Kaspersky Anti Targeted Attack Platform

Filtering, sorting, and searching alerts

You can filter the alerts displayed in the table of alerts by one or several columns of the table, or search certain table columns for alerts that match the search criteria you specify.

You can create, save, and remove filters, and start filtering and searching alerts based on the conditions specified in saved filters.

If you are using the distributed solution and multitenancy mode, you cannot save filters on the PCN.

Filters are saved for each user on the server on which they were created.

You can also sort alerts in the table by Created or Updated, Importance, Source, and State columns.

By default, this section displays information only on alerts that were not processed by users. To also display information on processed alerts, turn on the Processed switch in the upper-right corner of the window.

In this section

Filtering alerts by VIP status

Filtering and searching alerts by time

Filtering alerts by level of importance

Filtering and searching alerts by categories of objects detected

Filtering and searching alerts by obtained information

Filtering and searching alerts by source address

Filtering and searching alerts by destination address

Filtering and searching alerts by server name

Filtering and searching alerts by technology name

Filtering and searching alerts by the status of their processing by the user

Sorting alerts in the table

Quickly creating an alert filter

Clearing an alert filter

[Topic 197134]

Filtering alerts by VIP status

You can filter alerts and search for alerts in the alerts table based on the VIP criterion (shown as an icon in the column header), which indicates whether the alert has a status with special access rights. For example, alerts with the VIP status cannot be viewed by program users with the Security officer role.

To filter alerts by VIP status:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the heading of the VIP column to expand the list of filter settings.
  3. Configure alert filtering settings:
    • If you want the table of alerts to display only alerts that have the VIP status, select VIP.
    • If you want the table of alerts to display all alerts, select All.

    If neither is selected, the table shows all alerts.

The table of alerts displays only alerts matching the filter criteria you have set.

[Topic 182691]

Filtering and searching alerts by time

You can filter alerts and search the alerts table by the Created attribute, which is the time when the alert was created, as well as by the Updated attribute, which is the time when the alert was last updated.

To filter or search alerts by time:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the Created link to open the list of alert display periods.
  3. Select one of the following alert display periods from the Time list:
    • All, if you want the program to display all alerts in the table.
    • Last hour, if you want the program to display alerts that occurred during the last hour in the table.
    • Last day, if you want the program to display alerts that occurred during the last day in the table.
    • Custom range, if you want the program to display alerts that occurred during the period you specify in the table.
  4. If you have selected Custom range, do the following:
    1. In the calendar that opens, specify the start and end dates of the alert display period.
    2. Click Apply.

    The calendar closes.

The table of alerts displays only alerts matching the filter criteria you have set.

[Topic 183020]

Filtering alerts by level of importance

You can filter alerts and search the table of alerts for specific alerts based on the Importance criterion (shown as an icon in the column header), which indicates how important the alert is for the Kaspersky Anti Targeted Attack Platform user, based on Kaspersky's experience of the impact such an alert may have on the security of a computer or the corporate LAN.

To filter alerts by importance:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the Importance icon in the column header to expand the filter settings list.
  3. Select one or several of the following alert importance levels:
    • Low—Alert has a low level of importance.
    • Medium—Alert has a medium level of importance.
    • High—Alert has a high level of importance.

    If no value is selected, the table shows alerts of all importance levels.

  4. Click Apply.

The table of alerts displays only alerts matching the filter criteria you have set.

[Topic 175879]

Filtering and searching alerts by categories of objects detected

You can filter alerts and search the alerts table for specific alerts based on the Detected criterion, which indicates one or multiple categories of the object detected in the event. For example, if you want the table to display alerts about files infected by a specific virus, you can set a filter based on the name of this virus.

To filter or search alerts by category of the detected object:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the Detected link to open the filter configuration window.
  3. In the drop-down list, select one of the following alert filtering operators:
    • Contains
    • Does not contain
  4. In the entry field, type the name of a category (for example, Trojan) or several characters from the name of a category.
  5. To add a filter condition using a different criterion, click the add filter condition icon and specify the filter condition.
  6. Click Apply.

The table of alerts displays only alerts matching the filter criteria you have set.

[Topic 175880]

Filtering and searching alerts by obtained information

You can filter alerts and search the alerts table for specific alerts based on the Details criterion, which refers to brief information about the alert. For example: the name of a detected file or URL address of a malicious link.

To filter or search alerts by obtained information:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the Details link to open the filter configuration window.
  3. In the drop-down list on the left, select one of the following search criteria:
    • Details. The search will encompass all data on the detected object.
    • ID
    • File name
    • File type
    • MD5
    • SHA256
    • URL
    • Domain
    • User Agent
    • Subject
    • HTTP status
    • Object source
    • Object type
    • Autosend to Sandbox
    • TAA (IOA) rule
  4. In the drop-down list on the right, select one of the following alert filtering operators:
    • Contains
    • Does not contain
    • Equal to
    • Not equal to
  5. In the entry field, specify one or several characters of alert information.
  6. To add a filter condition using a different criterion, click the add filter condition icon and specify the filter condition.
  7. Click Apply.

The table of alerts displays only alerts matching the filter criteria you have set.

[Topic 175884]

Filtering and searching alerts by source address

You can filter alerts and search the alerts table for specific alerts based on the Source criterion, which indicates the alert source address. For example, this can be the email address from which a malicious file was sent, or the IP address of the computer on your corporate LAN to which a malicious file was downloaded.

To filter or search alerts by source address:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the Source link to open the filter configuration window.
  3. In the drop-down list, select one of the following alert filtering operators:
    • Contains
    • Does not contain
    • Matches the pattern
    • Does not match the pattern
  4. In the entry field, specify one or several characters of the alert source address.
  5. To add a filter condition using a different criterion, click the add filter condition icon and specify the filter condition.
  6. Click Apply.

The table of alerts displays only alerts matching the filter criteria you have set.

[Topic 154986]

Filtering and searching alerts by destination address

You can filter alerts and search the alerts table for specific alerts based on the Destination criterion, which indicates the alert destination address. For example, this can be the email address of your organization's mail domain to which a malicious file was sent, or the IP address of a computer on your corporate LAN to which a malicious file was downloaded.

To filter or search alerts by destination address:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the Destination link to open the filter configuration window.
  3. In the drop-down list, select one of the following alert filtering operators:
    • Contains
    • Does not contain
    • Matches the pattern
    • Does not match the pattern
  4. In the text box, type one or more characters of the destination address of the detected objects.
  5. To add a filter condition using a different criterion, click the add filter condition icon and specify the filter condition.
  6. Click Apply.

The table of alerts displays only alerts matching the filter criteria you have set.

[Topic 183024]

Filtering and searching alerts by server name

You can filter alerts and search for alerts in the alerts table based on the Servers criterion, which indicates the names of the servers that created the alert.

If you are using the distributed solution and multitenancy mode, the servers belong to the tenant that you are managing in the program web interface. Filtering is available only on the PCN.

To filter or search alerts by server name:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click Servers to expand the list of servers which created alerts.
  3. Select check boxes next to one or multiple server names.
  4. Click Apply.

The table of alerts displays only alerts matching the filter criteria you have set.

[Topic 183028]

Filtering and searching alerts by technology name

You can filter alerts and search the alerts table for specific alerts based on the Technologies criterion, which indicates the names of program modules or components that generated the alert.

To filter alerts by technology name:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the Technologies link to open the filter configuration window.
  3. In the drop-down list, select one of the following alert filtering operators:
    • Contains, if you want the program to display alerts generated by a program module or component that you specify.
    • Does not contain, if you want the program to hide alerts generated by a program module or component that you specify.
    • Equal to, if you want the program to display alerts generated by a program module or component that you specify.
    • Not equal to, if you want the program to hide alerts generated by a program module or component that you specify.
  4. In the drop-down list to the right of the alert filtering operator that you have selected, select the name of the technology by which you want to filter alerts:
    • (YARA) YARA.
    • (SB) Sandbox.
    • (URL) URL Reputation.
    • (IDS) Intrusion Detection System.
    • (AM) Anti-Malware Engine.
    • (TAA) Targeted Attack Analyzer.
    • (IOC) IOC.

    For example, if you want the program to display alerts generated by the Sandbox component, select the Contains filtering operator and the name of the (SB) Sandbox component.

  5. To add a filter condition using a different criterion, click the add filter condition icon and specify the filter condition.
  6. Click Apply.

The table of alerts displays only alerts matching the filter criteria you have set.

[Topic 195028]

Filtering and searching alerts by the status of their processing by the user

You can filter alerts and search for them in the table of alerts based on the State criterion—alert status depending on whether or not this alert has been processed by the Kaspersky Anti Targeted Attack Platform user.

To filter or search alerts by the status of their processing by the Kaspersky Anti Targeted Attack Platform user:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. To include processed alerts in the filter, turn on the Processed switch in the upper-right corner of the window.
  3. Click the State link to open a list of possible alert options depending on the status of their processing by the Kaspersky Anti Targeted Attack Platform user.
  4. Select one of the following values:
    • New, if you want the program to display new alerts that are not being processed by any user yet.
    • In process, if you want the program to display alerts that a user of Kaspersky Anti Targeted Attack Platform is already processing.
    • Rescan, if you want the program to display alerts that resulted from a rescan.
  5. In the User name field, specify a user name if you want to find alerts that have been assigned to a specific user with the Senior security officer or Security officer role.
  6. Click Apply.

The table of alerts displays only alerts matching the filter criteria you have set.

[Topic 175903]

Sorting alerts in the table

You can sort alerts in the table by Created or Updated, Importance, Source, and State columns.

To sort alerts in the alert table:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. If you want to sort the alerts by date, click one of the icons to the right of the Created (if the table is displaying alert creation dates) or Updated (if the table is displaying alert update dates) column header:
    • The up arrow icon, to display newer alerts at the top of the table.
    • The down arrow icon, to display older alerts at the top of the table.
  3. If you want to sort the alerts by the level of importance, to the right of the Importance icon, click one of the following icons:
    • The up arrow icon, to display high importance alerts at the top of the table.
    • The down arrow icon, to display low importance alerts at the top of the table.
  4. If you want to sort alerts by the address of the source of the detected object, click one of the icons to the right of the Source column header:
    • The up arrow icon, to sort alphabetically, A–Z.
    • The down arrow icon, to sort alphabetically, Z–A.
  5. If you want to sort alerts by the state of processing by the user, click one of the icons to the right of the State column header:
    • The up arrow icon, to sort alerts in order of processing New - Rescan - In process - Closed.
    • The down arrow icon, to sort alerts in order of processing Closed - In process - Rescan - New.
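As an added illustration (not part of the Kaspersky documentation), the following Python model reproduces, over a few constructed alert rows, the filter operators, the Processed switch and VIP visibility rules from the filtering topics above, and the sort orders from this topic. The Alert fields, case-insensitive matching and the glob syntax for "Matches the pattern" are assumptions, since the manual does not define them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Orders the manual documents for the State and Importance sort icons.
STATE_ORDER = {"New": 0, "Rescan": 1, "In process": 2, "Closed": 3}
IMPORTANCE_ORDER = {"Low": 0, "Medium": 1, "High": 2}
DEMO_NOW = datetime(2024, 1, 1, 12, 0)  # fixed "now" so the demo is reproducible

# Operators offered in the filter drop-downs. "Matches the pattern" is treated here
# as a glob with * and ?; the manual does not define the pattern syntax (assumption).
OPERATORS = {
    "Contains": lambda v, n: n in v,
    "Does not contain": lambda v, n: n not in v,
    "Equal to": lambda v, n: v == n,
    "Not equal to": lambda v, n: v != n,
    "Matches the pattern": lambda v, n: fnmatchcase(v, n),
    "Does not match the pattern": lambda v, n: not fnmatchcase(v, n),
}

@dataclass
class Alert:  # one row of the alerts table (constructed model, not the product's schema)
    id: int
    created: datetime
    importance: str
    source: str
    detected: str
    state: str
    vip: bool = False
    processed: bool = False

def match(op, value, needle):
    """Apply one filter operator; comparisons are case-insensitive (assumption)."""
    return OPERATORS[op](value.lower(), needle.lower())

def filter_alerts(alerts, conditions=(), *, role="Senior security officer",
                  show_processed=False, period="All", now=None):
    """Visibility rules first, then every (column, operator, text) condition must hold."""
    now = now or datetime.now()
    out = []
    for a in alerts:
        if a.vip and role == "Security officer":  # VIP alerts are hidden from this role
            continue
        if a.processed and not show_processed:    # the Processed switch is off by default
            continue
        if period in ("Last hour", "Last day"):
            span = timedelta(hours=1) if period == "Last hour" else timedelta(days=1)
            if a.created < now - span:
                continue
        elif isinstance(period, tuple) and not (period[0] <= a.created <= period[1]):
            continue                              # Custom range: (start, end) from the calendar
        if all(match(op, getattr(a, col), text) for col, op, text in conditions):
            out.append(a)
    return out

def sort_alerts(alerts, column, icon="up"):
    """'up' puts newer, higher-importance, A-Z or New-first rows on top; 'down' reverses."""
    keys = {
        "Created": lambda a: -a.created.timestamp(),
        "Importance": lambda a: -IMPORTANCE_ORDER[a.importance],
        "Source": lambda a: a.source.lower(),
        "State": lambda a: STATE_ORDER[a.state],
    }
    return sorted(alerts, key=keys[column], reverse=(icon == "down"))

def sample_alerts(now=DEMO_NOW):
    """Constructed rows for the demonstration; addresses and detection names are made up."""
    h = timedelta(hours=1)
    return [
        Alert(1, now - 20 * h, "High", "mail.example.test", "Trojan.Win32.Agent", "New"),
        Alert(2, now - h / 2, "Medium", "10.0.0.7", "HEUR:Trojan.Script", "In process", vip=True),
        Alert(3, now - 2 * h, "Low", "10.0.0.9", "not-a-virus:AdWare", "Closed", processed=True),
        Alert(4, now - 30 * h, "High", "cdn.example.test", "Trojan-Downloader", "Rescan"),
    ]
```

Calling `filter_alerts(sample_alerts(), [("detected", "Contains", "trojan")], period="Last day", now=DEMO_NOW)` returns the rows a Senior security officer would see with the Processed switch off, and `sort_alerts(rows, "State")` orders them as the up arrow on the State column does.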

[Topic 197135]

Quickly creating an alert filter

To quickly create an alert filter:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Do the following to quickly add filter conditions to the filter being created:
    1. Position the mouse cursor on the link containing the table column value that you want to add as a filter condition.
    2. Left-click it.

      This opens a list of actions to perform on the value.

    3. In the list that opens, select one of the following actions:
      • Add to filter, if you want to include this value in the filter condition.
      • Exclude from filter, if you want to exclude the value from the filter condition.

  3. If you want to add several filter conditions to the filter being created, perform the actions to quickly add each filter condition to the filter being created.

The table of alerts displays only alerts matching the filter criteria you have set.

[Topic 154989]

Clearing an alert filter

To clear the alert filter for one or more filtering criteria:

  1. Select the Alerts section in the window of the program web interface.

    This opens the table of alerts.

  2. Click the clear filter icon to the right of the header of the alerts table column for which you want to clear the filter conditions.

    If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.

The selected filters are cleared.

The table of alerts displays only alerts matching the filter criteria you have set.

[Topic 154995]