- Kaspersky Anti Targeted Attack Platform Help
- Kaspersky Anti Targeted Attack Platform
- What's new
- About Kaspersky Threat Intelligence Portal
- Distribution kit
- Hardware and software requirements
- Compatibility of Kaspersky Endpoint Agent for Windows versions with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of Kaspersky Endpoint Agent for Windows versions with EPP applications
- Compatibility of Kaspersky Endpoint Security for Windows versions with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of Kaspersky Endpoint Security for Linux versions with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of Kaspersky Endpoint Security for Mac with Kaspersky Anti Targeted Attack Platform versions
- Compatibility of KUMA versions with versions of Kaspersky Anti Targeted Attack Platform
- Compatibility of XDR versions with versions of Kaspersky Anti Targeted Attack Platform
- Compatibility of KPSN versions with versions of Kaspersky Anti Targeted Attack Platform
- Compatibility of Kaspersky Anti Targeted Attack Platform with VK Cloud
- Restrictions
- Data provision
- Service data of the application
- Data of the Central Node and Sensor components
- Sandbox component data
- Data transmitted between application components
- Data contained in application trace files
- Data of Kaspersky Endpoint Agent for Windows
- Kaspersky Endpoint Security for Windows data
- Kaspersky Endpoint Security for Linux data
- Kaspersky Endpoint Security for Mac data
- Application licensing
- About the End User License Agreement
- About the license certificate
- About the license
- About the license key
- About the key file
- About the activation code
- About the subscription
- Adding a license key
- Replacing the license key
- Removing a license key
- Viewing information about added license keys in the web interface of the Central Node
- Viewing the text of the End User License Agreement in the web interface of the Central Node
- Viewing the text of the Privacy Policy in the web interface of the Central Node
- Viewing information about the third-party code used in the application
- Viewing the text of the End User License Agreement in the web interface of the Sandbox
- Viewing the text of the End User License Agreement for the Endpoint Agent component
- Application modes based on the license
- Architecture of the application
- Operating principle of the application
- Distributed solution and multitenancy
- Distributed solution and multitenancy mode transition scenario
- Modifications of application settings for the distributed solution and multitenancy mode
- Assigning the PCN role to a server
- Assigning the SCN role to a server
- Processing SCN to PCN connection requests
- Viewing information about tenants, PCN and SCN servers
- Adding a tenant to the PCN server
- Deleting a tenant from the PCN server
- Renaming a tenant on the PCN server
- Disconnecting an SCN from PCN
- Modifications of application settings for disconnecting an SCN from PCN
- Decommissioning an SCN server
- Sizing Guide
- Installing and performing initial configuration of the application
- Preparing for installing application components
- Preparing the IT infrastructure for installing application components
- Preparing the IT infrastructure for integration with a mail server used for receiving messages via POP3
- Preparing the IT infrastructure for integration with a mail server used for receiving messages via SMTP
- Preparing the virtual machine for installing the Sandbox component
- Preparing an installation disk image with the Central Node, Sensor, and Sandbox components
- Procedure for installing and configuring application components
- Installing the Sandbox component
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a disk for installing the Sandbox component
- Step 3. Assigning the host name
- Step 4. Selecting the controlling network interface in the list
- Step 5. Assigning the address and network mask of the controlling interface
- Step 6. Adding DNS server addresses
- Step 7. Configuring a static network route
- Step 8. Configuring the minimum password length for the Sandbox administrator password
- Step 9. Creating the Sandbox administrator account
- Deploying the Central Node and Sensor components as a cluster
- Deploying a storage server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a server role
- Step 3. Selecting the deployment mode
- Step 4. Selecting a disk for installing the component
- Step 5. Selecting a network mask for server addressing
