- Kaspersky Anti Targeted Attack Platform Help
- Kaspersky Anti Targeted Attack Platform
- What's new
- About Kaspersky Threat Intelligence Portal
- Distribution kit
- Hardware and software requirements
- Compatibility of Kaspersky Endpoint Agent for Windows versions with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of Kaspersky Endpoint Agent for Windows versions with EPP applications
- Compatibility of Kaspersky Endpoint Security for Windows versions with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of Kaspersky Endpoint Security for Linux versions with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of Kaspersky Endpoint Security for Mac with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of KUMA versions with versions of Kaspersky Anti Targeted Attack Platform
- Compatibility of XDR versions with versions of Kaspersky Anti Targeted Attack Platform
- Compatibility of KPSN versions with versions of Kaspersky Anti Targeted Attack Platform
- Compatibility of Kaspersky Anti Targeted Attack Platform with VK Cloud
- Limitations
- Data provision
- Service data of the application
- Data of the Central Node and Sensor components
- Sandbox component data
- Data transmitted between application components
- Data contained in application trace files
- Data of Kaspersky Endpoint Agent for Windows
- Kaspersky Endpoint Security for Windows data
- Kaspersky Endpoint Security for Linux data
- Kaspersky Endpoint Security for Mac data
- Application licensing
- About the End User License Agreement
- About the license certificate
- About the license
- About the license key
- About the key file
- About the activation code
- About the subscription
- Adding a license key
- Replacing the license key
- Removing a license key
- Viewing information about added license keys in the web interface of the Central Node
- Viewing the text of the End User License Agreement in the web interface of the Central Node
- Viewing the text of the Privacy Policy in the web interface of the Central Node
- Viewing information about the third-party code used in the application
- Viewing the text of the End User License Agreement in the web interface of the Sandbox
- Viewing the text of the End User License Agreement for the Endpoint Agent component
- Application modes based on the license
- Architecture of the application
- Operating principle of the application
- Distributed solution and multitenancy
- Distributed solution and multitenancy mode transition scenario
- Modifications of application settings for the distributed solution and multitenancy mode
- Assigning the PCN role to a server
- Assigning the SCN role to a server
- Viewing information about tenants, PCN and SCN servers
- Adding a tenant to the PCN server
- Deleting a tenant from the PCN server
- Renaming a tenant on the PCN server
- Disconnecting an SCN from PCN
- Modifications of application settings for disconnecting an SCN from PCN
- Sizing Guide
- Installing and performing initial configuration of the application
- Preparing for installing application components
- Preparing the IT infrastructure for installing application components
- Preparing the IT infrastructure for integration with a mail server used for receiving messages via POP3
- Preparing the IT infrastructure for integration with a mail server used for receiving messages via SMTP
- Preparing the virtual machine for installing the Sandbox component
- Preparing an installation disk image with the Central Node, Sensor, and Sandbox components
- Procedure for installing and configuring application components
- Installing the Sandbox component
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a disk for installing the Sandbox component
- Step 3. Assigning the host name
- Step 4. Selecting the controlling network interface in the list
- Step 5. Assigning the address and network mask of the controlling interface
- Step 6. Adding DNS server addresses
- Step 7. Configuring a static network route
- Step 8. Configuring the minimum password length for the Sandbox administrator password
- Step 9. Creating the Sandbox administrator account
- Deploying the Central Node component with Embedded Sensor as a cluster
- Deploying a storage server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a server role
- Step 3. Selecting the deployment mode
- Step 4. Selecting a disk for installing the component
- Step 5. Selecting a network mask for server addressing
- Step 6. Selecting a network mask for addressing of application components
- Step 7. Selecting the cluster network interface
- Step 8. Selecting the external network interface
- Step 9. Selecting the method of obtaining IP addresses for network interfaces
- Step 10. Creating an administrator account and authenticating the server in the cluster
- Step 11. Adding DNS server addresses
- Step 12. Configuring time synchronization with an NTP server
- Step 13. Selecting disks for the Ceph storage
- Deploying the processing server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a server role
- Step 3. Selecting a disk for installing the component
- Step 4. Selecting a network mask for cluster server addressing
- Step 5. Selecting a network mask for addressing of application components
