Viewing the table of events

The events table is displayed in the Threat Hunting section of the application web interface window after completion of Threat Hunting in the events database. You can sort events in the table by the Event time, Event type, Host, and User name columns.

If you are using the distributed solution and multitenancy mode, events in the table are grouped by hosts of the selected servers and tenants.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

The table of events contains the following information:

1. Event time—Date and time when the event was detected.
2. Event type, for example, Process started.
3. Host name—Name of the host on which the alert was generated.
4. Details—Information about the event.
5. User name—Name of the user on the computer with the Endpoint Agent component whose user account was used to detect the event.

In the events table, the Details column displays the set of data for each type of event in the Event type column (see the table below).

Set of data in the Details column for each event type in the Event column

If you are using Kaspersky Endpoint Agent as the Endpoint Agent component, information about the AMSI scan event is available when Kaspersky Anti Targeted Attack Platform is integrated with Kaspersky Endpoint Agent for Windows 3.10 or later and when Kaspersky Endpoint Agent is integrated with Kaspersky Endpoint Security for Windows 11.5 or later. If Kaspersky Endpoint Security for Windows is not installed on the computer and is not integrated with Kaspersky Endpoint Agent, information about the AMSI scan event is not logged in the event database and is not displayed in the Kaspersky Anti Targeted Attack Platform web interface.

If Kaspersky Endpoint Agent is used in the role of the Endpoint Agent component, the Central Node server generates Scan: detect and Scan: detect processing result events based on data received from EPP applications. If EPP applications are not installed on the computer and are not integrated with Kaspersky Endpoint Agent, information about these events is not logged in the event database and is not displayed in the Kaspersky Anti Targeted Attack Platform web interface.

Clicking the link with the name of the event type, data, additional information and user name opens a list in which you can select the action to perform on the object. Depending on the value in the cell, you can perform one of the following actions:

• For all values in the cell:
  • Filter by this value.
  • Exclude from filter.
  • Copy value to clipboard.
• Host name:
  • Find events.
  • Find alerts.
  • Isolate from network.
• File name:
  • Kill process.
  • Kill by unique PID.
  • Delete file.
  • Get file.
  • Get forensics.
  • Quarantine file.
• MD5 hash:
  • Find events.
  • Find alerts.
  • Find on TIP.

    Kaspersky information system Contains and displays reputation information for files and URL addresses.

  • Create prevention rule.
  • Find in Storage.
• SHA256 hash:
  • Find events.
  • Find alerts.
  • Find on TIP.
  • Find on virustotal.com.
  • Create prevention rule.
  • Find in Storage.