- Kaspersky Anti Targeted Attack Platform Help
- Kaspersky Anti Targeted Attack Platform
- What's new
- About Kaspersky Threat Intelligence Portal
- Distribution kit
- Hardware and software requirements
- Compatibility of Kaspersky Endpoint Agent for Windows versions with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of Kaspersky Endpoint Agent for Windows versions with EPP applications
- Compatibility of Kaspersky Endpoint Security for Windows versions with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of Kaspersky Endpoint Security for Linux versions with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of Kaspersky Endpoint Security for Mac with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of KUMA versions with versions of Kaspersky Anti Targeted Attack Platform
- Compatibility of XDR versions with versions of Kaspersky Anti Targeted Attack Platform
- Compatibility of KPSN versions with versions of Kaspersky Anti Targeted Attack Platform
- Compatibility of Kaspersky Anti Targeted Attack Platform with VK Cloud
- Limitations
- Data provision
- Service data of the application
- Data of the Central Node and Sensor components
- Sandbox component data
- Data transmitted between application components
- Data contained in application trace files
- Data of Kaspersky Endpoint Agent for Windows
- Kaspersky Endpoint Security for Windows data
- Kaspersky Endpoint Security for Linux data
- Kaspersky Endpoint Security for Mac data
- Application licensing
- About the End User License Agreement
- About the license certificate
- About the license
- About the license key
- About the key file
- About the activation code
- About the subscription
- Adding a license key
- Replacing the license key
- Removing a license key
- Viewing information about added license keys in the web interface of the Central Node
- Viewing the text of the End User License Agreement in the web interface of the Central Node
- Viewing the text of the Privacy Policy in the web interface of the Central Node
- Viewing information about the third-party code used in the application
- Viewing the text of the End User License Agreement in the web interface of the Sandbox
- Viewing the text of the End User License Agreement for the Endpoint Agent component
- Application modes based on the license
- Architecture of the application
- Operating principle of the application
- Distributed solution and multitenancy
- Distributed solution and multitenancy mode transition scenario
- Modifications of application settings for the distributed solution and multitenancy mode
- Assigning the PCN role to a server
- Assigning the SCN role to a server
- Viewing information about tenants, PCN and SCN servers
- Adding a tenant to the PCN server
- Deleting a tenant from the PCN server
- Renaming a tenant on the PCN server
- Disconnecting an SCN from PCN
- Modifications of application settings for disconnecting an SCN from PCN
- Sizing Guide
- Installing and performing initial configuration of the application
- Preparing for installing application components
- Preparing the IT infrastructure for installing application components
- Preparing the IT infrastructure for integration with a mail server used for receiving messages via POP3
- Preparing the IT infrastructure for integration with a mail server used for receiving messages via SMTP
- Preparing the virtual machine for installing the Sandbox component
- Preparing an installation disk image with the Central Node, Sensor, and Sandbox components
- Procedure for installing and configuring application components
- Installing the Sandbox component
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a disk for installing the Sandbox component
- Step 3. Assigning the host name
- Step 4. Selecting the controlling network interface in the list
- Step 5. Assigning the address and network mask of the controlling interface
- Step 6. Adding DNS server addresses
- Step 7. Configuring a static network route
- Step 8. Configuring the minimum password length for the Sandbox administrator password
- Step 9. Creating the Sandbox administrator account
- Deploying the Central Node component with Embedded Sensor as a cluster
- Deploying a storage server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a server role
- Step 3. Selecting the deployment mode
- Step 4. Selecting a disk for installing the component
- Step 5. Selecting a network mask for server addressing
- Step 6. Selecting a network mask for addressing of application components
- Step 7. Selecting the cluster network interface
- Step 8. Selecting the external network interface
- Step 9. Selecting the method of obtaining IP addresses for network interfaces
- Step 10. Creating an administrator account and authenticating the server in the cluster
- Step 11. Adding DNS server addresses
- Step 12. Configuring time synchronization with an NTP server
- Step 13. Selecting disks for the Ceph storage
- Deploying the processing server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a server role
- Step 3. Selecting a disk for installing the component
- Step 4. Selecting a network mask for cluster server addressing
- Step 5. Selecting a network mask for addressing of application components
- Step 6. Selecting the cluster network interface
- Step 7. Selecting the external network interface
- Step 8. Selecting the method of obtaining IP addresses for network interfaces
- Step 9. Authenticating the server in the cluster
- Step 10. Selecting the localization language for the NDR functionality and configuring the receipt of mirrored traffic from SPAN ports
