Kaspersky Anti Targeted Attack Platform

Kaspersky Anti Targeted Attack Platform

Support Send link

Kaspersky Anti Targeted Attack Platform Help
Kaspersky Anti Targeted Attack Platform
- What's new
- About Kaspersky Threat Intelligence Portal
- Distribution kit
- Hardware and software requirements
- Limitations
Data provision
- Service data of the application
- Data of the Central Node and Sensor components
- Sandbox component data
- Data transmitted between application components
- Data contained in application trace files
- Data of Kaspersky Endpoint Agent for Windows
- Kaspersky Endpoint Security for Windows data
- Kaspersky Endpoint Security for Linux data
- Kaspersky Endpoint Security for Mac data
Application licensing
- About the End User License Agreement
- About the license certificate
- About the license
- About the license key
- About the key file
- About the activation code
- About the subscription
- Adding a license key
- Replacing the license key
- Removing a license key
- Viewing information about added license keys in the web interface of the Central Node
- Viewing the text of the End User License Agreement in the web interface of the Central Node
- Viewing the text of the Privacy Policy in the web interface of the Central Node
- Viewing information about the third-party code used in the application
- Viewing the text of the End User License Agreement in the web interface of the Sandbox
- Viewing the text of the End User License Agreement for the Endpoint Agent component
- Application modes based on the license
Architecture of the application
- Sensor component
- Central Node component
- Sandbox component
- Endpoint Agent component
Operating principle of the application
Distributed solution and multitenancy
- Distributed solution and multitenancy mode transition scenario
- Modifications of application settings for the distributed solution and multitenancy mode
- Assigning the PCN role to a server
- Assigning the SCN role to a server
- Viewing information about tenants, PCN and SCN servers
- Adding a tenant to the PCN server
- Deleting a tenant from the PCN server
- Renaming a tenant on the PCN server
- Disconnecting an SCN from PCN
- Modifications of application settings for disconnecting an SCN from PCN
Sizing Guide
- Common scenarios for deployment and installation of application components
- Sizing calculator
Installing and performing initial configuration of the application
- Preparing for installing application components
- Procedure for installing and configuring application components
- Installing the Sandbox component
- Deploying the Central Node component with Embedded Sensor as a cluster
- Installing the Central Node component with Embedded Sensor on a server
- Installing the Sensor component on a standalone server
- Optimization of network interface settings for the Sensor component
- Connecting and configuring external storage for the Sensor component
Configuring the sizing settings of the application
Configuring firewall rules
- Ports used on computers with Kaspersky Anti Targeted Attack Platform components
- Ports used by Kaspersky Anti Targeted Attack Platform services in a cluster configuration
- Ports used by services of a Central Node deployed as a server
- Ports used by services in a configuration with the Sensor component installed on a standalone server
- Ports for communication between network traffic analysis services
Configuring integration of the Endpoint Agent component with the KEDR functional block
- Configuring a trusted connection with Kaspersky Endpoint Agent
- Configuring a trusted connection with Kaspersky Endpoint Security
- Downloading the TLS certificate of the Central Node server
- Generating a TLS certificate for the Central Node server in the web interface of Kaspersky Anti Targeted Attack Platform
- Uploading an independently prepared TLS certificate for the Central Node server using the web interface of Kaspersky Anti Targeted Attack Platform
- Enabling the validation of the TLS certificate of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform
- Generating a TLS certificate of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform and downloading a crypto container
- Uploading an independently prepared TLS certificate of the Endpoint Agent component using the web interface of Kaspersky Anti Targeted Attack Platform
- Viewing the table of TLS certificates of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform
- Filtering and searching TLS certificates of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform
- Deleting TLS certificates of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform
- Configuring traffic redirection from the Endpoint Agent component to the Sensor server
Configuring integration of the Endpoint Agent component with the NDR functional block
- Integration servers table
- Scenario for preparing to receive data from the Endpoint Agent component
- Adding an integration server
- Creating a communication data package for clients of an integration server
- Enabling or disabling an integration server
- Editing integration server settings
- Removing an integration server
Getting started with the application
- Getting started with the application web interface with an administrator account
- Getting started with the application administrator menu