- Step 6. Selecting the cluster network interface
- Step 7. Selecting the external network interface
- Step 8. Selecting the method of obtaining IP addresses for network interfaces
- Step 9. Authenticating the server in the cluster
- Step 10. Selecting the localization language for the NDR functionality and configuring the receipt of mirrored traffic from SPAN ports
- Purging hard disks on storage servers
- Deploying a storage server
- Installing the Central Node component with Embedded Sensor on a server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a server role
- Step 3. Selecting a disk for installing the component
- Step 4. Allocating the disk for the Targeted Attack Analyzer component's database
- Step 5. Selecting a network mask for server addressing
- Step 6. Selecting a network mask for addressing of application components
- Step 7. Selecting the external network interface
- Step 8. Selecting the method of obtaining IP addresses for network interfaces
- Step 9. Creating the administrator account
- Step 10. Selecting the localization language for the NDR functionality
- Step 11. Adding DNS server addresses
- Step 12. Configuring time synchronization with an NTP server
- Step 13. Configuring receipt of mirrored traffic from SPAN ports
- Installing the Sensor component on a standalone server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a server role
- Step 3. Selecting a disk for installing the component
- Step 4. Selecting a network mask for server addressing
- Step 5. Selecting a network mask for addressing of application components
- Step 6. Selecting the external network interface
- Step 7. Selecting the method of obtaining IP addresses for network interfaces
- Step 8. Creating the administrator account
- Step 9. Adding DNS server addresses
- Step 10. Configuring time synchronization with an NTP server
- Step 11. Configuring receipt of mirrored traffic from SPAN ports
- Optimization of network interface settings for the Sensor component
- Connecting and configuring external storage for the Sensor component
- Preparing for installing application components
- Configuring the sizing settings of the application
- Configuring firewall rules
- Ports used on computers with Kaspersky Anti Targeted Attack Platform components
- Ports used by Kaspersky Anti Targeted Attack Platform services in a cluster configuration
- Ports used by services of a Central Node deployed as a server
- Ports used by services in a configuration with the Sensor component installed on a standalone server
- Ports for communication between network traffic analysis services
- Configuring integration of the Endpoint Agent component with the KEDR functional block
- Configuring a trusted connection with Kaspersky Endpoint Agent
- Configuring the validation of the Kaspersky Endpoint Agent TLS certificate by the Central Node server and uploading a crypto container to Kaspersky Endpoint Agent
- Uploading a TLS certificate of the Central Node server or Sensor to Kaspersky Endpoint Agent
- Configuring the integration and trusted connection with Kaspersky Anti Targeted Attack Platform on the Kaspersky Endpoint Agent side
- Configuring a trusted connection with Kaspersky Endpoint Security
- Downloading the TLS certificate of the Central Node server
- Generating a TLS certificate for the Central Node server in the web interface of Kaspersky Anti Targeted Attack Platform
- Uploading an independently prepared TLS certificate for the Central Node server using the web interface of Kaspersky Anti Targeted Attack Platform
- Enabling the validation of the TLS certificate of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform
- Generating a TLS certificate of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform and downloading a crypto container
- Uploading an independently prepared TLS certificate of the Endpoint Agent component using the web interface of Kaspersky Anti Targeted Attack Platform
- Viewing the table of TLS certificates of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform
- Filtering and searching TLS certificates of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform
- Deleting TLS certificates of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform
- Configuring traffic redirection from the Endpoint Agent component to the Sensor server
- Configuring a trusted connection with Kaspersky Endpoint Agent
- Configuring integration of the Endpoint Agent component with the NDR functional block
- Integration servers table
- Scenario for preparing to receive data from the Endpoint Agent component
- Adding an integration server
- Creating a communication data package for clients of an integration server
- Enabling or disabling an integration server
- Editing integration server settings
- Removing an integration server
- Getting started with the application
- Managing accounts of application administrators and users
- Creating an administrator account for the application web interface
- Creating a user account for the application web interface
- Configuring user account table display
- Viewing the user account table
- Filtering user accounts
- Clearing the account filter
- Changing access rights of an application web interface user account