- Step 6. Selecting a network mask for addressing of application components
- Step 7. Selecting the cluster network interface
- Step 8. Selecting the external network interface
- Step 9. Selecting the method of obtaining IP addresses for network interfaces
- Step 10. Creating an administrator account and authenticating the server in the cluster
- Step 11. Adding DNS server addresses
- Step 12. Configuring time synchronization with an NTP server
- Step 13. Selecting disks for the Ceph storage
- Deploying the processing server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a server role
- Step 3. Selecting a disk for installing the component
- Step 4. Selecting a network mask for cluster server addressing
- Step 5. Selecting a network mask for addressing of application components
- Step 6. Selecting the cluster network interface
- Step 7. Selecting the external network interface
- Step 8. Selecting the method of obtaining IP addresses for network interfaces
- Step 9. Authenticating the server in the cluster
- Step 10. Configuring receipt of mirrored traffic from SPAN ports
- Purging hard drives on storage servers
- Deploying a storage server
- Installing the Central Node and Sensor components on the server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a server role
- Step 3. Selecting a disk for installing the component
- Step 4. Allocating the disk for the Targeted Attack Analyzer component's database
- Step 5. Selecting a network mask for server addressing
- Step 6. Selecting a network mask for addressing of application components
- Step 7. Selecting the external network interface
- Step 8. Selecting the method of obtaining IP addresses for network interfaces
- Step 9. Creating the administrator account
- Step 10. Adding DNS server addresses
- Step 11. Configuring time synchronization with an NTP server
- Step 12. Configuring receipt of mirrored traffic from SPAN ports
- Installing the Sensor component on a standalone server
- Step 1. Viewing the End User License Agreement and Privacy Policy
- Step 2. Selecting a server role
- Step 3. Selecting a disk for installing the component
- Step 4. Selecting a network mask for server addressing
- Step 5. Selecting a network mask for addressing of application components
- Step 6. Selecting the external network interface
- Step 7. Selecting the method of obtaining IP addresses for network interfaces
- Step 8. Creating the administrator account
- Step 9. Adding DNS server addresses
- Step 10. Configuring time synchronization with an NTP server
- Step 11. Configuring receipt of mirrored traffic from SPAN ports
- Optimization of network interface settings for the Sensor component
- Connecting and configuring external storage for the Sensor component
- Preparing for installing application components
- Configuring the sizing settings of the application
- Configuring the integration of Kaspersky Anti Targeted Attack Platform with the Kaspersky Endpoint Agent component
- Configuring the trusted connection of Kaspersky Anti Targeted Attack Platform with the Kaspersky Endpoint Agent application
- Configuring the connection with the Central Node server without validating the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Configuring the connection with the Central Node server with validation of the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Configuring the connection with the Sensor server without validating the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Configuring the connection with the Sensor server with validation of the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Downloading the TLS certificate of the Central Node server
- Generating a TLS certificate for the Central Node server in the web interface of Kaspersky Anti Targeted Attack Platform
- Uploading an independently prepared TLS certificate for the Central Node server using the web interface of Kaspersky Anti Targeted Attack Platform
- Uploading a TLS certificate of the Central Node server or Sensor to Kaspersky Endpoint Agent
- Enabling the validation of the Kaspersky Endpoint Agent TLS certificate in the web interface of Kaspersky Anti Targeted Attack Platform
- Generating a TLS certificate of Kaspersky Endpoint Agent in the web interface of Kaspersky Anti Targeted Attack Platform and downloading a cryptographic container
- Uploading an independently prepared TLS certificate of Kaspersky Endpoint Agent using the web interface of Kaspersky Anti Targeted Attack Platform.