- Getting started with the application in Technical Support Mode
Managing accounts of application administrators and users
- Creating an administrator account for the application web interface
- Creating a user account for the application web interface
- Configuring user account table display
- Viewing the user account table
- Filtering user accounts
- Clearing the account filter
- Changing access rights of an application web interface user account
- Enabling and disabling an administrator account or user account of the application web interface
- Changing the password of an application administrator or user account
- Changing the password of your account
Authentication using domain accounts
- Creating a keytab file
- Configuring integration with Active Directory
- Disabling integration with Active Directory.
Participation in Kaspersky Security Network and use of Kaspersky Private Security Network
- Viewing the KSN Statement and configuring participation in KSN
- Enabling the use of KPSN
- Configuring a connection to a local reputation database of KPSN
- Configuring information to be saved to a local reputation database of KPSN
- Declining participation in KSN and use of KPSN
Managing the Sandbox component through the web interface
- Updating the Sandbox component databases
- Configuring connection between the Sandbox and Central Node components
  - Processing connection requests from the Central Node servers in the Sandbox web interface
- Configuring the Sandbox component network interfaces
- Setting the Sandbox system date and time
- Installing and configuring images of operating systems and applications required for the operation of the Sandbox component
- Managing operating system and application images in the Sandbox Storage
- Managing virtual machine templates
- Managing virtual machines
- Setting the maximum number of simultaneously running virtual machines
- Changing the number of license keys for a virtual machine with a custom operating system image
- Downloading the Sandbox system log to the hard drive
- Exporting Sandbox settings
- Importing Sandbox settings
- Restarting the Sandbox server
- Powering off the Sandbox server
- Changing the Sandbox administrator account password
For administrators: Getting started with the application web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Monitoring the performance of the application
  - About widgets and layouts
  - Selecting a tenant and a server to manage in the Dashboard section
  - Adding a widget to the current layout
  - Moving a widget in the current layout
  - Changing the display of information in NDR widgets
  - Removing a widget from the current layout
  - Saving a layout to PDF
  - Configuring the data display period in widgets
  - Monitoring the receipt and processing of incoming data
  - Monitoring the queues for data processing by application modules and components
  - Monitoring the processing of data by the Sandbox component
  - Viewing the working condition of modules and components of the application
- Managing Central Node or Sensor server information
  - Viewing information about Central Node or Sensor servers
  - Viewing network interface information
  - Identifying the Ethernet port associated with a network interface
- Managing Central Node, PCN, or SCN servers using the application web interface
  - Changing the server name
  - Configuring the date and time on the server
  - Generating or uploading a TLS certificate of the server
  - Downloading the TLS certificate of the server
  - Assigning a server DNS name
  - Configuring DNS settings
  - Configuring settings of the network interface
  - Configuring the default network route
  - Configuring proxy server connection settings
  - Configuring the mail server connection
  - Managing traffic saving settings
  - Managing the settings for saving traffic dump files
  - Selecting operating systems to use when scanning objects in Sandbox
  - Password policies
    - Enforced password change after the first successful authentication
    - Enforced regular password change
- Managing the Sensor component
  - Connecting the Sensor component to the Central Node
    - Connecting the Sensor component using a communication data package
    - Adding and connecting the Sensor component automatically over the network
  - Managing the certificate of the Sensor component
  - Logging in to the web interface of the Sensor component
  - Changing the server name
  - Managing monitoring points
  - Configuring the maximum size of a scanned file
  - Configuring HTTP packet body dumping
  - Configuring integration with a mail server via SMTP
  - Configuring integration with a proxy server via ICAP
  - Configuring recording of mirrored traffic from SPAN ports
  - Configuring integration with a mail server via POP3
- Managing the cluster
  - Viewing the table of servers of the cluster
  - Adding a server to a cluster
  - Increasing the disk space on the storage server
  - Decommissioning servers
    - Removing a server from a cluster
  - Starting up and shutting down the cluster
- Notifications about the maximum allowed CPU and RAM load for the Central Node and Sensor servers
  - Configuring the maximum allowable CPU and RAM load of the Central Node and Sensor servers
- Configuring the SNMP protocol connection
  - Description of MIB objects of Kaspersky Anti Targeted Attack Platform