- Enabling and disabling an administrator account or user account of the application web interface
- Changing the password of an application administrator or user account
- Changing the password of your account
- Authentication using domain accounts
- Participation in Kaspersky Security Network and use of Kaspersky Private Security Network
- Managing the Sandbox component through the web interface
- Updating the Sandbox component databases
- Configuring connection between the Sandbox and Central Node components
- Configuring the Sandbox component network interfaces
- Setting the Sandbox system date and time
- Installing and configuring images of operating systems and applications required for the operation of the Sandbox component
- Managing operating system and application images in the Sandbox Storage
- Managing virtual machine templates
- Managing virtual machines
- Setting the maximum number of simultaneously running virtual machines
- Changing the number of license keys for a virtual machine with a custom operating system image
- Downloading the Sandbox system log to the hard drive
- Exporting Sandbox settings
- Importing Sandbox settings
- Restarting the Sandbox server
- Powering off the Sandbox server
- Changing the Sandbox administrator account password
- For administrators: Getting started with the application web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Monitoring the performance of the application
- About widgets and layouts
- Selecting a tenant and a server to manage in the Dashboard section
- Adding a widget to the current layout
- Moving a widget in the current layout
- Changing the display of information in NDR widgets
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the data display period in widgets
- Monitoring the receipt and processing of incoming data
- Monitoring the queues for data processing by application modules and components
- Monitoring the processing of data by the Sandbox component
- Viewing the working condition of modules and components of the application
- Managing Central Node or Sensor server information
- Managing Central Node, PCN, or SCN servers using the application web interface
- Changing the server name
- Configuring the date and time on the server
- Generating or uploading a TLS certificate of the server
- Downloading the TLS certificate of the server
- Assigning a server DNS name
- Configuring DNS settings
- Configuring settings of the network interface
- Configuring the default network route
- Configuring proxy server connection settings
- Configuring the mail server connection
- Managing traffic saving settings
- Managing the settings for saving traffic dump files
- Selecting operating systems to use when scanning objects in Sandbox
- Password policies
- Managing the Sensor component
- Connecting the Sensor component to the Central Node
- Managing the certificate of the Sensor component
- Logging in to the web interface of the Sensor component
- Changing the server name
- Managing monitoring points
- Configuring the maximum size of a scanned file
- Configuring HTTP packet body dumping
- Configuring integration with a mail server via SMTP
- Configuring integration with a proxy server via ICAP
- Configuring recording of mirrored traffic from SPAN ports
- Configuring integration with a mail server via POP3
- Managing the cluster
- Notifications about the maximum allowed CPU and RAM load for the Central Node and Sensor servers
- Configuring the SNMP protocol connection
- Managing Endpoint Agent host information
- Selecting a tenant to manage in the Endpoint Agents section
- Viewing the table of hosts with the Endpoint Agent component on a standalone Central Node server
- Viewing information about a host
- Filtering and searching hosts with the Endpoint Agent component by host name
- Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
- Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
- Filtering and searching hosts with the Endpoint Agent component by computer IP address
- Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
- Filtering and searching hosts with the Endpoint Agent component by component version
- Filtering and searching hosts with the Endpoint Agent component by their activity
- Quickly creating a filter for hosts with the Endpoint Agent component
- Resetting the filter for hosts with the Endpoint Agent component
- Configuring activity indicators of the Endpoint Agent component
- Removing hosts with the Endpoint Agent component
- Automatic removal of inactive hosts
- Supported interpreters and processes
- Configuring integration with the Sandbox component
- Manually sending files from Endpoint Agent hosts to be scanned by Sandbox
- Configuring integration with external systems
- Configuring integration with Kaspersky Managed Detection and Response
- Configuring integration with an SIEM system
- Renewing the certificate for connecting to the Central Node using the API
- Managing connectors
- Managed and unmanaged connectors
- Sending events, application messages, and audit records to third-party systems
- Automatic network access control for devices via Cisco Switch connectors
- Adding a connector
- Viewing the table of connectors
