Contents
- Monitoring network traffic events
- NDR event scores and severity levels
- NDR event registration technologies
- NDR event statuses
- Table of registered NDR events
- Configuring the table of registered events
- Viewing events nested inside an aggregate event
- Viewing details of an NDR event
- Changing the status of an NDR event
- Adding markers
- Copying NDR events to a text editor
- Downloading traffic for events
- Creating a directory for exporting events to a network share
Monitoring network traffic events
The application registers events when analyzing network traffic. Network traffic analysis is part of the NDR functionality.
A network traffic event (also referred to as an NDR event) is a record containing information about the detection of certain changes or conditions in network traffic that require the attention of an information security professional. NDR events are registered and sent to the Central Node. The server processes the received events and stores them in the database.
An aggregate event is a special type of event that is registered when a specific sequence of NDR events is received. Aggregate events group NDR events that have some common characteristics or are related to the same process.
The application registers aggregate events in accordance with event correlation rules. An event correlation rule describes the conditions for scanning sequences of events. When a sequence of NDR events is detected that matches the conditions of the rule, the application registers an aggregate event that mentions the name of the triggered rule. Aggregate events are registered with system event type code 8000000001.
Event correlation rules are built into the application and are applied independently of the security policy.
After the application is installed, the original event correlation rules are used. To improve the effectiveness of the rules, Kaspersky regularly updates the databases with rule sets. You can update correlation rules by installing updates.
The Kaspersky Anti Targeted Attack Platform server registers NDR events in accordance with the settings specified for registering event types. You can configure these settings in the Configure event types section.
To reduce the number of frequently repeated NDR events that do not require user attention, you can create allow rules for events. NDR events that match allow rules are not registered. For example, you can use an allow rule to temporarily disable the registration of all events from a specific monitoring point. You can view allow rules for events in the Settings section, Allow rules subsection. The EVT type is specified for such rules.
The application stores NDR events and aggregate events in a database on the Central Node. The total amount of stored records cannot exceed the configured limit. If the amount exceeds the limit, the application automatically deletes the oldest records. However, if a minimum storage duration is configured, the corresponding message is logged in the application message log when deleting records whose age is less than the minimum duration. You can configure the event and incident storage settings.
You can view information about NDR events and aggregate events in the Network traffic events section. This section displays detailed information about NDR events and aggregate events and allows loading information for any period from the server database.
Actions with network traffic events are available to users with the Security officer or Senior security officer role. Users with the Security auditor role can view events.
NDR events are generated if a valid KATA+NDR license key is present. After the license key expires, created events remain available for viewing, but related alerts are not created.
NDR event scores and severity levels
NDR events in Kaspersky Anti Targeted Attack Platform are scored on a scale from 0.0 to 10.0.
If an NDR event is associated with a device, the application takes into account the available information about the device when calculating the score. The importance level of the device and the risks associated with this device are taken into account.
The base score specified for the NDR event type in the table of event types is used as the baseline for calculating the score.
If an NDR event is not associated with a device, the score of the event is equal to the base score.
The score determines the severity level of the NDR event. Depending on the numerical value of the score, an NDR event can have one of the following severity levels:
- Low (scores 0.0–3.9)
Low-severity NDR events usually do not require immediate response.
- Medium (scores 4.0–7.9)
Medium-severity NDR events contain information that must be looked at. These events may require a response.
- High (scores 8.0–10.0)
High-severity NDR events contain information that can have critical impact. These events require an immediate response.
NDR event registration technologies
Kaspersky Anti Targeted Attack Platform registers NDR events using one of the following technologies:
- Intrusion Detection (IDS)
This technology registers NDR events related to the detection of anomalies in traffic that are indicators of attacks (for example, an NDR event can be registered when indicators of ARP spoofing are detected).
- External (EXT)
This technology registers aggregate and nested NDR events that are received by the Kaspersky Anti Targeted Attack Platform from third-party systems using the methods of the Kaspersky Anti Targeted Attack Platform API.
- Asset Management (AM)
This technology registers NDR events involving the detection of information about devices in traffic or in data received from EPP applications (for example, an NDR event can be registered when a device is found to have a new IP address).
- Endpoint Protection Platform (EPP)
This technology registers NDR events for threats detected by Kaspersky applications that protect workstations and servers (for example, a malware detection event).
NDR event statuses
NDR event statuses let the application show how far security officers have progressed in processing the received information.
The following statuses can be assigned to NDR events and aggregate events:
- New.
This status is assigned to all NDR and aggregate events when they are registered in Kaspersky Anti Targeted Attack Platform.
- In process.
You can assign this status to NDR events and aggregate events that are being processed (for example, during the investigation of the reasons why these events or incidents were registered).
- Resolved.
You can assign this status to NDR events and aggregate events that have already been processed (for example, the investigation of the reasons for their registration is closed).
After the Resolved status is assigned, the application ignores NDR events and aggregate events with this status when determining the security status of devices displayed in the table of devices and on the network interactions map.
Statuses of NDR events and aggregate events must be changed manually. You can assign statuses sequentially in the order from New to Resolved. However, you can skip the In process status. After changing the status of an NDR event or aggregate event, you cannot re-assign one of the previous statuses.
If the Resolved status is assigned to an aggregate event, the status of all nested NDR events is automatically changed to Resolved, and the associated alerts are also closed.
If the Resolved status is assigned to an NDR event, aggregate events under which this NDR event is nested and the associated alerts are not closed.
Table of registered NDR events
You can view the table of registered NDR events and aggregate events in the Network traffic events section.
By default, the table of registered NDR events and aggregate events is updated in real time. At the top of the table, events with the most recent last-seen date and time values are displayed.
The last-seen date and time of an NDR or aggregate event may not be the same as the date and time of its registration. For an NDR event, the last-seen date and time may be updated during the regeneration period of that event type. For an aggregate event, the last-seen date and time is updated to match the last-seen date and time of nested NDR events.
Parameters of NDR events and aggregate events are displayed in the following columns of the table:
- Start.
For an NDR event, the date and time when the event was registered. For an aggregate event, the date and time when the first nested event was registered. You can view the date together with the time, or just the date or time by itself. To choose the information to display, select the check boxes opposite the Date and Time settings.
- Last seen
For an NDR event, the last-seen date and time of the NDR event. May contain the date and time of the event registration or the date and time when the event repetition counter was incremented if the event registration conditions recurred during the regeneration period. The value of the repetition counter is displayed in the Total appearances column. For an aggregate event, the latest last-seen date and time among events included in the aggregate event. Just like with the Start column, you can view the date together with the time, or just the date or time by itself.
- Title.
The title configured for the NDR event type.
- Score.
The calculated score for the NDR event. This numerical value determines the severity level of the NDR event. Depending on the severity level, the score can be displayed in one of the following colors:
- Red for a High-severity event.
- Yellow for a Medium-severity event.
- Blue for a Low-severity event.
- Source.
Address of the source of network packets. You can enable or disable the display of addresses and ports by using the following settings (the abbreviated names displayed in table columns are given in parentheses): IP address, Port number (P), MAC address, VLAN ID (VID), and Application-level address. If additional address spaces were added to the application, you can show or hide address space names by using the Show address spaces setting when configuring the devices table.
- Destination.
Address of the destination of network packets. The display of address information can be configured the same way as the Source column.
- Protocol.
Application layer protocol for which the event was registered.
- Technology.
Icon corresponding to the technology used to register the NDR event.
- Total appearances.
For an NDR event, the value of the repetition counter after the registration of the NDR event during the regeneration period. A value N greater than 1 means that the conditions for registering the NDR event recurred N – 1 times. For an aggregate event, this column displays a value of 1.
- ID.
Unique identifier of the registered NDR or aggregate event.
- Application.
Information about applications that caused the conditions for registering the NDR event. The NDR event stores information about applications received from EPP applications.
- Application user.
Information about the user account that started the application specified in the Application column.
- Status.
Icon corresponding to the status of the NDR event or aggregate event.
- Description.
The description specified for the NDR event type.
- End.
For an NDR event, the date and time when the Resolved status was assigned or when the regeneration period of the NDR event ended. For an aggregate event, the latest resolution date and time across nested NDR events. Just like with the Start column, you can view the date together with the time, or just the date or time by itself.
- Triggered rule.
For an NDR event, the name of the Process Control rule or Intrusion Detection rule that, when triggered, caused the NDR event to be registered. For an aggregate event, the name of the correlation rule that, when triggered, caused the aggregate event to be registered.
- Monitoring point.
Monitoring point whose traffic triggered registration of the NDR event.
- Event type.
Numeric code assigned to the NDR event type.
- Marker.
A set of icons that you can assign to any NDR or aggregate event to easily find NDR or aggregate events based on a criterion that is not present in the table.
When viewing the table of network traffic events, you can configure, filter, search, and sort records and navigate to related items.
Configuring the table of registered events
You can configure the display of the event table as follows:
- Show or hide the information panel.
- Show or hide events included in incidents.
- Show or hide the columns of the table and reorder the columns.
To configure the event table display:
- In the Network traffic events section, click the configuration icon.
This opens the table display configuration window.
- If you want to show the information panel displaying the number of events with New or In process status, select the Display information panel check box.
- Under Display embedded lists, select a display mode for NDR events nested in aggregate events:
- Flat. In this mode, the table of events displays all NDR events without regard to event nesting.
- Tree. In this mode, aggregate events are displayed as a tree of nested events and other aggregate events. If you want nested items to be displayed regardless of the current filtering and search settings, select the Show embedded events when filtering check box.
- Under Displayed columns, select check boxes next to the parameters that you want to view in the table. You must select at least one parameter.
- If you want to display the columns in a different order, select the name of the column that you want to move left or right in the table, and click the buttons with the up and down arrows.
For the Start, Last seen, and End columns, you can also change the order in which the date and time values are displayed, and for the Source and Destination columns, you can change the order in which the source and destination addresses of network packets are displayed. To do this, select the value that you want to move left or right in the table, and click the buttons with the up and down arrows.
The selected columns are displayed in the new order in the table in the Network traffic events section.
Viewing events nested inside an aggregate event
You can use the following modes to view NDR events nested in aggregate events in the table of network traffic events:
- Flat mode. In this mode, the table of NDR events displays all events without regard to event nesting.
- Tree mode. In this mode, aggregate events are displayed as trees that can be collapsed and expanded using the buttons next to the titles of aggregate events.
You can change the display mode when configuring the table of events.
Viewing details of an NDR event
Details of NDR and aggregate events are displayed in the details area in the Network traffic events section of the application web interface.
To view the details of an NDR or aggregate event:
In the Network traffic events section, select an event.
The details area is displayed in the right part of the web interface window, displaying detailed information about the selected NDR or aggregate event.
Changing the status of an NDR event
You can change the following statuses of NDR events and aggregate events:
- New. This status can be changed to In process or Resolved.
- In process. This status can be changed to Resolved.
The Resolved status cannot be changed.
If the NDR event is associated with a risk, when assigning the Resolved status to this event, you can also change the risk status to Accepted.
To change the status of NDR events and aggregate events when managing the table of events:
- In the Network traffic events section in the table of events, select the NDR events or aggregate events whose status you want to change.
- Open the Change status drop-down list in the toolbar.
- In the drop-down list, select the command for the status that you want to assign.
Some items of the drop-down list are not available in the following cases:
- The In process item is unavailable if the selected items do not include NDR events or aggregate events with the New status.
- The Resolved item is unavailable if the selected items do not include NDR events or aggregate events with the New or In process status.
If all NDR events or aggregate events that satisfy the current filtering and search conditions are selected, and the number of selected items is greater than 1000, the application does not check their statuses. In this case, the In process and Resolved items are both available. However, the In process item can be used to assign the In process status only to events and incidents that have the New status.
A window with a confirmation prompt opens.
- If the selected NDR events are associated with risks, and you want to simultaneously assign a status of Accepted to all these risks, select Assign the Accepted status for all risks related to the event if one event is selected or Assign the Accepted status for all risks related to the events if multiple events are selected.
Risks may become associated with events when registering certain types of NDR events using the Asset Management technology.
- In the prompt window, click OK.
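The status rules described above (forward-only transitions, a skippable In process status, Resolved as final, the cascade from an aggregate event to its nested events, the availability of Change status items, and the 1000-item selection rule) together with the score-to-severity thresholds, as an added Python model. This is example code, not Kaspersky's, and the class names, the risk_status field and the alert_open flag are assumptions made for the example:

```python
"""Added example, not Kaspersky's code: a small model of the NDR event status
rules described on the page (forward-only transitions, skippable In process,
final Resolved, cascade from aggregate to nested events, toolbar item
availability and the >1000 selection rule). Class and field names are my own."""
from dataclasses import dataclass, field
from typing import Optional

NEW, IN_PROCESS, RESOLVED = "New", "In process", "Resolved"
_ORDER = {NEW: 0, IN_PROCESS: 1, RESOLVED: 2}
BULK_UNCHECKED_THRESHOLD = 1000  # above this the UI skips the per-event status check


def severity(score: float) -> str:
    """Map a score to its severity level: Low 0.0-3.9, Medium 4.0-7.9, High 8.0-10.0."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if score < 4.0:
        return "Low"
    if score < 8.0:
        return "Medium"
    return "High"


@dataclass
class NdrEvent:
    event_id: str
    status: str = NEW
    risk_status: Optional[str] = None        # assumed field: e.g. "Active" for AM events tied to a risk
    parent: Optional["AggregateEvent"] = None


@dataclass
class AggregateEvent:
    event_id: str
    nested: list = field(default_factory=list)
    status: str = NEW
    alert_open: bool = True                  # assumed flag for the alert created for the aggregate event

    def add(self, event: NdrEvent) -> None:
        event.parent = self
        self.nested.append(event)


def can_transition(current: str, target: str) -> bool:
    """Statuses only move forward (New -> In process -> Resolved); In process may
    be skipped and a status can never be reassigned to an earlier one."""
    return _ORDER[target] > _ORDER[current]


def set_status(event, target: str, accept_risks: bool = False) -> None:
    if not can_transition(event.status, target):
        raise ValueError(f"{event.event_id}: cannot change {event.status!r} to {target!r}")
    event.status = target
    if target != RESOLVED:
        return
    if isinstance(event, AggregateEvent):
        # Resolving an aggregate event resolves every nested event and closes its alert.
        event.alert_open = False
        for nested in event.nested:
            if nested.status != RESOLVED:
                nested.status = RESOLVED
    else:
        # Resolving a nested NDR event leaves the parent aggregate (and its alert) untouched;
        # optionally the associated risk is set to Accepted, as offered in the confirmation prompt.
        if accept_risks and event.risk_status is not None:
            event.risk_status = "Accepted"


def available_commands(selection: list) -> set:
    """Which Change status items the toolbar offers for a selection."""
    if len(selection) > BULK_UNCHECKED_THRESHOLD:
        return {IN_PROCESS, RESOLVED}        # statuses are not checked for large selections
    statuses = {e.status for e in selection}
    commands = set()
    if NEW in statuses:
        commands.add(IN_PROCESS)
    if statuses & {NEW, IN_PROCESS}:
        commands.add(RESOLVED)
    return commands


def bulk_set_status(selection: list, target: str) -> int:
    """Apply a toolbar command to a selection; events for which the move is not
    allowed (e.g. In process on an already processed event) are skipped.
    Returns the number of events actually changed."""
    changed = 0
    for event in selection:
        if can_transition(event.status, target):
            set_status(event, target)
            changed += 1
    return changed
```

The model makes two points from the page checkable: resolving an aggregate event is the only way a single action closes nested events, and resolving a nested event never closes the aggregate above it, so a reviewer who works bottom-up still has to resolve the aggregate explicitly.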
Adding markers
Users with the Senior security officer role can assign markers to NDR events and aggregate events in the Network traffic events section of the application web interface.
A marker is an icon that helps you find NDR events and aggregate events by criteria that are not present in the table.
To assign a marker to an NDR or aggregate event:
- In the Network traffic events section, in the row with the NDR event or aggregate event, click in the Marker column.
- In the menu that is displayed, select the marker that you want to assign to this NDR event or aggregate event.
You can select one of seven markers provided by the application. The meaning of each marker is up to you to decide.
- If you need to remove a marker, select No marker in the menu.
Users with the Senior security officer and Security auditor roles can view NDR events or aggregate events with a marker.
Copying NDR events to a text editor
You can copy information about NDR events and aggregate events from the table of network traffic events to any text editor. Information is copied from the columns currently displayed in the table.
Events can be copied if no more than 200 NDR events and aggregate events are selected.
To copy NDR and aggregate events into a text editor:
- In the Network traffic events section, select the NDR events and aggregate events that you want to copy to a text editor.
- Right-click to open the context menu of one of the selected events.
- In the context menu, select one of the following commands:
- Copy details of the event if a single NDR or aggregate event is selected.
- Copy details of the selected events if multiple NDR events or aggregate events are selected.
- Open any text editor.
- In the text editor window, paste the events (for example, by pressing Ctrl+v).
The copied event information can be edited in the text editor. Information about multiple events is delimited by empty lines.
Downloading traffic for events
When viewing the table of events, you can download traffic related to registered NDR events and aggregate events. Traffic is downloaded as a PCAP file (if one event is selected) or as a ZIP archive containing PCAP files (if multiple events are selected).
You can download traffic if no more than 200 events are selected in the table of events (also counting events nested inside aggregate events).
Traffic for events is downloaded from the application database. Traffic can be stored in the database for registered NDR events if traffic saving is enabled for these events. The application can also directly save traffic in the database upon request to download traffic, using traffic dump files. These files are used for temporary storage and are automatically deleted as new traffic arrives (the rotation period depends on the amount of traffic and the application storage configuration). To guarantee the availability of traffic for download, we recommend enabling traffic saving for the relevant event types and configuring traffic storage in the database in accordance with the rate of traffic accumulation and the rate of event registration.
To download a traffic file for NDR events or aggregate events:
- In the Network traffic events section, select the NDR events and aggregate events for which you want to download traffic.
- Click Download traffic.
- If file generation takes a long time (more than 15 seconds), the file generation operation becomes a background operation. In that case, follow these steps to download the file:
- Click the background operations button in the application web interface menu.
This opens the list of background operations.
- Wait for the file generation operation to complete.
- Click the Download file button.
Your browser saves the downloaded file. Depending on your browser's settings, a window may be displayed on your screen in which you can specify the path and name of the downloaded file.
Creating a directory for exporting events to a network share
You can export events and save a file with exported events on a network share of the Server computer. For the network share, you can use the Network File System (NFS) protocol, which lets you mount a share of another computer (for example, an NFS server export point) in the local file system of the Server computer. The directory is created and the network share is mounted using standard tools of the operating system.
When using the NFS protocol, the rpcbind software package is activated in the operating system. Keep in mind that attackers may try to use this software package to carry out some types of DDoS attacks. To eliminate the threat of intrusion, you must configure the firewall. In CentOS Stream, we recommend using the firewalld utility to configure the firewall.
Manually creating a directory and mounting a network share
To create a directory for saving files to a network share:
- Open the console of your operating system.
- Create a local directory in which you will mount the network share. To do so, enter the following command:
mkdir <full path to the local directory>
For example:
mkdir ~/nfsshare
- After creating the directory, enter the command to mount the network share:
sudo mount -t nfs <name or IP address of the remote computer>:<full path to the network share> <full path to the local directory>
For example:
sudo mount -t nfs nfs-server.example:/nfsshare ~/nfsshare
- Confirm the success of the mounting:
mount | grep <full path to the local directory>
For example:
mount | grep ~/nfsshare
If the mount is successful, the displayed information contains the name or IP address of the remote computer, the name of the network share, and the name of the parent directory.
Automatically mounting a network share
To configure automatic mounting of a network share in the CentOS operating system:
Open the /etc/fstab file for editing as root and add the following line to the file:
<name or IP address of the remote computer>:<full path to the network share> <full path to the local directory> nfs defaults 0 0
For example:
nfs-server.example:/nfsshare /home/user1/nfsshare nfs defaults 0 0
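The manual procedure (create the directory, mount, confirm with the mount listing) and the /etc/fstab entry above, as an added Python helper that is not Kaspersky's code. The server, share and directory names are placeholders supplied by the caller; the mount check deliberately matches the whole mount-point token instead of the plain grep from the page, because grep also matches longer paths (nfsshare2, nfsshare/sub). The rpcbind_firewall_commands function is an assumption built on the firewalld recommendation in the text: it admits port 111 only from the NFS server's IPv4 address and presumes port 111 is otherwise closed in the active zone.

```python
"""Added example, not Kaspersky's code: performs the three manual steps from this
page (create the local directory, mount the NFS share, confirm the mount), builds
the /etc/fstab line for automatic mounting, and lists firewalld commands that
limit rpcbind (port 111) to the NFS server. Server/share/directory names are
placeholders supplied by the caller."""
import os
import re
import subprocess
import sys


def fstab_line(server: str, share: str, local_dir: str) -> str:
    """The /etc/fstab entry in the form shown on the page."""
    return f"{server}:{share} {local_dir} nfs defaults 0 0"


def find_nfs_mount(mount_output: str, local_dir: str):
    """Return the 'server:share' mounted on local_dir, or None.

    A plain `grep <dir>` over `mount` output also matches longer paths such as
    <dir>2 or <dir>/sub, so the mount point is matched as a whole token here and
    the filesystem type is required to be nfs or nfs4."""
    pattern = re.compile(r"^(?P<source>\S+) on (?P<target>\S+) type (?P<fstype>nfs4?) ")
    for line in mount_output.splitlines():
        m = pattern.match(line)
        if m and m.group("target") == local_dir:
            return m.group("source")
    return None


def mount_share(server: str, share: str, local_dir: str) -> str:
    """mkdir + mount + verification; raises RuntimeError if the mount is not visible."""
    local_dir = os.path.abspath(os.path.expanduser(local_dir))
    os.makedirs(local_dir, exist_ok=True)
    subprocess.run(["sudo", "mount", "-t", "nfs", f"{server}:{share}", local_dir], check=True)
    listing = subprocess.run(["mount"], capture_output=True, text=True, check=True).stdout
    source = find_nfs_mount(listing, local_dir)
    if source is None:
        raise RuntimeError(f"{server}:{share} is not mounted on {local_dir}")
    return source


def rpcbind_firewall_commands(server_ip: str) -> list:
    """firewalld rich rules admitting rpcbind (port 111) traffic only from the NFS
    server. Assumption for this example: a CentOS Stream host running firewalld
    with port 111 not opened in the active zone, so everything else stays blocked."""
    commands = []
    for proto in ("tcp", "udp"):
        rule = (f'rule family="ipv4" source address="{server_ip}" '
                f'port port="111" protocol="{proto}" accept')
        commands.append(["sudo", "firewall-cmd", "--permanent", f"--add-rich-rule={rule}"])
    commands.append(["sudo", "firewall-cmd", "--reload"])
    return commands


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <server> <share> <local dir>")
    srv, shr, ldir = sys.argv[1:]
    print("mounted", mount_share(srv, shr, ldir))
    print("add to /etc/fstab:", fstab_line(srv, shr, os.path.abspath(os.path.expanduser(ldir))))
```

Run it as `python3 mount_export_share.py nfs-server.example /nfsshare ~/nfsshare` on the Server computer; the fstab line is printed rather than written so it can be reviewed before editing /etc/fstab as root. The firewalld commands are returned as argument lists so they can be inspected, logged, or passed to subprocess.run once the server address is confirmed.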