- Managing Endpoint Agent host information
  - Selecting a tenant to manage in the Endpoint Agents section
  - Viewing the table of hosts with the Endpoint Agent component on a standalone Central Node server
  - Viewing information about a host
  - Filtering and searching hosts with the Endpoint Agent component by host name
  - Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
  - Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
  - Filtering and searching hosts with the Endpoint Agent component by computer IP address
  - Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
  - Filtering and searching hosts with the Endpoint Agent component by component version
  - Filtering and searching hosts with the Endpoint Agent component by their activity
  - Quickly creating a filter for hosts with the Endpoint Agent component
  - Resetting the filter for hosts with the Endpoint Agent component
  - Configuring activity indicators of the Endpoint Agent component
  - Removing hosts with the Endpoint Agent component
  - Automatic removal of inactive hosts
  - Supported interpreters and processes
- Configuring integration with the Sandbox component
  - Viewing the table of servers with the Sandbox component
  - Creating a request to connect to the server with the Sandbox component
  - Enabling and disabling a connection with the Sandbox component
  - Deleting a connection with the Sandbox component
- Manually sending files from Endpoint Agent hosts to be scanned by Sandbox
  - Enabling and disabling the manual sending of files from Endpoint Agent hosts to be scanned by Sandbox
- Configuring integration with external systems
  - Viewing the table of external systems
  - Processing a request from an external system
  - Removing an external system from the list of those allowed to integrate
  - Configuring the priority for processing traffic from mail sensors
- Configuring integration with Kaspersky Managed Detection and Response
  - Enabling the MDR integration
  - Disabling the MDR integration
  - Replacing the MDR configuration file
- Configuring integration with an SIEM system
  - Enabling and disabling information logging to a remote log
  - Configuring the main settings for SIEM system integration
  - Uploading a TLS certificate
  - Enabling and disabling TLS encryption of the connection with the SIEM system
  - Content and properties of syslog messages about alerts
- Renewing the certificate for connecting to the Central Node using the API
- Managing connectors
  - Managed and unmanaged connectors
  - Sending events, application messages, and audit records to third-party systems
  - Automatic network access control for devices via Cisco Switch connectors
  - Adding a connector
  - Viewing the table of connectors
  - Enabling or disabling a connector
  - Editing connector settings
  - Creating a new communication data package for a connector
  - Deleting a connector
  - Adding and deleting connector types
- Managing account credentials secrets for remote connections
  - Adding a secret
  - Viewing table of secrets
  - Protecting against compromise of secrets when connected to remote devices
  - Editing the settings of a secret
  - Deleting secrets
- Updating application databases
  - Selecting a database update source
  - Updating databases manually
- Creating a list of passwords for archives
- Configuring integration with ArtX TLSproxy
For security officers: Getting started with the application web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Selecting a tenant to manage in the web interface of the application
- Monitoring the performance of the application
  - About widgets and layouts
  - Adding a widget to the current layout
  - Moving a widget in the current layout
  - Changing the display of information in NDR widgets
  - Removing a widget from the current layout
  - Saving a layout to PDF
  - Configuring the data display period in widgets
  - Configuring the widget display scale
  - Basics of managing "Alerts" type widgets
  - Information in the Devices widget
  - Information in the Events widget
  - Viewing the working condition of modules and components of the application
- Managing technologies
  - Enabling or disabling technologies
  - Configuring Device Activity Detection mode
  - Managing technology inheritance
- Viewing the alert table
- Configuring the alert table display
- Filtering, sorting, and searching alerts
  - Filtering alerts by VIP status
  - Filtering and searching alerts by time
  - Filtering alerts by level of importance
  - Filtering and searching alerts by categories of objects detected
  - Filtering and searching alerts by obtained information
  - Filtering and searching alerts by source address
  - Filtering and searching alerts by destination address
  - Filtering and searching alerts by server name
  - Filtering and searching alerts by technology name
  - Filtering and searching alerts by the status of their processing by the user
  - Filtering and searching alerts by the name of the user to which they are assigned
  - Sorting alerts in the table
  - Quickly creating an alert filter
  - Saving filters
  - Resetting the alert filter
- Recommendations for processing alerts
  - Recommendations for processing AM alerts
  - Recommendations for processing TAA alerts
