Kaspersky Anti Targeted Attack Platform

Viewing alerts

The web interface of Kaspersky Anti Targeted Attack Platform displays the following types of alerts to inform users:

  • A file has been downloaded or an attempt was made to download a file to a corporate LAN computer. The program detected this file in mirrored traffic on the organization's local network or in ICAP data of HTTP and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
  • A file has been sent to the email address of a user on the corporate LAN. The program detected this file in copies of email messages received via the POP3 or SMTP protocol, or received from the virtual machine or server with Kaspersky Secure Mail Gateway if it is being used in your organization.
  • A website link was opened on a corporate LAN computer. The program detected this website link in mirrored traffic on the organization's local network or in ICAP data of HTTP and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
  • Network activity has occurred in which the IP address or domain name of a corporate LAN computer was detected. The program detected this network activity in mirrored traffic on the organization's local network.
  • Processes have been started on a corporate LAN computer. The program detected the processes using the Kaspersky Endpoint Agent program installed on computers belonging to the corporate IT infrastructure.

If a file was detected, the following information may be displayed in the program web interface depending on which program modules or components generated the alert:

  • General information about the alert and the detected file (for example, the IP address of the computer on which the file was detected, and the name of the detected file).
  • Results of the virus scan of the file performed by AM Engine.
  • Results of scanning the file for signs of intrusion into the corporate IT infrastructure, performed by the YARA module.
  • Results of analysis of the file's behavior in Windows XP SP3 (32-bit), Windows 7 (64-bit), Windows 10 (64-bit), and CentOS 7.8 operating systems, performed by the Sandbox component.
  • Results of analysis of APK executable files in the cloud infrastructure using machine learning technology.

If a website link was detected, the following information may be displayed in the program web interface depending on which program modules or components generated the alert:

  • General information about the alert and the detected website link (for example, the IP address of the computer on which the website link was detected, and the address of the website link).
  • Results of the link scan performed by the URL Reputation module, which detects signs of malware, phishing URLs, and URLs previously used by attackers for targeted attacks on the corporate IT infrastructure.

If the program detects network activity of the IP address or domain name of a computer on a corporate LAN, the program web interface may display the following information:

  • General information about the alert and the detected network activity.
  • Results of web traffic scanning for signs of intrusion into the corporate IT infrastructure according to preset rules, performed by the Intrusion Detection System module (IDS).
  • Results of network activity scanning performed using Kaspersky TAA (IOA) rules.
  • Results of network activity scanning performed using TAA (IOA), IDS, IOC user rules.

If the program detects processes running on a corporate LAN computer where the Kaspersky Endpoint Agent program is installed, the program web interface can display the following information:

  • General information about the alert and processes running on the computer.
  • Results of network activity scanning performed for the computer using Kaspersky TAA (IOA) rules.
  • Results of network activity scanning performed for the computer using TAA (IOA), IOC user rules.

In this section

Viewing alert details

General information about an alert of any type

Information in the Object information section

Information in the Alert information section

Information in the Scan results section

Information in the IDS rule section

Information in the Network event section

Scan results in Sandbox

IOC scan results

Information in the Hosts section

Information in the Change log section

Sending alert data

[Topic 196626]

Viewing alert details

To view alert details:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the line containing the alert whose information you want to view.

    This opens a window containing information about the alert.

[Topic 154997]

General information about an alert of any type

Regardless of the technology that was used to create the alert, the header of the window containing the alert information displays the alert ID. If the alert has VIP status, a VIP icon is displayed next to the status.

The upper part of the window containing alert information may display the following general information about the alert:

  • State—Alert status depending on whether or not this alert has been processed by the user of Kaspersky Anti Targeted Attack Platform.
  • Importance—Alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this alert may have on computer or corporate LAN security based on Kaspersky experience.
  • Server is the name of the server where the alert was generated. Servers belong to the tenant that you are managing in the program web interface.
  • Host—Domain name of the computer where the alert occurred.
  • Data source—Source of the data. For example, SMTP Sensor or SPAN Sensor.
  • Time created—Time when the alert was generated.
  • Time updated—Time when information about the alert was updated.

[Topic 196627]

Information in the Object information section

The Object information section can display the following event information about the detected object:

  • File name.

    To expand the Copy value to clipboard action, click the link with the file name.

  • File type. For example: ExecutableWin32.

    The Find on TIP button lets you find the file on the Kaspersky Threat Intelligence Portal.

    Click Create prevention rule to prevent the file from running.

    Click Download to download the file to your computer's hard drive.

    The file is downloaded in the form of a ZIP archive encrypted with the password "infected". The name of the file inside the archive is replaced by the file's MD5 hash. The file extension of the file inside the archive is not displayed.

  • File size in kilobytes.
  • MD5—MD5 hash of a file.

    Clicking the link with MD5 opens a list in which you can select one of the following actions:

    • Find on TIP.
    • Find events.
    • Find alerts.
    • Create prevention rule.
    • Copy value to clipboard.
  • SHA256—SHA256 hash of a file.

    Clicking the SHA256 link opens a list in which you can select one of the following actions:

    • Find on TIP.
    • Find on virustotal.com.
    • Find events.
    • Find alerts.
    • Create prevention rule.
    • Copy value to clipboard.
  • Sender email—Email address from which the message containing the file was sent.
  • Recipient email—One or more email addresses to which the message containing the file was sent.
  • Original sender email—Source email address from which the message containing the file was sent.

    This field is populated with data from the 'Received' header.

  • Original recipient email—Source email address(es) to which the message containing the file was sent.

    This field is populated with data from the 'Received' header.

  • Subject—Message subject.
  • Sender server IP—IP address of the first mail server in the message delivery chain.

    Clicking the Sender server IP link opens a list in which you can select one of the following actions:

    • Find events.
    • Find alerts.
    • Copy value to clipboard.
  • Headers—Extended set of email message headers. For example, it can contain information about email addresses of the message sender and recipients, about mail servers that relayed the message, and the type of content in the email message.
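
The Sender server IP, Original sender email and Original recipient email fields above are derived from the message's Received headers: every relay prepends its own header, so the bottommost one records the first mail server in the delivery chain. The Python below is an added illustration of that derivation, not the product's own code: it parses a constructed message (made-up hosts and addresses), extracts the chain of relays, and picks out the first server's IP and the envelope recipient recorded in a "for" clause. The dictionary keys and function names are my own; they mirror the page's field labels, not any product API.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Constructed sample message (made-up hosts and addresses, not real traffic).
# Each relay prepends its own Received header, so the top one is the last hop
# and the bottom one names the first mail server in the delivery chain.
SAMPLE_MESSAGE = """\
Received: from edge.example.internal (edge.example.internal [10.0.0.5])
    by mx.example.internal with ESMTP id 7Bx2;
    Mon, 2 May 2022 10:01:03 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.7])
    by edge.example.internal with ESMTPS id 19aQ
    for <bob@example.internal>; Mon, 2 May 2022 10:01:01 +0000
From: "Alice" <alice@sender.example>
To: bob@example.internal, carol@example.internal
Subject: Invoice
Content-Type: text/plain

see attached
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "from <host> (... [<ip>])": the bracketed IP is what the receiving server saw.
FROM_RE = re.compile(r"\bfrom\s+(\S+).*?\[(" + IPV4 + r")\]")
FOR_RE = re.compile(r"\bfor\s+<([^>]+)>")


def parse_message(raw: str) -> Message:
    """Parse an RFC 5322 message; the email package unfolds multi-line headers."""
    return message_from_string(raw)


def received_hops(msg: Message) -> list:
    """One dict per Received header, top to bottom: the claimed sending host,
    the IP the receiving server recorded in brackets, and any 'for <addr>'."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # collapse folding whitespace
        m = FROM_RE.search(flat)
        f = FOR_RE.search(flat)
        hops.append({
            "from_host": m.group(1) if m else None,
            "from_ip": m.group(2) if m else None,
            "for": f.group(1) if f else None,
        })
    return hops


def sender_server_ip(msg: Message):
    """IP of the first mail server in the chain: the bottommost Received header
    that carries a bracketed address (headers above it were added later)."""
    for hop in reversed(received_hops(msg)):
        if hop["from_ip"]:
            return hop["from_ip"]
    return None


def original_recipients(msg: Message) -> list:
    """Envelope recipients recorded by relays in 'for <...>' clauses, in chain order."""
    return [h["for"] for h in reversed(received_hops(msg)) if h["for"]]


def header_addresses(msg: Message, name: str) -> list:
    """Addresses from a From/To/Cc style header (display names stripped)."""
    return [addr for _, addr in getaddresses(msg.get_all(name, []))]


if __name__ == "__main__":
    message = parse_message(SAMPLE_MESSAGE)
    print("Sender server IP:", sender_server_ip(message))
    print("Original recipient email:", original_recipients(message))
    print("Sender email:", header_addresses(message, "From"))
    for hop in received_hops(message):
        print(hop)
```

Only the bracketed IP written by your own receiving server is trustworthy; the host name after "from" is whatever the connecting server announced, and Received headers below the first hop you control can be forged by the sender.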

[Topic 195392]

Information in the Alert information section

The Alert details section can display the following information about an alert:

  • Importance icon (low, medium, or high)—Alert importance for the Kaspersky Anti Targeted Attack Platform user, depending on the impact this alert may have on computer or corporate LAN security, based on Kaspersky experience.
  • Time—Time when the program generated the alert.
  • Detected—One or multiple categories of detected objects. For example, when the program detects a file infected with the Trojan-Downloader.JS.Cryptoload.ad virus, the Detected field shows Trojan-Downloader.JS.Cryptoload.ad for this alert.
  • Method—HTTP request method. For example, Get, Post, or Connect.
  • URL—Detected URL. It may also contain a response code.

    Clicking the link with URL opens a list in which you can select one of the following actions:

    • Find on TIP by URL.
    • Find on TIP by domain name.
    • Find events.
    • Find alerts.
    • Copy value to clipboard.
  • Referrer—URL from which the user was redirected to the website link requiring attention. In the HTTP protocol, it is one of the headers in the client's request containing the request source URL.
  • Destination IP—IP address of the resource requested by the user or the program.

    Clicking the link with Destination IP opens a list in which you can select one of the following actions:

    • Find on TIP.
    • Find events.
    • Find alerts.
    • Copy value to clipboard.
  • User name—Name of the user account whose actions led to the event.
  • Request/Response—Length of the request and response.

[Topic 196634]

Information in the Scan results section

The Scan results section can display the following results of alert scanning:

  • The names of the program modules or components that generated the alert.
  • One or multiple categories of the detected object. For example, the name of the virus can be shown: Virus.Win32.Chiton.i.
  • Versions of databases of Kaspersky Anti Targeted Attack Platform modules and components that generated the alert.
  • Results of alert scanning by program modules and components:
    • YARA—Results of streaming scans of files and objects received at the Central Node, or results of scanning Kaspersky Endpoint Agent hosts. Possible values:
      • Category of the detected file in YARA rules (for example, category name susp_fake_Microsoft_signer can be displayed).

        Displayed for streaming scans.

        Click Create prevention rule to prevent the file from running.

        The Find on TIP button lets you find the file on the Kaspersky Threat Intelligence Portal.

      • Path to the file and/or name of the memory dump.

        Displayed when scanning Kaspersky Endpoint Agent hosts.

        Clicking the link with the file path opens a list in which you can select one of the following actions:

      You can click Create task to create the following tasks:

      Click Create prevention rule to prevent the file from running.

      The Find on TIP button lets you find the file on the Kaspersky Threat Intelligence Portal.

      You can click View in quarantine to display quarantined object details.

    • SB (Sandbox)—Results of the file behavior analysis performed by the Sandbox component.

      You can click Sandbox detect to open a window with detailed information about the results of file behavior analysis.

      The Find on TIP button lets you find the file on the Kaspersky Threat Intelligence Portal.

      Click Create prevention rule to prevent the file from running.

      You can download a detailed log of file behavior analysis in all operating systems by clicking Download debug info.

      The file is downloaded in the form of a ZIP archive encrypted with the password "infected". The name of the scanned file inside the archive is replaced by the file's MD5 hash. The file extension of the file inside the archive is not displayed.

      By default, the maximum hard drive space for storing file behavior scan logs is 300 GB in all operating systems. Upon reaching this limit, the program deletes the oldest file behavior scan logs and replaces them with new logs.

    • URL (URL Reputation) is the category of a malicious or phishing URL, or of a URL that has been previously used by attackers for targeted attacks on corporate IT infrastructures.
    • IDS (Intrusion Detection System) is the category of the detected object based on the Intrusion Detection System database or the name of the IDS user rule that was used to create the alert. For example, the displayed category can be Trojan-Clicker.Win32.Cycler.a.

      Click the link to display the category of the object in the Kaspersky Threats database.

    • AM (Anti-Malware Engine)—Category of the detected object based on the anti-virus database. For example, the name of the virus can be shown: Virus.Win32.Chiton.i.

      Click the link to display the category of the object in the Kaspersky Threats database.

      The Find on TIP button lets you find the file on the Kaspersky Threat Intelligence Portal.

      Click Create prevention rule to prevent the file from running.

      Click Download to download the file to your computer's hard drive.

    • TAA (Targeted Attack Analyzer)—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.

      Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered

      as well as recommendations for reacting to the event.

    • IOC—Name of the IOC file used to create the alert.

      Select an IOC file to open a window with the results of the IOC scan.

      Click All alert-related events to display the Threat Hunting event table in a new browser tab. A search filter is configured in the search criteria, for example, by MD5, FileFullName. The filtering values are populated with the properties of the alert you are working on. For example, the MD5 hash of the file in the alert.
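
Both the Download action in the Object information section and the Download debug info action above hand the analyst a ZIP archive protected with the password "infected", in which the file is renamed to its MD5 hash with no extension. Before such a sample goes any further, it is worth confirming that the archive is intact and that the member name really is the MD5 of the decrypted bytes, and recording the SHA256 for pivots such as the Find on virustotal.com action. The Python below is an added example, not the product's own code. Python's zipfile can decrypt ZipCrypto-protected entries with pwd= but cannot write them, so the constructed test archive is unencrypted; ZipFile ignores pwd for unencrypted members, so the same reader handles a real downloaded archive. The sample bytes and function names are my own.

```python
import hashlib
import io
import zipfile

ARCHIVE_PASSWORD = b"infected"  # password the documentation states for downloaded archives


def build_sample_archive(contents: bytes, member_name: str = None) -> bytes:
    """Constructed stand-in for a downloaded archive: one member whose name is
    the MD5 of its contents (pass member_name to simulate a mismatch).
    zipfile cannot write password-protected entries, so this test archive is
    unencrypted; ZipFile ignores pwd for unencrypted members, so
    verify_sample_archive reads both kinds the same way."""
    name = member_name or hashlib.md5(contents).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, contents)
    return buf.getvalue()


def verify_sample_archive(archive: bytes, pwd: bytes = ARCHIVE_PASSWORD) -> list:
    """Read every member into memory (nothing is written to disk) and check
    that its name equals the MD5 of its bytes. Returns one dict per member
    with name, md5, sha256, size and the match flag. A wrong password makes
    ZipFile.read raise RuntimeError, which is left to the caller."""
    results = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info, pwd=pwd)
            md5 = hashlib.md5(data).hexdigest()
            results.append({
                "name": info.filename,
                "md5": md5,
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
                "name_matches_md5": info.filename.lower() == md5,
            })
    return results


def archive_is_consistent(archive: bytes, pwd: bytes = ARCHIVE_PASSWORD) -> bool:
    """True when the archive holds exactly one file and its name is its MD5."""
    results = verify_sample_archive(archive, pwd)
    return len(results) == 1 and results[0]["name_matches_md5"]


if __name__ == "__main__":
    # Constructed, harmless sample bytes standing in for a detected file.
    sample = b"constructed sample bytes, not a real detected file"
    archive = build_sample_archive(sample)
    for entry in verify_sample_archive(archive):
        print(entry)
    print("consistent:", archive_is_consistent(archive))
```

Keeping the bytes in memory and only ever handling them by hash means a detected file is never written to the analyst's disk under a runnable name; the archive's password and renaming exist precisely so that endpoint protection and accidental double-clicks do not interfere with the download.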

[Topic 195636]

Information in the IDS rule section

The IDS rule section displays information about the alert generated by the IDS (Intrusion Detection System) technology as a hex-editor matrix.

A hex editor (hexadecimal editor) is an application for editing data in which the data is represented as a sequence of bytes.

The upper part of the matrix displays the length of the IDS rule.

The left part of the matrix displays the data of the rule in text format.

The Rule details subsection of the IDS rule section displays the header of the IDS rule and data of the IDS alert in the Suricata format. For example, it can display information about the direction of the traffic (flow), the HTTP request method (http_method), the HTTP header (http_header), the security ID (sid).
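
To make the Rule details subsection concrete, the added Python example below (mine, not the product's code) takes a constructed Suricata-format rule, splits its header into action, protocol, addresses, ports and direction, parses the option block into keywords such as flow, http_method, http_header and sid (the signature ID in Suricata's own terms), and renders the rule bytes as a hex-editor matrix with the rule length on top and the text column on the right, the layout the page describes. The sample rule, its message text and its sid value are made up; the parser follows the public Suricata rule syntax, not any product API.

```python
# Constructed Suricata-style rule (made-up content and sid, not a product rule).
SAMPLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"EXAMPLE Suspicious user agent"; flow:established,to_server; '
    'http_method; content:"GET"; http_header; content:"User-Agent|3a| ExampleBot"; '
    'sid:1000001; rev:2;)'
)


def split_options(body: str) -> list:
    """Split the option block on ';' that sit outside double quotes, honouring
    backslash escapes inside quoted values (Suricata allows \\" and \\;)."""
    items, cur, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quotes and i + 1 < len(body):
            cur.append(ch)
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            item = "".join(cur).strip()
            if item:
                items.append(item)
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        items.append(tail)
    return items


def parse_rule(rule: str) -> dict:
    """Parse '<action> <proto> <src> <sport> <dir> <dst> <dport> (<options>)'.
    Options are kept in order as (keyword, value) pairs; bare modifiers such as
    http_method or http_header get value None."""
    header, sep, rest = rule.strip().partition("(")
    if not sep or not rest.endswith(")"):
        raise ValueError("rule must end with an option block in parentheses")
    parts = header.split()
    if len(parts) != 7 or parts[4] not in ("->", "<>"):
        raise ValueError("rule header must be: action proto src sport dir dst dport")
    action, proto, src, sport, direction, dst, dport = parts
    options = []
    for item in split_options(rest[:-1]):
        key, _, value = item.partition(":")
        value = value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        options.append((key.strip(), value if value else None))
    # Last occurrence wins for scalar lookups (sid/msg/flow appear once).
    scalars = {k: v for k, v in options if v is not None}
    return {
        "action": action, "protocol": proto,
        "src": src, "src_port": sport, "direction": direction,
        "dst": dst, "dst_port": dport,
        "options": options,
        "msg": scalars.get("msg"),
        "flow": scalars.get("flow"),
        "sid": int(scalars["sid"]) if "sid" in scalars else None,
        "length": len(rule.encode("utf-8")),  # what the matrix header shows
    }


def hex_matrix(data: bytes, width: int = 16) -> list:
    """Hex-editor rows: offset, hex bytes, and the printable text column."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart}  |{text}|")
    return rows


if __name__ == "__main__":
    parsed = parse_rule(SAMPLE_RULE)
    print("length:", parsed["length"], "sid:", parsed["sid"], "flow:", parsed["flow"])
    for row in hex_matrix(SAMPLE_RULE.encode("utf-8")):
        print(row)
```

When reading a triggered rule in the IDS rule section, flow tells you which side of the connection the match was on, the http_* modifiers tell you which part of the request the content pattern applied to, and sid with rev identifies the exact signature revision to cite in an escalation.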

[Topic 196718]

Information in the Network event section

The Network event section can show the following information about the link to the website opened on the computer:

  • Date and Time—Date and time of the network event.
  • Method—Type of HTTP request, for example, GET or POST.
  • Source IP—IP address of the computer on which the website link was opened.
  • Destination IP—IP address of the computer on which the website link was opened.
  • URL—Type of the HTTP request, for example, GET or POST, and the URL of the website.

    Clicking the link with the URL opens a list in which you can select one of the following actions:

    • Find on TIP by URL.
    • Find on TIP by domain name.
    • Find events.
    • Find alerts.
    • Copy value to clipboard.
  • User Agent—Information about the browser that was used to download the file or to attempt to download the file, or to open the website link. It is the text string included in the HTTP request, which normally contains the name and version of the browser as well as the name and version of the operating system installed on the user's computer.

[Topic 196705]

Scan results in Sandbox

The object scan results window in Sandbox can display the following alert details:

  • File—Full name and path of the scanned file.
  • File size—Size of the file.
  • MD5—MD5 hash of a file.

    Clicking the link with MD5 opens a list in which you can select one of the following actions:

    • Find on TIP.
    • Find events.
    • Find alerts.
    • Create prevention rule.
    • Copy value to clipboard.
  • Detected—One or multiple categories of detected objects. For example, when the program detects a file infected with the Trojan-Downloader.JS.Cryptoload.ad virus, the Detected field shows Trojan-Downloader.JS.Cryptoload.ad for this alert.
  • Time processed—Time when the file was scanned.
  • Database versions—Versions of the databases of modules and components of Kaspersky Anti Targeted Attack Platform that generated the alert.

You can click New prevention rule in the upper right corner of the window to prevent the file from running.

Information about the file behavior analysis results is provided for each operating system in which the Sandbox component performed a scan. For the Windows 7 operating system (64-bit), you can view file activity logs for two Sandbox component scan modes: Quick scan mode and Full logging mode.

The following activity logs may be available for each scan mode:

  • Activity list—Actions of the file within the operating system.
  • Activity tree—Graphical representation of the file analysis process.
  • HTTP activity log—Log of the file's HTTP activity. It contains the following information:
    • Destination IP—IP address to which the file is attempting to go from the operating system.
    • Method—HTTP request method, for example, GET or POST.
    • URL—URL of the website link that the file is attempting to open from the operating system.

    Clicking links in the Destination IP column opens a list in which you can select one of the following actions:

    • Find on TIP.
    • Find events.
    • Find alerts.
    • Copy value to clipboard.

    Clicking a link in the URL column opens a list in which you can select one of the following actions:

    • Find on TIP by URL.
    • Find on TIP by domain name.
    • Find events.
    • Find alerts.
    • Copy value to clipboard.
  • IDS activity log—Log of the file's network activity. It contains the following information:
    • Source IP—IP address of the host on which the file is saved.
    • Destination IP—IP address to which the file is attempting to go from the operating system.
    • Method—HTTP request method, for example, GET or POST.
    • URL—URL of the website link that the file is attempting to open from the operating system.

    Clicking links in the Destination IP column opens a list in which you can select one of the following actions:

    • Find on TIP.
    • Find events.
    • Find alerts.
    • Copy value to clipboard.

    Clicking a link in the URL column opens a list in which you can select one of the following actions:

    • Find on TIP by URL.
    • Find on TIP by domain name.
    • Find events.
    • Find alerts.
    • Copy value to clipboard.
  • DNS activity log—Log of the file's DNS activity. It contains the following information:
    • Request type (Request or Response).
    • DNS name—Domain name of the server.
    • Type—Type of DNS request, for example A or CNAME.
    • Host—Host name or IP address that was interacted with.

    Clicking a link in the DNS name or Host columns opens a list in which you can select one of the following actions:

    • Find on TIP.
    • Find events.
    • Find alerts.
    • Copy value to clipboard.

You can click Download full log in the lower part of each scanning mode (Quick scan mode and Full logging mode) to download the log of file behavior analysis in each operating system to your computer.

[Topic 196635]

IOC scan results

Depending on the type of processed object, the indicator of compromise search result window can display the following information:

  • ARP protocol:
    • IP address from the ARP table.
    • Physical address from the ARP table.
  • DNS record:
    • Type and name of the DNS record.
    • IP address of the protected computer.
  • Windows Log event:
    • Entry ID in the event log.
    • Data source name in the log.
    • Log name.
    • User account.
    • Event time.
  • File:
    • MD5 hash of the file.
    • SHA256 hash of the file.
    • Full name of the file (including path).
    • File size.
  • Port:
    • Remote IP address with which a connection was established at the time of the scan.
    • Remote port with which a connection was established at the time of the scan.
    • IP address of the local adapter.
    • Port open on the local adapter.
    • Protocol as a number (in accordance with the IANA standard).
  • Process:
    • Process name.
    • Process arguments.
    • Path to process file.
    • Windows ID (PID) of the process.
    • Windows ID (PID) of the parent process.
    • Name of the user account that started the process.
    • Date and time when the process started.
  • Service:
    • Service name.
    • Service description.
    • Path and name of the DLL service (for svchost).
    • Path and name of the executable file of the service.
    • Windows ID (PID) of the service.
    • Service type (for example, kernel driver or adapter).
    • Service status.
    • Service run mode.
  • User:
    • User account name.
  • Volume:
    • Volume name.
    • Volume letter.
    • Volume type.
  • Registry:
    • Windows registry value.
    • Registry hive value.
    • Path to registry key (without hive or value name).
    • Registry parameter.
  • Environment variables:
    • Physical (MAC) address of the protected computer.
    • System (environment).
    • OS name with version.
    • Network name of the protected device.
    • Domain and group to which the protected computer belongs.

The IOC section displays the structure of the IOC file. If the processed object matches a condition of the IOC rule, that condition is highlighted. If the processed object matches multiple conditions, the text of the whole branch is highlighted.
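
The highlighting described above follows from how an IOC file is structured: indicator items (one condition each, such as a file MD5 or a process name) are grouped under indicators with an AND or OR operator, and a branch matches when its operator is satisfied by its children. The Python below is an added example, not the product's IOC engine: it evaluates a constructed IOC file, laid out like the OpenIOC indicator tree with Indicator, IndicatorItem, Context and Content elements, against a constructed host snapshot, and returns the ids of every matching condition and of every branch whose whole operator was satisfied, which is the set a viewer would highlight. The hashes, process names, ports and element ids are made up; the host snapshot keys follow the page's own list of IOC object types.

```python
import xml.etree.ElementTree as ET

# Constructed IOC file modeled on the OpenIOC indicator tree (made-up values).
SAMPLE_IOC = """<ioc id="constructed-0001">
  <short_description>Constructed example IOC</short_description>
  <definition>
    <Indicator operator="OR" id="root">
      <IndicatorItem id="item-md5" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="branch-proc">
        <IndicatorItem id="item-proc" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name"/>
          <Content type="string">updater</Content>
        </IndicatorItem>
        <IndicatorItem id="item-port" condition="is">
          <Context document="PortItem" search="PortItem/remotePort"/>
          <Content type="int">8181</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed snapshot of one host: observed values keyed by the IOC search path.
SAMPLE_HOST = {
    "FileItem/Md5sum": ["fedcba9876543210fedcba9876543210"],
    "ProcessItem/name": ["svchost.exe", "fakeupdater.exe"],
    "PortItem/remotePort": ["443", "8181"],
}


def item_matches(item: ET.Element, host: dict) -> bool:
    """Evaluate one IndicatorItem: does any observed value for its search
    path satisfy the condition? Supports the 'is' and 'contains' conditions."""
    context = item.find("Context")
    if context is None or context.get("search") is None:
        raise ValueError(f"IndicatorItem {item.get('id')!r} has no Context/search")
    wanted = (item.findtext("Content") or "").strip().lower()
    observed = [v.lower() for v in host.get(context.get("search"), [])]
    condition = item.get("condition", "is")
    if condition == "is":
        return any(v == wanted for v in observed)
    if condition == "contains":
        return any(wanted in v for v in observed)
    raise ValueError(f"unsupported condition {condition!r}")


def evaluate(node: ET.Element, host: dict, highlights: list) -> bool:
    """Recursively evaluate an Indicator/IndicatorItem. Appends the id of each
    matching item and of each branch whose operator was satisfied. Children
    are all evaluated (no short-circuit) so every matching condition is listed."""
    if node.tag == "IndicatorItem":
        ok = item_matches(node, host)
    elif node.tag == "Indicator":
        op = node.get("operator", "AND").upper()
        results = [evaluate(child, host, highlights) for child in node]
        ok = all(results) if op == "AND" else any(results)
    else:
        raise ValueError(f"unexpected element {node.tag!r}")
    if ok:
        highlights.append(node.get("id"))
    return ok


def scan(ioc_xml: str, host: dict) -> dict:
    """Run one IOC file against one host snapshot; 'highlighted' lists the ids
    of matched conditions and fully matched branches, in evaluation order."""
    root = ET.fromstring(ioc_xml)
    top = root.find("definition/Indicator")
    if top is None:
        raise ValueError("IOC file has no definition/Indicator")
    highlights = []
    matched = evaluate(top, host, highlights)
    return {"ioc_id": root.get("id"), "matched": matched, "highlighted": highlights}


if __name__ == "__main__":
    print(scan(SAMPLE_IOC, SAMPLE_HOST))
```

In the sample run the MD5 condition fails, but both conditions of the AND branch hold, so the items, the branch and the OR root are all reported; if only the process-name condition held, just that single condition would be listed, which is the "single condition highlighted" case the page describes.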

[Topic 196783]

Information in the Hosts section

The Hosts section displays the following information about hosts on which the TAA (IOA) rule was triggered:

  • Host name—IP address or domain name of the computer where the event occurred. Clicking the link opens the Threat Hunting section with the search condition containing the ID of the selected rule and the selected host.
  • IP—IP address of the computer where the event occurred.

    If you are using dynamic IP addresses, the field displays the IP address assigned to the computer at the moment when the alert was created or updated.

    The program does not support IPv6. If you are using IPv6, the IP address of the computer is not displayed.

  • Number of events—Number of events that occurred on the host.
  • Find events. Clicking the link opens the Threat Hunting section with the search condition containing the ID of the selected rule.

[Topic 199112]

Information in the Change log section

The Change log section can display the following alert information:

  • Date and time of alert modification.
  • Author of modifications.

    For example, System or the program user name.

  • Modification that occurred with the alert.

    For example, an alert may be assigned to a VIP group, or it may be marked as processed.

[Topic 155013]

Sending alert data

You can provide Kaspersky with data about an alert (except the URL Reputation and IOC technologies) for further analysis.

To do so, you must copy the alert data to the clipboard and then email it to Kaspersky.

Alert data may contain information about your organization that you consider to be confidential. You must consult with the security department of your organization for approval to send this data to Kaspersky for further analysis.

To copy alert details to the clipboard:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the line containing the alert whose information you want to view.

    This opens a window containing information about the alert.

  3. Click the Provide the alert details to Kaspersky link in the lower part of the window containing alert information.

    This opens the Details window.

  4. View the alert data to be sent to Kaspersky.
  5. If you want to copy this data, click the Copy to clipboard button.

    The alert data will be copied to the clipboard. You will be able to send it to Kaspersky for further analysis.

[Topic 195029]