Monitoring users on devices

Kaspersky Anti Targeted Attack Platform can monitor user accounts on devices known to the application. When monitoring users, the application automatically gets information about user accounts registered in the operating systems of the devices. Based on this information, the application generates user tables.

The application monitors all user accounts on devices except certain built-in local accounts that only operating system services can use. For example, the application does not monitor the LocalSystem and NetworkService accounts on Windows devices.

To use the user monitoring functionality, the Asset Management methods for detecting device activity and obtaining device information must be enabled. These methods must be enabled on all servers with application components from which information is received.

User monitoring is based on information received from the following types of sources:

  1. Telemetry (Endpoint Agent)

    Information about devices and the processes running on these devices is received when the Endpoint Agent component is integrated with the NDR functionality.

  2. External source

    Information is received from external systems that send information about users to Kaspersky Anti Targeted Attack Platform through its NDR API.

Sources are listed in order of decreasing priority. The application processes user information according to the priority of the source it came from: information from a higher-priority source may override information received from other sources, while information from a lower-priority source does not override it. The application also automatically removes a user from the table if information about that user was obtained only from an External source and the user is missing from the new information received from that source.
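The following Python block is an added illustration of the merge rules described above (source priority, override behaviour, exclusion of service-only accounts, and removal of users that an External source stops reporting). It is example code written for this page, not Kaspersky's own implementation: the numeric priority ranks, the data shapes, the case-insensitive account key and the `(action, device, account)` event tuples are assumptions, and the sample records are constructed.

```python
"""Illustrative model of the user-table merge rules for user monitoring.

Added example, not Kaspersky code. Source ranks, record shapes and event
tuples are assumptions; only the ordering of sources and the two excluded
Windows accounts come from the page text.
"""
from dataclasses import dataclass, field

# Sources in decreasing priority: telemetry outranks external. The numeric
# ranks are an assumption; the page only states the ordering.
SOURCE_PRIORITY = {"telemetry": 2, "external": 1}

# Accounts that only OS services can use are not monitored. The page names
# these two for Windows; the full exclusion list is not given, so this is partial.
EXCLUDED_ACCOUNTS = {"LocalSystem", "NetworkService"}


@dataclass
class ReportedUser:
    """One account as reported by a source (constructed input shape)."""
    device: str
    account: str
    attributes: dict = field(default_factory=dict)


@dataclass
class UserRecord:
    """Stored row: the reported data plus the source it was accepted from."""
    device: str
    account: str
    source: str
    attributes: dict = field(default_factory=dict)


def user_key(device: str, account: str) -> tuple:
    # Windows account names are case-insensitive; keying on the lower-cased
    # name (an assumption here) avoids duplicate rows for one account.
    return (device, account.lower())


class UserTable:
    """Table of monitored users keyed by (device, account)."""

    def __init__(self):
        self.users: dict = {}

    def ingest(self, source: str, records: list) -> list:
        """Apply one batch from a single source; return (action, device, account) events.

        A source of equal or higher priority than the stored row overrides it;
        a lower-priority source never does. After an External batch, users known
        only from the External source and absent from the batch are removed.
        """
        if source not in SOURCE_PRIORITY:
            raise ValueError(f"unknown source {source!r}")
        events, seen = [], set()
        for rec in records:
            if rec.account in EXCLUDED_ACCOUNTS:
                continue  # service-only accounts are never monitored
            key = user_key(rec.device, rec.account)
            seen.add(key)
            current = self.users.get(key)
            if current is None:
                self.users[key] = UserRecord(rec.device, rec.account, source, dict(rec.attributes))
                events.append(("added", rec.device, rec.account))
            elif SOURCE_PRIORITY[source] >= SOURCE_PRIORITY[current.source]:
                if current.attributes != rec.attributes:
                    events.append(("modified", rec.device, rec.account))
                self.users[key] = UserRecord(rec.device, rec.account, source, dict(rec.attributes))
            # else: lower-priority information is ignored
        if source == "external":
            # Simplification: staleness is judged per batch, not per device.
            stale = [k for k, u in self.users.items() if u.source == "external" and k not in seen]
            for k in stale:
                gone = self.users.pop(k)
                events.append(("deleted", gone.device, gone.account))
        return events


def demo() -> dict:
    """Constructed sample run exercising every rule; returns events and final state."""
    table = UserTable()
    ev1 = table.ingest("external", [
        ReportedUser("WS-01", "alice", {"sid": "S-1-5-21-1"}),
        ReportedUser("WS-01", "bob", {"sid": "S-1-5-21-2"}),
        ReportedUser("WS-01", "LocalSystem", {}),          # excluded
    ])
    ev2 = table.ingest("telemetry", [
        ReportedUser("WS-01", "alice", {"sid": "S-1-5-21-1", "admin": True}),  # overrides
        ReportedUser("WS-01", "carol", {"sid": "S-1-5-21-3"}),
    ])
    ev3 = table.ingest("external", [
        ReportedUser("WS-01", "alice", {"sid": "S-1-5-21-1"}),  # lower priority: ignored; bob dropped
    ])
    return {
        "events": ev1 + ev2 + ev3,
        "accounts": sorted(u.account for u in table.users.values()),
        "alice_admin": table.users[user_key("WS-01", "alice")].attributes.get("admin"),
    }


if __name__ == "__main__":
    for ev in demo()["events"]:
        print(*ev)
```

Note that `bob` is removed only because every row the table holds for him came from the External source; `alice`, once accepted from telemetry, survives the External batch that omits her, and the later External report does not strip the `admin` attribute that telemetry supplied.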

You can view information about users in the Assets section on the Users tab.

When viewing the table of users, you can configure the table, filter, search, and sort users, and navigate to related items. The table of all users can contain up to 200,000 users.

The application displays the following information about device users in the table and in the details area of the selected user:

When monitoring users, the application registers events using the Asset Management technology. Events are registered with system event type code 4000005600. Events are registered when user accounts are automatically added, modified, or deleted on devices.

You can edit the available settings of event types.