- Enabling or disabling a connector
- Editing connector settings
- Creating a new communication data package for a connector
- Deleting a connector
- Adding and deleting connector types
- Managing account credentials secrets for remote connections
- Updating application databases
- Creating a list of passwords for archives
- Configuring integration with ArtX TLSproxy
- For security officers: Getting started with the application web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Selecting a tenant to manage in the web interface of the application
- Monitoring the performance of the application
- About widgets and layouts
- Adding a widget to the current layout
- Moving a widget in the current layout
- Changing the display of information in NDR widgets
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the data display period in widgets
- Configuring the widget display scale
- Basics of managing "Alerts" type widgets
- Information in the Devices widget
- Information in the Events widget
- Viewing the working condition of modules and components of the application
- Managing technologies
- Viewing the alert table
- Configuring the alert table display
- Filtering, sorting, and searching alerts
- Filtering alerts by VIP status
- Filtering and searching alerts by time
- Filtering alerts by level of importance
- Filtering and searching alerts by categories of objects detected
- Filtering and searching alerts by obtained information
- Filtering and searching alerts by source address
- Filtering and searching alerts by destination address
- Filtering and searching alerts by server name
- Filtering and searching alerts by technology name
- Filtering and searching alerts by the status of their processing by the user
- Filtering and searching alerts by the name of the user to which they are assigned
- Sorting alerts in the table
- Quickly creating an alert filter
- Saving filters
- Resetting the alert filter
- Recommendations for processing alerts
- Recommendations for processing AM alerts
- Recommendations for processing TAA alerts
- Recommendations for processing SB alerts
- Recommendations for processing IOC alerts
- Recommendations for processing YARA alerts
- Recommendations for processing IDS alerts
- Recommendations for processing NDR:IDS and NDR:EA alerts
- Viewing alerts
- Viewing alert details
- General information about an alert of any type
- Information in the Object information section
- Information in the Alert details section
- Information in the Information about scanning using NDR technologies section
- Information in the Scan results section
- Information in the IDS rule section
- Information in the URL section
- Information in the IP addresses of detection-related devices section
- Information in the Network event section
- Scan results in Sandbox
- IOC scan results
- Information in the Hosts section
- Information in the Change log section
- Sending alert data
- Viewing alert relations
- User actions performed on alerts
- Monitoring network traffic events
- NDR event scores and severity levels
- NDR event registration technologies
- NDR event statuses
- Table of registered NDR events
- Configuring the table of registered events
- Viewing events nested inside an aggregate event
- Viewing details of an NDR event
- Changing the status of an NDR event
- Adding markers
- Copying NDR events to a text editor
- Downloading traffic for events
- Creating a directory for exporting events to a network share
- Events database threat hunting
- Searching for events in builder mode
- Searching for events in source code mode
- Converting a builder query for searching events in source code mode
- Event search criteria
- Operators
- Sorting events in the table
- Changing the event search conditions
- Searching for events by processing results in EPP applications
- Searching for events using conditions specified in an IOC or YAML file
- Creating a TAA (IOA) rule based on event search conditions
- Event information
- Recommendations for processing events
- Information about events in the tree of events
- Viewing the table of events
- Configuring the event table display
- Viewing information about an event
- Information about the "Process started" event
- Information about the "Process terminated" event
- Information about the "Module loaded" event
- Information about the "Remote connection" event
- Information about the "Prevention rule" event
- Information about the "Document blocked" event
- Information about the "File modified" event
- Information about the "System event log" event
- Information about the "Changes in the registry" event
- Information about the "Port listened" event
- Information about the "Driver loaded" event
- Information about the "DNS" event
- Information about the "LDAP" event
- Information about the "Named pipe" event
- Information about the "WMI" event
- Information about the "Alert" event
- Information about the "Alert processing result" event
- Information about the "Interpreted file run" event
- Information about the "AMSI scan" event
- Information about the "Interactive command input at the console" event
- Information about the "Code injection" event
- Information about the "Process access" event