  - Recommendations for processing SB alerts
  - Recommendations for processing IOC alerts
  - Recommendations for processing YARA alerts
  - Recommendations for processing IDS alerts
  - Recommendations for processing NDR:IDS and NDR:EA alerts
- Viewing alerts
  - Viewing alert details
  - General information about an alert of any type
  - Information in the Object information section
  - Information in the Alert details section
  - Information in the Information about scanning using NDR technologies section
  - Information in the Scan results section
  - Information in the IDS rule section
  - Information in the URL section
  - Information in the IP addresses of detection-related devices section
  - Information in the Network event section
  - Scan results in Sandbox
  - IOC scan results
  - Information in the Hosts section
  - Information in the Change log section
  - Sending alert data
  - Viewing alert relations
- User actions performed on alerts
  - Assigning alerts to a specific user
  - Marking the completion of single alert processing
  - Marking the completion of alerts processing
  - Modifying the status of VIP alerts
  - Adding a comment to an alert
- Monitoring network traffic events
  - NDR event scores and severity levels
  - NDR event registration technologies
  - NDR event statuses
  - Table of registered NDR events
  - Configuring the table of registered events
  - Viewing events nested inside an aggregate event
  - Viewing details of an NDR event
  - Changing the status of an NDR event
  - Adding markers
  - Copying NDR events to a text editor
  - Downloading traffic for events
  - Creating a directory for exporting events to a network share
- Events database threat hunting
  - Searching for events in builder mode
  - Searching for events in source code mode
  - Converting a builder query for searching events in source code mode
  - Event search criteria
  - Operators
  - Sorting events in the table
  - Changing the event search conditions
  - Searching for events by processing results in EPP applications
  - Searching for events using conditions specified in an IOC or YAML file
  - Creating a TAA (IOA) rule based on event search conditions
- Event information
  - Recommendations for processing events
    - Following a recommendation to isolate a host
    - Following a recommendation to prevent a file from running
    - Following a recommendation to create a task
  - Information about events in the tree of events
    - Viewing parent process information in the tree of events
    - Viewing information about events initiated by the parent process in the tree of events
    - Viewing host information in the tree of events
  - Viewing the table of events
  - Configuring the event table display
  - Viewing information about an event
  - Information about the "Process started" event
  - Information about the "Process terminated" event
  - Information about the "Module loaded" event
  - Information about the "Remote connection" event
  - Information about the "Prevention rule" event
  - Information about the "Document blocked" event
  - Information about the "File modified" event
  - Information about the "System event log" event
  - Information about the "Changes in the registry" event
  - Information about the "Port listened" event
  - Information about the "Driver loaded" event
  - Information about the "DNS" event
  - Information about the "LDAP" event
  - Information about the "Named pipe" event
  - Information about the "WMI" event
  - Information about the "Alert" event
  - Information about the "Alert processing result" event
  - Information about the "Interpreted file run" event
  - Information about the "AMSI scan" event
  - Information about the "Interactive command input at the console" event
  - Information about the "Code injection" event
  - Information about the "Process access" event
- Event chain scanning by Kaspersky TAA (IOA) rules
  - Enabling or disabling event chain scanning by Kaspersky TAA (IOA) rules
  - Viewing events marked by a Kaspersky TAA (IOA) rule
- Managing assets
  - Viewing the table of devices
  - Viewing device information
  - Automatically adding and updating devices
  - Manually adding devices
  - Automatically assigning device status
  - Automatically grouping devices based on a criterion
    - Automatically grouping devices based on a criterion, starting from the root of the group tree
    - Automatically grouping devices in a selected device group
  - Manually arranging devices into groups
  - Moving servers with components and groups to other groups on the network interactions map
  - Device group tree
  - Manually editing the device group tree
  - Adding and removing device labels
  - Group response
  - Monitoring users on devices
  - Monitoring file execution on devices
  - Active device polling jobs
- Configuring address spaces
  - About address space rules
  - About address space subnets
  - Adding an address space
  - Creating a subnet list for Asset Management
  - Viewing information about devices with IP addresses from the selected subnets
  - Changing an address space
  - Deleting an address space
- Working with the network interactions map
  - Nodes on the network interactions map
  - Device groups on the network interactions map
  - Links on the network interactions map
  - Viewing object details