- Purging hard disks on storage servers
- Deploying a storage server
- Installing the Central Node component with Embedded Sensor on a server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a server role
- Step 3. Selecting a disk for installing the component
- Step 4. Allocating the disk for the Targeted Attack Analyzer component's database
- Step 5. Selecting a network mask for server addressing
- Step 6. Selecting a network mask for addressing of application components
- Step 7. Selecting the external network interface
- Step 8. Selecting the method of obtaining IP addresses for network interfaces
- Step 9. Creating the administrator account
- Step 10. Selecting the localization language for the NDR functionality
- Step 11. Adding DNS server addresses
- Step 12. Configuring time synchronization with an NTP server
- Step 13. Configuring receipt of mirrored traffic from SPAN ports
- Installing the Sensor component on a standalone server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a server role
- Step 3. Selecting a disk for installing the component
- Step 4. Selecting a network mask for server addressing
- Step 5. Selecting a network mask for addressing of application components
- Step 6. Selecting the external network interface
- Step 7. Selecting the method of obtaining IP addresses for network interfaces
- Step 8. Creating the administrator account
- Step 9. Adding DNS server addresses
- Step 10. Configuring time synchronization with an NTP server
- Step 11. Configuring receipt of mirrored traffic from SPAN ports
- Optimization of network interface settings for the Sensor component
- Connecting and configuring external storage for the Sensor component
- Preparing for installing application components
- Configuring the sizing settings of the application
- Configuring firewall rules
- Ports used on computers with Kaspersky Anti Targeted Attack Platform components
- Ports used by Kaspersky Anti Targeted Attack Platform services in a cluster configuration
- Ports used by services of a Central Node deployed as a server
- Ports used by services in a configuration with the Sensor component installed on a standalone server
- Ports for communication between network traffic analysis services
- Configuring integration of the Endpoint Agent component with the KEDR functional block
- Configuring a trusted connection with Kaspersky Endpoint Agent
- Configuring the validation of the Kaspersky Endpoint Agent TLS certificate by the Central Node server and uploading a crypto container to Kaspersky Endpoint Agent
- Uploading a TLS certificate of the Central Node server or Sensor to Kaspersky Endpoint Agent
- Configuring the integration and trusted connection with Kaspersky Anti Targeted Attack Platform on the Kaspersky Endpoint Agent side
- Configuring a trusted connection with Kaspersky Endpoint Security
- Downloading the TLS certificate of the Central Node server
- Generating a TLS certificate for the Central Node server in the web interface of Kaspersky Anti Targeted Attack Platform
- Uploading an independently prepared TLS certificate for the Central Node server using the web interface of Kaspersky Anti Targeted Attack Platform
- Enabling the validation of the TLS certificate of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform
- Generating a TLS certificate of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform and downloading a crypto container
- Uploading an independently prepared TLS certificate of the Endpoint Agent component using the web interface of Kaspersky Anti Targeted Attack Platform
- Viewing the table of TLS certificates of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform
- Filtering and searching TLS certificates of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform
- Deleting TLS certificates of the Endpoint Agent component in the web interface of Kaspersky Anti Targeted Attack Platform
- Configuring traffic redirection from the Endpoint Agent component to the Sensor server
- Configuring a trusted connection with Kaspersky Endpoint Agent
- Configuring integration of the Endpoint Agent component with the NDR functional block
- Integration servers table
- Scenario for preparing to receive data from the Endpoint Agent component
- Adding an integration server
- Creating a communication data package for clients of an integration server
- Enabling or disabling an integration server
- Editing integration server settings
- Removing an integration server
- Getting started with the application
- Managing accounts of application administrators and users
- Creating an administrator account for the application web interface
- Creating a user account for the application web interface
- Configuring user account table display
- Viewing the user account table
- Filtering user accounts
- Clearing the account filter
- Changing access rights of an application web interface user account
- Enabling and disabling an administrator account or user account of the application web interface
- Changing the password of an application administrator or user account
- Changing the password of your account
- Authentication using domain accounts
- Participation in Kaspersky Security Network and use of Kaspersky Private Security Network
- Managing the Sandbox component through the web interface
- Updating the Sandbox component databases
- Configuring connection between the Sandbox and Central Node components
- Configuring the Sandbox component network interfaces
- Setting the Sandbox system date and time
- Installing and configuring images of operating systems and applications required for the operation of the Sandbox component
