Working with alert details
This section contains information about actions that can be performed directly from the detection details window ("alert" in Kaspersky Security Center Linux version 15.1 and later).
About alert details
Alert details contain all available information about the detected threat and allow you to manage alert response actions.
Alert details contain the following information:
- Threat development chain graph that provides visual information about the objects involved, such as key processes on the device, network connections, libraries, registry hives. It is used to analyze the causes of the threat.
- General information about the alert, including detection mode (for example, detection during on-demand scan or during automatic scan).
- Information about the protected device on which the alert occurs (for example, device name, IP address, MAC address, user list, operating system).
- Information about the detected object.
- Registry changes associated with the alert.
- History of the file presence on the device.
- Response actions performed by the application.
The following information is also available in the detection details generated by the Kaspersky Industrial CyberSecurity for Linux Nodes application version 1.5 and later:
- Recommendations for responding to detection. Each recommendation is provided with a link that you can use to apply the selected response method.
- Information about the trust group, digital signature, file distribution and other data.
This block of information is available if the Kaspersky Security Network function is enabled in the Kaspersky Industrial CyberSecurity for Linux Nodes application at the time of detection.
The listed data is captured at the time the threat is detected. The solution does not update it afterwards, so it may differ from the data displayed on the Kaspersky Threat Intelligence Portal. To view the latest data, use the links to the Kaspersky Threat Intelligence Portal in the detection details.
You can perform the following response actions from the alert details:
- isolate the device on which the alert occurred;
- quarantine file;
This action is not available on computers running Linux operating systems with Kaspersky Industrial CyberSecurity for Linux Nodes version 1.5 installed.
- create an IOC Scan task;
- prevent execution of the detected file.
This action is not available on computers running Linux operating systems with Kaspersky Industrial CyberSecurity for Linux Nodes version 1.5 installed.
Alert details are automatically deleted one month after creation.
If the amount of information in the alert details exceeds 100 KB, or if more than 20 alerts occurred on the device during a day, then the alert data is stored on the device locally and connection to the device is required to access this data.
Configuring threat report for viewing alert details
To configure the capability to open the alert details window from the Report on threats:
- In the main Kaspersky Security Center Web Console window, select Monitoring & Reporting → Reports.
- In the list of reports, select the Report on threats template and click the Open report template properties button.
- In the report properties window that opens, go to the Fields tab.
- Make sure that the Open alert field is available in the list of report fields in the Details fields group of settings.
- If the Open alert field is not available in the list, follow these steps:
- Click the Add button.
- At the right side of the window, select the Open alert field from the drop-down list.
- Click OK.
- Click the Save button.
Viewing alert details
Alert details are available in the list of alerts. The list of alerts is available in the Report on threats or in the Alerts subsection of the Monitoring & Reporting section in Kaspersky Security Center Web Console.
If you add a license key for Kaspersky Industrial CyberSecurity Endpoint Detection and Response, the Alerts subsection automatically appears in the Monitoring & Reporting section of the main menu. You can also configure the display of the Alerts subsection in the interface properties of Kaspersky Security Center Windows or Kaspersky Security Center Linux.
To view the alert details in the Monitoring & Reporting section:
- In the main Kaspersky Security Center Web Console window, select Monitoring & Reporting → Alerts.
- Select the alert and click the Details link.
The alert details are displayed.
To view the alert details in the report on threats:
- In the main Kaspersky Security Center Web Console window, select Monitoring & Reporting → Reports.
- Select the Report on threats template and click the Show report button.
- In the report window on the Details tab, select the alert and click the Open alert details link.
The alert details are displayed.
To display the alert details, Kaspersky Industrial CyberSecurity Endpoint Detection and Response needs to get data from the device on which the alert occurred. If the data or the device is not available, an error message is displayed. It may take several minutes for the device to respond.
To view information about a detected threat in Kaspersky Industrial CyberSecurity for Linux Nodes, please refer to the Application Help.
Applying network isolation to a device
To isolate a device from the network from the alert details window:
- Open the alert details window.
- In the Computer section, click the Isolate the computer from the network button to apply network isolation to this device.
Read the Kaspersky Endpoint Agent Help about enabling or disabling network isolation on a device through Kaspersky Security Center and about managing network isolation.
Read the Kaspersky Industrial CyberSecurity for Linux Nodes Help about enabling and disabling network isolation on a device and setting up exceptions from network isolation.
Moving a file to Quarantine from alert details
To move a file to Quarantine from the alert details:
- Open the alert details.
- In the File section click the Quarantine button.
The file will be deleted from the device, and its copy will be quarantined.
This action is not available on computers running Linux operating systems with Kaspersky Industrial CyberSecurity for Linux Nodes version 1.5 installed.
Creating an IOC Scan task from alert details
To create an IOC Scan task from the alert details:
- Open the alert details.
- On the All alert events tab, select the items from which you want to create an IOC Scan task.
- Click Create IOC.
- Select the triggering criteria for the compromise indicator:
- If you want the indicator of compromise to be triggered when any of the selected objects is detected, select OR on the right side of the screen.
- If you want the indicator of compromise to be triggered when all the selected objects are detected, select AND on the right side of the screen.
- Select the actions to be taken when the IOC is triggered.
- Click Create task.
You can view the created tasks in the Devices → Tasks section.
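The OR/AND triggering criteria above, applied to the FileItem term this page mentions, as an added example that is not Kaspersky's own code: an evaluator for an OpenIOC-style indicator file against a constructed file inventory. The page does not state the format of the generated IOC file; the OpenIOC 1.0 layout, the IOC contents and the inventory below are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed IOC (not from the page); operator="OR" is the "any selected object" criterion.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-ioc-0001">
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">dropper.bin</Content>
      </IndicatorItem>
      <IndicatorItem id="item-2" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

# Constructed file inventory standing in for what a scan collects on a device.
INVENTORY = [
    {"FileItem/FileName": "report.pdf", "FileItem/Md5sum": "a" * 32},
    {"FileItem/FileName": "dropper.bin", "FileItem/Md5sum": "b" * 32},
]

def item_matches(item, inventory):
    """True if any inventory entry satisfies one IndicatorItem (only condition="is")."""
    if item.get("condition") != "is":
        raise ValueError("this example supports only the 'is' condition")
    search = item.find("ioc:Context", NS).get("search")
    content = item.find("ioc:Content", NS).text.strip().lower()
    return any(entry.get(search, "").lower() == content for entry in inventory)

def indicator_matches(indicator, inventory):
    """Combine child results with the Indicator's operator: AND = all, OR = any."""
    results = []
    for child in indicator:
        tag = child.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if tag == "IndicatorItem":
            results.append(item_matches(child, inventory))
        elif tag == "Indicator":  # nested groups are evaluated recursively
            results.append(indicator_matches(child, inventory))
    if not results:  # an Indicator with no terms never triggers
        return False
    return all(results) if indicator.get("operator", "OR").upper() == "AND" else any(results)

def ioc_triggers(ioc_xml, inventory):
    """True if any top-level Indicator in the IOC definition triggers on the inventory."""
    definition = ET.fromstring(ioc_xml).find("ioc:definition", NS)
    return any(indicator_matches(ind, inventory) for ind in definition.findall("ioc:Indicator", NS))
```

Switching the operator to AND makes the same IOC fail against this inventory, because only the file name matches and not the MD5 sum.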
When you create an IOC Scan task for the selected object (file or process) from the alert details, an with the FileItem term is automatically created. For more details about IOC terms, see Kaspersky Endpoint Agent Help and Kaspersky Industrial CyberSecurity for Linux Nodes Help.
Preventing a file execution from the alert details
File execution prevention rules are applied to the device on which the alert occurred only if an active Kaspersky Endpoint Agent policy for Kaspersky Industrial CyberSecurity Endpoint Detection and Response is applied to that device. If the device on which the alert occurred is not managed by an active policy, the Execution prevention rule is not created.
To prevent file execution from the alert details:
- Open the alert details.
- In the File section click the Prevent execution button.
Execution of the file is prevented, and an Execution prevention rule is added to the policy of the group the device belongs to.
This action is not available on computers running Linux operating systems with Kaspersky Industrial CyberSecurity for Linux Nodes version 1.5 installed.