Recommendations for processing TAA alerts

In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.

You can follow the following recommendations:

• Under Qualifying, expand the Find similar alerts list.

  A list of attributes is displayed that can be used to find similar alerts, and the number of similar alerts for each attribute.

  Select one of the following attributes:

  • By rule name (TAA alerts). Clicking the link opens the Alerts alert table in a new browser tab; the alerts are filtered by Detected and Technologies columns, that is, the name of the TAA (IOA) rule that was used to create the alert, and the name of the (TAA) Targeted Attack Analyzer technology.
  • By rule name (SB alerts). Clicking the link opens the Alerts alert table in a new browser tab; the alerts are filtered by Detected and Technologies columns, that is, the name of the TAA (IOA) rule that was used to create the alert, and the name of the (SB) Sandbox technology.
• Under Investigation, select Find similar events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, a search filter is configured, for example, by RemoteIP, MD5, SHA256, URI. The filtering values are populated with the properties of the alert you are working on. For example, the MD5 hash of the file in the alert.

  The action is only available if you are using KEDR functionality and a KEDR license key has been added.

  Kaspersky Endpoint Detection and Response. Functional block of the Kaspersky Anti Targeted Attack Platform program, which provides protection for the local area network of the organization.