  - Zooming the network interactions map
  - Positioning the network map
  - Pinning and unpinning nodes and groups
  - Manually rearranging nodes and groups
  - Automatically arranging nodes and groups
  - Searching for nodes on the network interactions map
  - Filtering objects on the network interactions map
  - Saving and loading the display settings of the network interactions map
- Monitoring network sessions
  - Network sessions table
  - Viewing network session details
  - Downloading network session traffic
  - Searching network packets
  - Preconfigured network packet search rules
- Monitoring risks
  - About risks of the Vulnerability category
  - Implementation scenario for a continuous risk management process
  - Viewing the risk table
  - Viewing risk information
  - Manually changing risk status
  - Viewing risk information while managing the table of devices
- Configuring NDR event types
  - Viewing the table of event types
  - Editing the settings of a system event type
  - Configuring automatic saving of traffic for system event types
  - Configuring the forwarding of events through connectors
  - Common substitution variables in Kaspersky Anti Targeted Attack Platform
  - NDR event registration technologies
  - System event types in Kaspersky Anti Targeted Attack Platform
- Configuring risk types
  - Viewing the table of risk types
  - Changing the base score for a risk type
  - Managing the settings for storing risks
- System event types in Kaspersky Anti Targeted Attack Platform
  - System event types of the Intrusion Detection technology
  - System event types of the Asset Management technology
  - System event types of the External systems technology
  - System event types of the Endpoint Protection Platform technology
- Managing Endpoint Agent host information
  - Viewing the table of hosts with the Endpoint Agent component
  - Configuring the display of the table of hosts with the Endpoint Agent component
  - Viewing information about a host
  - Filtering and searching hosts with the Endpoint Agent component by host name
  - Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
  - Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
  - Filtering and searching hosts with the Endpoint Agent component by computer IP address
  - Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
  - Filtering and searching hosts with the Endpoint Agent component by component version
  - Filtering and searching hosts with the Endpoint Agent component by their activity
  - Quickly creating a filter for hosts with the Endpoint Agent component
  - Resetting the filter for hosts with the Endpoint Agent component
  - Removing hosts with the Endpoint Agent component
  - Configuring activity indicators of the Endpoint Agent component
  - Supported interpreters and processes
- Network isolation of hosts with the Endpoint Agent component
  - Creating a network isolation rule
  - Adding an exclusion from a network isolation rule
  - Deleting a network isolation rule
  - Limitations that are relevant to network isolation
- Automatically sending files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules
  - Enabling and disabling the automatic sending of files from hosts with the Endpoint Agent component to be scanned by the Sandbox component
- Selecting operating systems to use when scanning objects in Sandbox
  - Viewing the table of servers with the Sandbox component
  - Selecting operating systems to use when scanning objects in Sandbox
- Managing tasks
  - Viewing the task table
  - Viewing information about a task
  - Creating a get file task
  - Creating a forensic collection task
  - Creating a registry key retrieval task
  - Creating an NTFS metafile retrieval task
  - Creating a process memory dump retrieval task
  - Creating a disk image retrieval task
    - Converting a file from RAW to EWF format
  - Creating a RAM dump retrieval task
  - Creating a process termination task
  - Creating a task to scan hosts using YARA rules
  - Creating a service management task
  - Creating an application execution task
  - Creating a file deletion task
  - Creating a file quarantine task
  - Creating a quarantined file recovery task
  - Creating a copy of a task
  - Deleting tasks
  - Filtering tasks by creation time
  - Filtering tasks by type
  - Filtering tasks by name
  - Filtering tasks by file name and path
  - Filtering tasks by description
  - Filtering tasks by server name
  - Filtering tasks based on the name of the user that created the task
  - Filtering tasks by processing status
  - Clearing a task filter
- Managing policies (prevention rules)
  - Viewing the prevention rule table
  - Configuring prevention rule table display
  - Viewing a prevention rule
  - Creating a prevention rule
  - Importing prevention rules
  - Enabling and disabling a prevention rule
  - Enabling and disabling presets
  - Deleting prevention rules
  - Filtering prevention rules by name
  - Filtering prevention rules by type
  - Filtering prevention rules by file hash
  - Filtering prevention rules by server name
  - Clearing a prevention rule filter
- Managing user-defined rules
  - Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting
  - Managing user-defined TAA (IOA) rules
  - Managing user-defined IOC rules
  - Managing user-defined Intrusion Detection rules