- Managing operating system and application images in the Sandbox Storage
- Managing virtual machine templates
- Managing virtual machines
- Setting the maximum number of simultaneously running virtual machines
- Changing the number of license keys for a virtual machine with a custom operating system image
- Downloading the Sandbox system log to the hard drive
- Exporting Sandbox settings
- Importing Sandbox settings
- Restarting the Sandbox server
- Powering off the Sandbox server
- Changing the Sandbox administrator account password
- For administrators: Getting started with the application web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Monitoring the performance of the application
- About widgets and layouts
- Selecting a tenant and a server to manage in the Dashboard section
- Adding a widget to the current layout
- Moving a widget in the current layout
- Changing the display of information in NDR widgets
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the data display period in widgets
- Monitoring the receipt and processing of incoming data
- Monitoring the queues for data processing by application modules and components
- Monitoring the processing of data by the Sandbox component
- Viewing the working condition of modules and components of the application
- Managing Central Node or Sensor server information
- Managing Central Node, PCN, or SCN servers using the application web interface
- Changing the server name
- Configuring the date and time on the server
- Generating or uploading a TLS certificate of the server
- Downloading the TLS certificate of the server
- Assigning a server DNS name
- Configuring DNS settings
- Configuring settings of the network interface
- Configuring the default network route
- Configuring proxy server connection settings
- Configuring the mail server connection
- Managing traffic saving settings
- Managing the settings for saving traffic dump files
- Selecting operating systems to use when scanning objects in Sandbox
- Password policies
- Managing the Sensor component
- Connecting the Sensor component to the Central Node
- Managing the certificate of the Sensor component
- Logging in to the web interface of the Sensor component
- Changing the server name
- Managing monitoring points
- Configuring the maximum size of a scanned file
- Configuring HTTP packet body dumping
- Configuring integration with a mail server via SMTP
- Configuring integration with a proxy server via ICAP
- Configuring recording of mirrored traffic from SPAN ports
- Configuring integration with a mail server via POP3
- Managing the cluster
- Notifications about the maximum allowed CPU and RAM load for the Central Node and Sensor servers
- Configuring the SNMP protocol connection
- Managing Endpoint Agent host information
- Selecting a tenant to manage in the Endpoint Agents section
- Viewing the table of hosts with the Endpoint Agent component on a standalone Central Node server
- Viewing information about a host
- Filtering and searching hosts with the Endpoint Agent component by host name
- Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
- Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
- Filtering and searching hosts with the Endpoint Agent component by computer IP address
- Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
- Filtering and searching hosts with the Endpoint Agent component by component version
- Filtering and searching hosts with the Endpoint Agent component by their activity
- Quickly creating a filter for hosts with the Endpoint Agent component
- Resetting the filter for hosts with the Endpoint Agent component
- Configuring activity indicators of the Endpoint Agent component
- Removing hosts with the Endpoint Agent component
- Automatic removal of inactive hosts
- Supported interpreters and processes
- Configuring integration with the Sandbox component
- Manually sending files from Endpoint Agent hosts to be scanned by Sandbox
- Configuring integration with external systems
- Configuring integration with Kaspersky Managed Detection and Response
- Configuring integration with an SIEM system
- Renewing the certificate for connecting to the Central Node using the API
- Managing connectors
- Managed and unmanaged connectors
- Sending events, application messages, and audit records to third-party systems
- Automatic network access control for devices via Cisco Switch connectors
- Adding a connector
- Viewing the table of connectors
- Enabling or disabling a connector
- Editing connector settings
- Creating a new communication data package for a connector
- Deleting a connector
- Adding and deleting connector types
- Managing account credentials secrets for remote connections
- Updating application databases
- Creating a list of passwords for archives
- Configuring integration with ArtX TLSproxy
- For security officers: Getting started with the application web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Selecting a tenant to manage in the web interface of the application
- Monitoring the performance of the application
- About widgets and layouts
- Adding a widget to the current layout
- Moving a widget in the current layout
- Changing the display of information in NDR widgets
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the data display period in widgets
- Configuring the widget display scale
- Basics of managing "Alerts" type widgets
- Information in the Devices widget
- Information in the Events widget
- Viewing the working condition of modules and components of the application
- Managing technologies
