Kaspersky Anti Targeted Attack (KATA) Platform

Recommendations for processing SB alerts

8 November 2023

ID 247618

In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.

You can follow these recommendations:

  • Under Qualifying, expand the Find similar alerts list.

    A list of attributes is displayed that can be used to find similar alerts, and the number of similar alerts for each attribute.

    Select one of the following attributes:

    • By MD5. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the MD5 hash. The MD5 hash of the file from the alert you are working on is highlighted in yellow.
    • By SHA256. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the SHA256 hash. The SHA256 hash of the file from the alert you are working on is highlighted in yellow.
    • By host name. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Source column. The host name from the alert you are working on is highlighted in yellow.
    • By sender address. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Source column. The sender address of the email message from the alert you are working on is highlighted in yellow.
    • By recipient address. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Destination column. The recipient address of the email message from the alert you are working on is highlighted in yellow.
    • By URL. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the URL from the alert you are working on.
    • By URL from Sandbox. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Details column, that is, the URL address from the alert you are working on, as well as all URLs that were found to be relevant by the Sandbox component as the alert was processed.
  • Under Qualifying, select Find similar EPP events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the Scan: detect processing result event type is selected and a search filter is configured, for example, by RemoteIP, MD5, SHA256, or URI. The filtering values are populated with the properties of the alert you are working on, for example, the MD5 hash of the file in the alert.

    The action is only available if you are using KEDR functionality and a KEDR license key has been added.

  • Under Investigation, select Find similar events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, a search filter is configured, for example, by RemoteIP, MD5, SHA256, or URI. The filtering values are populated with the properties of the alert you are working on, for example, the MD5 hash of the file in the alert.

    The action is only available if you are using KEDR functionality and a KEDR license key has been added.
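As an added illustration (not KATA's own code), the Python below reproduces the per-attribute "similar alerts" counts from the Find similar alerts list over a handful of constructed alerts. It assumes a simplified alert record with placeholder hashes, and that the By URL from Sandbox pivot matches another alert's URL against the current alert's URL together with the URLs reported by the Sandbox component.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    """Simplified alert record (assumption; the real KATA alert has many more fields)."""
    alert_id: int
    md5: str = ""
    sha256: str = ""
    host: str = ""
    sender: str = ""
    recipient: str = ""
    url: str = ""
    sandbox_urls: frozenset = field(default_factory=frozenset)  # URLs found relevant by Sandbox

# Constructed sample alerts with placeholder hashes and hosts (not real indicators).
ALERTS = [
    Alert(1, md5="md5-AAAA", sha256="sha-AAAA", host="ws-01", sender="a@example.test",
          recipient="b@example.test", url="http://dl.example.test/x",
          sandbox_urls=frozenset({"http://c2.example.test/beacon"})),
    Alert(2, md5="md5-AAAA", sha256="sha-AAAA", host="ws-02", url="http://other.example.test/y"),
    Alert(3, host="ws-01", url="http://c2.example.test/beacon"),
    Alert(4, sender="a@example.test", recipient="c@example.test"),
    Alert(5, md5="md5-BBBB", sha256="sha-BBBB", host="ws-03"),
]

# One predicate per pivot in the Find similar alerts list. Empty attributes never match,
# so two alerts without a hash are not counted as "similar by MD5".
PIVOTS = {
    "By MD5": lambda a, c: a.md5 and a.md5 == c.md5,
    "By SHA256": lambda a, c: a.sha256 and a.sha256 == c.sha256,
    "By host name": lambda a, c: a.host and a.host == c.host,
    "By sender address": lambda a, c: a.sender and a.sender == c.sender,
    "By recipient address": lambda a, c: a.recipient and a.recipient == c.recipient,
    "By URL": lambda a, c: a.url and a.url == c.url,
    # Widened pivot: the other alert's URL may equal the current URL or any Sandbox-reported URL.
    "By URL from Sandbox": lambda a, c: c.url and c.url in ({a.url} | a.sandbox_urls),
}

def find_similar(current, alerts, pivot):
    """IDs of the other alerts that share the given attribute with `current`."""
    match = PIVOTS[pivot]
    return [c.alert_id for c in alerts if c.alert_id != current.alert_id and bool(match(current, c))]

def similar_alert_counts(current, alerts):
    """The number shown next to each attribute: how many other alerts it would pivot to."""
    return {pivot: len(find_similar(current, alerts, pivot)) for pivot in PIVOTS}

if __name__ == "__main__":
    for pivot, n in similar_alert_counts(ALERTS[0], ALERTS).items():
        print(f"{pivot}: {n}")
```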

See also

Recommendations for processing alerts

Recommendations for processing AM alerts

Recommendations for processing TAA alerts

Recommendations for processing IOC alerts

Recommendations for processing YARA alerts

Recommendations for processing IDS alerts
