Recommendations for processing events

The event window displays recommendations for processing the event in the box between the event tree and the information text for users with the Senior security officer role.

You can follow the following recommendations:

• Isolate <host name> – isolate the host with Kaspersky Endpoint Agent program where the event was detected from the network. Applies to all event types.
• Create prevention rule – prohibit the execution of the file that was detected in the event. Applies to all event types except System event log and Host name changed.
• Create task — create a task. Applies to all event types except System event log and Host name changed.

Additionally, you can process the event by clicking the link with the name, path, MD5 or SHA256 hash of the file and the host name while viewing text information about the event in the lower part of the window.

Clicking the link with the file name or file path opens a list in which you can select one of the following actions:

• Find events.
• Find alerts.
• Run the following tasks:
  • Kill process.
  • Kill by unique PID.
  • Delete file.
  • Get file.
  • Get forensics.
  • Quarantine file.
• Copy value to clipboard.

Clicking the MD5 link opens a list in which you can select one of the following actions:

• Add to filter.
• Exclude from filter.
• Find on TIP

  Kaspersky information system Contains and displays reputation information for files and URL addresses.

  .
• Find events.
• Find alerts.
• Copy value to clipboard.

Clicking the SHA256 link opens a list in which you can select one of the following actions:

• Find events.
• Find alerts.
• Find on TIP.
• Find on virustotal.com.
• Find in Storage.
• Create prevention rule.
• Copy value to clipboard.

Clicking the link with the host name opens a list in which you can select one of the following actions:

• Find events.
• Find alerts.
• Run the following tasks:
  • Kill process.
  • Delete file.
  • Get file.
  • Get forensics.
  • Quarantine file.
  • Run program.
• Copy value to clipboard.

Users with the Security auditor and Security officer roles are not shown recommendations for processing events.

Following a recommendation to isolate a host

To follow a recommendation to isolate a host from the network:

1. In the recommendation box, select Isolate <host name>.

   This opens the host isolation settings window for the host from the event you are working on.

2. In the Disable isolation after field, enter the time in hours (1 to 9999) during which network isolation of the host will be active.
3. In the Exclusions for the host isolation rule settings group, in the Traffic direction list, select the direction of network traffic that must not be blocked:
   • Incoming/Outgoing.
   • Incoming.
   • Outgoing.
4. In the IP field, enter the IP address whose network traffic must not be blocked.

   You can use a proxy server to let Kaspersky Endpoint Agent for Windows connect to Kaspersky Anti Targeted Attack Platform. When you add this proxy server to exclusions, network resources that can be accessed through the proxy server are also added to exclusions. If network resources that are accessed through the proxy server are added to exclusions, but the proxy server itself is not, such exclusions do not work.

5. If you selected Incoming or Outgoing, in the Ports field, enter the connection ports.
6. If you want to add more than one exclusion, click Add and repeat the steps to fill in the Traffic direction, IP and Ports fields.
7. Click Save.

Information about host isolation is displayed in the Endpoint Agents section of the web interface.

You can also create a network isolation rule by clicking the Isolate <host name> link in the alert information and in the Endpoint Agents section of the web interface.

Users with the Security auditor and Security officer roles cannot isolate a host from the network.

Following a recommendation to prevent a file from running

To follow a recommendation to prevent a file from running:

1. In the recommendations box, select Create prevention rule.

   This opens the prevention rule creation window with the MD5 or SHA256 hash of the file from the event you are working on.

2. Configure the following settings:
   1. State is the state of the prevention rule:
      • If you want to enable the prevention rule, set the toggle switch to On.
      • If you want to disable the prevention rule, set the toggle switch to Off.
   2. Name is the name of the prevention rule.
   3. If you want the program to display a notification about prevention rule triggering to the user of the computer on which the prevention is applied, select the Notify user about blocking file execution check box.
   4. If you want to change the scope of the prevention rule, configure the Prevent on setting:
      • If you want to apply the prevention rule on all hosts of all servers, select All hosts.
      • If you want to apply the prevention rule on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to apply the prevention rule.

        This option is available only when

        distributed solution

        

        Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

        and
        multitenancy mode

        

        Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

        is enabled.

      • If you want to apply the prevention rule on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
3. Click Add.

The file run prevention is created.

Information about the created prevention is displayed in the Prevention section of the web interface.

If you selected the Notify user about blocking file execution check box and an attempt is made to execute a file prevented from running, the user is notified that an execution prevention rule was triggered by this file.

Users with the Security auditor and Security officer roles cannot prevent file execution.

Following a recommendation to create a task

To follow a recommendation to create a task:

1. Click Create task, and in the recommendation box, expand the list of task types.
2. Select a task type:
   • Kill process
   • Get forensics
   • Start YARA scan
   • Service management
   • Get process memory dump
   • Get NTFS metafiles
   • Run program
   • Get file
   • Delete file
   • Quarantine file
   • Restore file from quarantine

   This opens the task creation window with preset values (for example, host name, file path, MD5 or SHA256 hash of the file) from the event you are working on.

3. If you want to modify preset values from the event, edit the corresponding fields.
4. If you want to add a comment for the task, enter it in the Description box.
5. If you are creating a Kill process, Delete file, Start YARA scan, or Service management task and you want to modify the scope of the task, change the value of the Task for setting:
   • If you want to run the task on all hosts of all servers, select the All hosts option.
   • If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.

     This option is available only when distributed solution and multitenancy mode is enabled.

   • If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
6. Click Add.

The task is created.

Information about the created task is displayed in the Tasks section of the web interface.

Users with the Security auditor and Security officer roles cannot create tasks.