About threat notifications

Kaspersky Threat Intelligence Portal provides notifications about detected threats and vulnerabilities that could compromise the security of your organization.

Threat notifications may include information about compromised credentials, data leakages, vulnerable services on the network perimeter, insider threats, and various other security concerns. To receive threat notifications, you must add assets first.

Threat notifications are displayed on the Digital Footprint () → Threats page. This page represents the total number of detected threats and their danger level (Critical, High, Medium, Low, Info).

If necessary, you can customize the table view: add or remove columns, change their order. To do this, click the Column options button, and select or clear the required column names. Drag the icon by the required column name to change its location in the table. Also, if you used filters to view certain notifications, you can clear all selections by clicking the Clear filters () button to view all available notifications.

For more convenient viewing, you can use horizontal scrolling in the Threats table. In this case, the Threat ID column is frozen when scrolling.

For each threat, the following data is displayed:

• Date

  Date and time when the threat was detected.

  You can sort items in ascending or descending order. Additionally, filters allow you to display threat notifications detected on a specific date or during a certain period. Predefined filters for Month and Year are also available, letting you set a period that ends on the current date.

• Threat ID

  Threat notification identifier.

  You can click the item to copy it or open a new tab for a detailed description.

  Also, there are icons that allow editing notification state or download additional information associated with the vulnerability, provided as an encrypted archive, if available. Use the password infected to unpack the archive.

  The archive may contain objects that could harm your device or data, if handled improperly. By downloading, you agree that you are informed and accept full responsibility for the handling of downloaded objects contained in the archive. You can only use the downloaded content to increase the level of protection of your devices and systems.

  The archive may contain the following:

  • JSON file including metadata about an attack
  • Screenshot in PNG format (optional)
  • HTML page downloaded using a phishing web address (optional)
• Threat name

  Threat notification name.

• Risk

  Danger level of the detected threat (Critical, High, Medium, Low, Info).

  You can sort items by danger level in ascending or descending order. Also, you can use filters to only display threat notifications with certain danger levels.

• Category

  Threat category, such as APT victim, Botnet tracking, Compromised account, Compromised resource, Darknet, Defacement, Employee email address, External perimeter, Leakage, Malware, Pastebin entries, pDNS record, Person, Surface web, and Vulnerability. Other threat categories may also appear.

  Notification about newly discovered security issues on the company's network perimeter resource. Provides information about vulnerable or misconfigured service, and short-term recommendations for remediation.

  Notification about publications in various social media.

  Information on the company's employees (email address, position, social network accounts, and more) found in public sources.

  Notification about malicious IP addresses resolved from Customer domains.

  Information about new posts on the online content hosting service Pastebin resources related to Customer assets.

  Notifications about malicious activity that involve company's resources. Provides alerts on:

  • Communicating samples, that tried to communicate with the company's resources when they were executed in a Sandbox.
  • Downloaded samples, that were downloaded from the company's resources.
  • Referrer samples, that embed web address pattern strings with company's domains.
  • Botnet activity against the company's resources.

  Provides any kind of information related to the company that was found on online content hosting services such as Pastebin. Compromised employee accounts, client's bank cards, credentials for access to the internal systems, as well as other sensitive information.

  Notification about newly discovered external perimeter vulnerabilities and applications that have accidentally been granted external access.

  Notification about new discovered email addresses related to Customer.

  Defacement (also website or web defacement) is an attack on a website that alters its visual appearance or informational content.

  Recently published topics, comments, or advertisements on the Dark web forums, shops, communication channels, and onion sites.

  Notification about a resource that is usually legitimate but is infected or compromised at the moment of the analysis.

  Notification about accounts that are accessed by an unauthorized user with login details.

  Notification about a botnet, that is a network of malware-infected devices remotely controlled by cybercriminals. The user of an infected device is usually unaware of its malicious activity.

  Notification about customer IP addresses associated with APT threats.

  You can use filters to only display threat notifications from certain categories.

• Object

  Object associated with the detected threat (domain, IP address, keyword).

  You can use filters to only display threat notifications for certain objects.

• Tags

  Tags associated with the threat: for example, threat name according to the Kaspersky classification, Common Vulnerabilities and Exposures (CVE), or keywords.

  You can use filters to only display threat notifications that are associated with certain tags.

  If you have selected multiple values in the Object and/or Tags filters, a list of notifications matching any of the specified values is displayed (using "OR" logic).

• Threat description

  Description of the threat and recommendations on how to mitigate associated risks. You can expand or collapse the description and recommendations for easier viewing.

• State

  Threat notification state can be one of the following:

  • New—New threat notification. This state is assigned to all new notifications automatically when created, and can also be assigned by the user.
  • Active—Threat notification is being processed.
  • Resolved—Threat notification processing completed.
  • Rejected—Threat notification rejected. This status is assigned if the notification is out of scope, is not related to the customer's assets, or the notification will not be processed by the customer's team as a security incident.
  • Pending—Threat notification processing is currently pending.

  You can sort items in ascending or descending order. Also, you can use filters to only display threat notifications assigned to a certain state.

• Assigned to

  The person responsible for the threat notification. By default, Unassigned is specified for a new threat notification.

  If an assigned user is removed, their name is highlighted in red.

  You can use filters to only display threat notifications assigned to a certain user.

• Comment

  Commend added to a notification.

Page top