  - Managing user-defined YARA rules
- Managing objects in Storage and Quarantine
  - Viewing the table of objects that were placed in Storage
  - Viewing information about an object manually placed in Storage using the web interface
  - Viewing information about an object placed in Storage by a get file task
  - Viewing information about an object placed in Storage by a get data task
  - Downloading objects from Storage
  - Uploading objects to Storage
  - Sending objects in Storage for scanning
  - Deleting objects from Storage
  - Filtering objects in Storage by object type
  - Filtering objects in Storage by object description
  - Filtering objects in Storage based on scan results
  - Filtering objects in Storage based on the name of Central Node, PCN, or SCN server
  - Filtering objects in Storage by object source
  - Filtering objects based on the time they were placed in Storage
  - Clearing a Storage objects filter
  - Viewing the table of objects quarantined on computers with the Kaspersky Endpoint Agent component
  - Viewing information about a quarantined object
  - Restoring an object from quarantine
  - Obtaining a copy of a quarantined object on a Kaspersky Anti Targeted Attack Platform server
  - Removing information about the quarantined object from the table
  - Filtering information about quarantined objects by object type
  - Filtering information about quarantined objects by object description
  - Filtering information about quarantined objects by host name
  - Filtering information about quarantined objects by time
  - Resetting the filter for information about quarantined objects
- Managing reports
  - Managing common reports
  - Managing NDR reports
- Managing rules for assigning the VIP status to alerts
  - Viewing the table of VIP status assignment rules
  - Creating a VIP status assignment rule
  - Deleting a VIP status assignment rule
  - Modifying a VIP status assignment rule
  - Importing a list of VIP status assignment rules
  - Exporting the list of data excluded from the scan
  - Filtering and searching by type of VIP status assignment rule
  - Filtering and searching by value of VIP status assignment rule
  - Filtering and searching by description of VIP status assignment rule
  - Clearing a VIP status assignment rule filter
- Managing allow rules for NDR events
  - Viewing the table of allow rules
  - Creating an allow rule with blank settings or settings from a template
  - Creating an allow rule from a registered event
  - Copying an allow rule
  - Editing the settings of an allow rule
  - Enabling or disabling allow rules
  - Deleting allow rules
- Managing the list of scan exclusions
  - Viewing the table of data excluded from the scan
  - Adding a scan exclusion rule
  - Deleting a scan exclusion rule
  - Editing a rule added to scan exclusions
  - Exporting the list of data excluded from the scan
  - Filtering rules in the scan exclusion list by criterion
  - Searching for rules in the scan exclusion list by value
  - Resetting the rule filter in the scan exclusion list
- Managing Intrusion Detection rule exclusions
  - Viewing the table of Intrusion Detection rules added to exclusions
  - Adding an Intrusion Detection rule to exclusions
  - Editing the description of an Intrusion Detection rule added to exclusions
  - Removing Intrusion Detection rules from exclusions
- Managing TAA exclusions
  - Viewing the table of TAA (IOA) rules added to exclusions
  - Adding a TAA (IOA) rule to exclusions
  - Viewing a TAA (IOA) rule added to exclusions
  - Removing a TAA (IOA) rule from exclusions
- Managing ICAP exclusions
  - Viewing the ICAP exclusion table
  - Adding a rule to ICAP exclusions
  - Removing rules from ICAP exclusions
  - Editing or disabling a rule in the ICAP exclusion list
  - Filtering rules in the ICAP exclusion list by criterion
  - Filtering rules in the ICAP exclusion list by value
  - Filtering rules in the ICAP exclusion list by state
  - Clearing rule filter conditions in the ICAP exclusion list
- Managing mirrored traffic from SPAN ports
- Creating a list of passwords for archives
- Managing Central Node or Sensor server information
- Viewing server settings
- Viewing the table of servers with the Sandbox component
- Viewing the settings of the set of operating systems used for scanning objects in Sandbox
- Viewing the table of external systems
Managing user-defined Sandbox rules
- Viewing the table of user-defined Sandbox rules
- Configuring the Sandbox rule table display
- Filtering and searching Sandbox rules
- Clearing a Sandbox rule filter
- Viewing the information of a user-defined Sandbox rule
- Creating a user-defined Sandbox rule for scanning files
- Creating a user-defined Sandbox rule for URL scanning
- Copying a user-defined Sandbox rule
- Importing user-defined Sandbox rules for file scanning
- Editing a user-defined Sandbox rule
- Enabling or disabling user-disabling Sandbox rules
- Exporting user-defined Sandbox rules for file scanning
- Deleting user-defined Sandbox rules
- List of extensions for file categories
Sending notifications
- Viewing the table of rules for sending notifications
- Creating a rule for sending notifications about alerts
- Creating a rule for sending notifications about the operation of application components