- Event chain scanning by Kaspersky TAA (IOA) rules
- Managing assets
- Viewing the table of devices
- Viewing device information
- Automatically adding and updating devices
- Manually adding devices
- Automatically assigning device status
- Automatically grouping devices based on a criterion
- Manually arranging devices into groups
- Moving servers with components and groups to other groups on the network interactions map
- Device group tree
- Manually editing the device group tree
- Adding and removing device labels
- Group response
- Monitoring users on devices
- Monitoring file execution on devices
- Active device polling jobs
- Configuring address spaces
- Working with the network interactions map
- Nodes on the network interactions map
- Device groups on the network interactions map
- Links on the network interactions map
- Viewing object details
- Zooming the network interactions map
- Positioning the network map
- Pinning and unpinning nodes and groups
- Manually rearranging nodes and groups
- Automatically arranging nodes and groups
- Searching for nodes on the network interactions map
- Filtering objects on the network interactions map
- Saving and loading the display settings of the network interactions map
- Adding a new view and saving the current display settings of the network interactions map
- Refreshing a view while keeping the current display settings of the network interactions map
- Renaming a network interactions map view
- Deleting a network interactions map view
- Applying settings saved in the view to the network interactions map
- Monitoring network sessions
- Monitoring risks
- Configuring NDR event types
- Viewing the table of event types
- Editing the settings of a system event type
- Configuring automatic saving of traffic for system event types
- Configuring the forwarding of events through connectors
- Common substitution variables in Kaspersky Anti Targeted Attack Platform
- NDR event registration technologies
- System event types in Kaspersky Anti Targeted Attack Platform
- Configuring risk types
- System event types in Kaspersky Anti Targeted Attack Platform
- Managing Endpoint Agent host information
- Viewing the table of hosts with the Endpoint Agent component
- Configuring the display of the table of hosts with the Endpoint Agent component
- Viewing information about a host
- Filtering and searching hosts with the Endpoint Agent component by host name
- Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
- Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
- Filtering and searching hosts with the Endpoint Agent component by computer IP address
- Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
- Filtering and searching hosts with the Endpoint Agent component by component version
- Filtering and searching hosts with the Endpoint Agent component by their activity
- Quickly creating a filter for hosts with the Endpoint Agent component
- Resetting the filter for hosts with the Endpoint Agent component
- Removing hosts with the Endpoint Agent component
- Configuring activity indicators of the Endpoint Agent component
- Supported interpreters and processes
- Network isolation of hosts with the Endpoint Agent component
- Automatically sending files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules
- Selecting operating systems to use when scanning objects in Sandbox
- Managing tasks
- Viewing the task table
- Viewing information about a task
- Creating a get file task
- Creating a forensic collection task
- Creating a registry key retrieval task
- Creating an NTFS metafile retrieval task
- Creating a process memory dump retrieval task
- Creating a disk image retrieval task
- Creating a RAM dump retrieval task
- Creating a process termination task
- Creating a task to scan hosts using YARA rules
- Creating a service management task
- Creating an application execution task
- Creating a file deletion task
- Creating a file quarantine task
- Creating a quarantined file recovery task
- Creating a copy of a task
- Deleting tasks
- Filtering tasks by creation time
- Filtering tasks by type
- Filtering tasks by name
- Filtering tasks by file name and path
- Filtering tasks by description
- Filtering tasks by server name
- Filtering tasks based on the name of the user that created the task
- Filtering tasks by processing status
- Clearing a task filter
- Managing policies (prevention rules)
- Viewing the prevention rule table
- Configuring prevention rule table display
- Viewing a prevention rule
- Creating a prevention rule
- Importing prevention rules
- Enabling and disabling a prevention rule
- Enabling and disabling presets
- Deleting prevention rules
- Filtering prevention rules by name
- Filtering prevention rules by type
- Filtering prevention rules by file hash
- Filtering prevention rules by server name
- Clearing a prevention rule filter
- Managing user-defined rules
- Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting
- Managing user-defined TAA (IOA) rules
- Viewing the TAA (IOA) rule table
- Creating a TAA (IOA) rule based on event search conditions
- Importing TAA (IOA) rules
- Viewing custom TAA (IOA) rule details
- Searching for alerts and events in which TAA (IOA) rules were triggered
