Managing the NDR user activity log
This section contains information about managing logs of the NDR functionality.
Users with the Administrator role can manage the log. Users with the Security auditor role can view the log.
Logs are available when using any type of Kaspersky Anti Targeted Attack Platform license key.
Managing log storage settings
You can edit the settings of log record storage in the Central Node database.
To change the log storage settings:
- Log in to the web interface with the application administrator account.
- Select the Sensor servers section.
- Select the card of the Central Node server.
The details area is displayed in the right part of the web interface window.
- Click Edit.
In the details area, tabs are displayed, on which you can manage the settings of the server.
- On the General tab, configure the following settings in the Events, Audit entries, and Application messages sections:
- Use the Max volume setting to set a size limit for stored records. You can select the unit of measure for the value: MB or GB.
When editing this setting, keep in mind the estimated maximum number of records for the specified volume. You also need to take into account that the sum total of all size limits may not exceed the specified maximum storage capacity for the node.
- If necessary, use the Storage time (days) setting to limit the storage duration of records, and specify the duration in days.
- Click Save.
Log storage is configured.
Enabling and disabling user activity audit
You can enable or disable user activity audit for the NDR functionality.
User activity audit is enabled by default.
To enable or disable user activity audit:
- Connect to the Central Node server using the web interface.
- Select the Logs section, Audit subsection.
- Enable or disable user activity audit using the User activity audit switch in the toolbar.
- Wait for the changes to be applied. The switch does not become available again until the transition to the other state is completed.
Viewing user activity audit records
Kaspersky Anti Targeted Attack Platform can save information about actions performed by users of the NDR functionality. Information is saved in the audit log if user activity audit is enabled.
You can view audit records when connecting to the Central Node server using the web interface. If necessary, you can also configure audit records to be sent to third-party systems through connectors.
Only users with the Administrator role can view audit records.
To view audit records:
- Connect to the Central Node server using the web interface.
- Select the Logs section, Audit subsection.
The table displays audit records corresponding to the specified filtering and search conditions.
Audit record settings are displayed in the following columns of the table:
- Date and time.
Date and time when user activity information was recorded.
- Action.
Registered action performed by the user.
- Result.
Result of the registered action (successful or unsuccessful).
- User.
Name of the user that performed the registered action.
- User node.
IP address of the node where the registered action was performed.
- Description.
Additional information about the registered action.
When viewing the table of audit records, you can use the configuration, filtering, searching, and sorting functionality.
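As an added example (not part of the Kaspersky documentation), the following Python snippet shows one way a defender might triage audit records exported through a connector, keyed on the six columns listed above. The dictionary layout, the action names, the users and the addresses are constructed assumptions, not the product's export format.

```python
from collections import Counter

# Constructed sample audit records using the six columns described above.
# Action names, users and addresses are invented for illustration only.
SAMPLE_RECORDS = [
    {"Date and time": "2024-05-01 09:00:12", "Action": "Log in", "Result": "unsuccessful",
     "User": "admin", "User node": "10.0.0.5", "Description": "Wrong password"},
    {"Date and time": "2024-05-01 09:00:20", "Action": "Log in", "Result": "unsuccessful",
     "User": "admin", "User node": "10.0.0.5", "Description": "Wrong password"},
    {"Date and time": "2024-05-01 09:00:31", "Action": "Log in", "Result": "successful",
     "User": "admin", "User node": "10.0.0.5", "Description": ""},
    {"Date and time": "2024-05-01 09:02:03", "Action": "Disable user activity audit",
     "Result": "successful", "User": "admin", "User node": "10.0.0.5", "Description": ""},
    {"Date and time": "2024-05-01 09:10:44", "Action": "Edit log storage settings",
     "Result": "successful", "User": "auditor", "User node": "10.0.0.7",
     "Description": "Max volume changed"},
]


def failed_actions_by_source(records):
    """Count unsuccessful actions per (User, User node) pair."""
    counts = Counter()
    for r in records:
        if r["Result"].lower() == "unsuccessful":
            counts[(r["User"], r["User node"])] += 1
    return dict(counts)


def audit_disabled_events(records):
    """Return records showing the user activity audit being switched off.

    The action string matched here is a constructed assumption."""
    return [r for r in records
            if r["Result"].lower() == "successful"
            and "disable user activity audit" in r["Action"].lower()]


def triage(records, fail_threshold=2):
    """Summarise what deserves attention: repeated failures and audit being turned off."""
    findings = []
    for (user, node), n in failed_actions_by_source(records).items():
        if n >= fail_threshold:
            findings.append(f"{n} unsuccessful actions by {user} from {node}")
    for r in audit_disabled_events(records):
        findings.append(f"audit disabled by {r['User']} from {r['User node']} "
                        f"at {r['Date and time']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Because disabling the audit stops further records from being written, the last record of that kind is often the only trace of what followed, which is why it is surfaced separately from the failure counts.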