Kaspersky Next XDR Expert

Viewing alert details


Alert details are a page in the interface that contains all of the information related to the alert, including the alert properties.

To view alert details:

  1. In the main menu, go to Monitoring & reporting → Alerts.
  2. In the alert table, click the ID of the required alert.

The alert details are displayed.

If necessary, you can refresh the information in the alert details by clicking the refresh icon next to the alert name.

The toolbar in the upper part of the alert details allows you to perform the following actions:

Alert details contain the following sections:

  • Summary

    The summary section contains the following alert properties:

    • Analyst. The analyst to whom the alert is assigned.
    • Tenant. The name of the tenant in which the alert was detected.
    • Assets. The number of user accounts and devices related to the alert.
    • Severity. Possible values: Low, Medium, High, or Critical. The alert severity shows the impact this alert may have on computer security or corporate LAN security based on Kaspersky experience.
    • Rules. The rules that were triggered to detect the alert. By clicking the ellipsis icon next to the rule name, you can open the shortcut menu. Use this menu to learn more details about the rule, find alerts or incidents that were detected by the same rule, or search the rule triggering events in Threat hunting for the period between the first and the last event of the alert.

      When you click Go to Threat hunting in the menu, the Threat hunting section opens in the same tab. If you want to open the Threat hunting section in a new browser tab, click and hold the Ctrl key, and then click Go to Threat hunting in the menu.

    • Registered. The date and time when the alert was added to the alert table.
    • First event. The date and time of the first event related to the alert.
    • Last event. The date and time of the most recent event related to the alert.
    • External reference. Link to an entity in an external system (for example, a link to a Jira ticket). You can click the Edit button at the top to specify the external reference.
    • Linked to. The incident to which the alert is linked.
    • Technology. The technology that detected the alert.
    • MITRE tactic. A tactic or several tactics detected in the alert. The tactics are defined in the MITRE ATT&CK knowledge base.
    • MITRE technique. A technique or several techniques detected in the alert. The techniques are defined in the MITRE ATT&CK knowledge base.
    • Additional data. Additional information on the alert. You can edit a value in this field only by using a playbook. The field is displayed if you added a value.
  • Details

    In the Details section, you can track the telemetry events related to the alert.

    The event table displays the search result that you define through an SQL query.

    The toolbar of the event table allows you to perform the following actions:

    • Download events. You can click this button to download information about related events as a CSV file (in UTF-8 encoding).
    • Find in Threat hunting. You can click this button to open the Threat hunting section. This section allows you to search through all of the events related to the tenants that you have access to, and not only the events related to the current alert. By default, the opened event table contains all of the events that occurred during the time period between the first and the last event of the alert. For example, you can run a search query to find all of the events in which the device was affected.

      In the Threat hunting section, you can link events to alerts manually. This might be helpful if you discover that some events relate to an alert, but they were not linked to the alert automatically. For details, refer to the instructions on linking or unlinking events to or from alerts.

      You can go back to the incident details by clicking Alert investigation or by clicking the back button in your browser.

    • Unlink from alert. You can select an event or several events in the table, and then click this button to unlink the selected events from the alert.
  • Assets

    In the Assets section, you can view the devices and users affected by or involved in the alert.

    The asset table contains the following columns:

    • Asset type

      Possible values: device or user.

    • Asset name
    • Asset ID
    • Has signs of

      Possible values: attacker or victim.

    • Authorization status

      This parameter applies only to the device asset type. A device authorization status is defined by KICS for Networks. You can change the authorization status by applying the corresponding response action to the device.

    • Administration Server

      The Administration Server that manages the device.

    • Administration Group

      The administration group to which the device belongs.

    • Categories

      Asset categories which include the asset.

    By clicking a user name or a device name, you can:

    • Search the user name or the device ID in Threat hunting for the period between the first and the last event of the alert.

      If you select Go to Threat hunting in the menu that opens, the Threat hunting section opens in the same tab. To open the Threat hunting section in a new browser tab, hold down the Ctrl key while clicking Go to Threat hunting in the menu.

    • Search the user name or the device ID in other alerts.
    • Search the user name or the device ID in other incidents.
    • Copy the user name or the device name to the clipboard.

    You can also click a device name to open the device properties.

    By clicking a user ID or a device ID, you can:

    • Search the user ID or the device ID in Threat hunting for the period between the first and the last event of the alert.

      If you select Go to Threat hunting in the menu that opens, the Threat hunting section opens in the same tab. To open the Threat hunting section in a new browser tab, hold down the Ctrl key while clicking Go to Threat hunting in the menu.

    • Search the user ID or the device ID in other alerts.
    • Search the user ID or the device ID in other incidents.
    • Copy the user ID or the device ID to the clipboard.

    You can also click a device ID to open the device properties.

  • Files

    In the Files section, you can upload, download or delete files related to the alert.

    You can upload files of any extension. Duplicate file names are allowed.

    Limitations:

    • The number of files cannot exceed 100 per alert.
    • Total file size cannot exceed 26.2 MB per alert.

    To upload files, click the Upload button and select one or multiple files. If you attempt to upload files that exceed the limitations, the Uploading files panel opens with a warning message. In this panel, you can remove files from the upload queue until the warning message disappears, and then click the Upload button to upload the remaining files. If you click the Upload button while ignoring the warning message, the upload fails, and the file list shows the files that could not be uploaded with a warning icon next to their names.

    Click a file to open the Edit file panel, which displays the file details. In this panel, you can edit the file description.

    Use check boxes to select a file or multiple files. Select a file and click the Download button to download it. Select a file or multiple files and click the Delete button to delete the selected files.

    The Write permission in the Alerts and incidents functional area is required to upload and delete files and edit file descriptions. The Read permission in the Alerts and incidents functional area is required to download files.

  • Observables

    In the Observables section, you can view the observables related to the alert. The observables may include:

    • MD5 hash
    • IP address
    • URL
    • Domain name
    • SHA256
    • UserName
    • HostName

    By clicking a link in the Value column, you can:

    • Search the observable value in Threat hunting for the period between the first and the last event of the alert.

      If you select Go to Threat hunting in the menu that opens, the Threat hunting section opens in the same tab. To open the Threat hunting section in a new browser tab, hold down the Ctrl key while clicking Go to Threat hunting in the menu.

    • Search the observable value in other alerts.
    • Search the observable value in other incidents.
    • Copy the observable value to the clipboard.

    The toolbar of this section contains the following buttons:

    • Request status from Kaspersky TIP. Use this button to obtain detailed information about the selected observable from Kaspersky Threat Intelligence Portal (Kaspersky TIP). As a result, the information is updated in the Status update column. Requires integration with Kaspersky Threat Intelligence Portal (Premium access).
    • Enrich data from Kaspersky TIP. Use this button to obtain detailed information about all of the listed observables from Kaspersky TIP. As a result, the information is updated in the Enrichment column. Use a link in the Enrichment column to open the obtained enrichment details about an observable. Requires integration with Kaspersky Threat Intelligence Portal (Premium access).
    • Move to quarantine. Use this button to move the device on which the file is located to quarantine. This button is only available for hash (MD5 or SHA256) observables.
    • Add prevention rule. Use this button to add a rule that prevents the file from running. This button is only available for hash (MD5 or SHA256) observables.
    • Delete prevention rule. Use this button to delete the rule that prevents the file from running. This button is only available for hash (MD5 or SHA256) observables.
    • Terminate process. Use this button to terminate processes associated with the file. This button is only available for hash (MD5 or SHA256) observables.
  • Similar closed alerts

    In the Similar closed alerts section, you can view the list of closed alerts that have the same affected artifacts as the current alert. The affected artifacts include observables and affected devices. The similar closed alerts can help you investigate the current alert.

    By using the list, you can evaluate the degree of similarity of the current alert and other alerts. The similarity is calculated as follows:

    Similarity = M / T * 100

    Here, 'M' is the number of artifacts that match in the current alert and the similar alert, and 'T' is the total number of artifacts in the current alert.

    If the similarity is 100%, the current alert has nothing new in comparison with the similar alert. If the similarity is 0%, the current and the similar alert are completely different. Alerts that have a similarity of 0% are not included in the list.

    The calculated value is rounded off to the nearest whole number. If the similarity is between 0% and 1%, the application does not round it down to 0%; in this case, the value is displayed as less than 1%.

    Clicking an alert ID opens the alert details.

    Customizing the similar closed alerts list

    You can customize the table by using the following options:

    • Filter the alerts by selecting the period during which the alerts were updated. By default, the list contains the alerts that were updated in the last 30 days.
    • Click the Columns settings icon, and then select which columns to display and in which order.
    • Click the Filter icon, and then select and configure the filters that you want to apply. If you select several filters, they are applied simultaneously by the logical AND operator.
    • Click a column header, and then select the sorting options. You can sort the alerts in ascending or descending order.

  • Similar incidents

    In the Similar incidents section, you can view the list of incidents that have the same affected artifacts as the current alert. The affected artifacts include observables and affected devices. The similar incidents can help you decide if the current alert may be linked to an existing incident.

    By using the list, you can evaluate the degree of similarity of the current alert and the incidents. The similarity is calculated as follows:

    Similarity = M / T * 100

    Here, 'M' is the number of artifacts that match in the current alert and the similar incident, and 'T' is the total number of artifacts in the current alert.

    If the similarity is 100%, the current alert has nothing new in comparison with the similar incident. If the similarity is 0%, the current alert and the similar incident are completely different. Incidents that have similarity of 0% are not included in the list.

    The calculated value is rounded off to the nearest whole number. If the similarity is between 0% and 1%, the application does not round it down to 0%; in this case, the value is displayed as less than 1%.

    Clicking an incident ID opens the incident details.
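    The similarity score described for both the Similar closed alerts and the Similar incidents sections, worked through as an added Python example (this is illustration code, not part of Kaspersky Next XDR Expert; the artifact values and the INC-* identifiers are constructed). It computes M / T * 100 over sets of artifacts, applies the display rule that a value between 0% and 1% is shown as less than 1% instead of being rounded down, and drops 0% entries from the list, as the sections above describe:

```python
# Added illustration of the similarity score used in the Similar closed alerts
# and Similar incidents sections. Example code, not part of the product; all
# artifact values and IDs below are constructed.
from fractions import Fraction


def similarity_percent(current_artifacts, other_artifacts):
    """Similarity = M / T * 100.

    M is the number of the current alert's artifacts (observables and affected
    devices) that also occur in the other alert or incident; T is the total
    number of artifacts in the current alert. An exact Fraction is returned so
    that the display rule below can tell 0% apart from a value just above it.
    """
    current = set(current_artifacts)
    if not current:
        raise ValueError("current alert has no artifacts; similarity is undefined")
    matched = current & set(other_artifacts)
    return Fraction(len(matched), len(current)) * 100


def display_similarity(value):
    """Round to the nearest whole percent, except that a value strictly
    between 0% and 1% is shown as '<1%' rather than being rounded down to 0%."""
    if 0 < value < 1:
        return "<1%"
    # floor(value + 1/2): round half up on the exact fraction, no float drift
    return f"{int(value + Fraction(1, 2))}%"


def similar_items(current_artifacts, candidates):
    """Build the list the UI shows: every candidate alert or incident with a
    non-zero score, most similar first. `candidates` maps an ID to its artifacts."""
    rows = []
    for item_id, artifacts in candidates.items():
        score = similarity_percent(current_artifacts, artifacts)
        if score == 0:
            continue  # entries with 0% similarity are not listed
        rows.append((item_id, score, display_similarity(score)))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed artifacts (observables and affected devices) of the current alert.
CURRENT_ALERT = [
    "md5:constructed-hash-1",
    "ip:203.0.113.10",        # RFC 5737 documentation address
    "domain:example.org",
    "device:ws-0117",
]

# Constructed closed alerts / incidents to compare against. INC-1 carries an
# extra artifact the current alert lacks; since T counts only the current
# alert's artifacts, it still scores 100% (nothing new in the current alert).
CANDIDATES = {
    "INC-1": ["md5:constructed-hash-1", "ip:203.0.113.10",
              "domain:example.org", "device:ws-0117", "ip:203.0.113.99"],
    "INC-2": ["md5:constructed-hash-1", "device:ws-0208"],
    "INC-3": ["url:http://example.net/x", "device:ws-0300"],
}

if __name__ == "__main__":
    for item_id, score, shown in similar_items(CURRENT_ALERT, CANDIDATES):
        print(item_id, shown)   # INC-1 100%, INC-2 25%; INC-3 is omitted
    # A large alert with a single matching artifact: 1/150 * 100 is below 1%
    big_alert = [f"host:constructed-host-{i}" for i in range(150)]
    print(display_similarity(similarity_percent(big_alert, big_alert[:1])))
```

    The score is kept as an exact fraction until display so that the "less than 1%" case can be detected reliably; with floating point, 1/150 * 100 is close enough to 0.67 that a naive round() would report 1% and a naive floor would report 0%, both of which the sections above rule out.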

    Customizing the similar incidents list

    You can customize the table by using the following options:

    • Filter the incidents by selecting the period during which the incidents were updated. By default, the list contains the incidents that were updated in the last 30 days.
    • Click the Columns settings icon, and then select which columns to display and in which order.
    • Click the Filter icon, and then select and configure the filters that you want to apply. If you select several filters, they are applied simultaneously by the logical AND operator.
    • Click a column header, and then select the sorting options. You can sort the incidents in ascending or descending order.
  • Comments

    In the Comments section, you can leave comments related to the alert. For example, you can enter a comment about investigation results or when you change the alert properties, such as the alert assignee or status.

    You can edit or remove your own comments. The comments of other users cannot be modified or removed.

    To save your comment, press Enter. To start a new line, press Shift+Enter. To edit or delete your comment, use the buttons on the top right.

    The Write permission in the Alerts and incidents functional area is required to leave comments.

  • History

    In the Alert event log section, you can track the changes that were made to the alert as a work item:

    • Changing alert status
    • Changing alert assignee
    • Linking alert to an incident
    • Unlinking alert from an incident
    • Uploading a file to the alert
    • Deleting a file from the alert

    In the Response history section, you can review the log of manual and playbook response actions. The table contains the following columns:

    • Time. The time when the event occurred.
    • Launched by. Name of the user who launched the response action.
    • Events. Description of the event.
    • Response parameters. Response action parameters that are specified in the response action.
    • Asset. Number of the assets for which the response action was launched. You can click the link with the number of the assets to view the asset details.
    • Action status. Execution status of the response action. The following values can be shown in this column:
      • Awaiting approval—Response action awaiting approval for launch.
      • In progress—Response action is in progress.
      • Success—Response action is completed without errors or warnings.
      • Warning—Response action is completed with warnings.
      • Error—Response action is completed with errors.
      • Terminated—Response action is completed because the user interrupted the execution.
      • Approval time expired—Response action is completed because the approval time for the launch has expired.
      • Rejected—Response action is completed because the user rejected the launch.
    • Playbook. Name of the playbook in which the response action was launched. You can click the link to view the playbook details.
    • Response action. Name of the response action that was performed.
    • Asset type. Type of asset for which the response action was launched. Possible values: Device or User.
    • Asset tenant. The tenant that is the owner of the asset for which the response action was launched.

See also:

About alerts

Assigning alerts to analysts

Changing an alert status

Linking alerts to incidents

[Topic 221315]