Kaspersky Anti Targeted Attack Platform

About widgets and layouts

You can use widgets to monitor application operation.

A layout is the appearance of the workspace of the application web interface window in the Dashboard section. You can add, delete, and move widgets in the layout, as well as configure the scale of widgets.

If you are using the

and , this section displays information for the selected tenant. NDR widgets display information only for the current or selected node.

By default, this section displays information only on alerts that were not processed by users. To also display information on processed alerts, enable the Show closed alerts toggle switch in the upper-right corner of the window.

The Dashboard section displays the following widgets:

  • Alerts:
    • Alerts by status. Displays the alert status depending on the Kaspersky Anti Targeted Attack Platform user processing the alert and on whether or not this alert has been processed.
    • Alerts by technology. Displays the names of the application modules or components that generated the alert.
    • Alerts by attack vector. Displays detected objects based on the vector of the attack.
    • VIP alerts by importance. Displays the importance of alerts with VIP status depending on the impact that these alerts may have on the security of computers or the corporate LAN based on Kaspersky experience.
    • Alerts by importance. Displays the importance of alerts for users of the Kaspersky Anti Targeted Attack Platform depending on the impact that these alerts may have on the security of computers or the corporate LAN based on Kaspersky experience.

    The left part of each widget displays attack vectors, alert importance levels, alert states, and scanning technologies that generated the alerts. The right part of each widget displays the number of times the alerts were triggered during the selected period for data display in widgets.

    Clicking the link with the name of an attack vector, alert importance level, alert state, or scanning technology that generated the alert takes you to the Alerts section of the application web interface, where you can view related alerts. Alerts are filtered based on the selected element.

  • Top 10:
    • Domains. 10 domains most frequently seen in alerts.
    • IP addresses. 10 IP addresses most frequently seen in alerts.
    • Sender's email addresses. 10 email senders most frequently seen in alerts.
    • Recipient's email addresses. 10 email recipients most frequently seen in alerts.
    • TAA hosts. 10 hosts that occur most frequently in events and alerts generated by the Targeted Attack Analyzer (TAA) technology.
    • TAA rules. 10 TAA (IOA) rules that occur most frequently in events and alerts generated by the Targeted Attack Analyzer (TAA) technology.
    • Sent to Sandbox by TAA rules. 10 TAA (IOA) rules that most frequently cause Kaspersky Anti Targeted Attack Platform to send files for scanning by the Sandbox component.

    The left part of each widget lists the domains, email addresses of recipients, IP addresses and email addresses of message senders, host names, and TAA (IOA) rule names. The right part of each widget displays the number of times the alerts were triggered during the selected period for data display in widgets.

    Click the link with the name of a domain, recipient address, IP address, or message sender address to go to the Alerts section of the application web interface and view related alerts.

    Click the link with the host name and the name of the TAA (IOA) rule to go to the Events section of the application web interface and view related events.

    Alerts and events are filtered based on the selected element.

  • NDR:
    • Network traffic event scores. Bar graph of the distribution of events by their scores for the selected period. The bars correspond to integer values of scores. You can change the data display mode to a pie chart with the distribution of events by severity levels. Depending on its score, an event may have a Low (0.0–3.9), Medium (4.0–7.9), or High (8.0–10.0) severity.
    • Network traffic events by technology. How many events have been registered by which event registration technology during the selected period.
    • Device security status. Distribution of devices by their security states.
    • Frequent application users in network traffic events. User names most frequently registered in events based on information from EPP applications for the selected period.
    • Frequent applications in network traffic events. Third-party applications most frequently registered in events based on information from EPP applications for the selected period.
    • Frequent devices in network traffic events. The most frequently registered devices in events for the selected period.
    • Frequent devices by risk count. The most frequently registered devices in detected risks for the selected period.
    • Risk scores. Bar graph of the distribution of risks by their scores for the selected period. The bars correspond to integer values of scores. You can change the data display mode to a pie chart with the distribution of risks by severity levels. Depending on its score, a risk may have a Low (0.0–3.9), Medium (4.0–7.9), or High (8.0–10.0) severity.
    • Custom widget. You can create widgets with arbitrary content. For example, you can use custom widgets to logically separate groups of widgets in the Dashboard section.
    • Devices. Contains information about devices on the network (arranged by device category).
    • Network traffic events. Contains information about the NDR events and aggregate events that have the most recent last-seen date and time.
    • Situational awareness. Notifications about currently identified threats to system security (for example, Detected 10 unauthorized network interactions). The widget displays notifications in order of their importance.
    • Protection by EPP applications. Ratio of the number of computers protected by EPP applications to the number of computers not protected by EPP applications. The total number of protected and unprotected computers is displayed in the center of the pie chart.

      A computer is considered protected by an EPP application if Kaspersky Anti Targeted Attack Platform is aware of the following conditions being satisfied:

      • An EPP application is installed on the computer.
      • The Real-Time Protection task is running for the EPP application.
      • The connection of the EPP application to the integration server has the Active status.

      A computer is considered unprotected by an EPP application if at least one of these conditions is not satisfied. The check for the lack of EPP application protection is performed for all devices in Kaspersky Anti Targeted Attack Platform whose installed operating system contains the name of the Windows operating system (any version), or that belong to one of the following categories:

      • Server
      • Workstation

    For correct information to be displayed in NDR widgets, you must configure the synchronization of date and time between Central Node and Sensor components.

    Widgets display only basic information that changes dynamically. If you need to view detailed information (for example, about devices with issues), you can navigate from the Dashboard section to other sections of the application web interface. You can navigate the web interface by clicking widgets.
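The rule behind the Protection by EPP applications widget can be reproduced over an inventory to see which condition each unprotected device fails. This is an added example, not code from the product: the record layout, field names, case-insensitive OS matching and the sample devices are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

CHECKED_CATEGORIES = {"Server", "Workstation"}  # categories named on the page

@dataclass
class Device:
    # Hypothetical record layout: field names are assumptions, not the product's schema.
    name: str
    os: Optional[str]                 # installed OS as recorded; None if unknown
    category: Optional[str]
    epp_installed: Optional[bool]     # None means the platform has no information
    rtp_running: Optional[bool]       # Real-Time Protection task state
    connection_status: Optional[str]  # EPP connection to the integration server

def in_scope(d: Device) -> bool:
    """The check applies if the OS name contains Windows or the category is listed."""
    # Case-insensitive matching is an assumption of this example.
    return "windows" in (d.os or "").lower() or d.category in CHECKED_CATEGORIES

def failed_conditions(d: Device) -> list:
    """Return the unmet conditions; an unknown value (None) counts as not satisfied."""
    failed = []
    if d.epp_installed is not True:
        failed.append("EPP application not known to be installed")
    if d.rtp_running is not True:
        failed.append("Real-Time Protection task not known to be running")
    if d.connection_status != "Active":
        failed.append("integration server connection not Active")
    return failed

def unprotected_report(devices) -> dict:
    """Map each in-scope unprotected device name to the conditions it fails."""
    report = {}
    for d in devices:
        if in_scope(d):
            failed = failed_conditions(d)
            if failed:  # at least one unmet condition makes the device unprotected
                report[d.name] = failed
    return report

# Constructed sample inventory (not real data).
SAMPLE = [
    Device("ws-01", "Windows 10", "Workstation", True, True, "Active"),
    Device("ws-02", "Windows 11", "Workstation", True, False, "Active"),
    Device("srv-01", "Ubuntu 22.04", "Server", None, None, None),
    Device("plc-01", None, "PLC", False, False, None),
    Device("kiosk-01", "Windows Embedded", None, True, True, "Inactive"),
]
```

A device with no recorded EPP state (srv-01 in the sample) is reported as unprotected because the platform must be aware of each condition being satisfied, which makes missing telemetry a coverage gap worth investigating rather than a neutral result.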