- Filtering and searching TAA (IOA) rules
- Resetting the TAA (IOA) rule filter
- Enabling and disabling TAA (IOA) rules
- Modifying a TAA (IOA) rule
- Deleting TAA (IOA) rules
- Managing user-defined IOC rules
- Viewing the table of IOC files
- Viewing information about an IOC file
- Uploading an IOC file
- Downloading an IOC file to a computer
- Enabling and disabling the automatic use of an IOC file when scanning hosts
- Deleting an IOC file
- Searching for alerts in IOC scan results
- Searching for events using an IOC file
- Filtering and searching IOC files
- Clearing an IOC file filter
- Configuring an IOC scan schedule
- Managing user-defined Intrusion Detection rules
- Managing user-defined YARA rules
- Managing objects in Storage and Quarantine
- Viewing the table of objects that were placed in Storage
- Viewing information about an object manually placed in Storage using the web interface
- Viewing information about an object placed in Storage by a get file task
- Viewing information about an object placed in Storage by a get data task
- Downloading objects from Storage
- Uploading objects to Storage
- Sending objects in Storage for scanning
- Deleting objects from Storage
- Filtering objects in Storage by object type
- Filtering objects in Storage by object description
- Filtering objects in Storage based on scan results
- Filtering objects in Storage based on the name of Central Node, PCN, or SCN server
- Filtering objects in Storage by object source
- Filtering objects based on the time they were placed in Storage
- Clearing a Storage objects filter
- Viewing the table of objects quarantined on computers with the Kaspersky Endpoint Agent component
- Viewing information about a quarantined object
- Restoring an object from quarantine
- Obtaining a copy of a quarantined object on a Kaspersky Anti Targeted Attack Platform server
- Removing information about the quarantined object from the table
- Filtering information about quarantined objects by object type
- Filtering information about quarantined objects by object description
- Filtering information about quarantined objects by host name
- Filtering information about quarantined objects by time
- Resetting the filter for information about quarantined objects
- Managing reports
- Managing common reports
- Viewing the table of templates and reports
- Creating a template
- Creating a report based on a template
- Viewing a report
- Downloading a report to a local computer
- Editing a template
- Filtering templates by name
- Filtering templates based on the name of the user that created the template
- Filtering templates by creation time
- Clearing a template filter
- Deleting a template
- Filtering reports by creation time
- Filtering reports by name
- Filtering reports by the name of the server with the Central Node component
- Filtering reports based on the name of the user that created the report
- Clearing a report filter
- Deleting a report
- Managing NDR reports
- Viewing the table of NDR report templates
- Viewing NDR report template details
- Viewing the table of NDR reports
- Manually generating an NDR report based on a template
- Duplicating an NDR report template
- Editing an NDR report template
- Exporting an NDR report to a file
- Deleting an NDR report template
- Deleting an NDR report
- Canceling NDR report generation
- Managing the settings for storing report files
- Managing common reports
- Managing rules for assigning the VIP status to alerts
- Viewing the table of VIP status assignment rules
- Creating a VIP status assignment rule
- Deleting a VIP status assignment rule
- Modifying a VIP status assignment rule
- Importing a list of VIP status assignment rules
- Exporting the list of data excluded from the scan
- Filtering and searching by type of VIP status assignment rule
- Filtering and searching by value of VIP status assignment rule
- Filtering and searching by description of VIP status assignment rule
- Clearing a VIP status assignment rule filter
- Managing allow rules for NDR events
- Managing the list of scan exclusions
- Viewing the table of data excluded from the scan
- Adding a scan exclusion rule
- Deleting a scan exclusion rule
- Editing a rule added to scan exclusions
- Exporting the list of data excluded from the scan
- Filtering rules in the scan exclusion list by criterion
- Searching for rules in the scan exclusion list by value
- Resetting the rule filter in the scan exclusion list
- Managing Intrusion Detection rule exclusions
- Managing TAA exclusions
- Managing ICAP exclusions
- Viewing the ICAP exclusion table
- Adding a rule to ICAP exclusions
- Removing rules from ICAP exclusions
- Editing or disabling a rule in the ICAP exclusion list
- Filtering rules in the ICAP exclusion list by criterion
- Filtering rules in the ICAP exclusion list by value
- Filtering rules in the ICAP exclusion list by state
- Clearing rule filter conditions in the ICAP exclusion list
- Managing mirrored traffic from SPAN ports
- Creating a list of passwords for archives
- Managing Central Node or Sensor server information
- Viewing server settings
- Viewing the table of servers with the Sandbox component
- Viewing the settings of the set of operating systems used for scanning objects in Sandbox