- Viewing the table of Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
- Filtering and searching Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
- Deleting Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
- Configuring the validation of the Kaspersky Endpoint Agent TLS certificate by the Central Node server and uploading a cryptographic container to Kaspersky Endpoint Agent
- Configuring traffic redirection from Kaspersky Endpoint Agent to the Sensor server
- Generating a TLS certificate for the Sensor server in the administrator menu of the Sensor server
- Uploading an independently prepared TLS certificate for the Sensor server in the administrator menu of the Sensor server
- Downloading the TLS certificate of the Sensor server to your computer
- Configuring the integration and trusted connection with Kaspersky Anti Targeted Attack Platform on the Kaspersky Endpoint Agent side
- Configuring the trusted connection of Kaspersky Anti Targeted Attack Platform with the Kaspersky Endpoint Agent application
- Getting started with the application
- Managing accounts of application administrators and users
- Creating an administrator account for the application web interface
- Creating a user account for the application web interface
- Configuring user account table display
- Viewing the user account table
- Filtering user accounts
- Clearing the account filter
- Changing access rights of an application web interface user account
- Enabling and disabling an administrator account or user account of the application web interface
- Changing the password of an application administrator or user account
- Changing the password of your account
- Authentication using domain accounts
- Participation in Kaspersky Security Network and use of Kaspersky Private Security Network
- Managing the Sandbox component through the web interface
- Updating the Sandbox component databases
- Configuring connection between the Sandbox and Central Node components
- Configuring the Sandbox component network interfaces
- Setting the Sandbox system date and time
- Installing and configuring images of operating systems and applications required for the operation of the Sandbox component
- Managing operating system and application images in the Sandbox Storage
- Managing virtual machine templates
- Managing virtual machines
- Setting the maximum number of simultaneously running virtual machines
- Changing the number of license keys for a virtual machine with a custom operating system image
- Downloading the Sandbox system log to the hard drive
- Exporting Sandbox settings
- Importing Sandbox settings
- Restarting the Sandbox server
- Powering off the Sandbox server
- Changing the Sandbox administrator account password
- For administrators: Getting started with the application web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Monitoring the performance of the application
- About widgets and layouts
- Selecting a tenant and a server to manage in the Dashboard section
- Adding a widget to the current layout
- Moving a widget in the current layout
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the data display period in widgets
- Monitoring the receipt and processing of incoming data
- Monitoring the queues for data processing by application modules and components
- Monitoring the processing of data by the Sandbox component
- Viewing the working condition of modules and components of the application
- Managing Central Node, PCN, or SCN servers using the application web interface
- Configuring the date and time on the server
- Generating or uploading a TLS certificate of the server
- Downloading the TLS certificate of the server
- Assigning a server DNS name
- Configuring DNS settings
- Configuring settings of the network interface
- Configuring the default network route
- Configuring proxy server connection settings
- Configuring the mail server connection
- Selecting operating systems to use when scanning objects in Sandbox
- Managing the Sensor component
- Viewing the table of servers with the Sensor component
- Processing a connection request from the Sensor component
- Configuring the maximum size of a scanned file
- Configuring receipt of mirrored traffic from SPAN ports and the http-body parameter
- Selecting network protocols for receiving mirrored traffic from SPAN ports
- Configuring integration with a mail server via SMTP
- Configuring TLS encryption of connections with a mail server via SMTP
- Configuring integration with a proxy server via ICAP
- Configuring raw network traffic recording
- Configuring integration with a mail server via POP3
- Managing the cluster
- Notifications about the maximum allowed CPU and RAM load for the Central Node and Sensor servers
- Configuring the SNMP protocol connection
- Managing Endpoint Agent host information
