Kaspersky Anti Targeted Attack Platform
6.0
English

Contents

Event search criteria

The following criteria can be used to search for events:

  • General information:
    • Host is the host name.
    • HostIP is the IP address of the host.
    • EventType is the type of the event.
    • UserName is the name of the user.
    • OsFamily is the family of the operating system.
    • OsVersion is the version of the operating system being used on the host.
  • TAA properties:
    • IOAId is the TAA (IOA) rule ID.
    • IOATag is the information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
    • IOATechnique is the MITRE technique.
    • IOATactics is the MITRE tactic.
    • IOAImportance is the importance level that is assigned to an event generated using this TAA (IOA) rule.
    • IOAConfidence is the level of confidence depending on the likelihood of false alarms caused by the rule.
  • File properties:
    • CreationTime is the event creation time.
    • FileName is the name of the file.
    • FilePath is the path to the directory where the file is located.
    • FileFullName is the full path to the file. Includes the path to the directory and the file name.
    • ModificationTime is the file modification time.
    • FileSize is the size of the file.
    • MD5 is the MD5 hash of the file.
    • SHA256 is the SHA256 hash of the file.
    • SimilarDLLPath is the malicious DLL placed in a directory on the standard search path to make the operating system load it before the original DLL.
  • Linux processes:
    • LogonRemoteHost is the IP address of the host that initiated remote access.
    • RealUserName is the name of the user assigned when the user was registered in the system.
    • EffectiveUserName is the user name that was used to log in to the system.
    • Environment is system environment variables.
    • ProcessType is the type of the process.
    • OperationResult is the result of the operation.
    • FileOwnerUserName is the name of the file owner.
    • RealGroupName is the name of the user group.
    • EffectiveGroupName is the name of the user group that is used for operation.
  • Process started:
    • PID is the process ID.
    • ParentFileFullName is the path to the parent process file.
    • ParentMD5 is the MD5 hash of the parent process file.
    • ParentSHA256 is the SHA256 hash of the parent process file.
    • StartupParameters is the options that the process was started with.
    • ParentPID is the parent process ID.
    • ParentStartupParameters is the parent process startup settings.
  • Remote connection:
    • HTTPMethod is the HTTP request method. For example, Get, Post, or Connect.
    • ConnectionDirection is the direction of the connection (inbound or outbound).
    • LocalIP is the IP address of the local computer from which the remote connection attempt was made.
    • LocalPort is the IP address of the local computer from which the remote connection attempt was made.
    • RemoteHostName is the name of the computer that was the target of the remote connection attempt.
    • RemoteIP is the IP address of the computer that was the target of the remote connection attempt.
    • RemotePort is the port of the computer that was the target of the remote connection attempt.
    • URl is the address of the resource to which the HTTP request was made.
  • Registry modified:
    • RegistryKey is the registry key.
    • RegistryValueName is the name of the registry value.
    • RegistryValue is the data of the registry value.
    • RegistryOperationType is the type of the operation with the registry.
    • RegistryPreviousKey is the previous registry key.
    • RegistryPreviousValue is the previous name of the registry value.
  • System event log:
    • WinLogEventID is the type ID of the security event in the Windows log.
    • LinuxEventType is the type of the event. This criterion is used for Linux and macOS operating systems.
    • WinLogName is the name of the log.
    • WinLogEventRecordID is the log entry ID.
    • WinLogProviderName is the ID of the system that logged the event.
    • WinLogTargetDomainName is the domain name of the remote computer.
    • WinLogObjectName is the name of the object that initiated the event.
    • WinlogPackageName is the name of the package that initiated the event.
    • WinLogProcessName is the name of the process that initiated the event.
  • Detect and processing result:
    • DetectName is the name of the detected object.
    • RecordID is the ID of the triggered rule.
    • ProcessingMode is the scanning mode.
    • ObjectName is the name of the object.
    • ObjectType is the type of the object.
    • ThreatStatus is the detection mode.
    • UntreatedReason is the event processing status.
    • ObjectContent (for AMSI events too) is the content of the script sent for scanning.
    • ObjectContentType (for AMSI events too) is the type of script content.
  • Console interactive input:
    • InteractiveInputText is the text entered on the command line.
    • InteractiveInputType is the input type (console or pipe).
  • File modified:
    • FileOperationType is the type of the file operation.
    • FilePreviousPath is the path to the directory where the file was previously located.
    • FilePreviousName is the previous name of the file.
    • FilePreviousFullName is the full name of the file including the path to the directory where the file was previously located and/or the previous file name.
    • DroppedFileType is the type of the modified file.
Page top
[Topic 249034]