- Viewing the alert table
- Configuring the alert table display
- Filtering, sorting, and searching alerts
- Filtering alerts by VIP status
- Filtering and searching alerts by time
- Filtering alerts by level of importance
- Filtering and searching alerts by categories of objects detected
- Filtering and searching alerts by obtained information
- Filtering and searching alerts by source address
- Filtering and searching alerts by destination address
- Filtering and searching alerts by server name
- Filtering and searching alerts by technology name
- Filtering and searching alerts by the status of their processing by the user
- Filtering and searching alerts by the name of the user to which they are assigned
- Sorting alerts in the table
- Quickly creating an alert filter
- Saving filters
- Resetting the alert filter
- Recommendations for processing alerts
- Recommendations for processing AM alerts
- Recommendations for processing TAA alerts
- Recommendations for processing SB alerts
- Recommendations for processing IOC alerts
- Recommendations for processing YARA alerts
- Recommendations for processing IDS alerts
- Recommendations for processing NDR:IDS and NDR:EA alerts
- Viewing alerts
- Viewing alert details
- General information about an alert of any type
- Information in the Object information section
- Information in the Alert details section
- Information in the Information about scanning using NDR technologies section
- Information in the Scan results section
- Information in the IDS rule section
- Information in the URL section
- Information in the IP addresses of detection-related devices section
- Information in the Network event section
- Scan results in Sandbox
- IOC scan results
- Information in the Hosts section
- Information in the Change log section
- Sending alert data
- Viewing alert relations
- User actions performed on alerts
- Monitoring network traffic events
- NDR event scores and severity levels
- NDR event registration technologies
- NDR event statuses
- Table of registered NDR events
- Configuring the table of registered events
- Viewing events nested inside an aggregate event
- Viewing details of an NDR event
- Changing the status of an NDR event
- Adding markers
- Copying NDR events to a text editor
- Downloading traffic for events
- Creating a directory for exporting events to a network share
- Events database threat hunting
- Searching for events in builder mode
- Searching for events in source code mode
- Converting a builder query for searching events in source code mode
- Event search criteria
- Operators
- Sorting events in the table
- Changing the event search conditions
- Searching for events by processing results in EPP applications
- Searching for events using conditions specified in an IOC or YAML file
- Creating a TAA (IOA) rule based on event search conditions
- Event information
- Recommendations for processing events
- Information about events in the tree of events
- Viewing the table of events
- Configuring the event table display
- Viewing information about an event
- Information about the "Process started" event
- Information about the "Process terminated" event
- Information about the "Module loaded" event
- Information about the "Remote connection" event
- Information about the "Prevention rule" event
- Information about the "Document blocked" event
- Information about the "File modified" event
- Information about the "System event log" event
- Information about the "Changes in the registry" event
- Information about the "Port listened" event
- Information about the "Driver loaded" event
- Information about the "DNS" event
- Information about the "LDAP" event
- Information about the "Named pipe" event
- Information about the "WMI" event
- Information about the "Alert" event
- Information about the "Alert processing result" event
- Information about the "Interpreted file run" event
- Information about the "AMSI scan" event
- Information about the "Interactive command input at the console" event
- Information about the "Code injection" event
- Information about the "Process access" event
- Event chain scanning by Kaspersky TAA (IOA) rules
- Managing assets
- Viewing the table of devices
- Viewing device information
- Automatically adding and updating devices
- Manually adding devices
- Automatically assigning device status
- Automatically grouping devices based on a criterion
- Manually arranging devices into groups
- Moving servers with components and groups to other groups on the network interactions map
- Device group tree
- Manually editing the device group tree
- Adding and removing device labels
- Group response
- Monitoring users on devices
- Monitoring file execution on devices
- Active device polling jobs
- Configuring address spaces
- Working with the network interactions map
- Nodes on the network interactions map
- Device groups on the network interactions map
- Links on the network interactions map
- Viewing object details
- Zooming the network interactions map
- Positioning the network map
- Pinning and unpinning nodes and groups
- Manually rearranging nodes and groups
- Automatically arranging nodes and groups
- Searching for nodes on the network interactions map
- Filtering objects on the network interactions map
- Saving and loading the display settings of the network interactions map
- Adding a new view and saving the current display settings of the network interactions map
- Refreshing a view while keeping the current display settings of the network interactions map
- Renaming a network interactions map view
- Deleting a network interactions map view
