and Response Expert is complete. You can start using the solution.
Initial configuration of Kaspersky Endpoint Detection and Response Expert
To set up Kaspersky Endpoint Detection and Response Expert:
- Assign the pre-defined Senior Security Analyst role or create roles with custom access settings.
- Make sure that the supported version of Kaspersky Security Center Network Agent is installed on your assets, and update it if necessary.
For more information about Kaspersky Security Center Network Agent, refer to Kaspersky Security Center Cloud Console Online Help.
- Install the supported EPP applications on your assets.
Make sure that your license for using the EPP applications on assets includes the Kaspersky Endpoint Detection and Response Expert functionality. Note that you cannot activate the solution on top of Kaspersky EDR Optimum.
For detailed information on installing EPP applications, refer to Kaspersky Endpoint Security for Windows Help.
- Create policies for the supported EPP applications. Enable Kaspersky EDR Expert and configure Kaspersky Security Network usage in these policies.
The initial configuration of Kaspersky EDR Expert is complete. You can change these settings by clicking the Kaspersky Endpoint Detection and Response Expert tile in the Marketplace section of Kaspersky Security Center Cloud Console.
Temporary suspension of using Kaspersky Endpoint Detection and Response Expert
You must suspend use of the solution on assets that are temporarily located in the United States (for example, during a business trip).
To suspend the use of Kaspersky Endpoint Detection and Response Expert temporarily on particular assets:
- In Kaspersky Security Center, create a new administration group to manage assets on which you want to suspend the use of the solution. You will be able to modify the list of assets in this group later.
- For this administration group, create a new Kaspersky Endpoint Security for Windows policy, and then disable the use of Kaspersky Endpoint Detection and Response Expert and Kaspersky Security Network in the policy settings.
For details about configuring the policy, refer to the Kaspersky Endpoint Security for Windows Help instructions on managing policies and configuring integration with Kaspersky Endpoint Detection and Response Expert.
- Move the assets on which you want to suspend the use of the solution to the created administration group.
The new policy, in which the use of Kaspersky Endpoint Detection and Response Expert and Kaspersky Security Network is disabled, is applied to the assets after synchronization. You can also force the synchronization manually.
To resume the use of Kaspersky Endpoint Detection and Response Expert after suspension:
- Exclude the asset from the administration group used for suspension.
- Apply a regular policy where the use of the solution is enabled and configured to this asset.
The assets will not be monitored by Kaspersky Endpoint Detection and Response Expert until a policy where the use of the solution is enabled and configured is applied to them.
About user roles
Kaspersky Endpoint Detection and Response Expert users can have different roles, with a different set of rights available for each role. The following pre-defined roles are present in Kaspersky EDR Expert:
If the pre-defined roles do not meet the specific needs of your organization, you can create your own custom roles.
Setting access rights
You must set access rights for every user of Kaspersky Security Center Cloud Console who will use Kaspersky Endpoint Detection and Response Expert. Access rights depend on the actions that you want the users to perform.
To set access rights:
- In Kaspersky Security Center Cloud Console, go to the USERS & ROLES → ROLES section and create a new role. For details on how to create roles, refer to Kaspersky Security Center Cloud Console Online Help.
- On the ACCESS RIGHTS tab of a new role, grant the Allow access right for the following functional areas (the table below shows access rights of Senior Security Analyst):
Access rights to application features

Functional area | Rights | User action: right required to perform the action
---|---|---
Kaspersky Endpoint Detection and Response Expert functional areas | |
EDR integration | Read, Write | View and revoke consent with the terms of using the solution: Read, Write. View consent with the terms of using the solution: Read
Threat hunting | Execute | Work with the threat-hunting functionality: Execute
Custom IOA rule management | Read, Write | View custom IOA rules: Read. Create and edit custom IOA rules: Write. Create and edit exclusions from Kaspersky IOA rules: Write
IOA exclusions | Read, Write | View exclusions from the Kaspersky IOA rules: Read. Create exclusions from the Kaspersky IOA rules from event details and alert details: Write. Edit and delete exclusions from the Kaspersky IOA rules: Write
Incident Response Platform functional areas | |
Alerts and incidents | Read, Write | View alerts and incidents: Read. Edit alerts and incidents: Write
Kaspersky Security Center Administration Server functional areas | |
General features: Basic functionality | Read, Write | The user is allowed to perform the actions that require the Write access right and are listed in the General features: Basic functionality functional area in Kaspersky Security Center Cloud Console Online Help.
- Assign the created role to the users who will use Kaspersky EDR Expert.
The access rights are set.
Adding users for the Senior Security Analyst role
Before assigning the Senior Security Analyst role in Kaspersky EDR Expert, you or the user must first create an account for this user in Kaspersky Security Center Cloud Console. For more information on how to create an account, see the Kaspersky Security Center Cloud Console Online Help. Wait until the Administrator adds the created account to the company's workspace; only then can the user sign in to Kaspersky Security Center Cloud Console with the created account and work in the company's workspace.
To add a user with the Senior Security Analyst role to the workspace, you must bind the user to a tenant. For this, do the following:
- Sign in to your account in Kaspersky Security Center Cloud Console as an Administrator.
The portal page displays the company for which you are an administrator and the list of its workspaces.
- Click the Show access control link.
The list of accounts with access to the company expands.
- Click the Grant access button.
- Enter the user's email address and choose the User access level.
- Click the Grant button.
A new user with access to your company's workspace is added. You can now assign the role of Senior Security Analyst to this user.
When you assign the role of Senior Security Analyst to this user in Kaspersky Security Center Cloud Console, on step 5 of the wizard select all the administration groups that the user should work with. If some administration groups are not selected, the user won't be able to do response actions on the hosts that belong to these groups.
Alerts
This section contains general information about alerts, their properties, typical life cycle, and connection with incidents. The instructions that are provided will help you analyze the alert table, change alert properties according to the current state in the life cycle, and combine alerts into incidents by linking or unlinking the alerts.
About alerts
An alert is an event in the organization's IT infrastructure that was marked by Kaspersky EDR Expert as unusual or suspicious, and that may pose a threat to the security of the organization's IT infrastructure.
Kaspersky EDR Expert generates an alert when an EPP application (for example, Kaspersky Endpoint Security for Windows) detects certain activity in the infrastructure that corresponds to conditions defined in the detection rules. An alert is always registered and created automatically by the application; it cannot be created manually.
All alerts are divided into the following alert types: IOC (Indicator of Compromise) and IOA (Indicator of Attack).
After detection, Kaspersky EDR Expert adds alerts to the alert table as work items to be processed by analysts. You cannot delete alerts; you can only close them.
Alerts can be assigned only to analysts who have the access right to read and modify alerts and incidents.
You can manage alerts as work items by using the following alert properties:
You can combine and link alerts to bigger work items called incidents. You can link alerts to incidents manually, or enable the rules to create incidents and link alerts automatically. By using incidents, analysts can investigate multiple alerts as a single issue. When you link a currently unlinked alert to an incident, the alert loses its current status and gains the status In incident. You can link a currently linked alert to another incident. In this case, the In incident status of the alert is kept. You can link a maximum of 200 alerts to an incident.
Each alert has alert details that provide all of the information related to the alert. You can use this information to investigate the alert, track the events that preceded the alert, view detection artifacts, affected assets, or link the alert to an incident.
About alert types
All alerts are divided into the following alert types:
- IOC (Indicator of Compromise) alerts
An alert of this type is registered as a result of performing the IOC scan task on a protected device. When an IOC rule triggers and defines an event as an alert, Kaspersky EDR Expert creates a new IOC alert. The created IOC alerts represent the current device status at the start of the IOC scan task. You can create custom IOC rules.
An IOC alert always corresponds to a single IOC rule triggered in the IT infrastructure. If the IOC scan task results in several triggered IOC rules, Kaspersky EDR Expert creates a separate IOC alert for each of the triggered IOC rules.
An IOC alert always corresponds to a single device. If the same IOC rule is triggered on several devices, Kaspersky EDR Expert creates a separate IOC alert for each device.
- IOA (Indicator of Attack) alerts
An alert of this type is registered as a result of analyzing the telemetry data flow from the protected devices. When an IOA rule triggers and defines an event as an alert, Kaspersky EDR Expert creates a new IOA alert. Because the telemetry data flow is analyzed continuously, the created IOA alerts represent the current activity on the protected devices. The IOA rules are predefined by Kaspersky specialists. In addition, you can create custom IOA rules.
An IOA alert always corresponds to a single device. If the same IOA rule is triggered on several devices, Kaspersky EDR Expert creates a separate IOA alert for each device.
Kaspersky EDR Expert analyzes events in 15-minute intervals. If at least one IOA rule is triggered during a 15-minute interval, Kaspersky EDR Expert creates an IOA alert. If several IOA rules (both predefined and custom) are triggered during a 15-minute interval on the same device, the created IOA alert aggregates all of the alert events and triggered rules.
Kaspersky EDR Expert does not create an IOA alert if an identical alert was already registered on the same device during the last 24 hours. Two IOA alerts are considered identical if the following properties match for both of them:
- Triggered IOA rules
- All MD5 hashes obtained from the events related to the alert
- Observables of the IP and Domain data types
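The 15-minute aggregation and 24-hour de-duplication rules described above determine how many IOA alerts a burst of rule hits actually produces, which matters when you tune custom IOA rules or estimate analyst workload. The following Python script is an added example written for this page, not Kaspersky code: it models the documented behaviour (one candidate alert per device per 15-minute interval, aggregating all triggered rules, MD5 hashes and IP/Domain observables; suppression of a candidate identical to an alert registered on the same device within the last 24 hours). The Event schema, the rule names Rule-A and Rule-B, the device names, hashes, addresses and timestamps are constructed, and the script assumes that a suppressed duplicate does not extend the 24-hour suppression period, which the documentation does not state.

```python
"""Model of IOA alert aggregation and de-duplication as described in the
Kaspersky EDR Expert help. Constructed example, not Kaspersky code."""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)       # aggregation interval per device
DEDUP_PERIOD = timedelta(hours=24)   # suppression period for identical alerts


@dataclass(frozen=True)
class Event:
    """One telemetry event that triggered an IOA rule (constructed schema)."""
    ts: datetime
    device: str
    rule: str
    md5s: frozenset          # MD5 hashes carried by the event
    observables: frozenset   # IP and Domain observables carried by the event


@dataclass
class Alert:
    device: str
    registered: datetime     # time of the first event in the interval
    rules: frozenset
    md5s: frozenset
    observables: frozenset
    event_count: int

    def identity(self):
        # Alerts are identical when device, triggered rules, all MD5 hashes
        # and IP/Domain observables match.
        return (self.device, self.rules, self.md5s, self.observables)


def window_start(ts):
    """Floor a timestamp to the start of its 15-minute interval."""
    return ts.replace(second=0, microsecond=0) - timedelta(minutes=ts.minute % 15)


def aggregate(events):
    """Merge all rule hits for one device within one interval into one candidate alert."""
    buckets = {}
    for ev in sorted(events, key=lambda e: e.ts):
        buckets.setdefault((ev.device, window_start(ev.ts)), []).append(ev)
    candidates = []
    for (device, _), evs in sorted(buckets.items(), key=lambda kv: kv[1][0].ts):
        candidates.append(Alert(
            device=device,
            registered=evs[0].ts,
            rules=frozenset(e.rule for e in evs),
            md5s=frozenset().union(*(e.md5s for e in evs)),
            observables=frozenset().union(*(e.observables for e in evs)),
            event_count=len(evs),
        ))
    return candidates


def deduplicate(candidates):
    """Drop a candidate if an identical alert was registered on that device within 24 h.

    Assumption (not stated in the documentation): only registered alerts start the
    24-hour clock; a suppressed duplicate does not extend it."""
    last_registered = {}
    registered, suppressed = [], []
    for alert in candidates:
        prev = last_registered.get(alert.identity())
        if prev is not None and alert.registered - prev < DEDUP_PERIOD:
            suppressed.append(alert)
            continue
        last_registered[alert.identity()] = alert.registered
        registered.append(alert)
    return registered, suppressed


def process(events):
    """Run aggregation followed by de-duplication; returns (registered, suppressed)."""
    return deduplicate(aggregate(events))


# Constructed sample rule hits: two devices, two rules, spanning 25 hours.
T0 = datetime(2024, 3, 4, 9, 0)
MD5_A, MD5_B = "a" * 32, "b" * 32
IP = frozenset({"198.51.100.7"})
SAMPLE_EVENTS = [
    Event(T0 + timedelta(minutes=1), "WS-01", "Rule-A", frozenset({MD5_A}), IP),
    Event(T0 + timedelta(minutes=10), "WS-01", "Rule-B", frozenset({MD5_B}), frozenset()),
    Event(T0 + timedelta(minutes=5), "WS-02", "Rule-A", frozenset({MD5_A}), IP),
    Event(T0 + timedelta(minutes=20), "WS-01", "Rule-A", frozenset({MD5_A}), IP),
    Event(T0 + timedelta(hours=2), "WS-01", "Rule-A", frozenset({MD5_A}), IP),   # duplicate, suppressed
    Event(T0 + timedelta(hours=25), "WS-01", "Rule-A", frozenset({MD5_A}), IP),  # >24 h later, registered
]

if __name__ == "__main__":
    reg, sup = process(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} rule hits -> {len(reg)} alerts registered, {len(sup)} suppressed")
    for a in reg:
        print(f"  {a.registered:%Y-%m-%d %H:%M} {a.device} rules={sorted(a.rules)} events={a.event_count}")
```

Six rule hits collapse to four registered alerts: the two hits on WS-01 in the 09:00 interval merge into one alert carrying both rules, the repeat of Rule-A at 11:00 is suppressed because an identical alert was registered at 09:20, and the hit at 10:00 the next day is registered again because more than 24 hours have passed. Note that an alert carrying both Rule-A and Rule-B is not identical to one carrying Rule-A alone, so it does not suppress it.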
Viewing the alert table
The alert table provides an overview of all alerts registered by Kaspersky EDR Expert.
To view the alert table:
- In the main menu, go to MONITORING & REPORTING → Alerts.
- If you have both Kaspersky EDR Optimum and Kaspersky EDR Expert integrated into Kaspersky Security Center Cloud Console, the Alerts section is divided into two tabs. Go to the Expert tab. Otherwise, skip this step.
The alert table is displayed.
The alert table has the following columns:
- Alert ID. The unique identifier of an alert.
- Registered. The date and time when the alert was added to the alert table.
- Updated. The date and time of the last change from the alert history.
- Status. The current status of the alert.
- Analyst. The current assignee of the alert.
- Detection source. The application that obtained the telemetry data.
- Technology. The technology that detected the alert.
- Rules. The IOC or IOA rules that were triggered to detect the alert.
- Affected assets. The devices and users that were affected by the alert.
- Observables. Detection artifacts, for example IP addresses or MD5 hashes of files.
- SIDs. Security identifiers of users whose devices or accounts were affected by the alert.
Viewing alert details
Alert details are a page in the interface that contains all of the information related to the alert, including the alert properties.
To view alert details:
- In the main menu, go to MONITORING & REPORTING → Alerts.
- If you have both Kaspersky EDR Optimum and Kaspersky EDR Expert integrated into Kaspersky Security Center Cloud Console, the Alerts section is divided into two tabs. Go to the Expert tab. Otherwise, skip this step.
- In the alert table, click the ID of the required alert.
The alert details are displayed.
The toolbar in the upper part of the alert details allows you to perform the following actions:
- Assign the alert to an analyst
- Change the alert status
- Link the alert to an incident
- Unlink the alert from the incident
Alert details contain the following sections:
Assigning alerts to analysts
As a work item, an alert can be assigned to a SOC analyst for inspection and possible investigation. You can change the assignee of an active alert at any time; you cannot change an assignee of a closed alert. You can also remove the assignee to make the alert unassigned.
Alerts can be assigned only to analysts that have the access right to read and modify alerts and incidents.
To assign one or several alerts to an analyst:
- In the main menu, go to MONITORING & REPORTING → Alerts.
- If you have both Kaspersky EDR Optimum and Kaspersky EDR Expert integrated into Kaspersky Security Center Cloud Console, the Alerts section is divided into two tabs. Go to the Expert tab. Otherwise, skip this step.
- Select the check boxes next to the alerts that you want to assign to the analyst.
- Click the Assign to button.
- In the Assign to window, start typing the analyst name, and then select the name from the list.
You can select the Not assigned option. In this case, the selected alerts become unassigned and their status changes to New.
You cannot select the Not assigned option for the alerts in the In incident status.
- Click the Save button.
The alerts are assigned to the analyst.
Changing an alert status
As a work item, an alert has a status that shows the current state of the alert in its life cycle.
You can change alert statuses for your own alerts or alerts of other analysts only if you have the access right to read and modify alerts and incidents.
An alert can have one of the following statuses:
To change the status of one or several alerts:
- In the main menu, go to MONITORING & REPORTING → Alerts.
- If you have both Kaspersky EDR Optimum and Kaspersky EDR Expert integrated into Kaspersky Security Center Cloud Console, the Alerts section is divided into two tabs. Go to the Expert tab. Otherwise, skip this step.
- Select the check boxes next to the alerts whose status you want to change.
- Click the Change status button.
- In the Change status window, select the status to set.
If you set the Closed status, you must select a resolution and provide a short comment.
- Provide a comment, if necessary.
- Click the Save button.
The status of the selected alerts is changed.
Linking alerts to incidents
You can link one or multiple alerts to an incident, for example, for the following reasons:
- Multiple alerts may be interpreted as indicators of the same issue in an organization's IT infrastructure. If this is the case, the alerts in the incident can be investigated as a single issue. You can link up to 200 alerts to an incident.
- A single alert may be linked to an incident if the alert is defined as true positive.
You can link an alert to an incident if the alert has any status except for Closed. When linked to an incident, an alert loses its current status and gains the special status In incident. If you link alerts that are currently linked to other incidents, the alerts are unlinked from the current incidents, because an alert can be linked to only one incident.
Alerts can be linked to an incident manually or automatically.
Linking alerts manually
To link alerts to an existing or new incident:
- In the main menu, go to MONITORING & REPORTING → Alerts.
- If you have both Kaspersky EDR Optimum and Kaspersky EDR Expert integrated into Kaspersky Security Center Cloud Console, the Alerts section is divided into two tabs. Go to the Expert tab. Otherwise, skip this step.
- Select the check boxes next to the alerts that you want to link to an incident.
- If you want to link alerts to an existing incident:
- Click the Link to incident button.
- Select an incident to link the alerts to.
- If you want to link alerts to a new incident:
- Click the Create incident button.
- Fill in the properties of the new incident: name, assignee, and priority.
- Click the Save button.
The selected alerts are linked to an existing or new incident.
Linking alerts automatically
Kaspersky EDR Expert has built-in rules to link alerts to an incident automatically. By default, these rules are disabled. You can enable them to help you handle the newly registered alerts. You can only enable or disable all of the rules at once.
Automatic incident creation rules:
- Rule 1. Linking a new alert to an existing incident
Kaspersky EDR Expert links a new alert to an existing incident if at least one of the following parameters of the alert matches the same parameter in the incident:
- Any of the observables (MD5 hash, URL, IP address, domain name)
The MD5 hash parameter is triggered only if less than 30 days have passed from the last update of the incident until the alert registration time. For the rest of the parameters (URL, IP address, domain name), this interval must be less than two days.
- Device ID from the list of affected assets
This parameter is triggered only if less than one hour has passed from the last update of the incident until the alert registration time.
- Triggered IOC rule
This parameter is triggered only if less than one hour has passed from the last update of the incident until the alert registration time.
Other conditions that must be met for the rule to trigger:
- The incident must contain less than 200 alerts.
- The incident status is not Closed.
- Rule 2. Creating a new incident from alerts on the same device
When a new alert is registered, Kaspersky EDR Expert checks if all of the following conditions are met:
- The newly registered alert and one or more alerts in the alert table have the same device ID.
- Alerts found with the same device ID must have the New status.
- Alerts found with the same device ID have been registered within 30 minutes before the newly registered alert.
If the conditions are met, Kaspersky EDR Expert creates a new incident, and links the new and found alerts to the new incident.
- Rule 3. Creating a new incident from a single alert
Kaspersky EDR Expert creates a new incident and links a newly registered alert to the incident if the following conditions are met:
- An alert was registered as a result of triggering an IOC rule.
- Neither rule 1 nor rule 2 of the automatic incident creation rules has been triggered.
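The three rules above, as an added worked example that is not part of the Kaspersky documentation: a small Python model that applies rules 1 to 3, in that order, to each newly registered alert. The rules, time windows and the 200-alert limit follow the text; the Alert and Incident fields, the INC-n naming and the replayed alert sequence are assumptions.

```python
"""Model of the three automatic incident creation rules described above.
Added illustration, not Kaspersky code: the rules, time windows and the 200-alert
limit come from the help text; the Alert/Incident fields, the INC-n naming and the
replayed alert sequence are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_ALERTS = 200
OBSERVABLE_WINDOWS = {"md5": timedelta(days=30), "url": timedelta(days=2),
                      "ip": timedelta(days=2), "domain": timedelta(days=2)}
DEVICE_WINDOW = timedelta(hours=1)          # rule 1, device ID match
IOC_RULE_WINDOW = timedelta(hours=1)        # rule 1, triggered IOC rule match
SAME_DEVICE_WINDOW = timedelta(minutes=30)  # rule 2 look-back

@dataclass
class Alert:
    alert_id: str
    registered: datetime
    device_id: str
    observables: dict = field(default_factory=dict)  # kind -> set of values
    ioc_rules: frozenset = frozenset()                # IOC rules that fired
    status: str = "New"
    incident_id: Optional[str] = None

@dataclass
class Incident:
    incident_id: str
    updated: datetime
    status: str = "New"
    alerts: list = field(default_factory=list)

def link(alert, incident):
    """Link an alert: it takes the In incident status and refreshes the incident."""
    incident.alerts.append(alert)
    alert.incident_id, alert.status = incident.incident_id, "In incident"
    incident.updated = max(incident.updated, alert.registered)

def rule1_matches(alert, incident):
    """Rule 1: an open, non-full incident shares an observable, device ID or IOC
    rule with the alert, each within its own window since the incident's last update."""
    if incident.status == "Closed" or len(incident.alerts) >= MAX_ALERTS:
        return False
    elapsed = alert.registered - incident.updated
    for linked in incident.alerts:
        for kind, values in alert.observables.items():
            if elapsed < OBSERVABLE_WINDOWS[kind] and values & linked.observables.get(kind, set()):
                return True
        if elapsed < DEVICE_WINDOW and alert.device_id == linked.device_id:
            return True
        if elapsed < IOC_RULE_WINDOW and alert.ioc_rules & linked.ioc_rules:
            return True
    return False

def rule2_candidates(alert, alert_table):
    """Rule 2: other New alerts from the same device registered up to 30 min earlier."""
    return [a for a in alert_table if a is not alert and a.status == "New"
            and a.device_id == alert.device_id
            and timedelta(0) <= alert.registered - a.registered <= SAME_DEVICE_WINDOW]

def process_new_alert(alert, alert_table, incidents):
    """Apply rules 1-3 in order to a newly registered alert; return (rule, incident ID)."""
    alert_table.append(alert)
    for incident in incidents:
        if rule1_matches(alert, incident):
            link(alert, incident)
            return "rule1", incident.incident_id
    found = rule2_candidates(alert, alert_table)
    if found:
        incident = Incident(f"INC-{len(incidents)}", updated=alert.registered)
        for a in found + [alert]:
            link(a, incident)
        incidents.append(incident)
        return "rule2", incident.incident_id
    if alert.ioc_rules:  # rule 3: IOC-based alert that rules 1 and 2 left alone
        incident = Incident(f"INC-{len(incidents)}", updated=alert.registered)
        link(alert, incident)
        incidents.append(incident)
        return "rule3", incident.incident_id
    return "none", None

def run_demo():
    """Replay a constructed alert sequence and return the outcome for each alert."""
    t0 = datetime(2024, 1, 10, 9, 0)
    alerts, incidents = [], [Incident("INC-0", updated=t0 - timedelta(days=3))]
    seed = Alert("A-0", t0 - timedelta(days=3), "DEV-1", {"md5": {"MD5-PLACEHOLDER-1"}})
    alerts.append(seed)
    link(seed, incidents[0])  # an existing incident last updated three days ago
    batch = [
        Alert("A-1", t0, "DEV-2", {"md5": {"MD5-PLACEHOLDER-1"}}),       # same hash, 3 d < 30 d
        Alert("A-2", t0 + timedelta(minutes=10), "DEV-3", {"ip": {"10.0.0.5"}}),
        Alert("A-3", t0 + timedelta(minutes=20), "DEV-3", ioc_rules=frozenset({"IOC-7"})),
        Alert("A-4", t0 + timedelta(minutes=30), "DEV-4", ioc_rules=frozenset({"IOC-9"})),
        Alert("A-5", t0 + timedelta(minutes=40), "DEV-4"),                # same device, 10 min
    ]
    return [process_new_alert(a, alerts, incidents) for a in batch]
```

In the replay, A-1 joins INC-0 through the shared MD5 (rule 1), A-2 matches nothing and stays New, A-3 pulls A-2 into a new incident (rule 2), A-4 gets its own incident from its IOC rule (rule 3), and A-5 joins that incident through the device ID (rule 1).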
To enable the automatic incident creation rules:
- Go to Console settings → Integration.
The Console settings window opens.
- On the Integration tab, select the Kaspersky EDR Expert section.
- Click the Settings link next to the Incident creation option.
The Incident creation window opens.
- Select the Enable rules to create incidents automatically option.
- Click the OK button.
The automatic incident creation rules are enabled.
Unlinking alerts from incidents
You might need to unlink an alert from an incident, for example, if the alert analysis and investigation showed that the alert is not connected to other alerts in the incident. When you unlink an alert from an incident, Kaspersky EDR Expert performs the following actions:
- Refreshes all of the data related to the incident, to reflect that the alert no longer belongs to the incident. For example, you can view the changes in the incident details.
- Resets the status of the unlinked alerts to New.
You can unlink the alerts from the incidents by using the alert table or the incident details.
Unlinking alerts from incidents by using the alert table
To unlink alerts from their incidents:
- In the main menu, go to MONITORING & REPORTING → Alerts.
- If you have both Kaspersky EDR Optimum and Kaspersky EDR Expert integrated into Kaspersky Security Center Cloud Console, the Alerts section is divided into two tabs. Go to the Expert tab. Otherwise, skip this step.
- Select the check boxes next to the alerts that you want to unlink from the incidents.
- Click the Unlink from incident button.
The Unlink alerts window opens.
- If you want, enter a comment. You may want to specify the reason why you are unlinking the alerts. The comment will be added to the Comments section of the alert details.
- If you want, change an assignee of the alerts that you want to unlink.
- Click the Save button.
The selected alerts are unlinked from their incidents.
Unlinking alerts from incidents by using the incident details
To unlink alerts from the incident:
- In the main menu, go to MONITORING & REPORTING → Incidents.
- In the incident table, click the ID of the incident from which you want to unlink alerts.
The window with incident details opens.
- In the Alerts section, select the check boxes next to the alerts that you want to unlink from the incident.
- Click the Unlink from incident button.
The selected alerts are unlinked from the incident.
Incidents
This section contains general information about incidents, their properties, typical life cycle, and connection with alerts. This section also gives instructions on how to create incidents, analyze the incident table, change incident properties according to the current state in the life cycle, and merge incidents.
About incidents
An incident is a container of alerts that normally indicates a true positive issue in the organization's IT infrastructure. An incident may contain a single or several alerts. By using incidents, analysts can investigate multiple alerts as a single issue.
You can create incidents manually or enable the rules for automatic creation of incidents. After an incident is created, you can link alerts to the incident. You can link no more than 200 alerts to an incident.
After creation, Kaspersky EDR Expert adds incidents to the incident table as work items that are to be processed by analysts.
Incidents can be assigned only to analysts that have the access right to read and modify alerts and incidents.
You can manage incidents as work items by using the following incident properties:
Two or more incidents may be interpreted as indicators of the same issue in an organization's IT infrastructure. If this is the case, you can merge the incidents to investigate them as a single issue.
Each incident has incident details that provide all of the information related to the incident. You can use this information to investigate the incident or merge incidents.
Creating incidents
You can create incidents manually or enable the rules for automatic creation of incidents. This topic describes how to create incidents manually.
To be able to create incidents, you must have the access right to read and modify alerts and incidents.
You can create incidents by using the incident table or the alert table.
Creating incidents by using the incident table
To create an incident:
- In the main menu, go to MONITORING & REPORTING → Incidents. Click the Create incident button.
- On the General settings step, specify the following settings:
- Incident name
- Assignee
- Priority
- Description
- On the Linking alerts step, select the alerts that you want to link to the incident. You can link up to 200 alerts to an incident.
If you want to create an empty incident, skip this step. You can link alerts to the incident later, after the incident is created.
- Click the Save button.
The incident is created.
Creating incidents by using the alert table
You create an incident by selecting the alerts to link to the new incident. Refer to linking alerts to incidents.
Viewing the incident table
The incident table provides an overview of all created incidents.
To view the incident table,
In the main menu, go to MONITORING & REPORTING → Incidents.
The incident table is displayed.
The incident table has the following columns:
- Incident ID, name. A name and a unique identifier of an incident.
- Created. Date and time when the incident was created.
- Updated. Date and time of the last change, from the incident history.
- Threat duration. Time between the earliest and the most recent events among all of the alerts linked to the incident.
- Status. Current status of the incident.
- Severity, priority. Severity and priority of the incident.
- Analyst. Current assignee of the incident.
- Detection source. Application that obtained the telemetry data.
- Technology. The technologies that detected the alerts linked to the incident.
- Affected assets. Devices and users that were affected by the incident.
- Observables. Number of the detection artifacts, for example, IP addresses or MD5 hashes of files.
Viewing incident details
Incident details are a page in the interface that contains all of the information related to the incident, including the incident properties.
To view incident details:
- In the main menu, go to MONITORING & REPORTING → Incidents.
- In the incident table, click the ID of the required incident.
The window with incident details is displayed.
The toolbar in the upper part of the incident details allows you to perform the following actions:
- Assign the incident to an analyst
- Change the incident status
- Link alerts to the incident
- Merge the incident with other incidents
Incident details contain the following sections:
Assigning incidents to analysts
As a work item, an incident should be assigned to a SOC analyst for inspection and possible investigation. You can change the assignee at any time. You can also remove the assignee to make the incident unassigned.
Incidents can be assigned only to analysts that have the access right to read and modify alerts and incidents.
To assign one or several incidents to an analyst:
- In the main menu, go to MONITORING & REPORTING → Incidents.
- Select the check boxes next to the incidents that you want to assign to the analyst.
- Click the Assign to button.
- In the Assign to analyst window, start typing the analyst name, and then select the name from the list.
You can select the Not assigned option. In this case, the selected incidents become unassigned and their status changes to New.
- Click the Save button.
The incidents are assigned to the analyst.
Changing an incident status
As a work item, an incident has a status that shows the current state of the incident in its life cycle.
You can change incident statuses of your own incidents or incidents of other analysts only if you have the access right to read and modify alerts and incidents.
An incident can have one of the following statuses:
To change the status of one or several incidents:
- In the main menu, go to MONITORING & REPORTING → Incidents.
- Select the check boxes next to the incidents whose status you want to change.
- Click the Change status button.
- In the Change status window, select the status to set.
If you set the Closed status, you must select a resolution and provide a short comment.
- Provide a comment, if necessary.
- Click the Save button.
The status of the selected incidents is changed.
Changing an incident priority
As a work item, an incident has a priority that defines the order in which the incident must be investigated by analysts. You can change the incident priority manually.
You can change incident priorities of your own incidents or incidents of other analysts only if you have the access right to read and modify alerts and incidents.
An incident can have one of the following priorities:
- Low
- Medium (default value)
- High
- Critical
Incidents with the Critical priority are the most urgent ones and must be investigated first. The Low priority usually means that the incident is placed in the backlog. You can define your own criteria as to which priority should be set to which incident.
To change an incident priority:
- In the main menu, go to MONITORING & REPORTING → Incidents.
- Do one of the following:
- Select the check boxes next to the incidents whose priority you want to change.
- Click the incident ID to open the details of the incident whose priority you want to change.
- Click the Change priority button.
- In the Change priority window, select the priority to set.
- Click the Save button.
The priority of the selected incidents is changed.
Merging incidents
Two or more incidents may be interpreted as indicators of the same issue in an organization's IT infrastructure. If this is the case, you can merge the incidents to investigate them as a single issue.
When you merge incidents, you need to select a target incident among them. After the incident consolidation, the issue is to be investigated within the target incident. The target incident must have a status other than Closed. Other incidents are merged into the target one and, after consolidation, gain the Closed status and the Merged resolution.
All of the alerts linked to the merged incidents are automatically linked to the target incident. Because an incident can have no more than 200 linked alerts, the application counts the alerts linked to the incidents that you want to merge. If the total number of linked alerts exceeds 200, the selected incidents cannot be merged.
To merge incidents from the incident table:
- In the main menu, go to MONITORING & REPORTING → Incidents.
- Select the check boxes next to the incidents that you want to merge into a target incident. You will select the target incident on the first step of the Wizard.
- Click the Merge incidents button.
The Merge incidents Wizard opens.
- Select the target incident.
- Click the OK button.
The incidents are merged.
To merge incidents by using incident details:
- In the main menu, go to MONITORING & REPORTING → Incidents.
- Click an incident ID to open the incident details. This incident will be merged into a target incident. You will select the target incident on the first step of the Wizard.
- Click the Merge incident button.
The Merge incidents Wizard opens.
- Select the target incident.
- Click the OK button.
The incidents are merged.
Threat hunting
This section contains general information about threat hunting features, instructions for how to build queries for threat hunting, and how to manage telemetry events.
About threat hunting
Threat hunting is a tool that allows you to find telemetry events according to a specified criterion or several criteria, and then analyze them. The search result is a list of events detected on the assets of your organization. IT security specialists of your organization can view the events, identify suspicious actions that require attention, or create custom rules to automate the search for threats in your organization.
To work with Threat hunting, you must have the Allow access right in the Threat hunting functional area.
Building and running queries for threat hunting
You can build queries to search the event database for threats. A simple query is a search condition that consists of an event field, a condition, and a value. A query can contain one or several search conditions.
Building queries
You can choose one of the following ways to build a query:
- Enter the event search conditions in the query search box.
- Click the event fields from the suggested list of event fields in the Help tab, and then add conditions and values. Selected event fields automatically appear in the query search box.
Certain syntax is used to build search queries. For example, you can add several conditions by using the logical operators OR and AND, and parentheses for creating groups of conditions.
Running queries
To run a query:
- Set the time range if you want to search for events that occurred during a specific period. By default, the table contains events that have occurred during the last hour.
To change the time range, click the Last hour button, and then select one of the following time ranges:
- Last hour, if you want to view events that were found during the last hour.
- Last day, if you want to view events found during the last day.
- All the time, if you want to view events found for any period of time.
- Custom range, if you want to view events found during a specific time range.
- If you selected Custom range:
- In the calendars that open, specify the start and end date and time of the event display range.
- Click the Apply button.
The calendars close.
- Click the Apply time range button to save the specified time range.
The window for specifying the time range closes.
- Click the Run query button.
The list of events that satisfy the search criteria is displayed. You are automatically switched to the Events tab. You can modify the query or save the query as a custom IOA rule.
About syntax in threat hunting queries
To search for telemetry events, you must use certain syntax. You must use the following syntax rules in search queries:
- A query must contain at least one logical expression that matches the following syntax: <event field name> <comparison operator> <field value>.
- A query can contain several logical expressions. You can combine logical expressions by using the following logical operators:
- AND (Boolean AND). The results include all events that match both conditions (to the left and right of the AND operator). For example, the query DetectActionResult == "Quarantine" AND DetectStatus == "Malware*" returns events that have a DetectStatus starting with Malware and a DetectActionResult equaling Quarantine.
- OR (Boolean OR). The results include events that match at least one of the logical expressions. For example, the query DetectActionResult == "Quarantine" OR DetectStatus == "Malware*" returns events that have a DetectStatus starting with Malware or a DetectActionResult equaling Quarantine.
- NOT (Boolean NOT). The results include events that do not match the expression. For example, the query NOT (DetectActionResult == "Quarantine") returns events in which DetectActionResult does not equal Quarantine.
- You can control the execution order of logical operations by using parentheses. For example, the query (DetectActionResult == "Quarantine" OR DetectStatus == "Malware*") AND FileSize > 16 returns events that have a DetectStatus starting with Malware or a DetectActionResult equaling Quarantine, and whose attached file exceeds 16 bytes. If you run the query DetectActionResult == "Quarantine" OR (DetectStatus == "Malware*" AND FileSize > 16), it returns events that have a DetectActionResult equaling Quarantine, or a DetectStatus starting with Malware and an attached file that exceeds 16 bytes.
- You can use the following comparison operators:
- == (equals). For example, the query DetectActionResult == "Quarantine" returns events in which the DetectActionResult field equals Quarantine.
- != (does not equal). For example, the query DetectActionResult != "Quarantine" returns events in which the DetectActionResult field does not equal Quarantine.
- > (greater than). For example, the query FileSize > 16 returns events that have an attached file larger than 16 bytes.
- < (less than). For example, the query FileSize < 16 returns events that have an attached file smaller than 16 bytes.
- >= (greater than or equal). For example, the query FileSize >= 16 returns events that have an attached file of 16 bytes or larger.
- <= (less than or equal). For example, the query FileSize <= 16 returns events that have an attached file of 16 bytes or smaller.
- You can view the list of event field names in the Threat hunting section → the Help tab.
- The <field type> part (the event field name) is case-insensitive. For example, the results of the computername == "host" query and the COMPUTERNAME == "host" query are the same.
- The <field value> part is a sequence of letters, numbers, and special characters. <Field value> cannot be the name of a <field type>. String values must be enclosed in quotation marks. The exception is a search for a non-empty string, which can be typed without quotation marks (for example, computername == * or computername == "*").
- Search by <field value> is case-insensitive. For example, the results of the ComputerName == "host" query and the ComputerName == "HOST" query are the same.
- <Field value> can include the following special characters:
- *: the asterisk denotes any number of characters in a string (only applicable to string values). For example, the query EventName == "H*" returns all events whose EventName begins with the letter "H". You can also use the asterisk to filter out fields with null values: for example, the query EventName == "*" or EventName == * returns events in which the EventName field has a non-empty value.
- ?: the question mark denotes any single character in a string (only applicable to string values). For example, the query ProcessUserName == "User?" returns events with a ProcessUserName like Users, User1, User2, and other matching values.
- \: the backslash is used to escape the asterisk, question mark, and backslash characters. For example, if you search for a path, use the backslash: file_pathes == "c:\\windows\\system32\\nslookup.exe".
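The query syntax above, as an added worked example that is not part of the Kaspersky documentation: a small tokenizer, parser and evaluator for this grammar, run over constructed sample events. The event field names come from the examples above; the sample events and the choice that AND binds tighter than OR (so parentheses decide the order, as the text recommends) are assumptions.

```python
"""Evaluator for the threat hunting query syntax described above (added illustration,
not Kaspersky code). Covers field/operator/value expressions, AND, OR, NOT, parentheses,
* and ? wildcards, backslash escaping and case-insensitive names and values.
Assumption: AND binds tighter than OR; use parentheses when the order matters."""
import re

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}
TOKEN_RE = re.compile(r'\(|\)|==|!=|>=|<=|>|<|"(?:\\.|[^"\\])*"|[^\s()"=<>!]+')

def tokenize(query):
    """Split a query into (kind, text) tokens; AND/OR/NOT become keywords."""
    parts = TOKEN_RE.findall(query)
    if re.sub(r"\s", "", "".join(parts)) != re.sub(r"\s", "", query):
        raise ValueError("unrecognized characters or an unclosed quote in the query")
    tokens = []
    for text in parts:
        if text in ("(", ")"):
            tokens.append(("paren", text))
        elif text in OPS:
            tokens.append(("op", text))
        elif text.startswith('"'):
            tokens.append(("str", text[1:-1]))  # quotes dropped, escapes kept for the matcher
        elif text.upper() in ("AND", "OR", "NOT"):
            tokens.append(("kw", text.upper()))
        else:
            tokens.append(("word", text))
    return tokens

def wildcard_to_regex(value):
    """* matches any run of characters, ? one character; a backslash escapes *, ? and itself."""
    def piece(m):
        tok = m.group(0)
        if tok.startswith("\\"):  # escaped character: match it literally
            return re.escape(tok[1:])
        return {"*": ".*", "?": "."}.get(tok) or re.escape(tok)
    return re.compile("^" + re.sub(r"\\.|\\$|\*|\?|[^\\*?]+", piece, value) + "$", re.IGNORECASE)

def parse(tokens):
    """Recursive descent: expr = term (OR term)*, term = factor (AND factor)*,
    factor = NOT factor | ( expr ) | field op value. Returns a tuple tree."""
    pos = [0]
    def take(expected=None):  # consume the next token, or only if it equals expected
        tok = tokens[pos[0]] if pos[0] < len(tokens) else (None, None)
        if expected is None or tok == expected:
            pos[0] += 1
            return tok
    def binary(kw, operand):  # left-associative chain of one keyword
        node = operand()
        while take(("kw", kw)):
            node = (kw.lower(), node, operand())
        return node
    def factor():
        if take(("kw", "NOT")):
            return ("not", factor())
        if take(("paren", "(")):
            node = binary("OR", lambda: binary("AND", factor))
            if not take(("paren", ")")):
                raise ValueError("missing closing parenthesis")
            return node
        (fk, name), (ok, op), (vk, value) = take(), take(), take()
        if fk != "word" or ok != "op" or vk is None:
            raise ValueError("expected <field name> <comparison operator> <field value>")
        if vk == "str" or value == "*":  # a bare * is allowed and means "non-empty"
            return ("cmp", name.lower(), op, ("str", value))
        return ("cmp", name.lower(), op, ("num", float(value)))  # unquoted => number
    tree = binary("OR", lambda: binary("AND", factor))  # OR binds loosest
    if pos[0] != len(tokens):
        raise ValueError("unexpected trailing tokens in the query")
    return tree

def evaluate(node, event):
    """True if the event satisfies the parsed query tree."""
    if node[0] == "not":
        return not evaluate(node[1], event)
    if node[0] in ("and", "or"):
        results = (evaluate(child, event) for child in node[1:])
        return all(results) if node[0] == "and" else any(results)
    _, name, op, (vkind, value) = node
    actual = {k.lower(): v for k, v in event.items()}.get(name)  # field names are case-insensitive
    if vkind == "num":
        return isinstance(actual, (int, float)) and OPS[op](actual, value)
    if op not in ("==", "!="):
        raise ValueError(f"{op} is not valid for string values")
    hit = actual not in (None, "") and bool(wildcard_to_regex(value).match(str(actual)))
    return hit if op == "==" else not hit  # empty or missing never matches, so * means non-empty

EVENTS = [  # constructed sample telemetry, not real data
    {"EventName": "Host scan", "DetectActionResult": "Quarantine", "FileSize": 32,
     "DetectStatus": "Malware.Win32.Agent", "ProcessUserName": "User1"},
    {"EventName": "Heuristic hit", "DetectActionResult": "Deleted", "FileSize": 8,
     "DetectStatus": "MalwareLike", "ProcessUserName": "Users"},
    {"EventName": "Process start", "DetectActionResult": "", "FileSize": 1024,
     "DetectStatus": "Clean", "ProcessUserName": "SYSTEM", "file_pathes": r"c:\windows\system32\nslookup.exe"},
]

def search(query, events=EVENTS):
    """Run a query and return the EventName of every matching event, in table order."""
    tree = parse(tokenize(query))
    return [e["EventName"] for e in events if evaluate(tree, e)]
```

The two parenthesized queries from the text give different results here for the same reason they do in the product: the parentheses, not the operator order in the text, decide which comparisons are grouped.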
Creating IOA rules from queries
You can create IOA rules based on the built queries.
To create an IOA rule:
- In the main menu, go to MONITORING & REPORTING → THREAT HUNTING.
- Enter a query in the query search box.
- Click the Create IOA rule button under the search box.
The New rule window opens.
- Specify the following details:
- Click the Create button.
An IOA rule with the searched conditions is created. You can check your IOA rules in the Custom rules section. If an IOA rule is triggered by an event, the name of the rule is displayed in the event details.
Viewing and configuring the event list
The event list is displayed after completion of the search for threats in the events database. You can customize the event table for ease of analysis, group and sort events, view details of the events, and take action if necessary.
Grouping events
By default, the events are ungrouped. They are arranged in a single list. You can group events by asset name or event type.
To group events:
- In the main menu, go to MONITORING & REPORTING → THREAT HUNTING, and then run a query.
- Click the Group by button.
- Select how you want to group events:
- Asset name
- Event type
The events are grouped.
To cancel grouping the events:
- Click the Group by button.
- Select Ungroup.
The events are ungrouped. Events are arranged in a single list.
Sorting events
You can sort events by the clientsideeventtime and timestamp event fields.
To sort the list of events:
- Click the name of the clientsideeventtime or timestamp column.
- Choose descending or ascending order.
The values are sorted. The arrow next to the column name shows the sort direction.
Configuring the event table
You can configure the columns that are displayed and change the order of the columns.
To configure the columns:
- In the main menu, go to MONITORING & REPORTING → THREAT HUNTING.
- Click the icon to open the column settings.
- In the column settings window:
- If you want to change the displayed columns in the table of events, select the columns you want to display.
- If you want to change the order of displayed columns, move the event fields.
- Click the Save button.
The table is configured.
Viewing event details
The event list contains details about the events. You can also open an event details window. The event details window provides all the information about the event.
To open event details:
- In the main menu, go to MONITORING & REPORTING → THREAT HUNTING, and then run a query.
- Click the table row with the event.
A window with details about the event opens.
Clicking a value in the event details or in the event table opens a context menu with a list of actions. For each value, the following actions are available:
- Copy the value to the clipboard.
- Add/remove the column to/from the event list.
- Add the value to the query.
The event list will be filtered by this value.
- Delete the value from the query.
Events will not be filtered by this field.
- Create a new query with the value.
In addition, for the SID, UserName, IP, MD5, URL, and Domain object types, the following actions are available:
- Find more information on .
- View related alerts.
- View related incidents.
The enrich.hunts.names field contains the names of the custom rules that were triggered by the event. Clicking a link in this field opens a window with details about the triggered custom rule. From the event details, you can view a tree of events by clicking the corresponding button.
Viewing a tree of events
The tree of events is a graph that presents information about events that are connected with this event.
To open the tree of events:
- Open the event details.
- Click the Tree of events button.
A new page opens. The page has the tree of events itself in the form of a process graph and a window with the event details on the right part of the page. In the event details, detailed information about the event or node in question is displayed.
A tree of events contains the following information:
- The initial event for which you are viewing information
- Parent process
The parent process is displayed to the left of the event you are viewing. It is labeled by the name of the executable (without the path). Clicking the parent process displays the process that started it, that is, the parent of that process. If there is no further parent process, the name of the device where the process was registered is displayed instead.
- Target process
If a process has a target process, the target process is displayed to the right of the event you are viewing. A target process is labeled by the name of the executable (without the path). If the initial event indicates the start of a process, the target process is displayed instead of the initial process.
Clicking an event on the event tree opens a window with details about the event.
Viewing information about related events in a tree of events
On the tree of events page, you can view a list of events that are related to the process in question.
Viewing information about related events is possible only for process nodes. A process node is a set of events that indicate the start of a process.
To view events initiated by the process:
- Open event details.
- Click the Tree of events button.
This opens a page containing the tree of events.
- Click the process on the events tree.
A window with the event details opens in the right part of the page.
- In the event detail window, go to the Related events tab.
A list of events related to the process is displayed. You can filter the list by the event type, show events on the events tree or hide them. When you add events on the event tree, the node is labeled by the event type.
Only events that occurred within 12 hours after the process start are displayed in the list.
Custom rules
This section contains general information about custom rules and their properties, as well as information about how to manage custom rules.
About custom rules
IOA (Indicator of Attack) rules detect suspicious events in the organization's infrastructure and create alerts automatically. New custom rules can also be created by using a query in the Threat Hunting section.
Kaspersky Endpoint Detection and Response Expert has two types of rules: custom IOA rules and Kaspersky rules. Custom IOA rules are created by the specialists of your organization. Kaspersky rules are pre-defined rules that are uploaded automatically. If you want to exclude an event which triggers a Kaspersky rule from the list of suspicious events, you can add an exclusion to the Kaspersky rule.
The table below shows the differences between custom IOA rules and Kaspersky IOA rules.
Comparison table of custom rules and Kaspersky rules
| Feature | Custom IOA rules | Kaspersky IOA rules |
| --- | --- | --- |
| Recommendations on responding to the event | No. | Yes (you can view recommendations in alert details). |
| Correspondence to techniques in the MITRE ATT&CK database | No. | Yes (you can view the description of the technique according to the MITRE database in alert details). |
| Display in the custom rules list | Yes. | No. |
| Ability to disable database lookup for this rule | Disabling rules. | Adding rules to exclusions. |
| Ability to delete or add the rule | You can delete or add a rule. | Rules are updated together with application databases, and you cannot delete these rules. |
Viewing and configuring custom rules list
The table of custom rules contains information about custom rules that are used to scan events and create alerts. Custom rules are divided into custom IOA rules and exclusions from Kaspersky rules.
To view custom rules:
- In the main menu, go to MONITORING & REPORTING → CUSTOM RULES.
The custom rule section is divided into two tabs.
- Go to the Custom IOA rules or Exclusions from Kaspersky rules tab.
The list of custom rules is displayed.
Table columns
The custom rules table has the following columns:
Sorting the values
To sort values in a custom rules table:
- In the main menu, go to MONITORING & REPORTING → CUSTOM RULES.
The custom rule section is divided into two tabs.
- Go to the Custom IOA rules or Exclusions from Kaspersky rules tab.
- Click the name of a column, and then choose descending or ascending order.
The values are sorted. The arrow next to the column name shows the sort direction. The sorting parameters are saved for further use.
Viewing custom rule details
Custom rule details are a page in the interface that contains all of the information related to the custom rule.
To view custom rule details:
- In the main menu, go to MONITORING & REPORTING → CUSTOM RULES.
- The Custom rules section is divided into two tabs. Go to the Custom IOA rules or Exclusions from Kaspersky rules tab.
- Select a rule for which you want to view information.
This opens a window containing information about the rule.
About custom rule details
Custom rules details contain information about a custom rule.
Custom IOA rule details
Custom IOA rule details contain the following fields:
Actions available in custom IOA rule details:
- Find events. Click the link to display the telemetry events table in the Threat hunting section. The table is filtered by the rule name.
- Go to Alerts marked by the rule. Click the link to view alerts generated by the IOA rule triggering. The list of alerts is in the Alerts section.
- Go to incidents marked by the rule. Click the link to view incidents generated by the IOA rule triggering. The list of incidents opens in the Incidents section.
- Editing details of the rule.
Exclusions from Kaspersky rules
An exclusion from Kaspersky contains the following fields:
Actions available in exclusion details:
- Find events. Click the link to display the telemetry events table in the Threat hunting section. The table is filtered by rule name.
- Go to Alerts marked by the rule. Click the link to view alerts generated by the IOA rule triggering. The list of alerts opens in the Alerts section.
- Go to incidents marked by the rule. Click the link to view incidents generated by the IOA rule triggering. The list of incidents opens in the Incidents section.
- Editing details of the rule.
Configuring custom rules table
To configure the columns:
- In the main menu, go to MONITORING & REPORTING → CUSTOM RULES.
- In the Custom rule section that opens, go to the Custom IOA rules or Exclusions from Kaspersky rules tab.
- Click the Columns settings button.
- In the window that opens:
- If you want to change the columns displayed in the table of custom rules, select the columns you want to display.
- If you want to change the order of the displayed columns, move the fields.
- Click the Save button.
The table is configured.
Creating custom IOA rules
To create a new custom rule:
- In the main menu, go to MONITORING & REPORTING → CUSTOM RULES.
- Go to Custom IOA rules tab.
- Click the New rule button.
- In the window that opens, fill in the required fields and optional ones, if needed.
- Click the Create button.
The custom IOA rule is created. You can also create IOA rules from queries in the Threat hunting section. If you do not want to use a created rule for scanning events, you can disable or delete it.
Creating exclusions from Kaspersky IOA rules
You can create exclusions from rules made by Kaspersky from alert details and event details. If you do not want to use a created exclusion for scanning events, you can delete it.
To create an exclusion from alert details:
- Do one of the following:
- In the main menu, go to MONITORING & REPORTING → Alerts, and then open the details of the alert that is triggered by the Kaspersky IOA rule.
- In the main menu, go to MONITORING & REPORTING → Threat hunting, and then open the details of the event that is triggered by the Kaspersky IOA rule.
- Make the necessary changes in the following fields:
- Click the Save button.
The exclusion is created. You can view and manage exclusions in the Custom rules section.
Editing custom rules
To edit a custom IOA rule:
- In the main menu, go to MONITORING & REPORTING → CUSTOM RULES.
- In the Custom rules section that opens, go to the Custom IOA rules or Exclusions from Kaspersky rules tab.
- Open the custom IOA rule details or exclusion from Kaspersky rule details, and then edit the desired fields.
Clicking the Edit query button opens the query in the Threat hunting section. Change the search conditions in the query search box and save it.
Changing values in the Use or Action fields of Kaspersky rules creates exclusions from Kaspersky rules.
- Click the Save button.
The changes are saved.
Enabling and disabling custom rules
Enabling and disabling are available only for custom IOA rules. If you want to remove an exclusion from a Kaspersky IOA rule, set the default values in the Use and Action fields of the rule.
To change the state of Kaspersky EDR Expert custom IOA rules:
- In the main menu, go to MONITORING & REPORTING → CUSTOM RULES.
- Go to Custom IOA rules tab.
- Select the rule or rules whose state you want to change.
- Click the Enable or Disable button.
The status of a rule or multiple rules is changed.
Deleting IOA custom rules
You can delete a single custom IOA rule, multiple rules, or all rules at once.
To delete a rule:
- In the main menu, go to MONITORING & REPORTING → CUSTOM RULES.
- In the Custom rule section that opens, go to Custom IOA rules.
- Select the rule or rules that you want to delete.
- Click the Delete button.
The action confirmation window opens.
- Click Yes to confirm the deletion.
The rule is deleted. The rule will not be used for scanning events.
Deleting exclusions
You can delete a single exclusion, multiple exclusions, or all exclusions at once.
To delete an exclusion:
- In the main menu, go to MONITORING & REPORTING → CUSTOM RULES.
- In the Custom rule section that opens, go to the Exclusions from Kaspersky rules tab.
- Select an exclusion or exclusions that you want to delete.
- Click the Delete button.
The action confirmation window opens.
- Click Yes to confirm the deletion.
The exclusion is deleted. The Kaspersky IOA rule will be used for scanning events, without the exclusion. Values in the Action and Use fields of the Kaspersky rule will return to default.
Response actions
This section contains information about response actions on detected threats that are available in Kaspersky Endpoint Detection and Response Expert.
About network isolation
Kaspersky Endpoint Detection and Response Expert provides the ability to isolate devices from the network on demand (manually) or as an automatic action in response to detected threats.
After enabling network isolation, the application breaks all active network connections on the devices and blocks new TCP/IP network connections, except for the connections listed below:
- Connections specified as network isolation exclusions
- Connections initiated by the services of a compatible EPP application
- Connections initiated by Kaspersky Security Center Network Agent
Device isolation from the network can be performed manually, either by applying the EPP application settings on the device or from the alert details, or automatically as a detection response action when the IOC Scan task runs. You can unlock an isolated device manually from the alert details, in the EPP application settings on the device, or from the command line. You can also configure the period after which network isolation is disabled automatically.
You can configure network isolation exclusions. Network connections that meet the conditions of the specified exclusion will not be blocked on the devices after network isolation is enabled.
For more information on managing network isolation manually by using the EPP application settings on the device, configuring the settings to automatically apply network isolation by using the Kaspersky Security Center policy, and configuring exclusions and the ability to manage network isolation by using the command line, refer to Kaspersky Endpoint Security for Windows Online Help.
About moving file to quarantine
One of the possible response actions when a threat is detected is to quarantine the file.
Quarantine is a special local repository on a device with an EPP application that supports Kaspersky Endpoint Detection and Response Expert functionality and which is intended for storing files that are probably infected by viruses or cannot be disinfected at the time when they are detected. Quarantined files are stored on the protected device in an encrypted form and therefore do not compromise the device security.
The file can be quarantined manually or automatically, as a result of alert response actions.
For more information on creating a Move file to Quarantine task, refer to Kaspersky Endpoint Security for Windows Help.
Restoring files from the Quarantine is also available from the command line. For details, refer to Kaspersky Endpoint Security for Windows Online Help.
The objects are quarantined under the system account (SYSTEM), unless another account is specified in the Move file to Quarantine task. When being restored from the Quarantine, the file is moved to its original location. If the original location does not exist, then the file is moved to a special folder on the device (%ProgramData%\qb\restored), from which you can manually move it to the destination folder.
Viewing a list of quarantined files
To view a list of quarantined files,
in the main window of Kaspersky Security Center Cloud Console go to the Repositories → Quarantine section.
For more information about working with Quarantine, refer to Kaspersky Security Center Online Help.
Specifying settings for storing files in the Quarantine
To specify the settings for storing files in the Quarantine, do the following:
- In the main window of Kaspersky Security Center Cloud Console go to the Devices → Policies and profiles section.
- Click the name of the policy you want to configure.
The policy properties window opens.
- Select the Application settings tab.
- In the Repositories section, select Quarantine and specify the required settings.
For more information on the configurable quarantine settings, refer to Kaspersky Endpoint Security for Windows Online Help.
About deleting files
One of the possible response actions when a threat is detected is to delete the file from the device.
For details on how to create the Delete file task, refer to Kaspersky Endpoint Security for Windows Online Help.
About running critical areas scan
One of the possible response actions when a threat is detected is to run Critical Areas Scan on the device.
Critical Areas Scan can be run manually or automatically, as a result of response to alerts.
For details on Critical Areas Scan, refer to Kaspersky Endpoint Security for Windows Online Help.
About IOC scan
An Indicator of Compromise (also referred to as IOC) is a set of data about an object or activity that indicates unauthorized access to the device (data compromise). For example, many unsuccessful attempts to sign in to the system can constitute an Indicator of Compromise. The IOC Scan task allows finding Indicators of Compromise on the device and performing threat response actions.
IOC files are used to search for IOCs. IOC files contain a set of indicators that are compared to the indicators of an event. If the compared indicators match, the EPP application considers the event to be an alert. IOC files must conform to the OpenIOC standard.
When an IOC is detected on a device, Kaspersky Endpoint Detection and Response Expert performs the specified response action. The following response actions are available for detected IOCs:
- Isolate device from the network.
- Run Critical Areas Scan.
- Move the copy to the quarantine, and then delete the object.
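To make the IOC-file matching described above concrete, here is an added example (not Kaspersky's code) that evaluates the indicator tree of a minimal OpenIOC 1.0 file against endpoint event records, honouring the nested AND/OR operators. The IOC file, the event records, the hash values and the case-insensitive comparison are constructed assumptions of this example, not taken from the product.

```python
"""Added example (not Kaspersky code): evaluate the indicator tree of a minimal
OpenIOC 1.0 file against endpoint event data, the way an IOC Scan compares the
indicators in an IOC file with the indicators of an event. The IOC file, the
event records and the hash values below are constructed for this example."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed IOC: match on a placeholder MD5, OR on (temp-folder path AND file name).
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-ioc-0001"
     last-modified="2024-01-01T00:00:00">
  <short_description>Constructed example: suspicious updater</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="item-2" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">\\AppData\\Local\\Temp\\</Content>
        </IndicatorItem>
        <IndicatorItem id="item-3" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">updater.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Constructed event records: a flat dict keyed by the OpenIOC "search" term.
SAMPLE_EVENTS = [
    {"id": "evt-1", "FileItem/FileName": "updater.exe",
     "FileItem/FullPath": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "FileItem/Md5sum": "ffffffffffffffffffffffffffffffff"},   # hits ind-2 (AND branch)
    {"id": "evt-2", "FileItem/FileName": "updater.exe",
     "FileItem/FullPath": r"C:\Program Files\Vendor\updater.exe",
     "FileItem/Md5sum": "ffffffffffffffffffffffffffffffff"},   # name only: no hit
    {"id": "evt-3", "FileItem/FileName": "svc.dll",
     "FileItem/FullPath": r"C:\Windows\Temp\svc.dll",
     "FileItem/Md5sum": "00000000000000000000000000000000"},   # hits item-1 by hash
]


def _item_matches(item, event):
    """Evaluate one IndicatorItem. Only the 'is' and 'contains' conditions are
    implemented; comparison is case-insensitive (an assumption of this example)."""
    search = item.find("ioc:Context", NS).get("search")
    expected = (item.find("ioc:Content", NS).text or "").lower()
    actual = event.get(search)
    if actual is None:          # event carries no value for this indicator
        return False
    actual = str(actual).lower()
    condition = item.get("condition", "is")
    if condition == "is":
        return actual == expected
    if condition == "contains":
        return expected in actual
    raise ValueError(f"unsupported OpenIOC condition: {condition}")


def _indicator_matches(indicator, event):
    """Evaluate an Indicator node: AND requires every child, OR requires any child.
    Children may be IndicatorItems or nested Indicators."""
    op = indicator.get("operator", "AND").upper()
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]       # strip the namespace prefix
        if tag == "IndicatorItem":
            results.append(_item_matches(child, event))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, event))
    if not results:
        return False
    return any(results) if op == "OR" else all(results)


def scan_events(ioc_xml, events):
    """Return (ioc_id, event_id) pairs for every event the IOC definition matches."""
    root = ET.fromstring(ioc_xml)
    ioc_id = root.get("id")
    definition = root.find("ioc:definition", NS)
    top_level = definition.findall("ioc:Indicator", NS)
    return [(ioc_id, ev["id"]) for ev in events
            if any(_indicator_matches(ind, ev) for ind in top_level)]


if __name__ == "__main__":
    for ioc_id, event_id in scan_events(SAMPLE_IOC, SAMPLE_EVENTS):
        print(f"IOC {ioc_id} matched event {event_id}")
```

A matched event is where the page's response actions (isolation, Critical Areas Scan, quarantine and delete) would be applied.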
About execution prevention
You can configure execution prevention rules for executable files and scripts, as well as for opening Office-format files on the selected devices. For example, you can prevent launching applications whose usage is considered unsafe on the selected device protected by Kaspersky Endpoint Detection and Response Expert. The application identifies the files by their paths or checksums by using MD5 and SHA256 hash algorithms.
The Execution prevention rule is a set of criteria that are considered when preventing an object from execution. The object must meet all the criteria of the Execution prevention rule in order for the application to block it from execution.
Kaspersky Endpoint Detection and Response Expert has the following modes for applying execution prevention rules:
- Block and log the report. In this mode, the EPP application blocks the execution of objects or opening of documents that match the execution prevention rules criteria.
- Log an event only. In this mode, the EPP application records to the Windows Event Log and to Kaspersky Security Center an event about attempts to execute objects or open documents that meet the criteria of the Execution prevention rules, but does not block the execution or opening of these objects.
For information on enabling, configuring execution prevention settings, and managing execution prevention rules from the command line, refer to Kaspersky Endpoint Security for Windows Help.
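As an added illustration of the rule semantics described above (all criteria of a rule must hold, and the mode decides between blocking and logging only), the following is example code written for this page, not Kaspersky's implementation; the rules, file contents, paths and the glob-style path matching are constructed assumptions.

```python
"""Added example (not Kaspersky code): evaluate execution prevention rules with
path and hash criteria. An object is blocked only if it meets ALL criteria of a
rule, and the mode ('block' = block and log, 'log' = log only) decides whether the
attempt is blocked or only recorded. Rules and file data are constructed."""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PreventionRule:
    name: str
    path_pattern: Optional[str] = None   # case-insensitive glob over the full path (assumption)
    md5: Optional[str] = None
    sha256: Optional[str] = None

    def matches(self, path: str, data: bytes) -> bool:
        """Every criterion that is set must hold (AND); unset criteria are ignored."""
        if self.path_pattern and not fnmatch.fnmatch(path.lower(), self.path_pattern.lower()):
            return False
        if self.md5 and hashlib.md5(data).hexdigest() != self.md5.lower():
            return False
        if self.sha256 and hashlib.sha256(data).hexdigest() != self.sha256.lower():
            return False
        return True


def evaluate(path: str, data: bytes, rules: List[PreventionRule],
             mode: str = "block") -> Tuple[bool, List[str]]:
    """Return (blocked, log_events). In 'log' mode matching rules are recorded
    but nothing is blocked; in 'block' mode any matching rule blocks execution."""
    if mode not in ("block", "log"):
        raise ValueError(f"unknown mode: {mode}")
    hits = [r.name for r in rules if r.matches(path, data)]
    events = [f"execution-prevention rule={name} path={path} mode={mode}" for name in hits]
    return bool(hits) and mode == "block", events


# Constructed sample file content and rules (not real indicators).
SAMPLE_EXE = b"MZ constructed sample binary"
RULES = [
    # Path AND hash must both match.
    PreventionRule("temp-tool", path_pattern=r"*\temp\*.exe",
                   sha256=hashlib.sha256(SAMPLE_EXE).hexdigest()),
    # Path-only rule for scripts in Downloads.
    PreventionRule("downloads-js", path_pattern=r"*\downloads\*.js"),
]


def demo() -> List[Tuple[bool, int]]:
    """Run three constructed cases; returns (blocked, number_of_log_events) per case."""
    temp_path = r"C:\Users\bob\AppData\Local\Temp\tool.exe"
    cases = [
        evaluate(temp_path, SAMPLE_EXE, RULES, "block"),            # all criteria met: blocked
        evaluate(temp_path, SAMPLE_EXE, RULES, "log"),              # met, but log-only mode
        evaluate(temp_path, SAMPLE_EXE + b"x", RULES, "block"),     # hash differs: no match
        evaluate(r"C:\Users\bob\Downloads\inv.js", b"//", RULES),   # path-only rule hit
    ]
    return [(blocked, len(events)) for blocked, events in cases]


if __name__ == "__main__":
    for blocked, n in demo():
        print(f"blocked={blocked} log_events={n}")
```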
About process start task
The process start task allows you to start files remotely on the device. For example, you can remotely start a utility that creates a file with the computer configuration, and then get the created file by using the Get file task.
For details on how to create the Start process task, refer to Kaspersky Endpoint Security for Windows Online Help.
About terminating process task
The process termination task allows you to terminate processes remotely on the device. For example, you can remotely terminate the internet speed testing utility that was started by using the Process start task.
For details on how to create the Terminate process task, refer to Kaspersky Endpoint Security for Windows Online Help.
About getting file task
The Get file task allows you to get files from user devices. For example, you can configure getting an event log file created by a third-party application. As a result of the execution of the task, the file is saved in Quarantine. You can download this file from the Quarantine to your computer by using Kaspersky Security Center Cloud Console. On the user's computer, the file remains in its original folder.
For details on how to create the Get file task, refer to Kaspersky Endpoint Security for Windows Online Help.
Monitoring and reporting
This section describes the monitoring and reporting features of Kaspersky EDR Expert. These features give you an overview of the IT infrastructure's protection status.
You can monitor the protection status by using the widgets in the Dashboard section of the console. You can add widgets, change their location on the Dashboard, and select the data display period.
About widgets in Kaspersky EDR Expert
This section describes features of the widgets related only to Kaspersky EDR Expert. For general information about widgets, please refer to the Kaspersky Security Center Cloud Console documentation.
To track the protection status of the organization's IT infrastructure, you can add and configure the following widgets on the Dashboard:
- Widgets to monitor alerts:
- New alerts (EDR Expert)
- Closed alerts (EDR Expert)
- Closed alerts unlinked from incidents (EDR Expert)
- Widgets to monitor incidents:
- New incidents (EDR Expert)
- Closed incidents (EDR Expert)
The widgets display data only when the following conditions are met:
- The console is connected to a physical Administration Server. The widgets do not display data when the console is connected to a virtual Server.
- You have the access right to read and modify alerts and incidents.
- Kaspersky EDR Expert is integrated into Kaspersky Security Center Cloud Console. When the Kaspersky EDR Expert license has expired or the activation code for Kaspersky EDR Expert is removed from the repository, you may be provided a grace period for renewal during which the application continues to function. The widgets still display the data during the grace period, but data that appears or is changed during the grace period is not included in the displayed data.
Adding widgets to the Dashboard
You can add widgets to the Dashboard at any time. For the widgets to display data, a number of conditions must be met.
To add widgets to monitor alerts or incidents:
- In the Dashboard section, select Add or restore web widget.
- In the window that opens, click the Security operations category, and then select the widget that you want to add to the Dashboard.
- Click the Add button.
The selected widget is added to the Dashboard. You can configure the appearance of the widgets to monitor alerts and incidents.
Configuring the widgets to monitor alerts
To monitor alerts, you can add and configure the following widgets on the Dashboard:
- New alerts (EDR Expert)
By using this widget, you can monitor the number of alerts that were registered in the IT infrastructure for a time period.
- Closed alerts (EDR Expert)
By using this widget, you can monitor the number of alerts that were closed for a time period. The widget displays all of the alerts that currently have the Closed status and were closed during the selected time period.
- Closed alerts unlinked from incidents (EDR Expert)
By using this widget, you can monitor the number of alerts that currently have the Closed status, are not linked to incidents, and were closed during the selected time period.
For the general instructions on configuring and managing widgets, refer to Kaspersky Security Center Cloud Console documentation.
Configuring time period to display
For a widget, you can change the time period for which you want to monitor the statistics on the alerts.
To change a time period to display on a widget:
- Go to Monitoring & Reporting → Dashboard.
- Click the Settings icon on the widget that you want to change.
- Select Show settings.
- In the widget settings window that opens, change the time period to display:
- From start date to end date
Specify the start date and the end date of the time interval.
- From start date until now
Specify the start date of the time interval.
- Specify the number of days before today
- Click the Save button.
The widget on the Dashboard page displays data for the period you selected.
Viewing data details
The Total field on a widget shows the total number of alerts that are currently represented in the chart for the selected time period. Click the Total link to view all of the represented alerts in the alert table.
On a widget, the time period is divided into time intervals represented by columns. You can select a time interval to apply: a day, four hours, or an hour. Point to a chart column to view the number of alerts for the time interval. Click a chart column to open the list of alerts for the selected time interval in the alert table.
Configuring the widgets to monitor incidents
To monitor incidents, you can add and configure the following widgets on the Dashboard:
- New incidents (EDR Expert)
By using this widget, you can monitor the number of incidents that were created in the IT infrastructure for a time period.
- Closed incidents (EDR Expert)
By using this widget, you can monitor the number of incidents that were closed for a time period. The widget displays all of the incidents that currently have the Closed status and were closed during the selected time period.
For the general instructions on configuring and managing widgets, refer to Kaspersky Security Center Cloud Console documentation.
Configuring time period to display
For a widget, you can change the time period for which you want to monitor the statistics on the incidents.
To change a time period to display on a widget:
- Go to Monitoring & Reporting → Dashboard.
- Click the Settings icon on the widget that you want to change.
- Select Show settings.
- In the widget settings window that opens, change the time period to display:
- From start date to end date
Specify the start date and the end date of the time interval.
- From start date until now
Specify the start date of the time interval.
- Specify the number of days before today
- Click the Save button.
The widget on the Dashboard page displays data for the period you selected.
Viewing data details
The Total field on a widget shows the total number of incidents that are currently represented in the chart for the selected time period. Click the Total link to open all of the represented incidents in the incident table.
On a widget, the time period is divided into time intervals represented by columns. You can select a time interval to apply: a day, four hours, or an hour. Point to a chart column to view the number of incidents for the time interval. Click a chart column to open the list of incidents for the selected time interval in the incident table.
Contact Customer Service
This section describes how to get technical support and the terms on which it is available.
How to get technical support
If you can't find a solution to your issue in the Kaspersky Endpoint Detection and Response Expert documentation or in any of the sources of information about Kaspersky Endpoint Detection and Response Expert, contact Kaspersky Customer Service. Technical Support specialists will answer all your questions about installing and using Kaspersky Endpoint Detection and Response Expert.
Kaspersky provides support of Kaspersky Endpoint Detection and Response Expert during its lifecycle (see the application support lifecycle page). Before contacting Technical Support, please read the support rules.
You can contact Technical Support in one of the following ways:
- By visiting the Technical Support website
- By sending a request to Technical Support from the Kaspersky CompanyAccount portal
Technical support via Kaspersky CompanyAccount
Kaspersky CompanyAccount is a portal for companies that use Kaspersky applications. The Kaspersky CompanyAccount portal is designed to facilitate interaction between users and Kaspersky specialists through online requests. You can use Kaspersky CompanyAccount to track the status of your online requests and store a history of them as well.
You can register all of your organization's employees under a single account on Kaspersky CompanyAccount. A single account lets you centrally manage electronic requests from registered employees to Kaspersky and also manage the privileges of these employees via Kaspersky CompanyAccount.
The Kaspersky CompanyAccount portal is available in the following languages:
- English
- Spanish
- Italian
- German
- Polish
- Portuguese
- Russian
- French
- Japanese
To learn more about Kaspersky CompanyAccount, visit the Technical Support website.
Termination of the Kaspersky Endpoint Detection and Response Expert solution usage
If you decide to stop using Kaspersky Endpoint Detection and Response Expert, revoke your consent for the terms of using the Kaspersky EDR Expert solution.
To revoke your consent for the terms of using the Kaspersky EDR Expert solution:
- Go to the Threat Hunting section, and then click the Kaspersky EDR Expert settings link.
A page with the Kaspersky EDR Expert settings opens.
- On the Settings tab, click the Revoke consent button.
- Confirm that you want to revoke your consent for the terms of using the Kaspersky Endpoint Detection and Response Expert.
Your consent with the terms of using Kaspersky EDR Expert solution is revoked.
If you want to remove the information about your organization from the Kaspersky EDR Expert infrastructure, please contact Technical Support.
Sources of information about the application
This section lists the sources of information about the application.
You can select the most suitable information source, depending on the level of importance and urgency of the issue.
Glossary
Alert
An event in the organization's IT infrastructure that was marked as unusual or suspicious and that may pose a threat to the security of the organization's IT infrastructure.
Asset
A device with an installed Kaspersky EPP application (for example, Kaspersky Endpoint Security for Windows).
Endpoint Protection Platform (EPP)
An integrated system of complex protection for endpoint devices (for example, mobile devices, computers, or laptops) that includes various security technologies. An example of an Endpoint Protection Platform is Kaspersky Endpoint Security for Business.
EPP application
An application included in a protection system for endpoint devices (Endpoint Protection Platform, or EPP). EPP applications are installed on endpoint devices within the IT infrastructure of an organization (for example, mobile devices, computers, or laptops). An example of an EPP application is Kaspersky Endpoint Security for Windows, as part of the EPP solution Kaspersky Endpoint Security for Business.
Event
Any significant occurrence in the system, an application or managed devices that requires a user to be notified.
Incident
An activity evaluated as critical by the detection technology and which requires immediate reaction from Kaspersky Endpoint Detection and Response.
IOA
An indicator of attack (or IOA) is the description of suspicious behavior of objects in an organization's IT infrastructure, which can be a sign of attack targeted at this organization.
IOA rule
A rule containing the description of a suspicious activity in the system that could be a sign of a targeted attack.
IOC
An indicator of compromise (or IOC) shows the evidence on a device that points to a security breach.
MITRE tactic
The objective that an attacker wanted to achieve during a cyber attack on the Client infrastructure.
MITRE technique
The method used by the attacker to perform malicious actions during a cyberattack on the Client infrastructure. Each MITRE tactic contains an array of MITRE techniques.
Response
Incident response is a structured methodology for handling security incidents, breaches, and cyberthreats.
Telemetry
Data that is sent from assets to Kaspersky Endpoint Detection and Response.
Tenant
A tenant is an organization to which you supply Kaspersky Endpoint Detection and Response.
Known issues
Kaspersky Endpoint Detection and Response has a number of limitations that are not critical to the operation of the application:
- In the alert and incident tables, the columns that combine two or more data types can only be sorted by one of the data types:
- The column that combines the alert ID and alert severity can only be sorted by the alert ID.
- The column that combines the alert registration date and method of linking to an incident can only be sorted by the alert registration date.
- The column that combines the alert status, resolution, and incident ID can only be sorted by the alert status.
- The column that combines the incident creation date and creation method can only be sorted by the incident creation date.
- The column that combines the incident ID and incident name can only be sorted by the incident ID.
- In the Threat Hunting section, the web page may stop responding if more than 1,000 events are loaded in the list.
- A Kaspersky rule cannot be disabled by setting the Never value of the Use option. The rule will keep triggering and producing new alerts.
- If you rename a Kaspersky rule, the rule details cannot be opened from an event that was marked by this rule before the rule was renamed.
- In the Threat Hunting section, a query by a device name for a custom time period may be processed for up to 20 minutes.
- In the details of a Kaspersky IOA rule, the links to MITRE sub-techniques are formed incorrectly. The linked webpages cannot be opened.
- If you create a query by a non-string value by using alert details, the value is automatically specified as a string value in the query field.
- In the Threat Hunting section, a query made by using the AnyUserName field works incorrectly.
- When you move an IOC scan task to another device group, the details for this task become unavailable.
Information about third-party code
Third-party code has been used in the development of the solution.
For information about the third-party code in Kaspersky Endpoint Detection and Response Expert, contact Kaspersky Endpoint Detection and Response Expert Support.
Information about the third-party code used in Kaspersky Endpoint Detection and Response Expert is contained in the file legal_notices.txt.
Trademark notices
Registered trademarks and service marks are the property of their respective owners.
Amazon, Amazon Web Services, AWS are trademarks of Amazon.com, Inc. or its affiliates.
Microsoft, Windows are trademarks of the Microsoft group of companies.