Kaspersky Anti Targeted Attack Platform
6.0
English

Contents

Searching events by processing results in EPP applications

To search events by processing results in

EPP applications
in builder mode:

  1. Select the Threat Hunting section, Builder tab in the application web interface window.

    This opens the event search form.

  2. To search events by processing status:
    1. In the search criteria drop-down lost in the Detect and processing result group, select ThreatStatus.
    2. In the drop-down list of comparison operators, select one of the following options:
      • = (equals)
      • != (does not equal)
    3. In the drop-down list of event processing status, select one of the following options:
      • Object clean.
      • Object disinfected.
      • False positive.
      • Object added by user.
      • Object added to exclusions.
      • Object deleted.
      • Object quarantined.
      • Object not found.
      • Object rolled back.
      • Object cannot be processed.
      • Object not processed.
      • Processing terminated.
      • Unknown.
  3. To search events by reasons why they were not processed:
    1. In the search criteria drop-down lost in the Detect and processing result group, select UntreatedReason.
    2. In the drop-down list of comparison operators, select one of the following options:
      • = (equals)
      • != (does not equal)
    3. In the drop-down list of reasons why the events were not processed, select one of the following options:
      • Object already processed.
      • Application is running in Report only mode.
      • Failed to back up object.
      • Failed to copy object.
      • Device not ready.
      • Object blocked.
      • No rights to perform action.
      • Object not curable.
      • Object not overwritable.
      • Object not found.
      • No free space on disk.
      • Processing canceled.
      • Processing postponed.
      • Processing task stopped.
      • Error reading data.
      • Reason unknown.
      • This is a critical system object.
      • Data write error.
      • Data write not supported.
      • Object write-protected.
  4. If you want to add a new condition, use the AND or OR logical operator and repeat the necessary actions for adding a condition.
  5. If you want to add a group of conditions, click the Group button and repeat the actions necessary for adding conditions.
  6. If you want to delete a group of conditions, click the Remove group button.
  7. If you want to search events that occurred during a specific period, in the Any time drop-down list select one of the following event search periods:
    • Any time if you want the table to display events found as far back as the records go.
    • Last hour if you want the table to display events that were found during the last hour.
    • Last day if you want the table to display events found during the last day.
    • Custom range if you want the table to display events found during the period you specify.
  8. If you have selected the Custom range display period for found events:
    1. In the calendar that opens, specify the start and end dates of the event display range.
    2. Click Apply.

    The calendar closes.

  9. Click Search.

The table of events that satisfy the search criteria is displayed.

See also

Events database threat hunting

Searching events in builder mode

Searching events in source code mode

Sorting events in the table

Changing the event search conditions

Uploading an IOC file and searching for events based on conditions defined in the IOC file

Creating a TAA (IOA) rule based on event search conditions
Page top
[Topic 247641]