Kaspersky Anti Targeted Attack (KATA) Platform

Searching events in design mode

8 November 2023

ID 247638

To define event search conditions in design mode:

  1. Select the Threat Hunting section, Builder tab in the application web interface window.

    This opens the event search form.

  2. In the drop-down list, select an event search criterion.

    You can view a description of the event search criteria in the Event search criteria section.

  3. In the drop-down list, select an operator.

    For a list of available operators, see the Operators section.

    Each field value type has its own set of operators. For example, when a field with the EventType value type is selected, the = and != operators are available.

  4. Depending on the selected type of field value, perform one of the following actions:
    • In the field, type the value (one or more characters) by which you want to search for events.
    • In the drop-down list, select the field value by which you want to search for events.

    For example, to search for a full match based on a user name, enter the user name.

  5. If you want to add a new condition, use the AND or OR logical operator and repeat the necessary actions for adding a condition.
  6. If you want to add a group of conditions, click the Group button and repeat the actions necessary for adding conditions.
  7. If you want to delete a group of conditions, click the Remove group button.
  8. If you want to search events that occurred during a specific period, in the Any time drop-down list select one of the following event search periods:
    • Any time if you want the table to display events found as far back as the records go.
    • Last hour if you want the table to display events that were found during the last hour.
    • Last day if you want the table to display events found during the last day.
    • Custom range if you want the table to display events found during the period you specify.
  9. If you selected Custom range:
    1. In the calendar that opens, specify the start and end dates of the event display range.
    2. Click Apply.

    The calendar closes.

  10. Click Search.

    The table of events that satisfy the search criteria is displayed.

    If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.

  11. Click the name of the server for which you want to view events.

The host table of the selected server is displayed. Event grouping levels are displayed above the table.
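The procedure above amounts to a small query model: field/operator/value conditions joined by AND or OR, nested through groups, then filtered by the selected time period and grouped per tenant and server for display. The Python below is an added illustration written for this page to make that logic concrete; it is not Kaspersky code and does not reproduce the KATA query engine. Only the EventType field and the = and != operators come from the page; the other field names (UserName, Timestamp, Tenant, Server), the event-type values and the sample events are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple, Union

# Operators available for the EventType value type per the page.
# Other value types would carry their own operator set.
OPERATORS: Dict[str, Callable[[object, object], bool]] = {
    "=": lambda actual, expected: actual == expected,
    "!=": lambda actual, expected: actual != expected,
}


@dataclass
class Condition:
    """One row of the builder: <field> <operator> <value>."""
    field: str
    operator: str
    value: object

    def matches(self, event: dict) -> bool:
        if self.operator not in OPERATORS:
            raise ValueError(f"unsupported operator {self.operator!r}")
        # A missing field never satisfies "=" and always satisfies "!=".
        return OPERATORS[self.operator](event.get(self.field), self.value)


@dataclass
class Group:
    """A group of conditions (or nested groups) joined by one connective."""
    connective: str  # "AND" or "OR"
    members: List[Union[Condition, "Group"]]

    def matches(self, event: dict) -> bool:
        results = (m.matches(event) for m in self.members)
        if self.connective == "AND":
            return all(results)
        if self.connective == "OR":
            return any(results)
        raise ValueError(f"unsupported connective {self.connective!r}")


def time_window(period: str, now: datetime,
                start: Optional[datetime] = None,
                end: Optional[datetime] = None) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Translate the period drop-down into an inclusive [start, end] bound."""
    if period == "Any time":
        return None, None
    if period == "Last hour":
        return now - timedelta(hours=1), now
    if period == "Last day":
        return now - timedelta(days=1), now
    if period == "Custom range":
        if start is None or end is None or start > end:
            raise ValueError("Custom range needs start <= end")
        return start, end
    raise ValueError(f"unknown period {period!r}")


def search(events: List[dict], query: Union[Condition, Group],
           period: str = "Any time", now: Optional[datetime] = None,
           start: Optional[datetime] = None, end: Optional[datetime] = None) -> List[dict]:
    """Apply the time filter first, then the condition tree."""
    now = now or datetime.now(timezone.utc)
    lo, hi = time_window(period, now, start, end)
    hits = []
    for ev in events:
        ts = ev["Timestamp"]  # assumed field name
        if lo is not None and not (lo <= ts <= hi):
            continue
        if query.matches(ev):
            hits.append(ev)
    return hits


def group_by_tenant_server(hits: List[dict]) -> Dict[Tuple[str, str], List[dict]]:
    """Tiered display used in distributed/multitenant mode: tenant, then server."""
    tiers: Dict[Tuple[str, str], List[dict]] = {}
    for ev in hits:
        tiers.setdefault((ev["Tenant"], ev["Server"]), []).append(ev)
    return tiers


# Constructed sample data; values are illustrative, not real KATA events.
NOW = datetime(2023, 11, 8, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"EventType": "ProcessCreated", "UserName": "alice", "Tenant": "T1", "Server": "S1",
     "Timestamp": NOW - timedelta(minutes=30)},
    {"EventType": "ProcessCreated", "UserName": "bob", "Tenant": "T1", "Server": "S1",
     "Timestamp": NOW - timedelta(hours=5)},
    {"EventType": "FileChanged", "UserName": "bob", "Tenant": "T2", "Server": "S2",
     "Timestamp": NOW - timedelta(days=3)},
    {"EventType": "ProcessCreated", "UserName": "alice", "Tenant": "T2", "Server": "S2",
     "Timestamp": NOW - timedelta(days=3)},
]


def example_query() -> Group:
    """(EventType = ProcessCreated AND UserName = alice) OR EventType = FileChanged"""
    return Group("OR", [
        Group("AND", [Condition("EventType", "=", "ProcessCreated"),
                      Condition("UserName", "=", "alice")]),
        Condition("EventType", "=", "FileChanged"),
    ])


if __name__ == "__main__":
    for period in ("Any time", "Last hour", "Last day"):
        hits = search(EVENTS, example_query(), period, now=NOW)
        print(period, {k: len(v) for k, v in group_by_tenant_server(hits).items()})
```

Nesting is made explicit with Group objects because the builder's Group button is what fixes precedence between AND and OR; without a group, "A AND B OR C" is ambiguous, so the example never relies on implicit precedence.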

See also

Events database threat hunting

Searching events in source code mode

Sorting events in the table

Changing the event search conditions

Searching events by processing results in EPP applications

Uploading an IOC file and searching for events based on conditions defined in the IOC file

Creating a TAA (IOA) rule based on event search conditions