- Selecting a tenant to manage in the Endpoint Agents section
- Viewing the table of hosts with the Endpoint Agent component on a standalone Central Node server
- Viewing information about a host
- Filtering and searching hosts with the Endpoint Agent component by host name
- Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
- Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
- Filtering and searching hosts with the Endpoint Agent component by computer IP address
- Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
- Filtering and searching hosts with the Endpoint Agent component by component version
- Filtering and searching hosts with the Endpoint Agent component by their activity
- Quickly creating a filter for hosts with the Endpoint Agent component
- Resetting the filter for hosts with the Endpoint Agent component
- Configuring activity indicators of the Endpoint Agent component
- Removing hosts with the Endpoint Agent component
- Automatic removal of inactive hosts
- Supported interpreters and processes
- Configuring integration with the Sandbox component
- Configuring integration with external systems
- Configuring integration with Kaspersky Managed Detection and Response
- Configuring integration with an SIEM system
- Managing the activity log
- Updating application databases
- Creating a list of passwords for archives
- Configuring integration with ArtX TLSproxy
- For security officers: Getting started with the application web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Selecting a tenant to manage in the web interface of the application
- Monitoring the performance of the application
- About widgets and layouts
- Adding a widget to the current layout
- Moving a widget in the current layout
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the data display period in widgets
- Configuring the widget display scale
- Basics of managing "Alerts" type widgets
- Viewing the working condition of modules and components of the application
- Viewing the alert table
- Configuring the alert table display
- Filtering, sorting, and searching alerts
- Filtering alerts by VIP status
- Filtering and searching alerts by time
- Filtering alerts by level of importance
- Filtering and searching alerts by categories of objects detected
- Filtering and searching alerts by obtained information
- Filtering and searching alerts by source address
- Filtering and searching alerts by destination address
- Filtering and searching alerts by server name
- Filtering and searching alerts by technology name
- Filtering and searching alerts by the status of their processing by the user
- Sorting alerts in the table
- Quickly creating an alert filter
- Clearing an alert filter
- Recommendations for processing alerts
- Viewing alerts
- Viewing alert details
- General information about an alert of any type
- Information in the Object information section
- Information in the Alert information section
- Information in the Scan results section
- Information in the IDS rule section
- Information in the Network event section
- Scan results in Sandbox
- IOC scan results
- Information in the Hosts section
- Information in the Change log section
- Sending alert data
- Viewing alert details
- User actions performed on alerts
- Events database threat hunting
- Searching events in design mode
- Searching events in source code mode
- Sorting events in the table
- Changing the event search conditions
- Searching events by processing results in EPP applications
- Uploading an IOC file and searching for events based on conditions defined in the IOC file
- Creating a TAA (IOA) rule based on event search conditions
- Event information
- Recommendations for processing events
- Information about events in the tree of events
- Viewing the table of events
- Configuring the event table display
- Viewing information about an event
- Information about the "Process started" event
- Information about the "Process terminated" event
- Information about the "Module loaded" event
- Information about the "Remote connection" event
- Information about the "Prevention rule" event
- Information about the "Document blocked" event
- Information about the "File modified" event
- Information about the "System event log" event
- Information about the "Changes in the registry" event
- Information about the "Port listened" event
- Information about the "Driver loaded" event
- Information about the "Alert" event
- Information about the "Alert processing result" event
- Information about the "Interpreted file run" event
- Information about the "AMSI scan" event
- Information about the "Interactive command input at the console" event
- Event chain scanning by Kaspersky TAA (IOA) rules
- Managing Endpoint Agent host information
- Viewing the table of hosts with the Endpoint Agent component