- Viewing the table of external systems
- Managing user-defined Sandbox rules
- Viewing the table of user-defined Sandbox rules
- Configuring the Sandbox rule table display
- Filtering and searching Sandbox rules
- Clearing a Sandbox rule filter
- Viewing the information of a user-defined Sandbox rule
- Creating a user-defined Sandbox rule for scanning files
- Creating a user-defined Sandbox rule for URL scanning
- Copying a user-defined Sandbox rule
- Importing user-defined Sandbox rules for file scanning
- Editing a user-defined Sandbox rule
- Enabling or disabling user-disabling Sandbox rules
- Exporting user-defined Sandbox rules for file scanning
- Deleting user-defined Sandbox rules
- List of extensions for file categories
- Sending notifications
- Viewing the table of rules for sending notifications
- Creating a rule for sending notifications about alerts
- Creating a rule for sending notifications about the operation of application components
- Enabling and disabling a rule for sending notifications
- Modifying a rule for sending notifications
- Deleting a rule for sending notifications
- Filtering and searching notification forwarding rules by rule type
- Filtering and searching notification forwarding rules based on the notification subject
- Filtering and searching notification forwarding rules by email address
- Filtering and searching notification forwarding rules based on their state
- Clearing a notification forwarding rule filter
- Managing logs
- Viewing application messages
- Viewing information about files that have been sent for scanning to the Kaspersky Anti Targeted Attack Platform
- Managing Kaspersky Endpoint Agent for Windows
- Managing Kaspersky Endpoint Security for Windows
- Managing Kaspersky Endpoint Security for Linux
- Managing Kaspersky Endpoint Security for Mac
- Backing up and restoring data
- Upgrading Kaspersky Anti Targeted Attack Platform
- Upgrading Central Node installed on a server from version 6.1 to 7.0.3
- Upgrading Central Node installed as a cluster from version 6.1 to version 7.0.3
- Preparing to install the upgrade in distributed solution and multitenancy mode
- Upgrading Sensor installed on a standalone server
- Contents and amount of information kept when upgrading the Kaspersky Anti Targeted Attack Platform
- Updating Kaspersky Anti Targeted Attack Platform from version 7.0 to version 7.0.1
- Updating Kaspersky Anti Targeted Attack Platform from version 7.0.1 to version 7.0.3
- Using Kaspersky Anti Targeted Attack Platform API KATA and KEDR
- Integrating an external system with Kaspersky Anti Targeted Attack Platform
- API for scanning objects of external systems
- API that external systems can use to receive information about application alerts
- API that external systems can use to receive information about application events
- API for managing Threat Response actions
- Request for getting the list of hosts with the Endpoint Agent component
- Request for information about network isolation and the existence of prevention rules for hosts with the Kaspersky Endpoint Agent component
- Host network isolation management
- Managing prevention rules
- Managing the application run task
- Using Kaspersky Anti Targeted Attack Platform API NDR
- Sources of information about the application
- Contacting the Technical Support Service
- Glossary
- Advanced persistent threat (APT)
- Alert
- Alternate data stream
- Anti-Malware Engine
- Backdoor program
- Central Node
- Communication channel bandwidth
- CSRF attack
- Detection
- Distributed solution
- Dump
- End User License Agreement
- Endpoint Agent component
- ICAP client
- ICAP data
- Intrusion Detection System
- IOA
- IOC
- IOC file
- Kaspersky Anti Targeted Attack Platform
- Kaspersky Private Security Network
- Kaspersky Secure Mail Gateway
- Kaspersky Security Network (KSN)
- Kaspersky Threat Intelligence Portal
- KATA
- KEDR
- Kerberos authentication
- Keytab file
- Local reputation database of KPSN
- Malicious web addresses
- MIB (Management Information Base)
- Mirrored traffic
- MITM attack
- MITRE technique
- Multitenancy
- New generation threats
- NTP server
- OpenIOC
- Phishing URL addresses
- Sandbox
- Sensor
- Service principal name (SPN)
- SIEM system
- Signature
- SPAN
- Syslog
- TAA (IOA) rule
- Targeted attack
- Targeted Attack Analyzer
- Tenant
- TLS encryption
- Tracing
- VIP status
- YARA
- YARA rules
- Zero-day attack
- Zero-day vulnerability
- Information about third-party code
- Trademark notices
For security officers: Getting started with the application web interface > Recommendations for processing alerts
Recommendations for processing alerts
Recommendations for processing alerts
Information about alerts produced by AM (Anti-Malware Engine), SB (Sandbox), YARA, IOC,IDS (Intrusion Detection System), NDR: IDS, and NDR: EA technologies that is displayed in the right part of the window includes recommendations on processing these alerts.
To view alert details:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the line containing the alert whose information you want to view.
This opens a window containing information about the alert.
Article ID: 196721, Last review: Apr 18, 2025