- Applying settings saved in the view to the network interactions map
- Monitoring network sessions
- Monitoring risks
- Configuring NDR event types
- Viewing the table of event types
- Editing the settings of a system event type
- Configuring automatic saving of traffic for system event types
- Configuring the forwarding of events through connectors
- Common substitution variables in Kaspersky Anti Targeted Attack Platform
- NDR event registration technologies
- System event types in Kaspersky Anti Targeted Attack Platform
- Configuring risk types
- System event types in Kaspersky Anti Targeted Attack Platform
- Managing Endpoint Agent host information
- Viewing the table of hosts with the Endpoint Agent component
- Configuring the display of the table of hosts with the Endpoint Agent component
- Viewing information about a host
- Filtering and searching hosts with the Endpoint Agent component by host name
- Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
- Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
- Filtering and searching hosts with the Endpoint Agent component by computer IP address
- Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
- Filtering and searching hosts with the Endpoint Agent component by component version
- Filtering and searching hosts with the Endpoint Agent component by their activity
- Quickly creating a filter for hosts with the Endpoint Agent component
- Resetting the filter for hosts with the Endpoint Agent component
- Removing hosts with the Endpoint Agent component
- Configuring activity indicators of the Endpoint Agent component
- Supported interpreters and processes
- Network isolation of hosts with the Endpoint Agent component
- Automatically sending files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules
- Selecting operating systems to use when scanning objects in Sandbox
- Managing tasks
- Viewing the task table
- Viewing information about a task
- Creating a get file task
- Creating a forensic collection task
- Creating a registry key retrieval task
- Creating an NTFS metafile retrieval task
- Creating a process memory dump retrieval task
- Creating a disk image retrieval task
- Creating a RAM dump retrieval task
- Creating a process termination task
- Creating a task to scan hosts using YARA rules
- Creating a service management task
- Creating an application execution task
- Creating a file deletion task
- Creating a file quarantine task
- Creating a quarantined file recovery task
- Creating a copy of a task
- Deleting tasks
- Filtering tasks by creation time
- Filtering tasks by type
- Filtering tasks by name
- Filtering tasks by file name and path
- Filtering tasks by description
- Filtering tasks by server name
- Filtering tasks based on the name of the user that created the task
- Filtering tasks by processing status
- Clearing a task filter
- Managing policies (prevention rules)
- Viewing the prevention rule table
- Configuring prevention rule table display
- Viewing a prevention rule
- Creating a prevention rule
- Importing prevention rules
- Enabling and disabling a prevention rule
- Enabling and disabling presets
- Deleting prevention rules
- Filtering prevention rules by name
- Filtering prevention rules by type
- Filtering prevention rules by file hash
- Filtering prevention rules by server name
- Clearing a prevention rule filter
- Managing user-defined rules
- Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting
- Managing user-defined TAA (IOA) rules
- Viewing the TAA (IOA) rule table
- Creating a TAA (IOA) rule based on event search conditions
- Importing TAA (IOA) rules
- Viewing custom TAA (IOA) rule details
- Searching for alerts and events in which TAA (IOA) rules were triggered
- Filtering and searching TAA (IOA) rules
- Resetting the TAA (IOA) rule filter
- Enabling and disabling TAA (IOA) rules
- Modifying a TAA (IOA) rule
- Deleting TAA (IOA) rules
- Managing user-defined IOC rules
- Viewing the table of IOC files
- Viewing information about an IOC file
- Uploading an IOC file
- Downloading an IOC file to a computer
- Enabling and disabling the automatic use of an IOC file when scanning hosts
- Deleting an IOC file
- Searching for alerts in IOC scan results
- Searching for events using an IOC file
- Filtering and searching IOC files
- Clearing an IOC file filter
- Configuring an IOC scan schedule
- Managing user-defined Intrusion Detection rules
- Managing user-defined YARA rules
- Managing objects in Storage and Quarantine
- Viewing the table of objects that were placed in Storage
- Viewing information about an object manually placed in Storage using the web interface
- Viewing information about an object placed in Storage by a get file task
- Viewing information about an object placed in Storage by a get data task
- Downloading objects from Storage
- Uploading objects to Storage
- Sending objects in Storage for scanning
- Deleting objects from Storage
- Filtering objects in Storage by object type
- Filtering objects in Storage by object description
- Filtering objects in Storage based on scan results
- Filtering objects in Storage based on the name of Central Node, PCN, or SCN server
- Filtering objects in Storage by object source
- Filtering objects based on the time they were placed in Storage
- Clearing a Storage objects filter
- Viewing the table of objects quarantined on computers with the Kaspersky Endpoint Agent component
- Viewing information about a quarantined object
- Restoring an object from quarantine
- Obtaining a copy of a quarantined object on a Kaspersky Anti Targeted Attack Platform server