- Configuring the display of the table of hosts with the Endpoint Agent component
- Viewing information about a host
- Filtering and searching hosts with the Endpoint Agent component by host name
- Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
- Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
- Filtering and searching hosts with the Endpoint Agent component by computer IP address
- Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
- Filtering and searching hosts with the Endpoint Agent component by component version
- Filtering and searching hosts with the Endpoint Agent component by their activity
- Quickly creating a filter for hosts with the Endpoint Agent component
- Resetting the filter for hosts with the Endpoint Agent component
- Removing hosts with the Endpoint Agent component
- Configuring activity indicators of the Endpoint Agent component
- Supported interpreters and processes
- Network isolation of hosts with the Endpoint Agent component
- Automatically sending files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules
- Selecting operating systems to use when scanning objects in Sandbox
- Managing tasks
- Viewing the task table
- Viewing information about a task
- Creating a get file task
- Creating a forensic collection task
- Creating a registry key retrieval task
- Creating an NTFS metafile retrieval task
- Creating a process memory dump retrieval task
- Creating a disk image retrieval task
- Creating a RAM dump retrieval task
- Creating a process termination task
- Creating a task to scan hosts using YARA rules
- Creating a service management task
- Creating an application execution task
- Creating a file deletion task
- Creating a file quarantine task
- Creating a quarantined file recovery task
- Creating a copy of a task
- Deleting tasks
- Filtering tasks by creation time
- Filtering tasks by type
- Filtering tasks by name
- Filtering tasks by file name and path
- Filtering tasks by description
- Filtering tasks by server name
- Filtering tasks based on the name of the user that created the task
- Filtering tasks by processing status
- Clearing a task filter
- Managing policies (prevention rules)
- Viewing the prevention rule table
- Configuring prevention rule table display
- Viewing a prevention rule
- Creating a prevention rule
- Importing prevention rules
- Enabling and disabling a prevention rule
- Enabling and disabling presets
- Deleting prevention rules
- Filtering prevention rules by name
- Filtering prevention rules by type
- Filtering prevention rules by file hash
- Filtering prevention rules by server name
- Clearing a prevention rule filter
- Managing user-defined rules
- Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting
- Managing user-defined TAA (IOA) rules
- Viewing the TAA (IOA) rule table
- Creating a TAA (IOA) rule based on event search conditions
- Importing a TAA (IOA) rule
- Viewing custom TAA (IOA) rule details
- Searching for alerts and events in which TAA (IOA) rules were triggered
- Filtering and searching TAA (IOA) rules
- Resetting the TAA (IOA) rule filter
- Enabling and disabling TAA (IOA) rules
- Modifying a TAA (IOA) rule
- Deleting TAA (IOA) rules
- Managing user-defined IOC rules
- Viewing the table of IOC files
- Viewing information about an IOC file
- Uploading an IOC file
- Downloading an IOC file to a computer
- Enabling and disabling the automatic use of an IOC file when scanning hosts
- Deleting an IOC file
- Searching for alerts in IOC scan results
- Searching for events using an IOC file
- Filtering and searching IOC files
- Clearing an IOC file filter
- Configuring an IOC scan schedule
- Managing user-defined IDS rules
- Importing a user-defined IDS rule
- Viewing the information of a user-defined IDS rule
- Enabling and disabling the use of an IDS rule when scanning events
- Configuring the importance of alerts generated by the user-defined IDS rule
- Replacing a user-defined IDS rule
- Exporting a user-defined IDS rule file to the computer
- Deleting a user-defined IDS rule
- Managing user-defined YARA rules
- Managing objects in Storage and quarantine
- Viewing the table of objects that were placed in Storage
- Viewing information about an object manually placed in Storage using the web interface
- Viewing information about an object placed in Storage by a get file task
- Viewing information about an object placed in Storage by a get data task
- Downloading objects from Storage
- Uploading objects to Storage
- Sending objects in Storage for scanning
- Deleting objects from Storage
- Filtering objects in Storage by object type
- Filtering objects in Storage by object description
- Filtering objects in Storage based on scan results
- Filtering objects in Storage based on the name of Central Node, PCN, or SCN server
- Filtering objects in Storage by object source