- Enabling and disabling a rule for sending notifications
- Modifying a rule for sending notifications
- Deleting a rule for sending notifications
- Filtering and searching notification forwarding rules by rule type
- Filtering and searching notification forwarding rules based on the notification subject
- Filtering and searching notification forwarding rules by email address
- Filtering and searching notification forwarding rules based on their state
- Clearing a notification forwarding rule filter
Managing logs
- Managing the activity log
- Managing the NDR user activity log
- Setting the maximum storage space limit for trace logs
- Setting the maximum storage space limit for trace logs
Viewing application messages
Viewing information about files that have been sent for scanning to the Kaspersky Anti Targeted Attack Platform
Managing Kaspersky Endpoint Agent for Windows
Managing Kaspersky Endpoint Security for Windows
Managing Kaspersky Endpoint Security for Linux
Managing Kaspersky Endpoint Security for Mac
Backing up and restoring data
- Backing up and restoring the data of the Central Node server
- Backing up and restoring the data of the Central Node server deployed as a cluster
- Backing up and restoring the data of the Central Node server in distributed solution and multitenancy mode
- Contents of exported data
Upgrading Kaspersky Anti Targeted Attack Platform
- Upgrading Central Node installed on a server from version 6.1 to 7.0.3
- Upgrading Central Node installed as a cluster from version 6.1 to version 7.0.3
- Preparing to install the upgrade in distributed solution and multitenancy mode
- Upgrading Sensor installed on a standalone server
- Contents and amount of information kept when upgrading the Kaspersky Anti Targeted Attack Platform
- Updating Kaspersky Anti Targeted Attack Platform from version 7.0 to version 7.0.1
- Updating Kaspersky Anti Targeted Attack Platform from version 7.0.1 to version 7.0.3
Using Kaspersky Anti Targeted Attack Platform API KATA and KEDR
- Integrating an external system with Kaspersky Anti Targeted Attack Platform
- API for scanning objects of external systems
- API that external systems can use to receive information about application alerts
  - Request to display alert information
  - Scope of transmitted data
- API that external systems can use to receive information about application events
- API for managing Threat Response actions
Using Kaspersky Anti Targeted Attack Platform API NDR
- Ensuring security when using Kaspersky Anti Targeted Attack Platform API
- Creating and using connectors for Kaspersky Anti Targeted Attack Platform API
Sources of information about the application
Contacting the Technical Support Service
- How to obtain Technical Support
- Technical Support via Kaspersky CompanyAccount
Glossary
- Advanced persistent threat (APT)
- Alert
- Alternate data stream
- Anti-Malware Engine
- Backdoor program
- Central Node
- Communication channel bandwidth
- CSRF attack
- Detection
- Distributed solution
- Dump
- End User License Agreement
- Endpoint Agent component
- ICAP client
- ICAP data
- Intrusion Detection System
- IOA
- IOC
- IOC file
- Kaspersky Anti Targeted Attack Platform
- Kaspersky Private Security Network
- Kaspersky Secure Mail Gateway
- Kaspersky Security Network (KSN)
- Kaspersky Threat Intelligence Portal
- KATA
- KEDR
- Kerberos authentication
- Keytab file
- Local reputation database of KPSN
- Malicious web addresses
- MIB (Management Information Base)
- Mirrored traffic
- MITM attack
- MITRE technique
- Multitenancy
- New generation threats
- NTP server
- OpenIOC
- Phishing URL addresses
- Sandbox
- Sensor
- Service principal name (SPN)
- SIEM system
- Signature
- SPAN
- Syslog
- TAA (IOA) rule
- Targeted attack
- Targeted Attack Analyzer
- Tenant
- TLS encryption
- Tracing
- VIP status
- YARA
- YARA rules
- Zero-day attack
- Zero-day vulnerability
Information about third-party code
Trademark notices

For security officers: Getting started with the application web interface > Events database threat hunting

Events database threat hunting

When managing the application web interface, you can generate search queries and use IOC and YAML files to search the events database for threats, for tenants to whose data you have access.

To form search queries through the events database, you can use builder mode or source code mode.

In builder mode, you can create and modify search queries using drop-down lists with options for the type of field value and operators.

In source code mode, you can create and modify search queries using text commands.

You can upload an IOC file or a YAML file with a Sigma rule and search for events in accordance with the conditions specified in this file.

Users with the Senior security officer, Security officer roles can also create TAA (IOA) rules based on event search conditions.

In this section

Searching events in design mode

Searching for events in source code mode

Conversion to a query to search events in source code mode

Event search criteria

Sorting events in the table

Changing the event search conditions

Searching for events by processing results in EPP applications

Searching for events using conditions specified in an IOC or YAML file

Creating a TAA (IOA) rule based on event search conditions

Article ID: 247636, Last review: Apr 18, 2025

Page top