Kaspersky Anti Targeted Attack (KATA) Platform

Recommendations for processing IOC alerts

8 November 2023

ID 247619

In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts that have attributes in common with the alert you are working on.

The following recommendations are available:

  • Under Qualifying, select Find similar alerts by host name. Click the link to open the Alerts table in a new browser tab. The alerts are filtered by the Source column, and the host name from the alert you are working on is highlighted in yellow.
  • Under Qualifying, select Find similar alerts by IOC. Click the link to open the Alerts table in a new browser tab. The alerts are filtered by the Detected column, using the name of the IOC file from the alert you are working on.
  • In the Quick response section, select Isolate <host name>. This opens the network isolation rule creation window.

To create a host isolation rule, enter the following settings:

  1. In the Disable isolation after field, enter the time in hours (1 to 9,999) during which network isolation of the host will be active.
  2. In the Exclusions for the host isolation rule settings group, in the Traffic direction list, select the direction of network traffic that must not be blocked:
    • Incoming/Outgoing.
    • Incoming.
    • Outgoing.
  3. In the IP field, enter the IP address whose network traffic must not be blocked.

    If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, you can use a proxy server for the connection of Kaspersky Endpoint Agent for Windows with Kaspersky Anti Targeted Attack Platform. When you add this proxy server to exclusions, network resources that can be accessed through the proxy server are also added to exclusions. If network resources that are accessed through the proxy server are added to exclusions, but the proxy server itself is not, such exclusions do not work.

  4. If you selected Incoming or Outgoing, in the Ports field, enter the connection ports.
  5. If you want to add more than one exclusion, click Add and repeat the steps to fill in the Traffic direction, IP and Ports fields.
  6. Click Save.
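The settings above (isolation duration, exclusion direction, IP and ports, and the proxy caveat in step 3) are easy to get wrong when rules are prepared outside the console, for example in a runbook or a ticket before an analyst enters them. The following Python snippet is an added example, not part of the original article and not a Kaspersky API: it models a host isolation rule as plain data and checks it against the constraints the article states. The rule and exclusion classes, the `validate_rule` and `parse_ports` helpers, and the `proxy_ip` parameter are assumptions made for this illustration; the sample values are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Traffic directions offered by the isolation rule window, as named in the article.
DIRECTIONS = {"Incoming/Outgoing", "Incoming", "Outgoing"}


@dataclass
class Exclusion:
    """One exclusion row: direction, IP and (for Incoming/Outgoing only) ports."""
    direction: str
    ip: str
    ports: List[int] = field(default_factory=list)


@dataclass
class IsolationRule:
    """Hypothetical data model for the 'Isolate <host name>' rule (not KATA's own)."""
    host: str
    disable_after_hours: int
    exclusions: List[Exclusion] = field(default_factory=list)


def parse_ports(spec: str) -> List[int]:
    """Turn a port spec such as '80,443,8000-8002' into a sorted list of ports."""
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return sorted(ports)


def validate_rule(rule: IsolationRule, proxy_ip: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the rule matches the article's constraints."""
    errors: List[str] = []

    # Step 1: isolation duration must be 1..9999 hours.
    if not 1 <= rule.disable_after_hours <= 9999:
        errors.append(f"disable after {rule.disable_after_hours}h is outside 1-9999")

    valid_ips: set[str] = set()
    for idx, ex in enumerate(rule.exclusions, start=1):
        # Step 2: direction must be one of the three list entries.
        if ex.direction not in DIRECTIONS:
            errors.append(f"exclusion {idx}: unknown direction {ex.direction!r}")

        # Step 3: IP must be a syntactically valid address.
        try:
            valid_ips.add(str(ipaddress.ip_address(ex.ip)))
        except ValueError:
            errors.append(f"exclusion {idx}: invalid IP address {ex.ip!r}")

        # Step 4: the Ports field only exists for Incoming or Outgoing
        # (assumption: ports are expected whenever one of those is selected).
        if ex.direction == "Incoming/Outgoing" and ex.ports:
            errors.append(f"exclusion {idx}: ports cannot be set for Incoming/Outgoing")
        if ex.direction in ("Incoming", "Outgoing") and not ex.ports:
            errors.append(f"exclusion {idx}: ports are expected for {ex.direction}")
        for port in ex.ports:
            if not 1 <= port <= 65535:
                errors.append(f"exclusion {idx}: port {port} is out of range")

    # Proxy caveat from step 3: exclusions for resources reached through the
    # proxy do not work unless the proxy server itself is excluded.
    if proxy_ip is not None:
        proxy = str(ipaddress.ip_address(proxy_ip))
        if proxy not in valid_ips:
            errors.append(f"proxy server {proxy} is not excluded; exclusions reached through it will not work")

    return errors


if __name__ == "__main__":
    # Constructed sample: a host isolated for one day, with the proxy itself excluded.
    sample = IsolationRule(
        host="WS-EXAMPLE-01",
        disable_after_hours=24,
        exclusions=[
            Exclusion("Outgoing", "10.0.0.5", parse_ports("443")),
            Exclusion("Incoming/Outgoing", "10.0.0.1"),
        ],
    )
    for problem in validate_rule(sample, proxy_ip="10.0.0.5") or ["rule is consistent"]:
        print(problem)
```

Running the block checks the constructed sample; feeding it a rule whose exclusions name resources behind the proxy but omit the proxy address reproduces the "exclusions do not work" situation the article warns about as an explicit error rather than a silent failure.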

See also

Recommendations for processing alerts

Recommendations for processing AM alerts

Recommendations for processing TAA alerts

Recommendations for processing SB alerts

Recommendations for processing YARA alerts

Recommendations for processing IDS alerts