- Filtering objects based on the time they were placed in Storage
- Clearing a Storage objects filter
- Viewing the table of objects quarantined on computers with the Kaspersky Endpoint Agent component
- Viewing information about a quarantined object
- Restoring an object from Quarantine
- Obtaining a copy of a quarantined object on a Kaspersky Anti Targeted Attack Platform server
- Removing information about the quarantined object from the table
- Filtering information about quarantined objects by object type
- Filtering information about quarantined objects by object description
- Filtering information about quarantined objects by host name
- Filtering information about quarantined objects by time
- Resetting the filter for information about quarantined objects
- Managing reports
- Viewing the table of templates and reports
- Creating a template
- Creating a report based on a template
- Viewing a report
- Downloading a report to a local computer
- Editing a template
- Filtering templates by name
- Filtering templates based on the name of the user that created the template
- Filtering templates by creation time
- Clearing a template filter
- Deleting a template
- Filtering reports by creation time
- Filtering reports by name
- Filtering reports by the name of the server with the Central Node component
- Filtering reports based on the name of the user that created the report
- Clearing a report filter
- Deleting a report
- Managing rules for assigning the VIP status to alerts
- Viewing the table of VIP status assignment rules
- Creating a VIP status assignment rule
- Deleting a VIP status assignment rule
- Modifying a VIP status assignment rule
- Importing a list of VIP status assignment rules
- Exporting the list of data excluded from the scan
- Filtering and searching by type of VIP status assignment rule
- Filtering and searching by value of VIP status assignment rule
- Filtering and searching by description of VIP status assignment rule
- Clearing a VIP status assignment rule filter
- Managing the list of scan exclusions
- Viewing the table of data excluded from the scan
- Adding a scan exclusion rule
- Deleting a scan exclusion rule
- Editing a rule added to scan exclusions
- Exporting the list of data excluded from the scan
- Filtering rules in the scan exclusion list by criterion
- Searching rules in the scan exclusion list by value
- Resetting the rule filter in the scan exclusion list
- Managing IDS exclusions
- Managing TAA exclusions
- Managing ICAP exclusions
- Viewing the ICAP exclusion table
- Adding a rule to ICAP exclusions
- Removing rules from ICAP exclusions
- Editing or disabling a rule in the ICAP exclusion list
- Filtering rules in the ICAP exclusion list by criterion
- Filtering rules in the ICAP exclusion list by value
- Filtering rules in the ICAP exclusion list by state
- Clearing rule filter conditions in the ICAP exclusion list
- Creating a list of passwords for archives
- Viewing server settings
- Viewing the table of servers with the Sandbox component
- Viewing the settings of the set of operating systems used for scanning objects in Sandbox
- Viewing the table of servers with the Sensor component
- Managing raw network traffic
- Viewing the table of external systems
- Viewing information about files that have sent for scanning to the Kaspersky Anti Targeted Attack Platform
- Managing user-defined Sandbox rules
- Viewing the table of user-defined Sandbox rules
- Configuring the Sandbox rule table display
- Filtering and searching Sandbox rules
- Clearing a Sandbox rule filter
- Viewing the information of a user-defined Sandbox rule
- Creating a user-defined Sandbox rule for scanning files
- Creating a user-defined Sandbox rule for URL scanning
- Copying a user-defined Sandbox rule
- Importing user-defined Sandbox rules for file scanning
- Editing a user-defined Sandbox rule
- Enabling or disabling user-disabling Sandbox rules
- Exporting user-defined Sandbox rules for file scanning
- Deleting user-defined Sandbox rules
- List of extensions for file categories
- Sending notifications
- Viewing the table of rules for sending notifications
- Creating a rule for sending notifications about alerts
- Creating a rule for sending notifications about the operation of application components
- Enabling and disabling a rule for sending notifications
- Modifying a rule for sending notifications
- Deleting a rule for sending notifications
- Filtering and searching notification forwarding rules by rule type
- Filtering and searching notification forwarding rules based on the notification subject
- Filtering and searching notification forwarding rules by email address
- Filtering and searching notification forwarding rules based on their status
- Clearing a notification forwarding rule filter
- Managing Kaspersky Endpoint Agent for Windows