- Removing information about the quarantined object from the table
- Filtering information about quarantined objects by object type
- Filtering information about quarantined objects by object description
- Filtering information about quarantined objects by host name
- Filtering information about quarantined objects by time
- Resetting the filter for information about quarantined objects
- Managing reports
- Managing common reports
- Viewing the table of templates and reports
- Creating a template
- Creating a report based on a template
- Viewing a report
- Downloading a report to a local computer
- Editing a template
- Filtering templates by name
- Filtering templates based on the name of the user that created the template
- Filtering templates by creation time
- Clearing a template filter
- Deleting a template
- Filtering reports by creation time
- Filtering reports by name
- Filtering reports by the name of the server with the Central Node component
- Filtering reports based on the name of the user that created the report
- Clearing a report filter
- Deleting a report
- Managing NDR reports
- Viewing the table of NDR report templates
- Viewing NDR report template details
- Viewing the table of NDR reports
- Manually generating an NDR report based on a template
- Duplicating an NDR report template
- Editing an NDR report template
- Exporting an NDR report to a file
- Deleting an NDR report template
- Deleting an NDR report
- Canceling NDR report generation
- Managing the settings for storing report files
- Managing common reports
- Managing rules for assigning the VIP status to alerts
- Viewing the table of VIP status assignment rules
- Creating a VIP status assignment rule
- Deleting a VIP status assignment rule
- Modifying a VIP status assignment rule
- Importing a list of VIP status assignment rules
- Exporting the list of data excluded from the scan
- Filtering and searching by type of VIP status assignment rule
- Filtering and searching by value of VIP status assignment rule
- Filtering and searching by description of VIP status assignment rule
- Clearing a VIP status assignment rule filter
- Managing allow rules for NDR events
- Managing the list of scan exclusions
- Viewing the table of data excluded from the scan
- Adding a scan exclusion rule
- Deleting a scan exclusion rule
- Editing a rule added to scan exclusions
- Exporting the list of data excluded from the scan
- Filtering rules in the scan exclusion list by criterion
- Searching for rules in the scan exclusion list by value
- Resetting the rule filter in the scan exclusion list
- Managing Intrusion Detection rule exclusions
- Managing TAA exclusions
- Managing ICAP exclusions
- Viewing the ICAP exclusion table
- Adding a rule to ICAP exclusions
- Removing rules from ICAP exclusions
- Editing or disabling a rule in the ICAP exclusion list
- Filtering rules in the ICAP exclusion list by criterion
- Filtering rules in the ICAP exclusion list by value
- Filtering rules in the ICAP exclusion list by state
- Clearing rule filter conditions in the ICAP exclusion list
- Managing mirrored traffic from SPAN ports
- Creating a list of passwords for archives
- Managing Central Node or Sensor server information
- Viewing server settings
- Viewing the table of servers with the Sandbox component
- Viewing the settings of the set of operating systems used for scanning objects in Sandbox
- Viewing the table of external systems
- Managing user-defined Sandbox rules
- Viewing the table of user-defined Sandbox rules
- Configuring the Sandbox rule table display
- Filtering and searching Sandbox rules
- Clearing a Sandbox rule filter
- Viewing the information of a user-defined Sandbox rule
- Creating a user-defined Sandbox rule for scanning files
- Creating a user-defined Sandbox rule for URL scanning
- Copying a user-defined Sandbox rule
- Importing user-defined Sandbox rules for file scanning
- Editing a user-defined Sandbox rule
- Enabling or disabling user-disabling Sandbox rules
- Exporting user-defined Sandbox rules for file scanning
- Deleting user-defined Sandbox rules
- List of extensions for file categories
- Sending notifications
- Viewing the table of rules for sending notifications
- Creating a rule for sending notifications about alerts
- Creating a rule for sending notifications about the operation of application components
- Enabling and disabling a rule for sending notifications
- Modifying a rule for sending notifications
- Deleting a rule for sending notifications
- Filtering and searching notification forwarding rules by rule type
- Filtering and searching notification forwarding rules based on the notification subject
- Filtering and searching notification forwarding rules by email address
- Filtering and searching notification forwarding rules based on their state
- Clearing a notification forwarding rule filter
- Managing logs
- Viewing application messages
- Viewing information about files that have been sent for scanning to the Kaspersky Anti Targeted Attack Platform
- Managing Kaspersky Endpoint Agent for Windows
- Managing Kaspersky Endpoint Security for Windows
- Managing Kaspersky Endpoint Security for Linux
- Managing Kaspersky Endpoint Security for Mac
- Backing up and restoring data
- Upgrading Kaspersky Anti Targeted Attack Platform
- Upgrading Central Node installed on a server from version 6.1 to 7.0.3
- Upgrading Central Node installed as a cluster from version 6.1 to version 7.0.3
- Preparing to install the upgrade in distributed solution and multitenancy mode
- Upgrading Sensor installed on a standalone server
