Kaspersky Anti Targeted Attack (KATA) Platform

Information in the Scan results section

8 November 2023

ID 247627

The Scan results section can display the following results of alert scanning:

  • The names of the application modules or components that generated the alert.
  • One or multiple categories of the detected object. For example, the name of the virus can be shown: Virus.Win32.Chiton.i.
  • Versions of databases of Kaspersky Anti Targeted Attack Platform modules and components that generated the alert.
  • Results of alert scanning by application modules and components:
    • YARA—Results of streaming scans of files and objects received at the Central Node, or results of scanning hosts with the Endpoint Agent component. Possible values:
      • Category of the detected file in YARA rules (for example, category name susp_fake_Microsoft_signer can be displayed).

        Displayed for streaming scans.

        Click Create prevention rule to prevent the file from running.

        The Find on TIP button allows you to look up the file on the Kaspersky Threat Intelligence Portal.

      • Path to the file and/or name of the memory dump.

        Displayed when scanning hosts with the Kaspersky Endpoint Agent component.

        Clicking the link with the file path opens a list in which you can select one of the following actions:

      You can click Create task to create the following tasks:

      Click Create prevention rule to prevent the file from running.

      The Find on TIP button allows you to look up the file on the Kaspersky Threat Intelligence Portal.

      You can click View in quarantine to display quarantined object details.

    • SB (Sandbox)—Results of the file behavior analysis performed by the Sandbox component.

      You can click Sandbox detect to open a window with detailed information about the results of file behavior analysis.

      The Find on TIP button allows you to look up the file on the Kaspersky Threat Intelligence Portal.

      Click Create prevention rule to prevent the file from running.

      You can download a detailed log of file behavior analysis in all operating systems by clicking Download debug info.

      The file is downloaded as a ZIP archive encrypted with the password "infected". Inside the archive, the scanned file is renamed to its MD5 hash, and its original file extension is not preserved.

      By default, the maximum hard drive space for storing file behavior scan logs is 300 GB in all operating systems. Upon reaching this limit, the application deletes the oldest file behavior scan logs and replaces them with new logs.

    • URL (URL Reputation)—Category of a malicious or phishing URL, or of a URL that has previously been used by attackers in targeted attacks on corporate IT infrastructures.
    • IDS (Intrusion Detection System) is the category of the detected object based on the Intrusion Detection System database or the name of the IDS user rule that was used to create the alert. For example, the displayed category can be Trojan-Clicker.Win32.Cycler.a.

      Click the link to display the category of the object in the Kaspersky Threats database.

    • AM (Anti-Malware Engine)—Category of the detected object based on the anti-virus database. For example, the name of the virus can be shown: Virus.Win32.Chiton.i.

      Click the link to display the category of the object in the Kaspersky Threats database.

      The Find on TIP button allows you to look up the file on the Kaspersky Threat Intelligence Portal.

      Click Create prevention rule to prevent the file from running.

      Click Download to download the file to your computer's hard drive.

    • TAA (Targeted Attack Analyzer)—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.

      Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.

    • IOC—Name of the IOC file used to create the alert.

      Select an IOC file to open a window with the results of the IOC scan.

      Click All alert-related events to display the Threat Hunting event table in a new browser tab. The search criteria are pre-filled with a filter (for example, by MD5 or FileFullName) whose values are taken from the properties of the alert you are working on, such as the MD5 hash of the file in the alert.
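The debug-info archive described under SB (Sandbox) above renames the scanned file to its MD5 hash and protects the archive with the password "infected". The following helper, added here as an example and not part of the KATA product or its documentation, opens such an archive and checks that every MD5-named entry really hashes to its name, so an analyst can confirm the sample was not altered in transit. It assumes the archive uses traditional ZIP password encryption (the only kind Python's zipfile can read); the sample archive it builds is constructed and unencrypted because zipfile cannot write encrypted archives.

```python
import hashlib
import io
import zipfile

# Password stated in the documentation for the "Download debug info" archive.
DEBUG_INFO_PASSWORD = b"infected"


def verify_debug_info_archive(archive_bytes, password=DEBUG_INFO_PASSWORD):
    """Open a debug-info ZIP and check each MD5-named entry against its content.

    Returns a dict mapping entry name -> True (hash matches) or False.
    Entries whose names are not 32 hex characters (e.g. behaviour logs)
    are skipped. Assumption: traditional ZIP password encryption; an
    AES-encrypted archive would need an external unzip tool.
    """
    results = {}
    hexdigits = set("0123456789abcdefABCDEF")
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            if len(name) != 32 or any(c not in hexdigits for c in name):
                continue  # not an MD5-named sample, ignore it
            with zf.open(info, pwd=password) as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            results[info.filename] = digest == name.lower()
    return results


def build_sample_archive():
    """Constructed sample archive laid out as the documentation describes:
    the sample renamed to its MD5 with no extension, plus a log file.
    It is unencrypted (zipfile cannot write encrypted ZIPs), so the
    password is ignored on read; real downloads are encrypted."""
    sample = b"MZ\x90\x00 constructed dummy sample, not a real binary"
    good_name = hashlib.md5(sample).hexdigest()
    bad_name = "0" * 32  # name that deliberately does not match its content
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(good_name, sample)
        zf.writestr(bad_name, b"tampered content")
        zf.writestr("behavior.log", b"constructed sandbox log line\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, ok in verify_debug_info_archive(build_sample_archive()).items():
        print(f"{entry}: {'hash matches' if ok else 'HASH MISMATCH'}")
```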

See also

Viewing alert details

General information about an alert of any type

Information in the Object information section

Information in the Alert information section

Information in the IDS rule section

Information in the Network event section

Scan results in Sandbox

IOC scan results

Information in the Hosts section

Information in the Change log section

Sending alert data