- Managing Kaspersky Endpoint Security for Windows
- Managing Kaspersky Endpoint Security for Linux
- Managing Kaspersky Endpoint Security for Mac
- Backing up and restoring data
- Upgrading Kaspersky Anti Targeted Attack Platform
- Interaction with external systems via API
- Integrating an external system with Kaspersky Anti Targeted Attack Platform
- API for scanning objects of external systems
- API that external systems can use to receive information about application alerts
- API that external systems can use to receive information about application events
- API for managing Threat Response actions
- Request for getting the list of hosts with the Endpoint Agent component
- Request for information about network isolation and the existence of prevention rules for hosts with the Kaspersky Endpoint Agent component
- Host network isolation management
- Managing prevention rules
- Managing the application run task
- Sources of information about the application
- Contacting the Technical Support Service
- Glossary
- Advanced persistent threat (APT)
- Alternate data stream
- Anti-Malware Engine
- Backdoor program
- Central Node
- Communication channel bandwidth
- CSRF attack
- Distributed solution
- Dump
- End User License Agreement
- Endpoint Agent component
- ICAP client
- ICAP data
- Intrusion Detection System
- IOA
- IOC
- IOC file
- Kaspersky Anti Targeted Attack Platform
- Kaspersky Private Security Network
- Kaspersky Secure Mail Gateway
- Kaspersky Security Network (KSN)
- Kaspersky Threat Intelligence Portal
- KATA
- KEDR
- Kerberos authentication
- Keytab file
- Local reputation database of KPSN
- Malicious web addresses
- MIB (Management Information Base)
- Mirrored traffic
- MITM attack
- MITRE technique
- Multitenancy
- New generation threats
- NTP server
- OpenIOC
- Phishing URL addresses
- Sandbox
- Sensor
- Service principal name (SPN)
- SIEM system
- Signature
- SPAN
- Syslog
- TAA (IOA) rule
- Targeted attack
- Targeted Attack Analyzer
- Tenant
- TLS encryption
- Tracing
- VIP status
- YARA
- YARA rules
- Zero-day attack
- Zero-day vulnerability
- Information about third-party code
- Trademark notices
For security officers: Getting started with the application web interface > Managing IDS exclusions
Managing IDS exclusions
Managing IDS exclusions
Users with the Senior security officer role can add Kaspersky IDS rules to scan exclusions. Kaspersky Anti Targeted Attack Platform does not create detections when scanning by excluded IDS rules.
You can add to exclusions only IDS rules defined by Kaspersky. If you do not want to apply a user-defined IDS rule when scanning, you can disable this rule or delete it.
If you want to configure a singular exclusion, for example, for a specific source address, you can:
- Open information about the IDS detection for which you want to create a singular exception.
- Copy the IDS detection data in Suricata format and save it in any way that you find convenient.
- Add the Kaspersky IDS rule that generated the detection to exclusions from scanning.
- Add a new rule based on the properties of the excluded Kaspersky rule to the list of user-defined IDS rules in one of the following ways:
- If the system already has user-defined IDS rules, export a file with the rules and add a new rule to this file with conditions that narrow down the rule using the Suricata syntax. An example of creating user-defined IDS rules is shown below.
- If no user-defined IDS rules exist in the system yet, create a text file and add to it a rule with qualifying conditions using the Suricata syntax. An example of creating user-defined IDS rules is shown below.
- Import a file with the added rule.
We do not recommend using the above method of creating singular exclusions on a regular basis because a large number of user-defined IDS rules can get out of control and reduce the level of protection of the corporate LAN. We strongly recommended monitoring the results of the created exclusions. We also strongly recommended testing the user-defined rules in a test environment before importing. User-defined IDS rules may cause performance issues, in which case stable operation of Kaspersky Anti Targeted Attack Platform is not guaranteed.
Users with the Security auditor role can view the list of IDS rules added to exclusions, and view the properties of a selected rule.
Users with the Security officer role cannot view the list of IDS rules added to exclusions.
Examples of creating user-defined IDS rules based on the properties of an excluded Kaspersky rule
If you do not want one or more of the source and/or destination addresses to be included in the IDS detection, you can use the ! (NOT) operator.
Example: For an IDS detection with data:
You can create the following user-defined IDS rules with singular exclusions:
|
|
Article ID: 247774, Last review: Dec 17, 2024 |