- Contents and amount of information kept when upgrading the Kaspersky Anti Targeted Attack Platform
- Updating Kaspersky Anti Targeted Attack Platform from version 7.0 to version 7.0.1
- Updating Kaspersky Anti Targeted Attack Platform from version 7.0.1 to version 7.0.3
- Using Kaspersky Anti Targeted Attack Platform API KATA and KEDR
- Integrating an external system with Kaspersky Anti Targeted Attack Platform
- API for scanning objects of external systems
- API that external systems can use to receive information about application alerts
- API that external systems can use to receive information about application events
- API for managing Threat Response actions
- Request for getting the list of hosts with the Endpoint Agent component
- Request for information about network isolation and the existence of prevention rules for hosts with the Kaspersky Endpoint Agent component
- Host network isolation management
- Managing prevention rules
- Managing the application run task
- Using Kaspersky Anti Targeted Attack Platform API NDR
- Sources of information about the application
- Contacting the Technical Support Service
- Glossary
- Advanced persistent threat (APT)
- Alert
- Alternate data stream
- Anti-Malware Engine
- Backdoor program
- Central Node
- Communication channel bandwidth
- CSRF attack
- Detection
- Distributed solution
- Dump
- End User License Agreement
- Endpoint Agent component
- ICAP client
- ICAP data
- Intrusion Detection System
- IOA
- IOC
- IOC file
- Kaspersky Anti Targeted Attack Platform
- Kaspersky Private Security Network
- Kaspersky Secure Mail Gateway
- Kaspersky Security Network (KSN)
- Kaspersky Threat Intelligence Portal
- KATA
- KEDR
- Kerberos authentication
- Keytab file
- Local reputation database of KPSN
- Malicious web addresses
- MIB (Management Information Base)
- Mirrored traffic
- MITM attack
- MITRE technique
- Multitenancy
- New generation threats
- NTP server
- OpenIOC
- Phishing URL addresses
- Sandbox
- Sensor
- Service principal name (SPN)
- SIEM system
- Signature
- SPAN
- Syslog
- TAA (IOA) rule
- Targeted attack
- Targeted Attack Analyzer
- Tenant
- TLS encryption
- Tracing
- VIP status
- YARA
- YARA rules
- Zero-day attack
- Zero-day vulnerability
- Information about third-party code
- Trademark notices
For security officers: Getting started with the application web interface > Events database threat hunting > Event search criteria
Event search criteria
Event search criteria
You can use the following criteria to search for events in builder mode:
- General information:
- Host is the host name.
- HostIP is the IP address of the host.
- EventType is the type of the event.
- UserName is the name of the user.
- OsFamily is the family of the operating system.
- OsVersion is the version of the operating system being used on the host.
- TAA properties:
- IOAId is the TAA (IOA) rule ID.
- IOATag is the information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
- IOATechnique is the MITRE technique.
- IOATactics is the MITRE tactic.
- IOAImportance is the importance level that is assigned to an event generated using this TAA (IOA) rule.
- IOAConfidence is the level of confidence depending on the likelihood of false alarms caused by the rule.
- File properties:
- CreationTime is the event creation time.
- FileName is the name of the file.
- FilePath is the path to the directory where the file is located.
- FileFullName is the full path to the file. Includes the path to the directory and the file name.
- ModificationTime is the file modification time.
- FileSize is the size of the file.
- MD5 is the MD5 hash of the file.
- SHA256 is the SHA256 hash of the file.
- SimilarDLLPath is the malicious DLL placed in a directory on the standard search path to make the operating system load it before the original DLL.
- Linux processes:
- LogonRemoteHost is the IP address of the host that initiated remote access.
- RealUserName is the name of the user assigned when the user was registered in the system.
- EffectiveUserName is the user name that was used to log in to the system.
- FileOwnerUserName is the name of the file owner.
- RealGroupName is the name of the user group.
- EffectiveGroupName is the name of the user group that is used for operation.
- Environment is system environment variables.
- ProcessType is the type of the process.
- OperationResult is the result of the operation.
- Process started:
- PID is the process ID.
- ParentFileFullName is the path to the parent process file.
- ParentMD5 is the MD5 hash of the parent process file.
- ParentSHA256 is the SHA256 hash of the parent process file.
- StartupParameters is the options that the process was started with.
- ParentPID is the parent process ID.
- ParentStartupParameters is the parent process startup settings.
- Remote connection:
- HTTPMethod is the HTTP request method. For example, Get, Post, or Connect.
- ConnectionDirection is the direction of the connection (inbound or outbound).
- LocalIP is the IP address of the local computer from which the remote connection attempt was made.
- LocalPort is the IP address of the local computer from which the remote connection attempt was made.
- RemoteHostName is the name of the computer that was the target of the remote connection attempt.
- RemoteIP is the IP address of the computer that was the target of the remote connection attempt.
- RemotePort is the port of the computer that was the target of the remote connection attempt.
- URl is the address of the resource to which the HTTP request was made.
- TlsVersion is the version of the protocol.
- TlsSni is the Server Name Indication, that is, the name of the resource to which the connection is being established.
- TlsCertificateMd5 is the MD5 hash of the TLS certificate.
- TlsCertificateSha1 is the SHA1 hash of the TLS certificate.
- TlsCertificateSubjectNames are the primary and secondary DNS names.
- TlsCertificateIssuerName is the name of the organization of the certificate owner.
- TlsCertificateSerialNumber is the serial number of the certificate.
- TlsCertificateCheckResult is the certificate verification result.
- TlsCipherSuite are the cipher suites of the certificate.
- TlsCertificateValidFrom is the date from which the certificate expiration date is calculated.
- TlsCertificateValidTo is the date after which the certificate expires.
- DNS:
- DnsServerIpAddress is the IP address of the DNS server.
- DnsQueryDomainName is the domain name from the request.
- DnsAnswerData is the response data.
- DnsQueryTypeId is the record type ID.
- LDAP:
- LDAPSearchFilter is the search filter.
- LDAPSearchDistinguishedName is the distinguished name.
- LDAPSearchAttributeList is a list of search attributes.
- LDAPSearchScope is the search scope.
- Named pipe:
- PipeName is the named pipe.
- PipeOperationType is the type of the operation with the named pipe.
- WMI:
- WmiOperationType is the WMI operation type: WMI activity or WMI event consumer name.
- WmiHostName is the name of the machine.
- WmiUserName is the user name.
- WmiNamespaceName is the namespace.
- WmiQuery is the text of the query.
- WmiFilterName is the event filter.
- WmiConsumerName is the name of the event consumer.
- WmiConsumerText is the source code of the event consumer.
- Registry modified:
- RegistryKey is the registry key.
- RegistryValueName is the name of the registry value.
- RegistryValue is the data of the registry value.
- RegistryOperationType is the type of the operation with the registry.
- RegistryPreviousKey is the previous registry key.
- RegistryPreviousValue is the previous name of the registry value.
- System event log:
- WinLogEventID is the type ID of the security event in the Windows log.
- LinuxEventType is the type of the event. This criterion is used for Linux and macOS operating systems.
- WinLogName is the name of the log.
- WinLogEventRecordID is the log entry ID.
- WinLogProviderName is the ID of the system that logged the event.
- WinLogTargetDomainName is the domain name of the remote computer.
- WinLogObjectName is the name of the object that initiated the event.
- WinlogPackageName is the name of the package that initiated the event.
- WinLogProcessName is the name of the process that initiated the event.
- Detect and processing result:
- DetectName is the name of the detected object.
- RecordID is the ID of the triggered rule.
- ProcessingMode is the scanning mode.
- ObjectName is the name of the object.
- ObjectType is the type of the object.
- ThreatStatus is the detection mode.
- UntreatedReason is the event processing status.
- ObjectContent (for AMSI events too) is the content of the script sent for scanning.
- ObjectContentType (for AMSI events too) is the type of script content.
- Console interactive input:
- InteractiveInputText is the text entered on the command line.
- InteractiveInputType is the input type (console or pipe).
- File modified:
- FileOperationType is the type of the file operation.
- FilePreviousPath is the path to the directory where the file was previously located.
- FilePreviousName is the previous name of the file.
- FilePreviousFullName is the full name of the file including the path to the directory where the file was previously located and/or the previous file name.
- DroppedFileType is the type of the modified file.
- Code injection and process access:
- AccessMethod is the access method.
- InjectAddress is the address space of the recipient process.
- InjectedDllName is the name of the injected DLL.
- ModifiedStartupParameters are the modified startup parameters.
- InjectedDllPath is the path to the injected DLL.
- CallTrace is the call trace.
- TargetStartupParameters is the command that was used to start the recipient process.
- Process access:
- AccessOperationType is the operation type: Process access is open or Duplicate handle.
- ProccessAccessRights are the requested process access rights.
- HandleSourceStartupParameters is the command that starts the source handle.
- HandletargetStartupParameters is the command to start the target handle.
- Other:
- File type is the type of the file.
- TlsJa3Md5 contains decimal byte values for the following fields in the client hello packet: TLS version, cipher suite, list of TLS protocol extensions, elliptic curves, and elliptic curve formats.
- TlsJa3sMd5 contains decimal byte values for the following fields in the server hello packet: TLS version, cipher suite, and list of TLS protocol extensions.
- DotNetAssemblyName is the name of the .NET assembly.
- DotNetAssemblyFlags contains .NET assembly flags.
To view the list of event search fields in source code mode, you can download this file.
Article ID: 249034, Last review: Apr 18, 2025