Contents
- For security officers: Getting started with the application web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Selecting a tenant to manage in the web interface of the application
- Monitoring the performance of the application
- About widgets and layouts
- Adding a widget to the current layout
- Moving a widget in the current layout
- Changing the display of information in NDR widgets
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the data display period in widgets
- Configuring the widget display scale
- Basics of managing "Alerts" type widgets
- Information in the Devices widget
- Information in the Events widget
- Viewing the working condition of modules and components of the application
- Managing technologies
- Viewing the alert table
- Configuring the alert table display
- Filtering, sorting, and searching alerts
- Filtering alerts by VIP status
- Filtering and searching alerts by time
- Filtering alerts by level of importance
- Filtering and searching alerts by categories of objects detected
- Filtering and searching alerts by obtained information
- Filtering and searching alerts by source address
- Filtering and searching alerts by destination address
- Filtering and searching alerts by server name
- Filtering and searching alerts by technology name
- Filtering and searching alerts by the status of their processing by the user
- Filtering and searching alerts by the name of the user to which they are assigned
- Sorting alerts in the table
- Quickly creating an alert filter
- Saving filters
- Resetting the alert filter
- Recommendations for processing alerts
- Recommendations for processing AM alerts
- Recommendations for processing TAA alerts
- Recommendations for processing SB alerts
- Recommendations for processing IOC alerts
- Recommendations for processing YARA alerts
- Recommendations for processing IDS alerts
- Recommendations for processing NDR:IDS and NDR:EA alerts
- Viewing alerts
- Viewing alert details
- General information about an alert of any type
- Information in the Object information section
- Information in the Alert details section
- Information in the Information about scanning using NDR technologies section
- Information in the Scan results section
- Information in the IDS rule section
- Information in the URL section
- Information in the IP addresses of detection-related devices section
- Information in the Network event section
- Scan results in Sandbox
- IOC scan results
- Information in the Hosts section
- Information in the Change log section
- Sending alert data
- Viewing alert relations
- User actions performed on alerts
- Monitoring network traffic events
- NDR event scores and severity levels
- NDR event registration technologies
- NDR event statuses
- Table of registered NDR events
- Configuring the table of registered events
- Viewing events nested inside an aggregate event
- Viewing details of an NDR event
- Changing the status of an NDR event
- Adding markers
- Copying NDR events to a text editor
- Downloading traffic for events
- Creating a directory for exporting events to a network share
- Events database threat hunting
- Searching for events in builder mode
- Searching for events in source code mode
- Converting a builder query for searching events in source code mode
- Event search criteria
- Operators
- Sorting events in the table
- Changing the event search conditions
- Searching for events by processing results in EPP applications
- Searching for events using conditions specified in an IOC or YAML file
- Creating a TAA (IOA) rule based on event search conditions
- Event information
- Recommendations for processing events
- Information about events in the tree of events
- Viewing the table of events
- Configuring the event table display
- Viewing information about an event
- Information about the "Process started" event
- Information about the "Process terminated" event
- Information about the "Module loaded" event
- Information about the "Remote connection" event
- Information about the "Prevention rule" event
- Information about the "Document blocked" event
- Information about the "File modified" event
- Information about the "System event log" event
- Information about the "Changes in the registry" event
- Information about the "Port listened" event
- Information about the "Driver loaded" event
- Information about the "DNS" event
- Information about the "LDAP" event
- Information about the "Named pipe" event
- Information about the "WMI" event
- Information about the "Alert" event
- Information about the "Alert processing result" event
- Information about the "Interpreted file run" event
- Information about the "AMSI scan" event
- Information about the "Interactive command input at the console" event
- Information about the "Code injection" event
- Information about the "Process access" event
- Event chain scanning by Kaspersky TAA (IOA) rules
- Managing assets
- Viewing the table of devices
- Viewing device information
- Automatically adding and updating devices
- Manually adding devices
- Automatically assigning device status
- Automatically grouping devices based on a criterion
- Manually arranging devices into groups
- Moving servers with components and groups to other groups on the network interactions map
- Device group tree
- Manually editing the device group tree
- Adding and removing device labels
- Group response
- Monitoring users on devices
- Monitoring file execution on devices
- Active device polling jobs
- Configuring address spaces
- Managing the network interactions map
- Nodes on the network interactions map
- Device groups on the network interactions map
- Links on the network interactions map
- Viewing object details
- Zooming the network interactions map
- Positioning the network map
- Pinning and unpinning nodes and groups
- Manually rearranging nodes and groups
- Automatically arranging nodes and groups
- Searching for nodes on the network interactions map
- Filtering objects on the network interactions map
- Saving and loading the display settings of the network interactions map
- Adding a new view and saving the current display settings of the network interactions map
- Refreshing a view while keeping the current display settings of the network interactions map
- Renaming a network interactions map view
- Deleting a network interactions map view
- Applying settings saved in the view to the network interactions map
- Monitoring network sessions
- Monitoring risks
- Configuring NDR event types
- Viewing the table of event types
- Editing the settings of a system event type
- Configuring automatic saving of traffic for system event types
- Configuring the forwarding of events through connectors
- Common substitution variables in Kaspersky Anti Targeted Attack Platform
- NDR event registration technologies
- System event types in Kaspersky Anti Targeted Attack Platform
- Configuring risk types
- System event types in Kaspersky Anti Targeted Attack Platform
- Managing Endpoint Agent host information
- Viewing the table of hosts with the Endpoint Agent component
- Configuring the display of the table of hosts with the Endpoint Agent component
- Viewing information about a host
- Filtering and searching hosts with the Endpoint Agent component by host name
- Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
- Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
- Filtering and searching hosts with the Endpoint Agent component by computer IP address
- Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
- Filtering and searching hosts with the Endpoint Agent component by component version
- Filtering and searching hosts with the Endpoint Agent component by their activity
- Quickly creating a filter for hosts with the Endpoint Agent component
- Resetting the filter for hosts with the Endpoint Agent component
- Removing hosts with the Endpoint Agent component
- Supported interpreters and processes
- Network isolation of hosts with the Endpoint Agent component
- Automatically sending files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules
- Selecting operating systems to use when scanning objects in Sandbox
- Managing tasks
- Viewing the task table
- Viewing information about a task
- Creating a get file task
- Creating a forensic collection task
- Creating a registry key retrieval task
- Creating an NTFS metafile retrieval task
- Creating a process memory dump retrieval task
- Creating a disk image retrieval task
- Creating a RAM dump retrieval task
- Creating a process termination task
- Creating a task to scan hosts using YARA rules
- Creating a service management task
- Creating an application execution task
- Creating a file deletion task
- Creating a file quarantine task
- Creating a quarantined file recovery task
- Creating a copy of a task
- Deleting tasks
- Filtering tasks by creation time
- Filtering tasks by type
- Filtering tasks by name
- Filtering tasks by file name and path
- Filtering tasks by description
- Filtering tasks by server name
- Filtering tasks based on the name of the user that created the task
- Filtering tasks by processing status
- Clearing a task filter
- Managing policies (prevention rules)
- Viewing the prevention rule table
- Configuring prevention rule table display
- Viewing a prevention rule
- Creating a prevention rule
- Importing prevention rules
- Enabling and disabling a prevention rule
- Enabling and disabling presets
- Deleting prevention rules
- Filtering prevention rules by name
- Filtering prevention rules by type
- Filtering prevention rules by file hash
- Filtering prevention rules by server name
- Clearing a prevention rule filter
- Managing user-defined rules
- Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting
- Managing user-defined TAA (IOA) rules
- Viewing the TAA (IOA) rule table
- Creating a TAA (IOA) rule based on event search conditions
- Importing TAA (IOA) rules
- Viewing custom TAA (IOA) rule details
- Searching for alerts and events in which TAA (IOA) rules were triggered
- Filtering and searching TAA (IOA) rules
- Resetting the TAA (IOA) rule filter
- Enabling and disabling TAA (IOA) rules
- Modifying a TAA (IOA) rule
- Deleting TAA (IOA) rules
- Managing user-defined IOC rules
- Viewing the table of IOC files
- Viewing information about an IOC file
- Uploading an IOC file
- Downloading an IOC file to a computer
- Enabling and disabling the automatic use of an IOC file when scanning hosts
- Deleting an IOC file
- Searching for alerts in IOC scan results
- Searching for events using an IOC file
- Filtering and searching IOC files
- Clearing an IOC file filter
- Configuring an IOC scan schedule
- Managing user-defined Intrusion Detection rules
- Managing user-defined YARA rules
- Managing objects in Storage and Quarantine
- Viewing the table of objects that were placed in Storage
- Viewing information about an object manually placed in Storage using the web interface
- Viewing information about an object placed in Storage by a get file task
- Viewing information about an object placed in Storage by a get data task
- Downloading objects from Storage
- Uploading objects to Storage
- Sending objects in Storage for scanning
- Deleting objects from Storage
- Filtering objects in Storage by object type
- Filtering objects in Storage by object description
- Filtering objects in Storage based on scan results
- Filtering objects in Storage based on the name of Central Node, PCN, or SCN server
- Filtering objects in Storage by object source
- Filtering objects based on the time they were placed in Storage
- Clearing a Storage objects filter
- Viewing the table of objects quarantined on computers with the Kaspersky Endpoint Agent component
- Viewing information about a quarantined object
- Restoring an object from quarantine
- Obtaining a copy of a quarantined object on a Kaspersky Anti Targeted Attack Platform server
- Removing information about the quarantined object from the table
- Filtering information about quarantined objects by object type
- Filtering information about quarantined objects by object description
- Filtering information about quarantined objects by host name
- Filtering information about quarantined objects by time
- Resetting the filter for information about quarantined objects
- Managing reports
- Managing common reports
- Viewing the table of templates and reports
- Creating a template
- Creating a report based on a template
- Viewing a report
- Downloading a report to a local computer
- Editing a template
- Filtering templates by name
- Filtering templates based on the name of the user that created the template
- Filtering templates by creation time
- Clearing a template filter
- Deleting a template
- Filtering reports by creation time
- Filtering reports by name
- Filtering reports by the name of the server with the Central Node component
- Filtering reports based on the name of the user that created the report
- Clearing a report filter
- Deleting a report
- Managing NDR reports
- Viewing the table of NDR report templates
- Viewing NDR report template details
- Viewing the table of NDR reports
- Manually generating an NDR report based on a template
- Duplicating an NDR report template
- Editing an NDR report template
- Exporting an NDR report to a file
- Deleting an NDR report template
- Deleting an NDR report
- Canceling NDR report generation
- Managing the settings for storing report files
- Managing common reports
- Managing rules for assigning the VIP status to alerts
- Viewing the table of VIP status assignment rules
- Creating a VIP status assignment rule
- Deleting a VIP status assignment rule
- Modifying a VIP status assignment rule
- Importing a list of VIP status assignment rules
- Exporting the list of data excluded from the scan
- Filtering and searching by type of VIP status assignment rule
- Filtering and searching by value of VIP status assignment rule
- Filtering and searching by description of VIP status assignment rule
- Clearing a VIP status assignment rule filter
- Managing allow rules for NDR events
- Managing the list of scan exclusions
- Viewing the table of data excluded from the scan
- Adding a scan exclusion rule
- Deleting a scan exclusion rule
- Editing a rule added to scan exclusions
- Exporting the list of data excluded from the scan
- Filtering rules in the scan exclusion list by criterion
- Searching for rules in the scan exclusion list by value
- Resetting the rule filter in the scan exclusion list
- Managing Intrusion Detection rule exclusions
- Managing TAA exclusions
- Managing ICAP exclusions
- Viewing the ICAP exclusion table
- Adding a rule to ICAP exclusions
- Removing rules from ICAP exclusions
- Editing or disabling a rule in the ICAP exclusion list
- Filtering rules in the ICAP exclusion list by criterion
- Filtering rules in the ICAP exclusion list by value
- Filtering rules in the ICAP exclusion list by state
- Clearing rule filter conditions in the ICAP exclusion list
- Managing mirrored traffic from SPAN ports
- Creating a list of passwords for archives
- Managing Central Node or Sensor server information
- Viewing server settings
- Viewing the table of servers with the Sandbox component
- Viewing the settings of the set of operating systems used for scanning objects in Sandbox
- Viewing the table of external systems
For security officers: Getting started with the application web interface
This section is intended for specialists who are in charge of providing data security within an organization. It contains information and instructions on configuring resources for the security of a corporate IT infrastructure and timely detection of threats.
The application allows multiple security officers to work together.
Kaspersky Anti Targeted Attack Platform Interface
The application is managed through the web interface. The sections of the web interface that are available depend on the role of the user: Administrator, or one of the security officer roles (Senior security officer, Security officer, Security auditor).
The window of the application web interface contains the following:
- Sections in the left part and in the lower part of the application web interface window.
- Tabs in the upper part of the application web interface window for certain sections of the application.
- The workspace in the lower part of the application web interface window.
Sections of the application web interface window
The application web interface provides the following sections for users with the Senior security officer, Security officer, and Security auditor roles:
- Dashboard. Contains Kaspersky Anti Targeted Attack Platform Monitoring data.
For users with the Security auditor role, the Dashboard window contains the following sections: Alerts, System health.
- Alerts. Contains information about alerts in the network of the tenant to which you have access.
- Network traffic events. Information about events and aggregate events in network traffic.
- Threat Hunting. Contains information about events found on hosts of the tenant to which you have access.
- Tasks. Contains information about tasks that you can use to manage files and applications on hosts.
- Prevention. Contains information about policies that you can use to prevent files from running on selected hosts.
- Custom rules: TAA, Intrusion detection, IOC, YARA, Sandbox. Contains information for managing user-defined rules.
- Storage: Files and Quarantine. Contains information for managing objects in Quarantine and Storage.
- Assets. Contains information about computers with the Kaspersky Endpoint Agent component and their settings.
- Network map: Network interactions map, Topology map, Network sessions. Contains information about the interaction of devices at different periods of time, diagrams of physical connections of devices in the network and information about network sessions.
- Risks and anomalies. Contains information about the risks to which the resources of the information system are exposed.
- Reports: Generated reports and Templates. Contains a report builder and a list of generated reports about alerts.
- Logs: Application messages. Contains information about application performance.
- Settings: Connectors, Secrets, IOC scanning schedule, Endpoint Agents, KPSN reputation database, Notification rules, VIP status, Exclusions, Allow rules, Sandbox servers, Passwords for archives, and License. Contains the settings of connectors, secrets, the IOC scan schedule, the Endpoint Agent component, publishing objects in KPSN, and assigning the VIP status to alerts based on information contained in alerts; the list of allowed objects; the IDS, TAA (IOA), and ICAP rules excluded from scanning; passwords of archives; and added license keys.
For users with the Security auditor role, the web interface of the application contains the following sections in addition to those listed above:
- Operating mode. Contains information about PCN and SCN servers and about tenants in and .
- Sensor servers. Contains information about Central Node components and Sensor components connected to them.
- Sandbox servers. Contains information about the connection of the Central Node component to Sandbox components.
- External systems. Contains information about application integration with mail sensors.
- Server configuration. Contains information about the sizing parameters of the application.
Workspace of the application web interface window
The workspace displays the information you choose to view in the sections and on the tabs of the application web interface window. It also contains control elements that you can use to configure how the information is displayed.
Selecting a tenant to manage in the web interface of the application
If you are using the distributed solution and multitenancy mode with a Senior security officer or Security officer account, before you begin using the web interface, you must select the tenant that you want to manage in the application web interface.
To select a tenant to manage in the web interface of the application:
- In the upper part of the application web interface menu, click the arrow next to the name of the tenant.
- In the Select tenant drop-down list, select a tenant.
You can also start typing the name of the tenant in the search box and select the tenant from the list of search results.
All actions in the application web interface are applied to the selected tenant. If you want to select a different tenant, repeat the steps to select the tenant.
Users with the Security auditor role cannot select a tenant to manage in the web interface.
Monitoring the performance of the application
You can monitor application operation using the widgets in the Dashboard section of the application web interface window. You can add, delete, and move widgets, configure the display scale of widgets, and select the data display period.
About widgets and layouts
You can use widgets to monitor application operation.
A layout is the appearance of the workspace of the application web interface window in the Dashboard section. You can add, delete, and move widgets in the layout, as well as configure the scale of widgets.
If you are using the distributed solution and multitenancy mode, this section displays information for the selected tenant. NDR widgets display information only for the current or selected node.
By default, this section displays information only on alerts that were not processed by users. To also display information on processed alerts, enable the Show closed alerts toggle switch in the upper-right corner of the window.
The Dashboard section displays the following widgets:
- Alerts:
- Alerts by status. Displays the alert status depending on the Kaspersky Anti Targeted Attack Platform user processing the alert and on whether or not this alert has been processed.
- Alerts by technology. Displays the names of the application modules or components that generated the alert.
- Alerts by attack vector. Displays detected objects based on the vector of the attack.
- VIP alerts by importance. Displays the importance of alerts with VIP status depending on the impact that these alerts may have on the security of computers or the corporate LAN based on Kaspersky experience.
- Alerts by importance. Displays the importance of alerts for users of the Kaspersky Anti Targeted Attack Platform depending on the impact that these alerts may have on the security of computers or the corporate LAN based on Kaspersky experience.
The left part of each widget displays attack vectors, alert importance levels, alert states, and scanning technologies that generated the alerts. The right part of each widget displays the number of times the alerts were triggered during the selected period for data display in widgets.
Clicking the link with the name of the attack vector, alert importance level, alert state, and the scanning technology that generated the alert takes you to the Alerts section of the application web interface where you can view related alerts. Alerts are filtered based on the selected element.
- Top 10:
- Domains. 10 domains most frequently seen in alerts.
- IP addresses. 10 IP addresses most frequently seen in alerts.
- Sender's email addresses. 10 email senders most frequently seen in alerts.
- Recipient's email addresses. 10 email recipients most frequently seen in alerts.
- TAA hosts. 10 hosts that occur most frequently in events and alerts generated by the Targeted Attack Analyzer (TAA) technology.
- TAA rules. 10 TAA (IOA) rules that occur most frequently in events and alerts generated by the Targeted Attack Analyzer (TAA) technology.
- Sent to Sandbox by TAA rules. 10 TAA (IOA) rules that most frequently cause Kaspersky Anti Targeted Attack Platform to send files for scanning by the Sandbox component.
The left part of each widget lists the domains, IP addresses, sender and recipient email addresses, host names, and TAA (IOA) rule names. The right part of each widget displays the number of times the alerts were triggered during the selected period for data display in widgets.
By clicking the link with the name of each domain, recipient address, IP address, and message sender address, you can go to the Alerts section of the application web interface and view related alerts.
Click the link with the host name and the name of the TAA (IOA) rule to go to the Events section of the application web interface and view related events.
Alerts and events are filtered based on the selected element.
- NDR:
- Network traffic event scores. Bar graph of the distribution of events by their scores for the selected period. The bars correspond to integer values of scores. You can change the data display mode to a pie chart with the distribution of events by severity levels. Depending on its score, an event may have a Low (0.0–3.9), Medium (4.0–7.9), or High (8.0–10.0) severity.
- Network traffic events by technology. How many events have been registered by which event registration technology during the selected period.
- Device security status. Distribution of devices by their security states.
- Frequent application users in network traffic events. User names most frequently registered in events based on information from EPP applications for the selected period.
- Frequent applications in network traffic events. Third-party applications most frequently registered in events based on information from EPP applications for the selected period.
- Frequent devices in network traffic events. The most frequently registered devices in events for the selected period.
- Frequent devices by risk count. The most frequently registered devices in detected risks for the selected period.
- Risk scores. Bar graph of the distribution of risks by their scores for the selected period. The bars correspond to integer values of scores. You can change the data display mode to a pie chart with the distribution of risks by severity levels. Depending on its score, a risk may have a Low (0.0–3.9), Medium (4.0–7.9), or High (8.0–10.0) severity.
- Custom widget. You can create widgets with arbitrary content. For example, you can use custom widgets to logically separate groups of widgets in the Dashboard section.
- Devices. Contains information about devices on the network (arranged by device category).
- Network traffic events. Contains information about the NDR events and aggregate events that have the most recent last-seen date and time.
- Situational awareness. Notifications about currently identified threats to system security (for example, Detected 10 unauthorized network interactions). The widget displays notifications in order of their importance.
- Protection by EPP applications. Ratio of the number of computers protected by EPP applications to the number of computers not protected by EPP applications. The total number of protected and unprotected computers is displayed in the center of the pie chart.
A computer is considered protected by an EPP application if Kaspersky Anti Targeted Attack Platform is aware of the following conditions being satisfied:
- An EPP application is installed on the computer.
- The Real-Time Protection task is running for the EPP application.
- The connection of the EPP application to the integration server has the Active status.
A computer is considered unprotected by an EPP application if at least one of the conditions is not satisfied. The check for the lack of EPP application protection is performed for all devices in Kaspersky Anti Targeted Attack Platform that contain the name of the Windows operating system (any version) as the installed operating system, or if the devices belong to one of the following categories:
- Server
- Workstation
For correct information to be displayed in NDR widgets, you must configure the synchronization of date and time between Central Node and Sensor components.
Widgets display only basic information that changes dynamically. If you need to view detailed information (for example, about devices with issues), you can navigate from the Dashboard section to other sections of the application web interface. You can navigate the web interface by clicking widgets.
Adding a widget to the current layout
To add a widget to the current layout:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Customize.
- Click Widgets.
- In the Manage widgets window that opens:
- If you want to add a widget associated with alerts or rules, in the Alerts or Top 10 list, select the toggle switch next to the widget that you want to add.
- If you want to add a widget related to the NDR functionality, click the button in the [NDR] list next to the name of the widget that you want to add.
- Close the Manage widgets window and click Apply.
The widget is added to the current layout.
Moving a widget in the current layout
To move a widget in the current layout:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Customize.
- Select the widget that you want to move within the layout.
- Click and hold the upper part of the widget to drag and drop the widget to a different place in the layout.
- Click Apply.
The current layout is saved.
Changing the display of information in NDR widgets
After an NDR widget is added, it displays information in accordance with the default settings. If necessary, you can edit the display settings.
To edit NDR widget display settings:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Customize.
- In the upper-right corner of the NDR widget that you want to configure, click the button.
This opens the display settings window.
- Manage the settings of the widget.
Depending on the selected NDR widget, the window may contain the following settings:
- Change name – if the Change name check box is selected, you can define any name for the widget (different from the default name) in the Widget name field. The Change name setting is absent from custom widgets.
- Widget name – field for entering a widget name different from the default name.
- Edit description – if the Edit description check box is selected, you can provide any description for the widget (different from the default description) in the Widget description field. The Edit description setting is absent from custom widgets.
- Widget description – field for entering a widget description different from the default description.
- Refresh period – the time in seconds after which the displayed information is updated.
- Defined background – defines the color of the background on the custom widget. You can choose a background color that corresponds to one of the severity levels (Info, Warning, or Critical) or select Neutral to disable background coloring.
- Display mode – determines how data is displayed in the widget. You can configure the display of information as a bar chart or a pie chart.
- Take into account events with Resolved status – if Take into account events with Resolved status is selected, the widget displays data for all events, including events that have the Resolved status.
- Include remediated and accepted risks – if Include remediated and accepted risks is selected, the widget displays data for all risks, including remediated and accepted risks.
- Click Apply.
Removing a widget from the current layout
To remove a widget from the current layout:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Customize.
- Click the icon in the upper-right corner of the widget that you want to remove from the layout.
The widget is removed from the workspace of the application web interface window.
- Click Apply.
The widget is removed from the current layout.
Saving a layout to PDF
NDR widgets in the layout are not saved to PDF.
To save a layout to PDF:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the menu button.
- In the drop-down list, select Save as PDF.
This opens the Saving as PDF window.
- In the lower part of the window, in the Layout drop-down list, select the page orientation.
- Click Download.
The layout in PDF format is saved to the hard drive of your computer in the downloads folder of the browser.
- Click Close.
Configuring the data display period in widgets
You can configure the display of data in widgets for the following periods:
- Day.
- Week.
- Month.
For NDR widgets, you can use the following periods:
- 1h
- 12h
- 24h
- 7d
You can configure a data display period for each individual NDR widget.
To configure the display of data in widgets for a day (from 00:00 a.m. to 11:59 p.m.):
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the application web interface window, in the drop-down list of data display periods, select Day.
- In the calendar to the right of the Day period name, select the date for which you want to display data in the widget.
All widgets on the Dashboard page display data for the period you selected.
To configure the display of data on widgets for a week (Monday through Sunday):
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the application web interface window, in the drop-down list of data display periods, select Week.
- In the calendar to the right of the Week period name, select the week for which you want to display data in the widget.
All widgets on the Dashboard page display data for the period you selected.
To configure the display of data in widgets for a month (calendar month):
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the application web interface window, in the drop-down list of data display periods, select Month.
- In the calendar to the right of the Month period name, select the month for which you want to display data in the widget.
All widgets on the Dashboard page display data for the period you selected.
Changing the display of information in widgets
To configure the display of information in an NDR widget:
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the NDR widget that you want to configure, click the button that stands for the time interval that you need.
The NDR widget displays information for the selected period.
Configuring the widget display scale
You can configure the display scale for "Alerts" type widgets. The icon in the upper right corner of a widget means you can configure the scale for that widget.
To configure the display scale for widgets:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the menu button.
- In the drop-down list, select Customize.
- Click the scale icon in the upper right corner of the widget.
- In the drop-down list, select one of the following widget display sizes:
- 1x1.
- 2x1.
- 3x1.
The display scale of the selected widget is modified.
- Repeat the steps for all widgets for which you want to set the display scale.
- Click Save.
The display scale of widgets is configured.
Basics of managing "Alerts" type widgets
You can configure the display scale for all "Alerts" type widgets.
The left part of each widget displays the legend for colors used in widgets.
Example: The Alerts by importance widget displays the number of alerts of various importance. Importance—Alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this alert may have on computer or corporate LAN security based on Kaspersky experience. In the Alerts by importance widget, the following colors correspond to importance levels:
To the right of the legend, the number of alerts of each type for the selected data display period is displayed.
By clicking the link with the type of each alert, you can go to the Alerts section of the application web interface and view all alerts of this type. Alerts are filtered based on the specific type.
Example: The Alerts by attack vector widget displays Files from email alerts, which indicate the number of files that Kaspersky Anti Targeted Attack Platform detected in mail traffic for the selected period. Clicking the Files from email link opens the Alerts section and displays all alerts associated with the detection of files in mail traffic for the selected period. Data will be filtered based on the following parameters: Object type=FILE and Object source=MAIL.
The right part of each widget displays data columns. The vertical axis shows the number of events, and the horizontal axis shows the date and time of the alert creation. You can edit the period of data display in widgets and select the tenant for which information is displayed in the widget.
Position your mouse cursor on each data column to display the number of alerts counted for the period represented by the specific column. The number of unprocessed alerts is displayed by default. You can enable the display of processed alerts by selecting the Processed check box in the upper-right corner of the window. In this case, the total number of all alerts will be displayed.
Information in the Devices widget
The Devices widget in the Dashboard section belongs to the NDR functionality and displays information about devices in the list of devices known to the application.
The widget provides the following information:
- Information about how many devices the application knows for each category. This information is displayed in the upper part of the widget as category icons. Under each category icon, the number of devices of that category is displayed. If the list of devices known to the application contains devices with issues, the icons of the corresponding categories have a warning badge.
- List of categories with devices with issues. This information is displayed in the middle part of the widget if such devices exist. The space for displaying graphics is limited by the size of the widget.
Devices with issues
The application considers that a device has issues in any of the following cases:
- The device has a status of Authorized and a security state other than OK.
- The device has a status of Unauthorized.
If any devices have issues, the following information is displayed for each category in the list:
- A line with the category icon, a text description, and a link with the number of devices with issues.
- A line with graphical representations of devices. This line is displayed if the widget has sufficient free space. The number of graphics in the line depends on the current size of the web browser window. If there are more devices with issues than represented in the line, the number of hidden devices is displayed on the right, in the "+ <number of devices>" format.
Device graphics
Graphical representations of devices include the following information:
- Device name.
- Device status. This is displayed as an icon if the device has a status of Unauthorized.
- Device security status. Displayed as a colored line on the left border of the graphic. The color of the line corresponds to the OK, Warning, or Critical states.
The graphics are displayed in the following order:
- Devices assigned a status of Unauthorized.
- Devices with a Critical security state.
- Devices with a Warning security state.
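The two rules above (which devices count as having issues, and the order in which their graphics appear) are easy to reproduce outside the dashboard, for example when exporting the same "needs attention" view for a ticketing system. The following Python is an added example, not code from the application or from Kaspersky; the Device data model, the category names and the sample devices are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical data model for the devices list; field names are assumptions,
# not the application's own API.
@dataclass(frozen=True)
class Device:
    device_id: str
    name: str
    category: str        # e.g. "PLC", "HMI" (constructed category names)
    status: str          # "Authorized" or "Unauthorized"
    security_state: str  # "OK", "Warning" or "Critical"

# Order of graphics documented for the widget: Unauthorized first, then
# Critical, then Warning. OK devices never appear because they have no issues.
_STATE_RANK = {"Critical": 0, "Warning": 1, "OK": 2}


def has_issues(device: Device) -> bool:
    """A device has issues if it is Unauthorized, or Authorized with a security state other than OK."""
    if device.status == "Unauthorized":
        return True
    return device.status == "Authorized" and device.security_state != "OK"


def display_order(device: Device) -> tuple:
    """Sort key reproducing the documented order of device graphics."""
    unauthorized_first = 0 if device.status == "Unauthorized" else 1
    return (unauthorized_first, _STATE_RANK.get(device.security_state, 3), device.name)


def category_summary(devices: list) -> dict:
    """Per category: device count, devices with issues in display order, and whether the icon gets a warning badge."""
    summary: dict = {}
    for device in devices:
        entry = summary.setdefault(device.category, {"total": 0, "with_issues": []})
        entry["total"] += 1
        if has_issues(device):
            entry["with_issues"].append(device)
    for entry in summary.values():
        entry["with_issues"].sort(key=display_order)
        entry["warning_badge"] = bool(entry["with_issues"])
    return summary


def hidden_count(devices_with_issues: list, visible_slots: int) -> int:
    """Number shown as '+ <number of devices>' when the graphics line cannot fit every device with issues."""
    return max(0, len(devices_with_issues) - visible_slots)


# Constructed sample devices (not real assets).
SAMPLE_DEVICES = [
    Device("d1", "plc-line1", "PLC", "Authorized", "OK"),
    Device("d2", "plc-line2", "PLC", "Authorized", "Warning"),
    Device("d3", "plc-unknown", "PLC", "Unauthorized", "OK"),
    Device("d4", "plc-line3", "PLC", "Authorized", "Critical"),
    Device("d5", "hmi-1", "HMI", "Authorized", "OK"),
]

if __name__ == "__main__":
    for category, entry in category_summary(SAMPLE_DEVICES).items():
        names = [d.name for d in entry["with_issues"]]
        print(category, entry["total"], "badge" if entry["warning_badge"] else "ok", names)
```

Run as a script, the PLC category reports its four devices with a badge and lists plc-unknown, plc-line3 and plc-line2 in that order; the HMI category has no devices with issues and therefore no badge.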
Navigating to other sections from the widget
You can use elements of the Devices widget interface to navigate to the devices table and display detailed information about devices. The following options are available to achieve this.
Navigating to the table of devices and filtering the table
To navigate to the table of devices and view information about all devices in the selected category:
In the upper part of the Devices widget, click the icon of the relevant category.
This opens the Assets section containing the devices table. Filtering by the selected device category is applied to the table.
To navigate to the table of devices and view information about devices with issues that belong to a certain category:
In the list of categories of devices with issues, click the link with the number of devices of the relevant category. The link is displayed at the end of the line with the category icon and the text comment with issues.
This opens the Assets section containing the devices table. Filtering is applied in the table by IDs of devices with issues that belong to a certain category.
The devices table is filtered based on the IDs of those devices that were displayed in the Devices widget when you proceeded to the devices table. After navigating to the table of devices, the filtering conditions are not updated. If you want to view the current number of devices with issues, you can go to the Dashboard section again.
To go to the table of devices and view information about a device with issues:
In the Devices widget, click the graphical element that represents the relevant device.
This opens the Assets section containing the devices table. Filtering by device ID is applied to the table.
To go to the table of devices without changing the current table filtering conditions:
Click the Show all devices link in the Devices widget.
This opens the Assets section containing the devices table. The table displays devices that match filtering conditions that have been configured for the table of devices.
Navigating to the table of devices and searching the table
To go to the devices table and find devices in the table:
- In the Devices widget, enter your search query into the Search devices field.
- Click Search.
This opens the Assets section containing the devices table. The table displays devices that match your search criteria.
Information in the Events widget
The Network traffic events widget in the Dashboard section displays general information about the NDR events and aggregate events that have the most recent last-seen date and time.
The widget displays the following elements:
- A histogram of NDR events and aggregate events for the selected period. This information is displayed in the upper part of the widget. The histogram displays the distribution of NDR events and aggregate events by severity level.
- A list of information about registered NDR events and aggregate events, sorted by their last-seen date and time. This information is displayed in the middle part of the widget.
Statistics of NDR events and aggregate events
On the distribution histogram of NDR and aggregate events, the bars correspond to the total number of events for each time interval. Inside the bars, the colors stand for severity levels of events. The following colors correspond to the severity levels:
- Blue. This color is used for Low-severity NDR events and aggregate events.
- Yellow. This color is used for Medium-severity NDR events and aggregate events.
- Red. This color is used for High-severity NDR events and aggregate events.
You can hover over a bar to view information about it. The pop-up window displays information about the date and time of the interval, as well as the number of NDR events and aggregate events by severity level.
The length of the time intervals depends on the selected display period. You can select a period for the histogram with the following buttons:
- 1h: one-hour period, subdivided into one-minute intervals.
- 12h: 12-hour period, subdivided into one-hour intervals.
- 24h: 24-hour period, subdivided into one-hour intervals.
- 7d: seven-day period, subdivided into one-day intervals.
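To see how the histogram is built from the events it summarizes, here is an added Python example (not code from the application or from Kaspersky) that buckets events by the documented period and interval lengths and counts them per severity. The event tuples, the time used as "now" and the alignment of interval boundaries (counted backwards from "now") are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Display periods and interval lengths documented for the widget's histogram.
PERIODS = {
    "1h": (timedelta(hours=1), timedelta(minutes=1)),
    "12h": (timedelta(hours=12), timedelta(hours=1)),
    "24h": (timedelta(hours=24), timedelta(hours=1)),
    "7d": (timedelta(days=7), timedelta(days=1)),
}
SEVERITIES = ("Low", "Medium", "High")
# Severity colours documented for the bars.
COLORS = {"Low": "blue", "Medium": "yellow", "High": "red"}


def build_histogram(events, period: str, now: datetime) -> list:
    """Count events per interval and severity for the selected display period.

    events: iterable of (last_seen: datetime, severity: str) pairs.
    Returns a list of (interval_start, {"Low": n, "Medium": n, "High": n}),
    oldest interval first. Assumption: intervals are counted backwards from
    `now`; the page does not say how the application aligns interval boundaries.
    """
    span, step = PERIODS[period]
    start = now - span
    bars = []
    t = start
    while t < now:
        bars.append((t, {s: 0 for s in SEVERITIES}))
        t += step
    for last_seen, severity in events:
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity: {severity}")
        if last_seen < start or last_seen >= now:
            continue  # outside the selected period
        index = (last_seen - start) // step  # timedelta // timedelta -> int
        bars[index][1][severity] += 1
    return bars


def bar_total(bar) -> int:
    """Total height of a bar: the number of events of all severities in its interval."""
    return sum(bar[1].values())


def tooltip(bar) -> str:
    """Text similar to the hover pop-up: interval start plus per-severity counts."""
    start, counts = bar
    parts = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES)
    return f"{start:%Y-%m-%d %H:%M} - {parts}"


# Constructed sample events (not real traffic); "now" is fixed for reproducibility.
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 11, 30, 15), "High"),
    (datetime(2024, 1, 1, 11, 30, 45), "Low"),
    (datetime(2024, 1, 1, 11, 59, 59), "Medium"),
    (datetime(2024, 1, 1, 10, 0, 0), "High"),   # older than 1h: excluded for "1h"
]

if __name__ == "__main__":
    for bar in build_histogram(SAMPLE_EVENTS, "1h", NOW):
        if bar_total(bar):
            print(tooltip(bar))
```

With the 1h period the two events at 11:30 land in the same one-minute bar and the 10:00 event is excluded; switching to 24h puts all four events into one-hour bars.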
List of NDR events and aggregate events
The list of NDR events and aggregate events in the Network traffic events widget is updated in on-line mode. NDR events and aggregate events with the most recent last-seen date and time are placed at the top of the list.
The number of displayed items in the list of NDR events and aggregate events is limited by the size of the widget.
For each event in the list, the following information is provided:
- Title of the NDR event or aggregate event.
- Last-seen date and time.
- Icon that stands for the severity of the NDR event or aggregate event: Low, Medium, or High severity level.
Aggregate events in the list are marked with an additional icon.
Navigating to other sections from the widget
You can use the controls of the Network traffic events interface to go to the events table and display detailed information about NDR events and aggregate events. The following options are available to achieve this.
Navigating to the table of network traffic events and filtering the table
You can view detailed information about an NDR event or aggregate event by clicking the event in the list of the Network traffic events widget. Doing so opens the Network traffic events section in which the table will be filtered based on the ID of the selected NDR event or aggregate event. The filtering criteria also include the period from the date and time of registration of an NDR event or aggregate event to the current moment (without specifying the right bound of the period).
If you want to go to the table of network traffic events without changing the current filtering conditions of the table in the Network traffic events section, click the Show all events link in the Network traffic events widget.
Navigating to the table of events and searching the table
To go to the events table and find events in the table:
- In the Network traffic events widget, enter your search query into the Search events field.
- Click Search.
This opens the Network traffic events section. The table of events displays NDR events and aggregate events that match the search criteria.
Viewing the working condition of modules and components of the application
If modules or components of the application encounter errors that the administrator is advised to look at, a yellow warning box is displayed in the upper part of the Dashboard section of the application web interface.
Users with the Administrator or Security auditor role can gain access to information about the working condition of the Central Node, PCN, or SCN server that the user is currently managing.
Users with the Senior security officer, Security officer, or Security auditor role can gain access to the following information about the working condition:
- If you are using a standalone Central Node server, the user can access information about the working condition of the Central Node server which the user is currently managing.
- If you are using the distributed solution and multitenancy mode, and the user is managing an SCN server, the user can gain access to information about the working condition of that SCN server for tenants to whose data the user has access.
- If you are using the distributed solution and multitenancy mode, and the user is managing the PCN server, the user can gain access to information about the working condition of the PCN server and all SCN servers connected to that server, for tenants to whose data the user has access.
For details about the working condition of application modules and components, click View details to open the System health window.
In the System health window, one of the following icons is displayed depending on the working condition of the application modules and components:
- An icon indicating normal operation if the modules and components of the application are working normally.
- An icon with the number of problems if problems are found that the administrator is recommended to pay attention to. In this case, detailed problem information is displayed in the right part of the System health window.
The System health window contains the following sections:
- Component health contains information on the operational status of application modules and components, quarantine, and database update on all servers where the application is running.
Example:
If the databases of one or more application components have not been updated in 24 hours, a warning icon is displayed next to the name of the server on which the application modules and components are installed.
To resolve the problem, make sure that update servers are accessible. If you are using a proxy server to connect to update servers, make sure the proxy server has no errors pertaining to the connection to Kaspersky Anti Targeted Attack Platform servers.
- Processed—Status of receiving and processing incoming data. The status is generated based on the following criteria:
- State of receiving data from servers with the Sensor component, from the server or virtual machine with the mail sensor, from hosts with the Endpoint Agent component.
- Information about exceeding the maximum allowed time that objects wait in the queue to be scanned by application modules and components.
- Connection with servers—Status of the connection between the PCN server and connected SCN servers (displayed if you are using the distributed solution and multitenancy mode).
If problems are detected with the performance of application modules or components and you cannot resolve those problems on your own, please contact Kaspersky Technical Support.
Managing technologies
Kaspersky Anti Targeted Attack Platform uses various technologies to analyze network traffic. You can enable or disable the technologies individually. For the Device Activity Detection (AM) technology, you can select the mode: learning mode or monitoring mode.
We recommend enabling the learning mode for a predetermined time to have the application automatically switch the technology to monitoring mode at the right time. The monitoring mode is the normal mode of the technology (as opposed to the learning mode, in which the application only accumulates data for future use). When setting up the learning mode, you can configure the time when you want the technology to switch to monitoring mode.
You can specify the same technology settings for all components and monitoring points, or you can specify special settings for some components and/or monitoring points. Technology settings can be automatically inherited from parent objects to child objects. If technology inheritance is enabled for a component or monitoring point, the technology settings specified for the parent object (Central Node or Sensor) are applied to that object. If technology inheritance is disabled, you can configure special settings for technologies on that component or monitoring point.
By default, all technologies are enabled after application installation. Learning mode is enabled by default for technologies that support modes.
Enabling or disabling technologies
You can enable or disable technologies for Central Node and Sensor components and monitoring points. However, enabling and disabling technologies for Sensor components and monitoring points is available if technology inheritance is disabled on these objects.
Some technologies include methods that can be enabled or disabled individually. If a technology or method is disabled, the application does not monitor device interactions using the technology or method. However, you can still manage application settings related to disabled technologies or methods (for example, add or edit rules).
The following technologies and methods support enabling and disabling:
- Asset Management, hereinafter also "AM":
- Device Activity Detection.
- Device Information Detection.
- Network Session Detection.
- Intrusion Detection, hereinafter also "IDS":
- Rule-based Intrusion Detection.
- ARP Spoofing Detection.
- IP Protocol Anomaly Detection.
- TCP Protocol Anomaly Detection.
- Brute-force Attack and Scan Detection.
To change the state of technologies and methods:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant component or monitoring point.
This opens a window with information about the component or monitoring point.
- If you want to change the state of technologies and methods for a Sensor component or a monitoring point, set the Inherit Server technologies toggle switch to Disabled.
- Use the toggle switches in the left part of the window to enable or disable technologies and/or methods. You can enable or disable all technologies and methods simultaneously by clicking Enable all or Disable all.
- After enabling or disabling a technology or method, wait until the changes are applied. The switch does not become available again until the transition to the other state is completed.
The state of technology and methods is changed.
Configuring Device Activity Detection mode
You can configure the learning mode or enable the monitoring mode for the Device Activity Detection (AM) technology.
To change and configure the mode of the technology:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant component or monitoring point.
This opens a window with information about the component or monitoring point.
- If you want to configure the mode of the technology for a Sensor component or a monitoring point, set the Inherit Server technologies toggle switch to Disabled.
- In the drop-down list to the right of the technology name, select a mode (Learning or Monitoring).
- After selecting the mode, wait for the changes to be applied. Before the mode is applied, the Changing status is displayed in the drop-down list.
- If you want to specify the date and time when the technology must switch from learning mode to monitoring mode, click the Set until link and select a date and time. If a date and time has been configured before, the date and time is displayed next to the name of the mode.
The mode of the technology is configured.
Managing technology inheritance
You can enable technology inheritance if you want technology settings configured for the parent object to be automatically applied to a Sensor component or monitoring point. This means the Sensor component gets the technology settings of the Central Node component, and the monitoring point gets the settings of the component on which the monitoring point was added (Central Node or Sensor).
If necessary, you can disable technology inheritance for the Sensor component or the monitoring point. You may need to do this to specify special technology settings.
To enable or disable technology inheritance for a Sensor component or monitoring point:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant component or monitoring point.
This opens a window with information about the component or monitoring point.
- Set the Inherit Server technologies toggle switch as necessary.
Technology inheritance for a Sensor component or monitoring point is enabled or disabled.
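The inheritance rules described in this section and in "Configuring Device Activity Detection mode" (settings flow from the Central Node to Sensor components and from the component to its monitoring points unless "Inherit Server technologies" is disabled, and learning mode ends automatically at the configured time) can be checked with a small resolver. The following Python is an added example, not code from the application or from Kaspersky; the object names, the settings store and the technology keys are assumptions made for illustration.

```python
from datetime import datetime

# Hypothetical object tree: monitoring points belong to the component they
# were added on, Sensor components belong to the Central Node. Names are
# constructed for the example, not taken from a real deployment.
PARENT = {
    "central-node": None,
    "sensor-1": "central-node",
    "mp-1": "sensor-1",       # monitoring point added on sensor-1
    "mp-2": "central-node",   # monitoring point added on the Central Node
}

# Whether the "Inherit Server technologies" toggle is enabled on each object.
INHERIT = {"central-node": False, "sensor-1": True, "mp-1": False, "mp-2": True}

# Technology settings configured on objects that do not inherit. "am_mode"
# models Device Activity Detection: ("Learning" or "Monitoring", switch-over
# time set with "Set until", or None).
SETTINGS = {
    "central-node": {
        "Rule-based Intrusion Detection": True,
        "ARP Spoofing Detection": True,
        "Device Activity Detection": True,
        "am_mode": ("Learning", datetime(2024, 6, 1, 0, 0)),
    },
    "mp-1": {
        "Rule-based Intrusion Detection": False,
        "ARP Spoofing Detection": True,
        "Device Activity Detection": True,
        "am_mode": ("Monitoring", None),
    },
}

# Sample points in time for the learning/monitoring check (constructed).
BEFORE_SWITCH = datetime(2024, 5, 1, 0, 0)
AFTER_SWITCH = datetime(2024, 7, 1, 0, 0)


def settings_source(obj: str, parent=PARENT, inherit=INHERIT) -> str:
    """Walk up the tree while inheritance is enabled; the first object without inheritance supplies the settings."""
    current = obj
    while inherit.get(current, False):
        if parent.get(current) is None:
            break  # the root (Central Node) has nothing to inherit from
        current = parent[current]
    return current


def effective_settings(obj: str, settings=SETTINGS, parent=PARENT, inherit=INHERIT) -> dict:
    """Technology settings that actually apply to obj after inheritance is resolved."""
    return settings[settings_source(obj, parent, inherit)]


def am_mode_at(obj: str, when: datetime, settings=SETTINGS, parent=PARENT, inherit=INHERIT) -> str:
    """Effective Device Activity Detection mode at `when`: learning mode ends at the configured time."""
    mode, until = effective_settings(obj, settings, parent, inherit)["am_mode"]
    if mode == "Learning" and until is not None and when >= until:
        return "Monitoring"
    return mode


if __name__ == "__main__":
    for obj in PARENT:
        print(obj, "<-", settings_source(obj), am_mode_at(obj, AFTER_SWITCH))
```

A useful check during rollout is to run such a resolver over every monitoring point and confirm that the ones expected to carry special settings really have inheritance disabled; otherwise a change on the Central Node silently overrides them.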
Viewing the alert table
Detected signs of targeted attacks and intrusions into the corporate IT infrastructure are displayed as a table of alerts.
The table of alerts does not display information on objects which satisfy at least one of the following conditions:
- The object has reputation Trusted in the KSN database.
- The object is digitally signed by a trusted vendor:
- Kaspersky.
- Google.
- Apple.
- Microsoft.
Information about these alerts is saved to the application log. You can view this information.
Information about alerts in the application log is rotated every night when the maximum allowed number of alerts is reached:
- Alerts generated by the (IDS) Intrusion Detection System and (URL) URL Reputation components have a maximum of 100,000 alerts for each component.
- All other alerts have a maximum of 20,000 alerts for each module or component.
If you are using the distributed solution and multitenancy mode, rotation is performed on all SCNs and then synchronization with the PCN is performed. After synchronization, all deleted alerts are automatically deleted from the PCN.
NDR alerts are generated if a valid KATA+NDR license key is present. After the license key expires, created alerts remain available for viewing, but new alerts are not created.
The alerts table is in the Alerts section. It displays general KATA alerts and NDR alerts.
By default, this section displays information only on alerts that were not processed by users. To also display information on processed alerts, enable the Show closed alerts toggle switch in the upper-right corner of the window.
You can sort alerts in the table by Created or Updated, Importance, Source, and State columns.
The table of alerts contains the following information:
- VIP specifies if the alert has a status with special access rights. For example, alerts with the VIP status cannot be viewed by users with the Security officer role.
- Created is the time when the alert was created, and Updated is the time when the alert was updated.
- Importance—Alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this alert may have on computer or corporate LAN security based on Kaspersky experience.
Alerts can have one of the following importance levels, each marked with its own symbol:
- High—the alert has a high level of importance.
- Medium—the alert has a medium level of importance.
- Low—the alert has a low level of importance.
- Detected—One or multiple categories of detected objects. For example, when the application detects a file infected with the Trojan-Downloader.JS.Cryptoload.ad virus, the Detected field shows the Trojan-Downloader.JS.Cryptoload.ad category for this alert.
- Details—Brief summary of the alert. For example: the name of a detected file or URL address of a malicious link.
- Source—Address of the source of the detected object. For example, this can be the email address from which a malicious file was sent, or the URL from which a malicious file was downloaded.
- Destination—Destination address of a detected object. For example, this can be the email address of your organization's mail domain to which a malicious file was sent, or the IP address of a computer on your corporate LAN to which a malicious file was downloaded.
- Technologies are names of the application modules or components that generated the alert while scanning.
The Technologies column may indicate the following application modules and components:
- (YARA) YARA.
- (SB) Sandbox.
- (URL) URL Reputation.
- (IDS) Intrusion Detection System.
- (AM) Anti-Malware Engine.
- (TAA) Targeted Attack Analyzer.
- (IOC) IOC.
- (NDR: IDS) Intrusion Detection System.
- (NDR: EA) External Analysis.
- State—Alert status depending on whether or not this alert has been processed by the user of Kaspersky Anti Targeted Attack Platform.
Alerts can have one of the following states:
- New for new alerts.
- In process for alerts that are already being processed by Kaspersky Anti Targeted Attack Platform user.
- Rescan for alerts resulting from a rescan of an object.
- Servers is the list of names of servers which created the alert. Servers belong to the tenant that you are managing in the application web interface. This column is displayed if you are using the distributed solution and multitenancy mode.
- Assigned to is the name of the user to which the alert is assigned.
If information in the table column is displayed as a link, you can click the link to open the filter menu, in which you can select the settings for filtering by this column.
The Intrusion Detection System module consolidates information about processed network events in one alert when the following conditions are simultaneously met:
- The name of the triggered rule, version of application databases, and source all match for network events.
- No more than 24 hours elapsed between the events.
One alert is displayed for all network events that meet these conditions. The alert notification contains information only about the first network event.
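The consolidation rule just described matters when alert counts are compared with raw IDS event counts, for example in a SIEM. The following Python is an added example, not code from the application or from Kaspersky, that groups constructed events the way the rule states: same rule name, database version and source, with no more than 24 hours between events. The event record format, the placeholder rule name and the sample addresses are assumptions; so is the reading that the 24-hour limit is measured between consecutive events of a group, which the page does not spell out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Hypothetical event record; field names are assumptions, not the application's own format.
@dataclass(frozen=True)
class NetworkEvent:
    timestamp: datetime
    rule_name: str
    db_version: str
    source: str
    destination: str


@dataclass
class ConsolidatedAlert:
    first_event: NetworkEvent   # the alert notification shows only the first event
    last_timestamp: datetime
    event_count: int = 1


def consolidate(events, window: timedelta = timedelta(hours=24)) -> list:
    """Group IDS network events into alerts.

    Events join the same alert when rule name, database version and source all
    match and no more than `window` has elapsed. Assumption: the limit is
    measured between consecutive events of the group, so a steady trickle keeps
    one alert open; the page does not say whether it is measured from the
    first event instead.
    """
    open_alerts: dict = {}
    alerts = []
    for event in sorted(events, key=lambda e: e.timestamp):
        key = (event.rule_name, event.db_version, event.source)
        current = open_alerts.get(key)
        if current is not None and event.timestamp - current.last_timestamp <= window:
            current.event_count += 1
            current.last_timestamp = event.timestamp
        else:
            current = ConsolidatedAlert(first_event=event, last_timestamp=event.timestamp)
            open_alerts[key] = current
            alerts.append(current)
    return alerts


# Constructed sample events (private addresses, placeholder rule name and database version).
T0 = datetime(2024, 1, 1, 8, 0, 0)
SAMPLE_EVENTS = [
    NetworkEvent(T0, "EXAMPLE_RULE", "2024.01.01", "10.0.0.5", "10.0.1.20"),
    NetworkEvent(T0 + timedelta(hours=1), "EXAMPLE_RULE", "2024.01.01", "10.0.0.5", "10.0.1.21"),
    NetworkEvent(T0 + timedelta(hours=2), "EXAMPLE_RULE", "2024.01.01", "10.0.0.9", "10.0.1.20"),
    NetworkEvent(T0 + timedelta(hours=30), "EXAMPLE_RULE", "2024.01.01", "10.0.0.5", "10.0.1.20"),
]

if __name__ == "__main__":
    for alert in consolidate(SAMPLE_EVENTS):
        first = alert.first_event
        print(f"{first.timestamp:%Y-%m-%d %H:%M} {first.rule_name} from {first.source}: {alert.event_count} event(s)")
```

The four sample events yield three alerts: the first two share rule, database version and source and are one hour apart; the third has a different source; the fourth matches the first group but arrives 29 hours after its last event, so it opens a new alert. Note that the second event's different destination is not part of the key and is not visible in the consolidated alert, which is why the alert details should not be read as a complete list of affected hosts.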
Configuring the alert table display
You can show or hide columns and change the order of columns in the alert table.
To configure the alert table display:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- In the heading part of the table, click the table settings icon.
This opens the Customize table window.
- If you want to show a column in the table, select the check box next to the name of the parameter that you want displayed in the table.
If you want to hide a parameter in the table, clear the check box.
At least one check box must be selected.
- If you want to change the order of columns in the table, move the mouse cursor to the row with the relevant parameter, click the drag handle, and move the row to its new place.
- If you want to restore default table display settings, click Restore defaults.
- Click Apply.
The alert table display is configured.
Filtering, sorting, and searching alerts
You can filter alerts to be displayed in the table of alerts for one or several columns of the table, or search for alerts in certain table columns according to the search criteria you specify.
You can create, save, and remove filters, and start filtering and searching alerts based on the conditions specified in saved filters.
If you are using the distributed solution and multitenancy mode, you cannot save filters on the PCN.
Filters are saved for each user on the server on which they were created.
You can also sort alerts in the table by Created or Updated, Importance, Source, and State columns.
By default, this section displays information only on alerts that were not processed by users. To also display information on processed alerts, enable the Show closed alerts toggle switch in the upper-right corner of the window.
Filtering alerts by VIP status
You can filter alerts and search for alerts in the alerts table based on the VIP criterion, which indicates whether the alert has a status with special access rights. For example, alerts with the VIP status cannot be viewed by users with the Security officer role.
To filter alerts by VIP status:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the heading of the VIP column to expand the list of filter settings.
- Configure alert filtering settings:
- If you want the table of alerts to display only alerts that have the VIP status, select VIP.
- If you want the table of alerts to display all alerts, select All.
If neither is selected, the table shows all alerts.
The table of alerts displays only alerts matching the filter criteria you have set.
Filtering and searching alerts by time
You can filter alerts and search for them in the table of alerts based on the Created value, that is, the time when the alert was created, and the Updated value, that is, the time when the alert was updated.
To filter or search alerts by time:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the Created or Updated link to open the list of alert display periods.
- In the drop-down list, select one of the following alert display periods:
- All if you want the application to display all alerts in the table.
- Last hour if you want the application to display alerts that occurred during the last hour in the table.
- Last day if you want the application to display alerts that occurred during the last day in the table.
- Custom range if you want the application to display alerts that occurred during the period you specify in the table.
- If you have selected the Custom range alert display period, do the following:
- In the calendar that opens, specify the start and end dates of the alert display period.
- Click Apply.
The calendar closes.
The table of alerts displays only alerts matching the filter criteria you have set.
Filtering alerts by level of importance
You can filter alerts based on the Importance criterion, which indicates the alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this alert may have on computer or corporate LAN security, based on Kaspersky experience.
To filter alerts by importance:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the icon in the Importance column header to expand the filter settings list.
- Select one or several of the following alert importance levels:
- Low for low-importance alerts.
- Medium for medium-importance alerts.
- High for high-importance alerts.
If no value is selected, the table shows alerts of all importance levels.
- Click Apply.
The table of alerts displays only alerts matching the filter criteria you have set.
Filtering and searching alerts by categories of objects detected
You can filter alerts and search the alerts table for specific alerts based on the Detected criterion, which indicates one or multiple categories of the object detected in the event. For example, if you want the table to display alerts about files infected by a specific virus, you can set a filter based on the name of this virus.
To filter or search alerts by category of the detected object:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the Detected link to open the filter configuration window.
- In the drop-down list, select one of the following alert filtering operators:
- Contain
- Not contain
- In the entry field, type the name of a category (for example, Trojan) or several characters from the name of a category.
- To add a filter condition using a different criterion, click the add-condition icon and specify the filter condition.
- Click Apply.
The table of alerts displays only alerts matching the filter criteria you have set.
Filtering and searching alerts by obtained information
You can filter alerts and search the alerts table for specific alerts based on the Details criterion, which refers to brief information about the alert. For example: the name of a detected file or URL address of a malicious link.
To filter or search alerts by obtained information:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the Details link to open the filter configuration window.
- In the drop-down list on the left, select one of the following search criteria:
- Details. The search will encompass all data on the detected object.
- ID.
- File name.
- File type.
- MD5.
- SHA256.
- URL.
- Domain.
- User Agent.
- Subject.
- HTTP status.
- Object source.
- Object type.
- Autosend to Sandbox.
- TAA (IOA) rule.
- Event ID (NDR).
- Asset ID (NDR).
- In the drop-down list on the right, select one of the following alert filtering operators:
- Contain
- Not contain
- Equal to
- Not equal to
- In the text box, enter one or several characters of alert information.
- To add a filter condition using a different criterion, click the add-condition icon and specify the filter condition.
- Click Apply.
The table of alerts displays only alerts matching the filter criteria you have set.
Filtering and searching alerts by source address
You can filter alerts and search the alerts table for specific alerts based on the Source criterion, which indicates the alert source address. For example, this can be the email address from which a malicious file was sent, or the IP address of the computer on your corporate LAN to which a malicious file was downloaded.
To filter or search alerts by source address:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the Source link to open the filter configuration window.
- In the drop-down list, select one of the following alert filtering operators:
- Contain
- Not contain
- Matches
- Not matches
- In the text box, type one or more characters of the source address of the detected object.
- To add a filter condition using a different criterion, click the add-condition icon and specify the filter condition.
- Click Apply.
The table of alerts displays only alerts matching the filter criteria you have set.
Filtering and searching alerts by destination address
You can filter alerts and search the alerts table for specific alerts based on the Destination criterion, which indicates the alert destination address. For example, this can be the email address of your organization's mail domain to which a malicious file was sent, or the IP address of a computer on your corporate LAN to which a malicious file was downloaded.
To filter or search alerts by destination address:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the Destination link to open the filter configuration window.
- In the drop-down list, select one of the following alert filtering operators:
- Contain
- Not contain
- Matches
- Not matches
- In the text box, type one or more characters of the destination address of the detected objects.
- To add a filter condition using a different criterion, click the add-condition icon and specify the filter condition.
- Click Apply.
The table of alerts displays only alerts matching the filter criteria you have set.
Filtering and searching alerts by server name
You can filter alerts and search for alerts in the alerts table based on the Servers criterion, which indicates the names of the servers that created the alert.
If you are using the distributed solution and multitenancy mode, servers belong to the tenant that you are managing in the application web interface. Filtering is available only on the PCN.
To filter or search alerts by server name:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click Servers to expand the list of servers on which alerts were created.
- Select check boxes next to one or multiple server names.
- Click Apply.
The table of alerts displays only alerts matching the filter criteria you have set.
Filtering and searching alerts by technology name
You can filter alerts and search the alerts table for specific alerts based on the Technologies criterion, which indicates the names of application modules or components that created the alert.
To filter alerts by technology name:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the Technologies link to open the filter configuration window.
- In the drop-down list, select one of the following alert filtering operators:
- Contain if you want the application to display alerts generated by the specified application module or component.
- Not contain if you want the application to hide alerts generated by the specified application module or component.
- Equal to if you want the application to display alerts generated by the specified application module or component.
- Not equal to if you want the application to hide alerts generated by the specified application module or component.
- In the drop-down list to the right of the alert filtering operator that you have selected, select the name of the technology by which you want to filter alerts:
- (YARA) YARA.
- (SB) Sandbox.
- (URL) URL Reputation.
- (IDS) Intrusion Detection System.
- (AM) Anti-Malware Engine.
- (TAA) Targeted Attack Analyzer.
- (IOC) IOC.
- (NDR: IDS) Intrusion Detection System.
- (NDR: EA) External Analysis.
For example, if you want the application to display alerts generated as a result of scanning by the Sandbox component, select the Contain filtering operator and the name of the (SB) Sandbox component.
- To add a filter condition using a different criterion, click the add-condition icon and specify the filter condition.
- Click Apply.
The table of alerts displays only alerts matching the filter criteria you have set.
Filtering and searching alerts by the status of their processing by the user
You can filter alerts and search for them in the table of alerts based on the State criterion—alert status depending on whether or not this alert has been processed by the Kaspersky Anti Targeted Attack Platform user.
To filter or search alerts by the status of their processing by the Kaspersky Anti Targeted Attack Platform user:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- To include processed alerts in the filter, turn on the Processed switch in the upper right corner of the window.
- Click the State link to open a list of possible alert options depending on the status of their processing by the Kaspersky Anti Targeted Attack Platform user.
- Select one of the following values:
- New if you want the application to display new alerts that are not being processed by any user yet.
- In process if you want the application to display alerts that a user of Kaspersky Anti Targeted Attack Platform is already processing.
- Rescan if you want the application to display alerts that resulted from a rescan.
- Click Apply.
The table of alerts displays only alerts matching the filter criteria you have set.
Filtering and searching alerts by the name of the user to which they are assigned
You can filter or find alerts in the alert table by the Assigned to attribute, that is, the name of the user to which the alert is assigned.
To filter or find alerts by the name of the user to which they are assigned:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the Assigned to link to open the filter configuration window.
- Select the check box next to the name of the user that you need.
If you want to find a user name in the list, start typing the user name in the text box, then select the check box next to the found user name.
You can select multiple user names.
- Click Apply.
Only alerts assigned to the specified user are displayed in the alert table.
Sorting alerts in the table
You can sort alerts in the table by Created or Updated, Importance, Source, and State columns.
To sort alerts in the table of alerts:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- If you want to sort the alerts by date, click one of the icons to the right of the Created (if the table is displaying alert creation dates) or Updated (if the table is displaying alert update dates) column header: one icon displays newer alerts at the top of the table, the other displays older alerts at the top of the table.
- If you want to sort the alerts by the level of importance, click one of the icons to the right of the Importance column icon: one displays high-importance alerts at the top of the table, the other displays low-importance alerts at the top of the table.
- If you want to sort alerts by the address of the source of the detected object, click one of the icons to the right of the Source column header: one sorts alphabetically, A–Z, the other sorts alphabetically, Z–A.
- If you want to sort alerts by the state of processing by the user, click one of the icons to the right of the State column header: one sorts alerts in order of processing New - Rescan - In process - Closed, the other sorts alerts in order of processing Closed - In process - Rescan - New.
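The filter operators (Contain, Not contain, Equal to, Not equal to), the display periods of the Created and Updated filters, the empty-selection behaviour of the Importance filter and the State sort order described in the sections above, modelled as an added example in Python. This is not Kaspersky code and does not call the application's API: the Alert record, the sample alerts, the interpretation of Equal to for the Technologies filter and the assumption that several filter conditions are combined with AND are constructed for this illustration only.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# State sort order named on the page: New - Rescan - In process - Closed
STATE_ORDER = {"New": 0, "Rescan": 1, "In process": 2, "Closed": 3}
IMPORTANCE_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Alert:                        # constructed record, not the application's data model
    alert_id: int
    created: datetime
    updated: datetime
    importance: str                 # Low / Medium / High
    state: str                      # New / Rescan / In process / Closed
    source: str
    destination: str
    technologies: frozenset         # short technology names such as AM, SB, IDS, TAA
    details: dict = field(default_factory=dict)   # Details criteria, e.g. {"MD5": "..."}


# Operators offered in the Details and Technologies filter windows.
OPERATORS = {
    "Contain":      lambda value, text: text.lower() in value.lower(),
    "Not contain":  lambda value, text: text.lower() not in value.lower(),
    "Equal to":     lambda value, text: value.lower() == text.lower(),
    "Not equal to": lambda value, text: value.lower() != text.lower(),
}


def importance_filter(selected):
    """Importance filter: an empty selection shows alerts of all levels."""
    return lambda a: not selected or a.importance in selected


def time_filter(column, period, now, start=None, end=None):
    """Created/Updated filter with the All, Last hour, Last day and Custom range periods."""
    windows = {"All": None, "Last hour": timedelta(hours=1), "Last day": timedelta(days=1)}

    def pred(a):
        ts = a.created if column == "Created" else a.updated
        if period == "Custom range":
            return start <= ts <= end
        return windows[period] is None or now - windows[period] <= ts <= now
    return pred


def details_filter(criterion, operator, text):
    """'Details' searches every detail value; MD5, SHA256, URL, ... search only that value.
    A negative operator must hold for every searched value, a positive one for at least one."""
    op = OPERATORS[operator]

    def pred(a):
        values = list(a.details.values()) if criterion == "Details" else [a.details.get(criterion, "")]
        return all(op(v, text) for v in values) if operator.startswith("Not") else any(op(v, text) for v in values)
    return pred


def technologies_filter(operator, name):
    """Contain = the alert lists the technology; Equal to = it is the only technology listed
    (assumption: the page describes the same visible effect for both operators)."""
    checks = {
        "Contain":      lambda a: name in a.technologies,
        "Not contain":  lambda a: name not in a.technologies,
        "Equal to":     lambda a: a.technologies == {name},
        "Not equal to": lambda a: a.technologies != {name},
    }
    return checks[operator]


def apply_filters(alerts, *predicates):
    """Alerts matching every condition (assumption: conditions are combined with AND)."""
    return [a for a in alerts if all(p(a) for p in predicates)]


def sort_alerts(alerts, column, reverse=False):
    """Sort by one column as the header icons do. Natural order: oldest first, Low before High,
    A-Z, New - Rescan - In process - Closed; reverse=True flips it. Ties keep newest-created first."""
    keys = {"Created": lambda a: a.created, "Updated": lambda a: a.updated,
            "Importance": lambda a: IMPORTANCE_ORDER[a.importance],
            "Source": lambda a: a.source.lower(), "State": lambda a: STATE_ORDER[a.state]}
    newest_first = sorted(alerts, key=lambda a: a.created, reverse=True)
    return sorted(newest_first, key=keys[column], reverse=reverse)   # stable sort keeps tie order


# Constructed sample alerts (not real detections). NOW anchors "Last hour" and "Last day".
NOW = datetime(2024, 5, 1, 12, 0)
MD5_SAMPLE = "d41d8cd98f00b204e9800998ecf8427e"   # MD5 of an empty file, used as a stand-in
SAMPLE_ALERTS = [
    Alert(1, NOW - timedelta(minutes=30), NOW - timedelta(minutes=10), "High", "New", "10.0.0.5",
          "mail.corp.example", frozenset({"AM", "SB"}), {"MD5": MD5_SAMPLE, "File name": "invoice.exe"}),
    Alert(2, NOW - timedelta(hours=5), NOW - timedelta(hours=2), "Medium", "In process", "sender@example.test",
          "user@corp.example", frozenset({"AM"}), {"MD5": MD5_SAMPLE, "File name": "report.docx"}),
    Alert(3, NOW - timedelta(days=3), NOW - timedelta(days=3), "Low", "Closed", "10.0.0.7",
          "198.51.100.20", frozenset({"IDS"}), {"URL": "http://example.test/x"}),
    Alert(4, NOW - timedelta(hours=2), NOW - timedelta(hours=1), "High", "Rescan", "10.0.0.9",
          "203.0.113.8", frozenset({"TAA"}), {"TAA (IOA) rule": "Sample rule"}),
]


def ids(alerts):
    return [a.alert_id for a in alerts]


if __name__ == "__main__":
    print(ids(apply_filters(SAMPLE_ALERTS, importance_filter({"High"}), time_filter("Created", "Last day", NOW))))
    print(ids(sort_alerts(SAMPLE_ALERTS, "State")))
```

The predicates compose the same way the filter window does: each column contributes one condition, and the table shows the alerts that satisfy all of them. Matches and Not matches from the Source and Destination filters are left out because the page does not define how they differ from Contain.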
Quickly creating an alert filter
To quickly create an alert filter:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Do the following to quickly add filter conditions to the filter being created:
- Position the mouse cursor on the link containing the table column value that you want to add as a filter condition.
- Left-click it.
This opens a list of actions to perform on the value.
- In the list that opens, select one of the following actions:
- Filter by this value, if you want to include this value in the filter condition.
- Exclude from filter, if you want to exclude the value from the filter condition.
- If you want to add several filter conditions to the filter being created, repeat these steps for each condition.
The table of alerts displays only alerts matching the filter criteria you have set.
Saving filters
You can save the set of filters applied to the alert table.
To save applied filters:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Configure filtering settings for one or more columns of the table.
- Click Saved filters and select Save current filter.
The filter is saved with the default name that contains the selected filtering settings.
- If you want to rename a saved filter:
- Click Saved filters.
The list of saved filters is displayed.
- Hover over a filter and click the rename icon.
- Rename the filter and click the confirm icon.
- Click Saved filters.
The filter is saved.
Resetting the alert filter
To clear the alert filter for one or more filtering criteria:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the icon to the right of the header of the alerts table column for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table of alerts displays only alerts matching the filter criteria you have set.
Recommendations for processing alerts
Information about alerts produced by the AM (Anti-Malware Engine), SB (Sandbox), YARA, IOC, IDS (Intrusion Detection System), NDR: IDS, and NDR: EA technologies that is displayed in the right part of the window includes recommendations on processing these alerts.
To view alert details:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the line containing the alert whose information you want to view.
This opens a window containing information about the alert.
Recommendations for processing AM alerts
In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.
You can follow the following recommendations:
- Under Qualifying, expand the Find similar alerts list.
A list of attributes is displayed that can be used to find similar alerts, and the number of similar alerts for each attribute.
Select one of the following attributes:
- By MD5. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the MD5 hash. The MD5 hash of the file from the alert you are working on is highlighted in yellow.
- By SHA256. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the SHA256 hash. The SHA256 hash of the file from the alert you are working on is highlighted in yellow.
- By host name. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Source column. The host name from the alert you are working on is highlighted in yellow.
- By sender address. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Source column. The sender address of the email message from the alert you are working on is highlighted in yellow.
- By recipient address. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Destination column. The recipient address of the email message from the alert you are working on is highlighted in yellow.
- By URL. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the URL from the alert you are working on.
- Under Qualifying, select Find similar events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the Detection processing result event type is selected and a search filter is configured, for example, by RemoteIP, MD5, SHA256, URI. The filtering values are populated with the properties of the alert you are working on. For example, the MD5 hash of the file in the alert.
The action is only available if you are using KEDR functionality and a KEDR license key has been added.
- Under Investigation, select Find similar events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, a search filter is configured, for example, by RemoteIP, MD5, SHA256, URI. The filtering values are populated with the properties of the alert you are working on. For example, the MD5 hash of the file in the alert.
The action is only available if you are using KEDR functionality and a KEDR license key has been added.
Recommendations for processing TAA alerts
In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.
You can follow the following recommendations:
- Under Qualifying, expand the Find similar alerts list.
A list of attributes is displayed that can be used to find similar alerts, and the number of similar alerts for each attribute.
Select one of the following attributes:
- By rule name (TAA alerts). Clicking the link opens the Alerts alert table in a new browser tab; the alerts are filtered by Detected and Technologies columns, that is, the name of the TAA (IOA) rule that was used to create the alert, and the name of the (TAA) Targeted Attack Analyzer technology.
- By rule name (SB alerts). Clicking the link opens the Alerts alert table in a new browser tab; the alerts are filtered by Detected and Technologies columns, that is, the name of the TAA (IOA) rule that was used to create the alert, and the name of the (SB) Sandbox technology.
- Under Investigation, select Find similar events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, a search filter is configured, for example, by RemoteIP, MD5, SHA256, URI. The filtering values are populated with the properties of the alert you are working on. For example, the MD5 hash of the file in the alert.
The action is only available if you are using KEDR functionality and a KEDR license key has been added.
Recommendations for processing SB alerts
In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.
You can follow the following recommendations:
- Under Qualifying, expand the Find similar alerts list.
A list of attributes is displayed that can be used to find similar alerts, and the number of similar alerts for each attribute.
Select one of the following attributes:
- By MD5. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the MD5 hash. The MD5 hash of the file from the alert you are working on is highlighted in yellow.
- By SHA256. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the SHA256 hash. The SHA256 hash of the file from the alert you are working on is highlighted in yellow.
- By host name. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Source column. The host name from the alert you are working on is highlighted in yellow.
- By sender address. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Source column. The sender address of the email message from the alert you are working on is highlighted in yellow.
- By recipient address. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Destination column. The recipient address of the email message from the alert you are working on is highlighted in yellow.
- By URL. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the URL from the alert you are working on.
- By URL from Sandbox. Click the link to display the Alerts table in a new browser tab. The alerts are filtered by the Details column, that is, the URL address from the alert you are working on, as well as all URLs that were found to be relevant by the Sandbox component as the alert was processed.
- Under Qualifying, select Find similar EPP events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the Detection processing result event type is selected and a search filter is configured, for example, by RemoteIP, MD5, SHA256, URI. The filtering values are populated with the properties of the alert you are working on. For example, the MD5 hash of the file in the alert.
The action is only available if you are using KEDR functionality and a KEDR license key has been added.
- Under Investigation, select Find similar events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, a search filter is configured, for example, by RemoteIP, MD5, SHA256, URI. The filtering values are populated with the properties of the alert you are working on. For example, the MD5 hash of the file in the alert.
The action is only available if you are using KEDR functionality and a KEDR license key has been added.
Recommendations for processing IOC alerts
In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts that have attributes in common with the alert you are working on.
You can follow the following recommendations:
- Under Qualifying, select Find similar alerts by host name. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Source column. The host name from the alert you are working on is highlighted in yellow.
- Under Qualifying, select Find similar alerts by IOC. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Detected column, the name of the IOC file from the alert you are working on.
- In the Quick response section, select Isolate <host name>. This opens the network isolation rule creation window.
Recommendations for processing YARA alerts
In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.
You can follow the following recommendations:
- Under Qualifying, expand the Find similar alerts list.
A list of attributes is displayed that can be used to find similar alerts, and the number of similar alerts for each attribute.
Select one of the following attributes:
- By MD5. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the MD5 hash. The MD5 hash of the file from the alert you are working on is highlighted in yellow.
- By SHA256. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the SHA256 hash. The SHA256 hash of the file from the alert you are working on is highlighted in yellow.
- By host name. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Source column. The host name from the alert you are working on is highlighted in yellow.
- By sender address. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Source column. The sender address of the email message from the alert you are working on is highlighted in yellow.
- By recipient address. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Destination column. The recipient address of the email message from the alert you are working on is highlighted in yellow.
- By URL. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the URL from the alert you are working on.
- Under Qualifying, select Find similar alerts by host name. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the Detection processing result event type is selected and a search filter is configured, for example, by RemoteIP, MD5, SHA256, URI. The filtering values are populated with the properties of the alert you are working on. For example, the MD5 hash of the file in the alert.
The action is only available if you are using KEDR functionality and a KEDR license key has been added.
- Under Investigation, select Find similar events. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, a search filter is configured, for example, by RemoteIP, MD5, SHA256, URI. The filtering values are populated with the properties of the alert you are working on. For example, the MD5 hash of the file in the alert.
The action is only available if you are using KEDR functionality and a KEDR license key has been added.
- In the Quick response section, select Isolate <host name>. This opens the network isolation rule creation window.
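The Find similar alerts pivots in the AM, SB and YARA sections above (an attribute of the current alert, the alert-table column the link filters on, and the count of alerts sharing that attribute) and the Find similar events link that copies the alert's RemoteIP, MD5, SHA256 and URI into a Threat Hunting search, modelled as an added example in Python. This is not Kaspersky code and does not call the application's API; the alert records, the sample hashes (digests of throwaway strings) and the assumption that the alert being worked on is not counted among its own matches are constructed for this illustration.

```python
import hashlib

# "Find similar alerts" attributes and the alert-table column each link filters on (from the page).
SIMILARITY_ATTRIBUTES = {
    "md5":       ("By MD5", "Details"),
    "sha256":    ("By SHA256", "Details"),
    "host":      ("By host name", "Source"),
    "sender":    ("By sender address", "Source"),
    "recipient": ("By recipient address", "Destination"),
    "url":       ("By URL", "Details"),
}

# Alert property -> Threat Hunting search field it is copied into (field names from the page).
EVENT_SEARCH_FIELDS = {"remote_ip": "RemoteIP", "md5": "MD5", "sha256": "SHA256", "url": "URI"}


def similar_alert_counts(alert, alerts):
    """For every attribute present on `alert`, count the other alerts sharing it and record
    which column the pivot filters. Assumption: the alert being worked on is not counted
    among its own matches; attributes the alert lacks offer no pivot."""
    counts = {}
    for attr, (label, column) in SIMILARITY_ATTRIBUTES.items():
        value = alert.get(attr, "")
        if not value:
            continue
        matches = sum(1 for other in alerts
                      if other["id"] != alert["id"] and other.get(attr, "").lower() == value.lower())
        counts[label] = {"column": column, "value": value, "count": matches}
    return counts


def threat_hunting_filter(alert, event_type=None):
    """Build the Threat Hunting search filter populated from the alert's properties.
    The Qualifying link additionally pre-selects the 'Detection processing result' event type."""
    criteria = {field: alert[prop] for prop, field in EVENT_SEARCH_FIELDS.items() if alert.get(prop)}
    if event_type:
        criteria["event_type"] = event_type
    return criteria


def make_alert(alert_id, **props):
    """Constructed alert record; attributes not given are empty strings."""
    record = {"id": alert_id, "remote_ip": ""}
    record.update({attr: "" for attr in SIMILARITY_ATTRIBUTES})
    record.update(props)
    return record


# Constructed sample alerts; hashes are digests of throwaway strings, not of real files.
H1, S1 = hashlib.md5(b"sample-1").hexdigest(), hashlib.sha256(b"sample-1").hexdigest()
H2, S2 = hashlib.md5(b"sample-2").hexdigest(), hashlib.sha256(b"sample-2").hexdigest()
SAMPLE_ALERTS = [
    make_alert(1, md5=H1, sha256=S1, host="ws-014.corp.example", remote_ip="203.0.113.5"),
    make_alert(2, md5=H1, sha256=S1, host="ws-022.corp.example"),          # same file, other host
    make_alert(3, md5=H2, sha256=S2, host="ws-014.corp.example"),          # other file, same host
    make_alert(4, sender="sender@example.test", recipient="user@corp.example",
               url="http://example.test/a"),
    make_alert(5, sender="sender@example.test", recipient="other@corp.example",
               url="http://example.test/b", remote_ip="203.0.113.5"),
]

if __name__ == "__main__":
    for label, hit in similar_alert_counts(SAMPLE_ALERTS[0], SAMPLE_ALERTS).items():
        print(f"{label}: {hit['count']} similar alert(s) via the {hit['column']} column")
    print(threat_hunting_filter(SAMPLE_ALERTS[0], "Detection processing result"))
```

For the first sample alert the pivots offered are By MD5, By SHA256 and By host name, each with one matching alert; sender, recipient and URL are absent from that alert, so no pivot is offered for them, which mirrors the page's note that only the attributes present on the alert appear in the list.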
Recommendations for processing IDS alerts
In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.
You can follow the following recommendations:
- Under Qualifying, select Find similar alerts by IP address. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Source column. The host name or IP address from the alert you are working on is highlighted in yellow.
- Under Qualifying, select Find similar alerts by URL. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column, the URL. The URL from the alert you are working on is highlighted in yellow.
- Under Qualifying, select Add to exclusions.
This opens the Add IDS rule to exclusions window. If you want to add an IDS rule that was used to create the alert to exclusions, enter a comment in the Description field and click Add.
The IDS rule is added to exclusions and is displayed in the exclusion list in the Settings section, Exclusions subsection on the IDS tab in the application web interface.
- Under Investigation, select Find similar events by URL. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the search filter is configured to use the URI from the alert you are working on.
- Under Investigation, select Find similar events by IP address. Click the link to display the Threat Hunting event table in a new browser tab. In the search criteria, the search filter is configured to use the RemoteIP from the alert you are working on.
- In the Investigation section, click Download IDS artifact to download the file with alert data.
- In the Investigation section, click Download PCAP file to download the file with intercepted traffic data.
Recommendations for processing NDR:IDS and NDR:EA alerts
In the right part of the window, the Recommendations section displays recommendations that you can follow, as well as the number of alerts or events that have attributes in common with the alert you are working on.
You can follow the following recommendations:
- Under Qualifying, select Find similar alerts by source IP. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Source column. The host name or IP address from the alert you are working on is highlighted in yellow.
- Under Qualifying, select Find similar alerts by destination IP. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Destination column. The host name or IP address from the alert you are working on is highlighted in yellow.
- Under Qualifying, select Find similar events by URL. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column. The URL from the alert you are working on is highlighted in yellow.
- Under Qualifying, select Find similar alerts by intrusion detection rule. Click the link to display the Alerts alert table in a new browser tab. The alerts are filtered by the Details column. The scan result from the alert you are working on is highlighted in yellow.
- In the Download section, click Download PCAP file to download the file with intercepted traffic data.
Viewing alerts
The web interface of Kaspersky Anti Targeted Attack Platform displays the following types of alerts that the user should keep track of:
- A file has been downloaded or an attempt was made to download a file to a corporate LAN computer. The application detected this file in mirrored traffic on the organization's local network or in ICAP data of HTTP and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
- A file has been sent to the email address of a user on the corporate LAN. The application detected this file in copies of email messages received via the POP3 or SMTP protocol, or received from the virtual machine or server with Kaspersky Secure Mail Gateway if it is being used in your organization.
- A website link was opened on a corporate LAN computer. The application detected this website link in mirrored traffic on the organization's local network or in ICAP data of HTTP and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
- Network activity has occurred in which the IP address or domain name of a corporate LAN computer was detected. The application detected this network activity in mirrored traffic on the organization's local network.
- Processes have been started on a corporate LAN computer. The application detected the processes using the Endpoint Agent component installed on computers belonging to the corporate IT infrastructure.
If a file was detected, the following information may be displayed in the application web interface depending on which application modules or components generated the alert:
- General information about the alert and the detected file (for example, the IP address of the computer on which the file was detected, and the name of the detected file).
- Results of the virus scan of the file performed by AM Engine.
- Results of scanning the file for signs of intrusion into the corporate IT infrastructure, performed by the YARA module.
- Results of the file behavior analysis performed by the Sandbox component.
- Results of analysis of APK executable files in the cloud infrastructure using machine learning technology.
If a website link was detected, the following information may be displayed in the application web interface depending on which application modules or components generated the alert:
- General information about the alert and the detected website link (for example, the IP address of the computer on which the website link was detected, and the address of the website link).
- Results of the link scan performed by the URL Reputation module for detecting signs of malware, phishing URL addresses, and URL addresses previously used by hackers for targeted attacks on the corporate IT infrastructure.
If the application detects network activity of the IP address or domain name of a computer on a corporate LAN, the application web interface may display the following information:
- Details of the alert and detected network activity.
- Results of web traffic scanning for signs of intrusion into the corporate IT infrastructure according to preset rules, performed by the Intrusion Detection System module (IDS).
- Results of network activity scanning performed using Kaspersky TAA (IOA) rules.
- Results of network activity scanning performed using TAA (IOA), IDS, and IOC user rules.
If the application detects processes running on a corporate LAN computer where the Endpoint Agent component is installed, the application web interface can display the following information:
- General information about the alert and processes running on the computer.
- Results of network activity scanning performed for the computer using Kaspersky TAA (IOA) rules.
- Results of network activity scanning performed for the computer using TAA (IOA) and IOC user rules.
Alerts can be managed by users with the following roles: Security officer and Senior security officer. Users with the Security auditor role can view alerts.
Viewing alert details
To view alert details:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the line containing the alert whose information you want to view.
This opens a window containing information about the alert.
General information about an alert of any type
The title of the alert details window displays the alert ID. One of two icons is displayed next to the status, depending on whether the alert has VIP status.
The upper part of the window containing alert information may display the following general information about the alert:
- State—Alert status depending on whether or not this alert has been processed by the user of Kaspersky Anti Targeted Attack Platform.
- Importance—Alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this alert may have on computer or corporate LAN security based on Kaspersky experience.
- Server is the name of the server where the detection was generated. Servers belong to the organization you are managing in the application web interface. This column is displayed if you are using the distributed solution and multitenancy mode.
- Host—Domain name of the computer where the alert occurred.
- Data source—Source of the data. For example, SMTP Sensor or SPAN Sensor.
- Time created is the time when the alert was created.
- Time updated is the time when the alert details were updated.
You can configure email notifications about new alerts.
Information in the Object information section
The Object information section can display the following event information about the detected object:
- File name.
To expand the Copy value to clipboard action, click the link with the file name.
- File type. For example: ExecutableWin32.
The Find on Kaspersky TIP button lets you look up the file on the Kaspersky Threat Intelligence Portal.
Click Create prevention rule to prevent the file from running.
Click Download to download the file to your computer's hard drive.
The file is downloaded in the form of a ZIP archive encrypted with the password "infected". The name of the file inside the archive is replaced by the file's MD5 hash. The file extension of the file inside the archive is not displayed.
- File size in kilobytes.
- MD5—MD5 hash of a file.
Clicking the link with MD5 opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
- SHA256—SHA256 hash of a file.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
- Sender's email address—Email address from which the message containing the file was sent.
- Recipient's email address—One or more email addresses to which the message containing the file was sent.
- Original sender email address—Source email address from which the message containing the file was sent.
This field is populated with data from the 'Received' header.
- Original recipient email address—Source email address(es) to which the message containing the file was sent.
This field is populated with data from the 'Received' header.
- Subject—Message subject.
- Sender server IP—IP address of the first mail server in the message delivery chain.
Clicking the Sender server IP link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
- Headers—Extended set of email message headers. For example, it can contain information about email addresses of the message sender and recipients, about mail servers that relayed the message, and the type of content in the email message.
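The Sender server IP and Original recipient email address fields described above are derived from the message's Received headers: every relay prepends its own Received header, so the header that appears last in the message was written by the first server in the delivery chain. The following added example (not code from Kaspersky Anti Targeted Attack Platform) shows that derivation on a constructed two-hop message; the sample message, the helper names and the regular expressions are assumptions made for the example.

```python
import email
import email.utils
import re

# Constructed sample message (not from the product). The lower Received
# header was written first, by the relay that accepted the message from
# the sender's network.
SAMPLE_MESSAGE = (
    "Received: from mx2.example.org (mx2.example.org [192.0.2.20])\n"
    "    by mail.example.org with ESMTP id A1B2C3\n"
    "    for <alice@example.org>; Mon, 1 Jan 2024 10:00:05 +0000\n"
    "Received: from relay.example.net (relay.example.net [203.0.113.5])\n"
    "    by mx2.example.org with ESMTPS id D4E5F6;\n"
    "    Mon, 1 Jan 2024 10:00:01 +0000\n"
    "From: Sender <sender@example.net>\n"
    "To: alice@example.org\n"
    "Subject: Quarterly report\n"
    "\n"
    "Body text.\n"
)

# Relays usually write the peer address in square brackets; fall back to
# any dotted-quad if the bracketed form is missing.
_IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_IPV4_ANY = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# The optional "for <address>" clause carries the envelope recipient.
_FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def received_hops(raw_message: str) -> list:
    """Return the Received headers ordered from first hop to last hop.

    The header that appears last in the message was prepended first, so
    the list is reversed relative to header order. Folded continuation
    lines are joined into one string.
    """
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    return [" ".join(h.split()) for h in reversed(headers)]


def sender_server_ip(raw_message: str):
    """IP address of the first mail server in the delivery chain, or None."""
    hops = received_hops(raw_message)
    if not hops:
        return None
    match = _IPV4_IN_BRACKETS.search(hops[0]) or _IPV4_ANY.search(hops[0])
    return match.group(1) if match else None


def original_recipient(raw_message: str):
    """Envelope recipient from the earliest Received header that has a for clause."""
    for hop in received_hops(raw_message):
        match = _FOR_CLAUSE.search(hop)
        if match:
            return match.group(1)
    return None


def summarize(raw_message: str) -> dict:
    """Collect the header-derived fields an analyst would compare with the alert."""
    msg = email.message_from_string(raw_message)
    return {
        "sender": email.utils.parseaddr(msg.get("From", ""))[1],
        "recipients": [addr for _, addr in email.utils.getaddresses(msg.get_all("To", []))],
        "subject": msg.get("Subject"),
        "sender_server_ip": sender_server_ip(raw_message),
        "original_recipient": original_recipient(raw_message),
        "hops": received_hops(raw_message),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MESSAGE).items():
        print(key, "=", value)
```

Because Received headers are written by the relays themselves, only the hops added by servers you control are trustworthy; a sender can insert fabricated Received headers below them, which is why the first-hop address should be read as a lead to verify rather than as proof of origin.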
Information in the Alert details section
The Alert details section can display the following information about an alert:
- Importance—Shown as one of three icons. Alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this alert may have on computer or corporate LAN security based on Kaspersky experience.
- Time is the time when the alert was created.
- Detected—One or multiple categories of detected objects. For example, when the application detects a file infected with the Trojan-Downloader.JS.Cryptoload.ad virus, the Detected field shows the Trojan-Downloader.JS.Cryptoload.ad category for this alert.
- Method—HTTP request method. For example, Get, Post, or Connect.
- URL—Detected URL. It may also contain a response code.
Clicking the link with URL opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP by URL.
- Find on Kaspersky TIP by domain name.
- Find events.
- Find alerts.
- Copy value to clipboard.
- Referer—URL from which the user was redirected to the website link requiring attention. In the HTTP protocol, it is one of the headers in the client's request containing the request source URL.
- Destination IP—IP address of the resource requested by the user or the application.
Clicking the link with Destination IP opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find events.
- Find alerts.
- Copy value to clipboard.
- User name—Name of the user account whose actions led to the event.
- Request/Response—Length of the request and response.
Information in the Information about scanning using NDR technologies section
The Information about scanning using NDR technologies section can display the following results:
- Monitoring point: the name of the monitoring point whose traffic was the reason for the registration of a network traffic event and the creation of an alert.
- Network interface ID: the ID of the monitoring point whose traffic was the reason for the registration of a network traffic event and the creation of an alert.
Information in the Scan results section
The Scan results section can display the following results:
- The names of the application modules or components that generated the alert.
- One or multiple categories of the detected object. For example, the name of the virus can be shown: Virus.Win32.Chiton.i.
- Versions of databases of Kaspersky Anti Targeted Attack Platform modules and components that generated the alert.
- Results of alert scanning by application modules and components:
- YARA—Results of streaming scans of files and objects received at the Central Node, or results of scanning hosts with the Endpoint Agent component. Possible values:
- Category of the detected file in YARA rules (for example, category name susp_fake_Microsoft_signer can be displayed).
Displayed for streaming scans.
Click Create prevention rule to prevent the file from running.
The Find on Kaspersky TIP button lets you look up the file on the Kaspersky Threat Intelligence Portal.
- Path to the file and/or name of the memory dump.
Displayed when scanning hosts with the Kaspersky Endpoint Agent component.
Clicking the link with the file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
You can click Create task to create the following tasks:
- Get data → File, Disk image, Memory dump.
- Delete file.
- Quarantine file.
Click Create prevention rule to prevent the file from running.
- Category of the detected file in YARA rules (for example, category name susp_fake_Microsoft_signer can be displayed).
- The Find on Kaspersky TIP button lets you look up the file on the Kaspersky Threat Intelligence Portal.
You can click View in quarantine to display quarantined object details.
- SB (Sandbox)—Results of the file behavior analysis performed by the Sandbox component.
You can click Sandbox detection to open a window with detailed information about the results of file behavior analysis.
The Find on Kaspersky TIP button lets you look up the file on the Kaspersky Threat Intelligence Portal.
Click Create prevention rule to prevent the file from running.
You can download a detailed log of file behavior analysis in all operating systems by clicking Download debug info.
The file is downloaded in the form of a ZIP archive encrypted with the password "infected". The name of the scanned file inside the archive is replaced by the file's MD5 hash. The file extension of the file inside the archive is not displayed.
By default, the maximum hard drive space for storing file behavior scan logs is 300 GB in all operating systems. Upon reaching this limit, the application deletes the oldest file behavior scan logs and replaces them with new logs.
- URL (URL Reputation) is the category of a malicious URL, a phishing URL, or a URL that has been previously used by attackers for targeted attacks on corporate IT infrastructures.
- IDS (Intrusion Detection System) is the category of the detected object based on the Intrusion Detection System database or the name of the IDS user rule that was used to create the alert. For example, the displayed category can be Trojan-Clicker.Win32.Cycler.a.
Click the link to display the category of the object in the Kaspersky Threats database.
- AM (Anti-Malware Engine)—Category of the detected object based on the anti-virus database. For example, the name of the virus can be shown: Virus.Win32.Chiton.i.
Click the link to display the category of the object in the Kaspersky Threats database.
The Find on Kaspersky TIP button lets you look up the file on the Kaspersky Threat Intelligence Portal.
Click Create prevention rule to prevent the file from running.
Click Download to download the file to your computer's hard drive.
- TAA (Targeted Attack Analyzer)—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered as well as recommendations for reacting to the event.
- IOC—Name of the IOC file used to create the alert.
Select an IOC file to open a window with the results of the IOC scan.
Click All events related to the alert to display the Threat Hunting event table in a new browser tab. A search filter is configured in the search criteria, for example, by MD5, FileFullName. The filtering values are populated with the properties of the alert you are working on. For example, the MD5 hash of the file in the alert.
- NDR: IDS is the reason for the alert. Corresponds to the name of the network traffic event that caused the alert to be created. Such NDR events are registered using the IDS technology and are associated with the detection of anomalies in traffic that are indicators of attack (for example, an event based on the detection of ARP spoofing indicators).
- NDR: EA (External Analysis) is the reason why the alert was created. Event received from an external system using the Kaspersky Anti Targeted Attack Platform API NDR. When the event is registered, the title and description are determined by the external system. The event is registered using the EXT technology.
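Both the Download action in the Object information section and the Download debug info action in the Sandbox results hand you a ZIP archive protected with the password "infected", in which each file is renamed to its MD5 hash with no extension. A practitioner handling such an archive wants to confirm that what came out of it is what the alert describes before doing anything else with it. The added example below (not code from Kaspersky Anti Targeted Attack Platform) reads every entry in memory, never writing the sample to disk, and checks that the computed MD5 matches the entry name. Python's zipfile module cannot write encrypted archives, so the sample archive it builds is unencrypted and clearly constructed; the password is still passed through and is applied to any entry that is actually encrypted. The helper names and sample contents are assumptions made for the example.

```python
import hashlib
import io
import zipfile

# Password stated on this page for the downloaded archive.
ARCHIVE_PASSWORD = b"infected"

# Constructed sample contents (plain text, not malware). The second entry is
# deliberately misnamed so the check has something to reject.
SAMPLE_CLEAN = b"constructed sample file contents\n"
SAMPLE_MISNAMED = b"another constructed sample\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_sample_archive() -> io.BytesIO:
    """Build an in-memory ZIP shaped like the product's download.

    Constructed for this example: zipfile cannot write encrypted archives, so
    the entries are stored unencrypted. Entry names mimic the product's
    convention of using the file's MD5 hash with no extension.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(md5_hex(SAMPLE_CLEAN), SAMPLE_CLEAN)   # name matches MD5
        zf.writestr("0" * 32, SAMPLE_MISNAMED)             # name does not match
    buf.seek(0)
    return buf


def verify_sample_archive(archive, password: bytes = ARCHIVE_PASSWORD) -> list:
    """Read each entry in memory and compare its MD5 to the entry name.

    `archive` is a path or file-like object. Nothing is extracted to disk, so
    the sample is never left somewhere it could be opened by accident. For
    encrypted entries zipfile applies `password`; for unencrypted entries it
    ignores it. Returns one dict per file entry with name, size, computed_md5,
    sha256 and ok (True when the name equals the computed MD5).
    """
    results = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=password) as fh:
                data = fh.read()
            digest = md5_hex(data)
            results.append({
                "name": info.filename,
                "size": len(data),
                "computed_md5": digest,
                "sha256": hashlib.sha256(data).hexdigest(),
                "ok": info.filename.lower() == digest,
            })
    return results


if __name__ == "__main__":
    for entry in verify_sample_archive(build_sample_archive()):
        status = "OK " if entry["ok"] else "MISMATCH"
        print(status, entry["name"], entry["size"], "bytes sha256", entry["sha256"])
```

A mismatch between the entry name and the computed MD5 means the archive is not the one the alert describes (wrong download, truncated transfer, or tampering) and the sample should not be trusted for further analysis. The SHA256 is computed alongside so it can be compared with the SHA256 shown in the alert card.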
Information in the IDS rule section
The IDS rule section displays information about the alert made by the IDS (Intrusion Detection System) technology as a hex-editor matrix.
The hex-editor or hexadecimal editor is an application for editing data where data is represented as a sequence of bytes.
The upper part of the matrix displays the length of the IDS rule.
The left part of the matrix displays the data of the rule in text format.
The Rule details subsection of the IDS rule section displays the header of the IDS rule and data of the IDS alert in the Suricata format. For example, it can display information about the direction of the traffic (flow), the HTTP request method (http_method), the HTTP header (http_header), and the security ID (sid).
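 
To make the Rule details and hex-editor views concrete, the added example below (not code from Kaspersky Anti Targeted Attack Platform or from Suricata) parses a rule written in Suricata syntax into its seven header fields and its option list, and renders the rule text as offset/hex/text rows of the kind a hex editor shows. The rule itself is constructed for the example and is not a rule from the IDS database; the helper names are assumptions.

```python
# Constructed rule in Suricata syntax, written for this example. The keyword
# names (flow, http_method, http_header, sid) are the ones named on this page.
SAMPLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"CONSTRUCTED EXAMPLE outbound POST with custom header"; '
    'flow:established,to_server; content:"POST"; http_method; '
    'content:"X-Example-Header|3a|"; http_header; '
    'classtype:policy-violation; sid:1000001; rev:1;)'
)

# Suricata rule header: action protocol src sport direction dst dport
_HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                  "direction", "dst_ip", "dst_port")


def split_options(body: str) -> list:
    """Split 'key:value; key; ...' on semicolons that are outside quotes.

    A semicolon inside a quoted msg or content value is data, not a separator,
    so quoting and backslash escapes are tracked character by character.
    """
    options, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
    parsed = []
    for opt in options:
        if not opt:
            continue
        key, sep, value = opt.partition(":")
        # Flag-only keywords such as http_method carry no value.
        parsed.append((key.strip(), value.strip() if sep else None))
    return parsed


def parse_rule(rule: str) -> dict:
    """Return the header fields, the option list and the rule length in bytes."""
    rule = rule.strip()
    open_paren = rule.find("(")
    if open_paren < 0 or not rule.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    header_tokens = rule[:open_paren].split()
    if len(header_tokens) != len(_HEADER_FIELDS):
        raise ValueError("rule header must have 7 fields, got %d" % len(header_tokens))
    header = dict(zip(_HEADER_FIELDS, header_tokens))
    if header["direction"] not in ("->", "<>"):
        raise ValueError("unknown direction %r" % header["direction"])
    return {
        "header": header,
        "options": split_options(rule[open_paren + 1:-1]),
        "length": len(rule.encode("utf-8")),
    }


def option(parsed: dict, key: str):
    """Value of the first option named key; None for flag-only options."""
    for k, v in parsed["options"]:
        if k == key:
            return v
    raise KeyError(key)


def hex_matrix(rule: str, width: int = 16) -> list:
    """Rows of (offset, hex bytes, printable text), as a hex editor lays them out."""
    data = rule.encode("utf-8")
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append((off, hex_part, text))
    return rows


if __name__ == "__main__":
    parsed = parse_rule(SAMPLE_RULE)
    print("length:", parsed["length"])
    print("header:", parsed["header"])
    for key, value in parsed["options"]:
        print("  %-12s %s" % (key, "" if value is None else value))
    for off, hex_part, text in hex_matrix(SAMPLE_RULE):
        print("%08x  %-47s  %s" % (off, hex_part, text))
```

In Suricata terms sid is the signature ID, and a sid together with rev identifies a rule version; when comparing the Rule details view with a rule file, these two options are the ones to match on.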
Information in the URL section
Under URL, the URL that triggered the alert is displayed.
Clicking the URL link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP by URL.
- Find on Kaspersky TIP by domain name.
- Copy value to clipboard.
Information in the IP addresses of detection-related devices section
Under IP addresses of alert-related devices, information about devices associated with the alert is displayed:
- Protocol.
- Source IP.
- Source MAC.
- Destination IP.
- Destination MAC.
Information in the Network event section
The Network event section can show the following information about the link to the website opened on the computer:
- Date and Time—Date and time of the network event.
- Method—Type of HTTP request, for example, GET or POST.
- Source IP—IP address of the computer on which the website link was opened.
- Destination IP—IP address of the computer on which the website link was opened.
- URL—Type of the HTTP request, for example, GET or POST, and the URL of the website.
If the alert is created for a file extracted from traffic, the URL specifies the protocol used to transmit the traffic from which the file was extracted. Possible protocols: HTTP, HTTPS, FTP, SMTP, POP3, SMB, NFS.
Clicking the link with the URL opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP by URL.
- Find on Kaspersky TIP by domain name.
- Find events.
- Find alerts.
- Copy value to clipboard.
- User Agent—Information about the browser that was used to download the file or to attempt to download the file, or to open the website link. It is the text string included in the HTTP request, which normally contains the name and version of the browser as well as the name and version of the operating system installed on the user's computer.
Scan results in Sandbox
The object scan results window in Sandbox can display the following alert details:
- File—Full name and path of the scanned file.
- File size—Size of the file.
- MD5—MD5 hash of a file.
Clicking the link with MD5 opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
- Detected—One or multiple categories of detected objects. For example, when the application detects a file infected with the Trojan-Downloader.JS.Cryptoload.ad virus, the Detected field shows the Trojan-Downloader.JS.Cryptoload.ad category for this alert.
- Time processed—Time when the file was scanned.
- Database versions—Versions of the databases of modules and components of Kaspersky Anti Targeted Attack Platform that created the alert.
You can click New prevention rule in the upper right corner of the window to prevent the file from running.
Information about the file behavior analysis results is provided for each operating system in which the Sandbox component performed a scan. For the Windows 7 operating system (64-bit), you can view file activity logs for two Sandbox component scan modes: Quick scan mode and Full logging mode.
The following activity logs may be available for each scan mode:
- Activity list—Actions of the file within the operating system.
- Activity tree—Graphical representation of the file analysis process.
- HTTP activity log—Log of the file's HTTP activity. It contains the following information:
- Destination IP—IP address to which the file is attempting to go from the operating system.
- Method—HTTP request method, for example, GET or POST.
- URL—URL of the website link that the file is attempting to open from the operating system.
Clicking links in the Destination IP column opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find events.
- Find alerts.
- Copy value to clipboard.
Clicking a link in the URL column opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP by URL.
- Find on Kaspersky TIP by domain name.
- Find events.
- Find alerts.
- Copy value to clipboard.
- IDS activity log—Log of the file's network activity. It contains the following information:
- Source IP—IP address of the host on which the file is saved.
- Destination IP—IP address to which the file is attempting to go from the operating system.
- Method—HTTP request method, for example, GET or POST.
- URL—URL of the website link that the file is attempting to open from the operating system.
Clicking links in the Destination IP column opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find events.
- Find alerts.
- Copy value to clipboard.
Clicking a link in the URL column opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP by URL.
- Find on Kaspersky TIP by domain name.
- Find events.
- Find alerts.
- Copy value to clipboard.
- DNS activity log—Log of the file's DNS activity. It contains the following information:
- Request type (Request or Response).
- DNS name—Domain name of the server.
- Type—Type of DNS request, for example A or CNAME.
- Host—Host name or IP address that was interacted with.
Clicking a link in the DNS name or Host columns opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find events.
- Find alerts.
- Copy value to clipboard.
- Screenshots—Contains screenshots taken during the execution of the file.
You can view the screenshots in the application web interface or download a Zip archive containing the screenshots.
You can click Download full log in the lower part of each scanning mode (Quick scan mode and Full logging mode) to download the log of file behavior analysis in each operating system to your computer.
IOC scan results
Depending on the type of processed object, the indicator of compromise search result window can display the following information:
- ARP protocol:
- IP address from the ARP table.
- Physical address from the ARP table.
- DNS record:
- Type and name of the DNS record.
- IP address of the protected computer.
- Windows Log event:
- Entry ID in the event log.
- Data source name in the log.
- Log name.
- User account.
- Event time.
- File:
- MD5 hash of the file.
- SHA256 hash of the file.
- Full name of the file (including path).
- File size.
- Port:
- Remote IP address with which a connection was established at the time of the scan.
- Remote port with which a connection was established at the time of the scan.
- IP address of the local adapter.
- Port open on the local adapter.
- Protocol as a number (in accordance with the IANA standard).
- Process:
- Process name.
- Process arguments.
- Path to process file.
- Windows ID (PID) of the process.
- Windows ID (PID) of the parent process.
- Name of the user account that started the process.
- Date and time when the process started.
- Service:
- Service name.
- Service description.
- Path and name of the DLL service (for svchost).
- Path and name of the executable file of the service.
- Windows ID (PID) of the service.
- Service type (for example, kernel driver or adapter).
- Service status.
- Service run mode.
- User:
- User account name.
- Volume:
- Volume name.
- Volume letter.
- Volume type.
- Registry:
- Windows registry value.
- Registry hive value.
- Path to registry key (without hive or value name).
- Registry parameter.
- Environment variables:
- Physical (MAC) address of the protected computer.
- System (environment).
- OS name with version.
- Network name of the protected device.
- Domain and group to which the protected computer belongs.
The IOC section displays the structure of the IOC file. If the processed object matches a condition of the IOC rule, that condition is highlighted. If the processed object matches multiple conditions, the text of the whole branch is highlighted.
Information in the Hosts section
The Hosts section displays the following information about hosts on which the TAA (IOA) rule was triggered:
- Host name—IP address or domain name of the computer where the event occurred. Clicking the link opens the Threat Hunting section with the search condition containing the ID of the selected rule and the selected host.
- IP—IP address of the computer where the event occurred.
If you are using dynamic IP addresses, the field displays the IP address assigned to the computer at the moment when the alert was created or updated.
The application does not support IPv6. If you are using IPv6, the IP address of the computer is not displayed.
- Number of events—Number of events that occurred on the host.
- Find events. Clicking the link opens the Threat Hunting section with the search condition containing the ID of the selected rule.
Information in the Change log section
The Change log section can display the following detection information:
- Date and time of alert modification.
- Author of modifications.
For example, System or the application user name.
- Modification that occurred with the alert.
For example, an alert may be assigned to a VIP group, or it may be marked as processed.
Sending alert data
You can provide Kaspersky with data about an alert (except the URL Reputation and IOC technologies) for further analysis.
To do so, you must copy the alert data to the clipboard and then email it to Kaspersky.
Alert data may contain information about your organization that you consider to be confidential. You must consult with the security department of your organization for approval to send this data to Kaspersky for further analysis.
To copy alert details to the clipboard:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the line containing the alert whose information you want to view.
This opens a window containing information about the alert.
- Click the Provide the alert details to Kaspersky link in the lower part of the window containing alert information.
This opens the Show more window.
- View the alert data to be sent to Kaspersky.
- If you want to copy this data, click the Copy to clipboard button.
The alert data will be copied to the clipboard. You will be able to send it to Kaspersky for further analysis.
Viewing alert relations
From the alert card, you can go to the table of events, assets, or network sessions associated with this alert.
To view the relations of an alert:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Open the alert whose relations you want to view.
- In the alert card, click the arrow next to the Show related button.
- Select a relation of the alert from the list:
- Events.
- Assets.
- Network sessions.
This opens the corresponding section of the web interface with a table of relations.
User actions performed on alerts
When managing the application web interface using a Senior security officer or Security officer account, you can take the following actions on alerts:
- Assign an alert to yourself or to another user of the application web interface.
You can view all alerts assigned to a specific user by filtering alerts based on the status of their processing by the user.
- Mark the alert as processed.
You can view all alerts that have been processed by a specific user by filtering alerts based on the status of their processing by the user.
- Add a comment to an alert.
You can find commented alerts based on keywords within comments by filtering alerts based on received information.
- Mark the alert as VIP.
This action is available only to users with the Senior security officer role. Users with this role can view all alerts with the VIP status by filtering alerts by VIP status.
Users with the Security auditor role can view information about alerts but cannot edit this information.
Assigning alerts to a specific user
Users with the Senior security officer role can assign an alert or multiple alerts to themselves or to another user of the application web interface with the Senior security officer or Security officer role.
To assign an alert to yourself or to another user of the application web interface:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Select the check boxes next to the alert or alerts that you want to assign to yourself or to another user.
You can select all alerts by selecting the check box in the table header.
- In the pane that is displayed in the lower part of the window, expand the list of users by clicking on the arrow to the right of the Assign to button.
- Select the user to whom you want to assign the alerts.
This opens the action confirmation window. You can also leave a comment that will be displayed in the alert change history.
- Click Proceed.
The alerts will be assigned to the selected user.
You can view all alerts assigned to a specific user by filtering alerts based on the status of their processing by the user.
Users with the Security auditor role cannot assign alerts to themselves or to other users of the application web interface. Users with the Senior security officer and Security officer roles also cannot assign alerts to users with the Security auditor role.
Users with the Senior security officer and Security officer roles, while managing an alert, can assign this alert to themselves or to another user of the application web interface with the Senior security officer or Security officer role.
To assign an alert to yourself or another user while managing the alert:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Open the alert that you want to assign to yourself or to another user of the application.
This opens the card of the alert.
- If you want to assign the alert to yourself, click Assign to @Me.
- If you want to assign the alert to another user of the application, click the arrow to the right of the Assign to button and select the user to whom you want to assign the alert.
The alert is assigned to the selected user.
Marking the completion of single alert processing
Users with the Security auditor role cannot assign and process alerts.
To close an individual alert in the table of alerts:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- In the State column of the alert that you want to close, click the status of the alert.
- In the list of actions, select Close alert.
The alert is closed.
To close an alert while managing the alert:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Open the alert that you want to close.
- In the upper-right corner of the window, click Close alert.
The alert is closed. If the alert was assigned to a different user, it is marked as processed by you.
You can view all alerts that have been processed by a specific user by filtering alerts based on the status of their processing by the user or by using the Show closed alerts toggle switch.
If an alert based on a scan using the TAA (IOA), IDS, or URL technology that is similar to a processed alert is received within the day (from 00:00 a.m. to 11:59 p.m.), the application either creates a new alert or updates the information in the identical alert with the New or In process status.
When you close an NDR alert, the aggregate event and nested NDR events associated with the alert are marked as resolved, and other alerts associated with these events are also closed. If a closed NDR alert is reopened, the associated closed NDR event is not reopened.
Marking the completion of alerts processing
Users with the Security officer role cannot perform bulk operations on alerts. Users with the Security auditor role cannot assign and process alerts.
To close one or more alerts:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Select the check boxes opposite those alerts that you want to close.
You can select all alerts by selecting the check box in the table header.
- In the pane that appears in the lower part of the window, click the Close alert button.
This opens the action confirmation window.
You can also leave a comment that will be displayed in the alert change history.
- Click Proceed.
The selected alerts are closed. If the alerts were assigned to other users, they are marked as closed by you.
You can view all closed alerts by filtering alerts based on the status of their processing by the user or by using the Show closed alerts toggle switch.
If an alert based on a scan using the TAA (IOA), IDS, or URL technology that is similar to a processed alert is received within the day (from 00:00 a.m. to 11:59 p.m.), the application either creates a new alert or updates the information in the identical alert with the New or In process status.
When you close an NDR alert, the aggregate event and nested NDR events associated with the alert are marked as resolved, and other alerts associated with these events are also closed. If a closed NDR alert is reopened, the associated closed NDR event is not reopened.
Modifying the status of VIP alerts
Users with the Senior security officer role can assign the VIP status to alerts or clear the VIP status of alerts.
To toggle the VIP status for alerts:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Select the check boxes for alerts for which you want to change the VIP status.
You can select all alerts by selecting the check box in the table header.
- Do one of the following:
- If you want to mark alerts as VIP, click the Mark as VIP button in the pane that appears in the lower part of the window.
- If you want to remove the VIP status from alerts, in the pane that is displayed in the lower part of the window, in the Mark as VIP drop-down list, select Mark as non-VIP.
This opens the action confirmation window.
You can also leave a comment that will be displayed in the alert change history.
- Click Proceed.
The VIP status of alerts is changed.
Users with the Senior security officer and Security auditor roles can view all events with the VIP status by filtering alerts by VIP status.
Adding a comment to an alert
Users with the Senior security officer and Security officer roles can add a comment to an alert.
To add a comment to an alert:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Select an alert for which you want to add a comment.
This opens a window containing information about the alert.
- In the comment field under the Change log section, enter a comment for the alert.
- Click Add.
The comment will be added to the alert and will be displayed in the Change log section of this alert.
You can find commented alerts based on keywords within comments by filtering alerts based on received information.
Users with the Security auditor role can view comments for alerts but cannot edit the comments.
Monitoring network traffic events
The application registers events when analyzing network traffic. Network traffic analysis is part of the NDR functionality.
A network traffic event (also referred to as an NDR event) is a record containing information about the detection of certain changes or conditions in network traffic that require the attention of an information security professional. NDR events are registered and sent to the Central Node. The server processes the received events and stores them in the database.
An aggregate event is a special type of event that is registered when a specific sequence of NDR events is received. Aggregate events group NDR events that have some common characteristics or are related to the same process.
The application registers aggregate events in accordance with event correlation rules. An event correlation rule describes the conditions for scanning sequences of events. When a sequence of NDR events is detected that matches the conditions of the rule, the application registers an aggregate event that mentions the name of the triggered rule. Aggregate events are registered with system event type code 8000000001.
Event correlation rules are built into the application and are applied independently of the security policy.
After the application is installed, the original event correlation rules are used. To improve the effectiveness of the rules, Kaspersky regularly updates the databases with rule sets. You can update correlation rules by installing updates.
The Kaspersky Anti Targeted Attack Platform server registers NDR events in accordance with the settings specified for registering event types. You can configure these settings in the Configure event types section.
To reduce the number of frequently repeated NDR events that do not require user attention, you can create allow rules for events. NDR events that match allow rules are not registered. For example, you can use an allow rule to temporarily disable the registration of all events from a specific monitoring point. You can view allow rules for events in the Settings section, Allow rules subsection. The EVT type is specified for such rules.
The application stores NDR events and aggregate events in a database on the Central Node. The total amount of stored records cannot exceed the configured limit. If the amount exceeds the limit, the application automatically deletes the oldest records. However, if a minimum storage duration is configured, the corresponding message is logged in the application message log when deleting records whose age is less than the minimum duration. You can configure the event and incident storage settings.
You can view information about NDR events and aggregate events in the Network traffic events section. This section displays detailed information about NDR events and aggregate events and allows loading information for any period from the server database.
Actions with network traffic events are available to users with the Security officer or Senior security officer role. Users with the Security auditor role can view events.
NDR events are generated if a valid KATA+NDR license key is present. After the license key expires, created events remain available for viewing, but related alerts are not created.
NDR event scores and severity levels
NDR events in Kaspersky Anti Targeted Attack Platform are scored on a scale from 0.0 to 10.0.
If an NDR event is associated with a device, the application takes into account the available information about the device when calculating the score. The importance level of the device and the risks associated with this device are taken into account.
The base score specified for the NDR event type in the table of event types is used as the baseline for calculating the score.
If an NDR event is not associated with a device, the score of the event is equal to the base score.
The score determines the severity level of the NDR event. Depending on the numerical value of the score, an NDR event can have one of the following severity levels:
- Low (scores 0.0–3.9)
Low-severity NDR events usually do not require immediate response.
- Medium (scores 4.0–7.9)
Medium-severity NDR events contain information that must be looked at. These events may require a response.
- High (scores 8.0–10.0)
High-severity NDR events contain information that can have critical impact. These events require an immediate response.
NDR event registration technologies
Kaspersky Anti Targeted Attack Platform registers NDR events using one of the following technologies:
- Intrusion Detection (IDS)
This technology registers NDR events related to the detection of anomalies in traffic that are indicators of attacks (for example, an NDR event can be registered when indicators of ARP spoofing are detected).
- External (EXT)
This technology registers aggregate and nested NDR events that are received by the Kaspersky Anti Targeted Attack Platform from third-party systems using the methods of the Kaspersky Anti Targeted Attack Platform API.
- Asset Management (AM)
This technology registers NDR events involving the detection of information about devices in traffic or in data received from EPP applications (for example, an NDR event can be registered when a device is found to have a new IP address).
- Endpoint Protection Platform (EPP)
This technology registers NDR events for threats detected by Kaspersky applications that protect workstations and servers (for example, a malware detection event).
NDR event statuses
NDR event statuses allow the application to display the course of processing the received information by security officers.
The following statuses can be assigned to NDR events and aggregate events:
- New.
This status is assigned to all NDR and aggregate events when they are registered in Kaspersky Anti Targeted Attack Platform.
- In process.
You can assign this status to NDR events and aggregate events that are being processed (for example, during the investigation of the reasons why these events or incidents were registered).
- Resolved.
You can assign this status to NDR events and aggregate events that already have been processed (for example, the investigation of the reasons of their registration is closed).
After the Resolved status is assigned, the application ignores NDR events and aggregate events with this status when determining the security status of devices displayed in the table of devices and on the network interactions map.
Statuses of NDR events and aggregate events must be changed manually. You can assign statuses sequentially in the order from New to Resolved. However, you can skip the In process status. After changing the status of an NDR event or aggregate event, you cannot re-assign one of the previous statuses.
If the Resolved status is assigned to an aggregate event, the status of all nested NDR events is automatically changed to Resolved, and the associated alerts are also closed.
If the Resolved status is assigned to an NDR event, aggregate events under which this NDR event is nested and the associated alerts are not closed.
Table of registered NDR events
You can view the table of registered NDR events and aggregate events in the Network traffic events section.
By default, the table of registered NDR events and aggregate events is updated in real time. At the top of the table, events with the most recent last-seen date and time values are displayed.
The last-seen date and time of an NDR or aggregate event may not be the same as the date and time of its registration. For an NDR event, the last-seen date and time may be updated during the regeneration period of that event type. For an aggregate event, the last-seen date and time is updated to match the last-seen date and time of nested NDR events.
Parameters of NDR events and aggregate events are displayed in the following columns of the table:
- Start.
For an NDR event, the date and time when the event was registered. For an aggregate event, the date and time when the first nested event was registered. You can view the date together with the time, or just the date or time by itself. To choose the information to display, select the check boxes opposite the Date and Time settings.
- Last seen
For an NDR event, the last-seen date and time of the NDR event. May contain the date and time of the event registration or the date and time when the event repetition counter was incremented if the event registration conditions recurred during the regeneration period. The value of the regenerate counter is displayed in the Total appearances column. For an aggregate event, the latest last-seen date and time among events included in the aggregate event. Just like with the Start column, you can view the date together with the time, or just the date or time by itself.
- Title.
The title configured for the NDR event type.
- Score.
The calculated score for the NDR event. This numerical value determines the severity level of the NDR event. Depending on the severity level, the score can be displayed in one of the following colors:
- Red for a High-severity event.
- Yellow for a Medium-severity event.
- Blue for a Low-severity event.
- Source.
Address of the source of network packets. You can enable or disable the display of the individual address elements by using the following settings (their abbreviated names displayed in table columns are indicated in parentheses): IP address, Port number (P), MAC address, VLAN ID (VID), and Application-level address. If additional address spaces were added to the application, you can show or hide address space names by using the Show address spaces setting when configuring the devices table.
- Destination.
Address of the destination of network packets. The display of address information can be configured the same way as the Source column.
- Protocol.
Application layer protocol for which the event was registered.
- Technology.
Icon corresponding to the technology used to register the NDR event.
- Total appearances.
For an NDR event, the value of the repetition counter after the registration of the NDR event during the regeneration period. A value greater than 1 means that the conditions for registering an NDR event recurred N – 1 times. For an aggregate event, this column displays a value of 1.
- ID.
Unique identifier of the registered NDR or aggregate event.
- Application.
Information about applications that caused the conditions for registering the NDR event. The NDR event stores information about applications received from EPP applications.
- Application user.
Information about the user account that started the application specified in the Application column.
- Status.
Icon corresponding to the status of the NDR event or aggregate event.
- Description.
The description specified for the NDR event type.
- End.
For an NDR event, the date and time when the Resolved status was assigned or the regeneration period of the NDR event. For an aggregate event, the latest resolution date and time across nested NDR events. Just like with the Start column, you can view the date together with the time, or just the date or time by itself.
- Triggered rule.
For an NDR event, the name of the Process Control rule or Intrusion Detection rule that, when triggered, caused the NDR event to be registered. For an aggregate event, the name of the correlation rule that, when triggered, caused the aggregate event to be registered.
- Monitoring point.
Monitoring point whose traffic invoked registration of the NDR event.
- Event type.
Numeric code assigned to the NDR event type.
- Marker.
A set of icons that you can assign to any NDR or aggregate event to easily find NDR or aggregate events based on a criterion that is not present in the table.
When viewing the table of network traffic events, you can configure, filter, search, and sort records and navigate to related items.
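The registration behaviour described above (EVT allow rules suppressing registration, the regeneration period folding repeats into the Total appearances counter while Last seen is updated, and the score ranges that give the severity level) can be modelled in a few lines. The following is an added example, not code from the Kaspersky documentation or product; the rule shape, the regeneration period, the event type code and the sample events are constructed assumptions.

```python
"""Added example, not code from the Kaspersky documentation: a model of NDR event
registration as described above. EVT allow rules are applied before registration,
repeats of the same event within its regeneration period are folded into the
Total appearances counter (Last seen is updated), and severity is derived from the
score. The rule shape, the regeneration period, the event type code and the sample
events are constructed assumptions, not the product's API or data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

EVENT_TYPE_ARP_SPOOFING = 4000000101  # constructed placeholder code, not a real type code


def severity_for_score(score: float) -> str:
    """Severity level from the score ranges given in the manual (0.0-3.9 / 4.0-7.9 / 8.0-10.0)."""
    if score >= 8.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class RegisteredEvent:
    event_type: int
    title: str
    monitoring_point: str
    score: float
    start: datetime                # Start column: registration time
    last_seen: datetime            # Last seen column
    total_appearances: int = 1     # Total appearances column

    @property
    def severity(self) -> str:
        return severity_for_score(self.score)


@dataclass
class EventStore:
    regeneration_period: timedelta
    # EVT allow rules (assumed shape): each rule is a dict; a key that is absent matches anything.
    allow_rules: list = field(default_factory=list)
    events: list = field(default_factory=list)

    def is_suppressed(self, event_type: int, monitoring_point: str) -> bool:
        """An event matching an allow rule is not registered at all."""
        return any(rule.get("event_type", event_type) == event_type
                   and rule.get("monitoring_point", monitoring_point) == monitoring_point
                   for rule in self.allow_rules)

    def register(self, event_type: int, title: str, monitoring_point: str,
                 score: float, seen_at: datetime) -> Optional[RegisteredEvent]:
        """Register an event, or bump the counter of an existing record for the same
        conditions whose regeneration period (counted from Start, an assumption) has not elapsed."""
        if self.is_suppressed(event_type, monitoring_point):
            return None
        for ev in reversed(self.events):
            if (ev.event_type == event_type and ev.monitoring_point == monitoring_point
                    and timedelta(0) <= seen_at - ev.start <= self.regeneration_period):
                ev.total_appearances += 1
                ev.last_seen = seen_at
                return ev
        ev = RegisteredEvent(event_type, title, monitoring_point, score, seen_at, seen_at)
        self.events.append(ev)
        return ev


def demo() -> EventStore:
    """Constructed scenario: three repeats inside a 30-minute regeneration period,
    one repeat after it, and one event from a monitoring point muted by an allow rule."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    store = EventStore(regeneration_period=timedelta(minutes=30),
                       allow_rules=[{"monitoring_point": "mp-lab"}])
    for minutes, point in ((0, "mp-1"), (5, "mp-1"), (20, "mp-1"), (45, "mp-1"), (0, "mp-lab")):
        store.register(EVENT_TYPE_ARP_SPOOFING, "ARP spoofing indicators", point, 8.5,
                       t0 + timedelta(minutes=minutes))
    return store


if __name__ == "__main__":
    for ev in demo().events:
        print(ev.title, ev.monitoring_point, ev.severity, ev.total_appearances, ev.last_seen)
```

Running `demo()` yields two records from the four visible detections on mp-1 (the first with Total appearances 3 and Last seen 12:20, the second registered fresh at 12:45 because the period had elapsed) and nothing for mp-lab, which is exactly the effect an allow rule on a monitoring point has on the table.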
Configuring the table of registered events
You can configure the display of the event table as follows:
- Show or hide the information panel.
- Show or hide events included in incidents.
- Show or hide the columns of the table and reorder the columns.
To configure the event table display:
- In the Network traffic events section, click the icon.
This opens the table display configuration window.
- If you want to show the information panel displaying the number of events with New or In process status, select the Display information panel check box.
- Under Display embedded lists, select a display mode for NDR events nested in aggregate events:
- Flat. In this mode, the table of events displays all NDR events without regard to event nesting.
- Tree. In this mode, aggregate events are displayed as a tree of nested events and other aggregate events. If you want nested items to be displayed regardless of the current filtering and search settings, select the Show embedded events when filtering check box.
- Under Displayed columns, select check boxes next to the parameters that you want to view in the table. You must select at least one parameter.
- If you want to display the columns in a different order, select the name of the column that you want to move left or right in the table, and click the buttons with the up and down arrows.
For the Start, Last seen, and End columns, you can also change the order in which the date and time values are displayed, and for the Source and Destination columns, you can change the order in which the source and destination addresses of network packets are displayed. To do this, select the value that you want to move left or right in the table, and click the buttons with the up and down arrows.
The selected columns are displayed in the new order in the table in the Network traffic events section.
Viewing events nested inside an aggregate event
You can use the following modes to view NDR events nested in aggregate events in the table of network traffic events:
- Flat mode. In this mode, the table of NDR events displays all events without regard to event nesting.
- Tree mode. In this mode, aggregate events are displayed as trees that can be collapsed and expanded using the collapse and expand buttons next to the titles of aggregate events.
You can change the display mode when configuring the table of events.
Viewing details of an NDR event
Details of NDR and aggregate events are displayed in the details area in the Network traffic events section of the application web interface.
To view the details of an NDR or aggregate event:
In the Network traffic events section, select an event.
The details area is displayed in the right part of the web interface window, displaying detailed information about the selected NDR or aggregate event.
Changing the status of an NDR event
You can change the following statuses of NDR events and aggregate events:
- New. This status can be changed to In process or Resolved.
- In process. This status can be changed to Resolved.
The Resolved status cannot be changed.
If the NDR event is associated with a risk, when assigning the Resolved status to this event, you can also change the risk status to Accepted.
To change the status of NDR events and aggregate events when managing the table of events:
- In the Network traffic events section in the table of events, select the NDR events or aggregate events whose status you want to change.
- Open the Change status drop-down list in the toolbar.
- In the drop-down list, select the command for the status that you want to assign.
Some items of the drop-down list are not available in the following cases:
- The In process item is unavailable if the selected items do not include NDR events or aggregate events with the New status.
- The Resolved item is unavailable if the selected items do not include NDR events or aggregate events with the New or In process status.
If all NDR events or aggregate events that satisfy the current filtering and search conditions are selected, and the number of selected items is greater than 1000, the application does not check their statuses. In this case, the In process and Resolved items are both available. However, the In process item can be used to assign the In process status only to events and incidents that have the New status.
A window with a confirmation prompt opens.
- If the selected NDR events are associated with risks, and you want to simultaneously assign a status of Accepted to all these risks, select Assign the Accepted status for all risks related to the event if one event is selected or Assign the Accepted status for all risks related to the events if multiple events are selected.
Risks may become associated with events when registering certain types of NDR events using the Asset Management technology.
- In the prompt window, click OK.
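The status rules from "NDR event statuses" and from this procedure (forward-only transitions, the cascade from an aggregate event to its nested events, and which Change status commands are offered for a selection, including the 1000-item limit) can be checked with the following model. This is an added example, not code from the Kaspersky documentation or product; class and field names and the sample events are constructed.

```python
"""Added example, not code from the Kaspersky documentation: a model of the NDR
event status rules. Statuses only move forward (New -> In process -> Resolved, with
In process optional), Resolved is terminal, resolving an aggregate event resolves
its nested events and closes their alerts, resolving a nested event does not touch
its parent, and the toolbar command availability rules apply up to the 1000-item
limit. Class and field names and the sample events are constructed, not the product's API."""
from dataclasses import dataclass, field
from typing import List, Set

NEW, IN_PROCESS, RESOLVED = "New", "In process", "Resolved"
ORDER = {NEW: 0, IN_PROCESS: 1, RESOLVED: 2}
BULK_CHECK_LIMIT = 1000  # above this many selected items the status check is skipped


@dataclass
class NdrEvent:
    event_id: str
    status: str = NEW
    nested: List["NdrEvent"] = field(default_factory=list)  # non-empty for an aggregate event
    alerts_closed: bool = False  # assumed flag standing in for "associated alerts are closed"

    @property
    def is_aggregate(self) -> bool:
        return bool(self.nested)


def can_transition(current: str, target: str) -> bool:
    """Only forward moves are allowed, so Resolved can never be changed."""
    return ORDER[target] > ORDER[current]


def set_status(ev: NdrEvent, target: str) -> None:
    if not can_transition(ev.status, target):
        raise ValueError(f"{ev.event_id}: cannot change {ev.status} to {target}")
    ev.status = target
    if target == RESOLVED and ev.is_aggregate:
        for child in ev.nested:          # cascade: nested events become Resolved too
            if child.status != RESOLVED:
                set_status(child, RESOLVED)
        ev.alerts_closed = True          # alerts associated with the aggregate are closed


def available_commands(selected: List[NdrEvent]) -> Set[str]:
    """Which Change status items the toolbar would offer for this selection."""
    if len(selected) > BULK_CHECK_LIMIT:
        return {IN_PROCESS, RESOLVED}
    commands = set()
    if any(e.status == NEW for e in selected):
        commands.add(IN_PROCESS)
    if any(e.status in (NEW, IN_PROCESS) for e in selected):
        commands.add(RESOLVED)
    return commands


def bulk_set_status(selected: List[NdrEvent], target: str) -> int:
    """Apply the command to every selected event that can take it; returns how many changed.
    With In process this only affects New events, as the manual states for large selections."""
    changed = 0
    for e in selected:
        if can_transition(e.status, target):
            set_status(e, target)
            changed += 1
    return changed


def demo() -> NdrEvent:
    """Constructed scenario: resolve one nested event (parent untouched), then the aggregate."""
    agg = NdrEvent("agg-1", nested=[NdrEvent("n1"), NdrEvent("n2", status=IN_PROCESS)])
    set_status(agg.nested[0], RESOLVED)   # n1 resolved; agg-1 stays New
    set_status(agg, RESOLVED)             # cascades to n2 and closes the aggregate's alerts
    return agg


if __name__ == "__main__":
    agg = demo()
    print(agg.event_id, agg.status, [(c.event_id, c.status) for c in agg.nested])
```

The model makes one point explicit that is easy to miss when processing in bulk: with more than 1000 items selected both commands are offered, but In process still changes only the New events, so the returned count tells you how much of the selection actually moved.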
Adding markers
Users with the Senior security officer role can assign markers to NDR events and aggregate events in the Network traffic events section of the application web interface.
A marker is an icon that helps you find NDR events and aggregate events by criteria that are not present in the table.
To assign a marker to an NDR or aggregate event:
- In the Network traffic events section, in the row with the NDR event or aggregate event, click in the Marker column.
- In the menu that is displayed, select the marker that you want to assign to this NDR event or aggregate event.
You can select one of seven markers provided by the application. The meaning of each marker is up to you to decide.
- If you need to remove a marker, select No marker in the menu.
Users with the Senior security officer and Security auditor roles can view NDR events or aggregate events with a marker.
Copying NDR events to a text editor
You can copy information about NDR events and aggregate events from the table of network traffic events to any text editor. Information is copied from the columns currently displayed in the table.
Events can be copied if no more than 200 NDR events and aggregate events are selected.
To copy NDR and aggregate events into a text editor:
- In the Network traffic events section, select the NDR events and aggregate events that you want to copy to a text editor.
- Right-click to open the context menu of one of the selected events.
- In the context menu, select one of the following commands:
- Copy details of the event if a single NDR or aggregate event is selected.
- Copy details of the selected events if multiple NDR events or aggregate events are selected.
- Open any text editor.
- In the text editor window, paste the events (for example, by pressing Ctrl+v).
The copied event information can be edited in the text editor. Information about multiple events is delimited by empty lines.
Downloading traffic for events
When viewing the table of events, you can download traffic related to registered NDR events and aggregate events. Traffic is downloaded as a PCAP file (if one event is selected) or as a ZIP archive containing PCAP files (if multiple events are selected).
You can download traffic if no more than 200 events are selected in the table of events (also counting events nested inside aggregate events).
Traffic for events is downloaded from the application database. Traffic can be stored in the database for registered NDR events if traffic saving is enabled for these events. The application can also directly save traffic in the database upon request to download traffic, using traffic dump files. These files are used for temporary storage and are automatically deleted as new traffic arrives (the rotation period depends on the amount of traffic and the application storage configuration). To guarantee the availability of traffic for download, we recommend enabling traffic saving for the relevant event types and configuring traffic storage in the database in accordance with the rate of traffic accumulation and the rate of event registration.
To download a traffic file for NDR events or aggregate events:
- In the Network traffic events section, select the NDR events and aggregate events for which you want to download traffic.
- Click Download traffic.
- If file generation takes a long time (more than 15 seconds), the file generation operation becomes a background operation. In that case, follow these steps to download the file:
- Click the button in the application web interface menu.
This opens the list of background operations.
- Wait for the file generation operation to complete.
- Click the Download file button.
- Click the
Your browser saves the downloaded file. Depending on your browser's settings, a window may be displayed on your screen in which you can specify the path and name of the downloaded file.
Creating a directory for exporting events to a network share
You can export events and save a file with exported events on a network share of the Server computer. For the network share, you can use the Network File System (NFS) protocol, which lets you mount a share of another computer (for example, an NFS server export point) in the local file system of the Server computer. The directory is created and the network share is mounted using standard tools of the operating system.
When using the NFS protocol, the rpcbind software package is activated in the operating system. Keep in mind that attackers may try to use this software package to carry out some types of DDoS attacks. To eliminate the threat of intrusion, you must configure the firewall. In CentOS Stream, we recommend using the firewalld utility to configure the firewall.
Manually creating a directory and mounting a network share
To create a directory for saving files to a network share:
- Open the console of your operating system.
- Create a local directory in which you will mount the network share. To do so, enter the following command:
mkdir <full path to the local directory>
For example:
mkdir ~/nfsshare
- After creating the directory, enter the command to mount the network share:
sudo mount -t nfs <name or IP address of the remote computer>:<full path to the network share> <full path to the local directory>
For example:
sudo mount -t nfs nfs-server.example:/nfsshare ~/nfsshare
- Confirm the success of the mounting:
mount | grep <full path to the local directory>
For example:
mount | grep ~/nfsshare
If the mount is successful, the displayed information contains the name or IP address of the remote computer, the name of the network share, and the name of the parent directory.
Automatically mounting a network share
To configure automatic mounting of a network share in the CentOS operating system:
Open the /etc/fstab file for editing as root and add the following line to the file:
<name or IP address of the remote computer>:<full path to the network share> <full path to the local directory> nfs defaults 0 0
For example:
nfs-server.example:/nfsshare /home/user1/nfsshare nfs defaults 0 0
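The manual and automatic mounting steps above, together with the note that rpcbind is activated with NFS and must be covered by the firewall, can be wrapped in a small set of helpers. The following is an added example, not code from the Kaspersky documentation or product: it builds and sanity-checks the /etc/fstab line, confirms a mount from the text of `mount`, and flags rpcbind (port 111) bound to all interfaces in `ss -Hlntu` output. The host, share and directory names and the sample command outputs are constructed.

```python
"""Added example, not code from the Kaspersky documentation: helpers for the NFS
export directory procedure above. They build and sanity-check the /etc/fstab
line, confirm a mount from the text of `mount`, and flag rpcbind (port 111)
bound to all interfaces in `ss -Hlntu` output, since the page notes that rpcbind
starts with NFS and must be covered by the firewall. The host, share and
directory names and the sample command outputs are constructed."""
import re
import subprocess

HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")

# Constructed sample of `mount` output after a successful mount.
SAMPLE_MOUNT_OUTPUT = """proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
nfs-server.example:/nfsshare on /home/user1/nfsshare type nfs4 (rw,relatime,vers=4.2)
"""

# Constructed samples of `ss -Hlntu` output (columns: Netid State Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_SS_EXPOSED = """tcp   LISTEN 0      4096         0.0.0.0:111       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:25        0.0.0.0:*
"""
SAMPLE_SS_LOCAL_ONLY = """tcp   LISTEN 0      4096       127.0.0.1:111       0.0.0.0:*
"""


def valid_params(server: str, export_path: str, local_dir: str) -> bool:
    """Reject values that would break the space-separated fstab format or use a
    relative directory: fstab does not expand ~, so the local path must be absolute."""
    if not HOST_RE.match(server):
        return False
    return all(p.startswith("/") and not re.search(r"[\s:]", p) for p in (export_path, local_dir))


def fstab_line(server: str, export_path: str, local_dir: str) -> str:
    """The /etc/fstab entry in the form the manual shows."""
    if not valid_params(server, export_path, local_dir):
        raise ValueError("invalid NFS mount parameters")
    return f"{server}:{export_path} {local_dir} nfs defaults 0 0"


def is_nfs_mounted(mount_output: str, local_dir: str) -> bool:
    """True if `mount` lists local_dir as an nfs or nfs4 mount of a remote share."""
    pattern = re.compile(r"^\S+:\S+ on " + re.escape(local_dir) + r" type nfs")
    return any(pattern.match(line) for line in mount_output.splitlines())


def rpcbind_exposed(ss_output: str) -> bool:
    """True if TCP or UDP port 111 is bound to a wildcard address (reachable from other hosts)."""
    for line in ss_output.splitlines():
        parts = line.split()
        if (len(parts) >= 5 and parts[0] in ("tcp", "udp")
                and re.match(r"^(0\.0\.0\.0|\*|\[::\]):111$", parts[4])):
            return True
    return False


def mount_share(server: str, export_path: str, local_dir: str) -> bool:
    """Run the manual's steps (mkdir, mount -t nfs, verify); needs root and a reachable server."""
    fstab_line(server, export_path, local_dir)  # validates the parameters first
    subprocess.run(["mkdir", "-p", local_dir], check=True)
    subprocess.run(["mount", "-t", "nfs", f"{server}:{export_path}", local_dir], check=True)
    output = subprocess.run(["mount"], capture_output=True, text=True, check=True).stdout
    return is_nfs_mounted(output, local_dir)


if __name__ == "__main__":
    print(fstab_line("nfs-server.example", "/nfsshare", "/home/user1/nfsshare"))
    print("rpcbind exposed:", rpcbind_exposed(SAMPLE_SS_EXPOSED))
```

Two points follow from the checks. The fstab line must use the absolute directory (`/home/user1/nfsshare` as in the manual's example) because `~` is only expanded by the shell, not by the mount at boot. And after mounting, a positive `rpcbind_exposed` result on the real `ss -Hlntu` output means port 111 is listening on every interface and the firewall rules the page asks for are not yet in place.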
Events database threat hunting
When managing the application web interface, you can generate search queries and use IOC and YAML files to search the events database for threats, for tenants to whose data you have access.
To form search queries through the events database, you can use builder mode or source code mode.
In builder mode, you can create and modify search queries using drop-down lists with options for the type of field value and operators.
In source code mode, you can create and modify search queries using text commands.
You can upload an IOC file or a YAML file with a Sigma rule and search for events in accordance with the conditions specified in this file.
Users with the Senior security officer, Security officer roles can also create TAA (IOA) rules based on event search conditions.
Searching events in builder mode
To define event search conditions in builder mode:
- Select the Threat Hunting section, Builder tab in the application web interface window.
This opens the event search form.
- In the drop-down list, select an event search criterion.
You can view a description of the event search criteria in the Event search criteria section.
- In the drop-down list, select an operator.
For a list of available operators, see the Operators section.
Each type of value of the field has its own relevant set of operators. For example, when the EventType field value type is selected, the = and != operators will be available.
- Depending on the selected type of field value, perform one of the following actions:
- In the field, specify one or several characters by which you want to perform an event search.
- In the drop-down list, select the field value option by which you want to perform an event search.
For example, to search for a full match based on a user name, enter the user name.
- If you want to add a new condition, use the AND or OR logical operator and repeat the necessary actions for adding a condition.
- If you want to add a group of conditions, click the Group button and repeat the actions necessary for adding conditions.
- If you want to delete a group of conditions, click the Remove group button.
- If you want to search events that occurred during a specific period, in the Any time drop-down list select one of the following event search periods:
- Any time if you want the table to display events found as far back as the records go.
- Last hour if you want the table to display events that were found during the last hour.
- Last day if you want the table to display events found during the last day.
- Custom range if you want the table to display events found during the period you specify.
- If you selected Custom range:
- In the calendar that opens, specify the start and end dates of the event display range.
- Click Apply.
The calendar closes.
- Click Search.
The table of events that satisfy the search criteria is displayed.
If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.
- Click the name of the server for which you want to view events.
The host table of the selected server is displayed. Event grouping levels are displayed above the table.
You can convert a query created in the builder into an event search query in source code mode.
Searching events in source code mode
To define event search conditions in source code mode:
- In the application web interface window, select the Threat Hunting section, Source code tab.
This opens a form containing the field for entering event search conditions in source code mode.
- Enter the event search conditions using criteria, operators, the logical operators OR and AND, and parentheses to group conditions. A search condition must conform to the following syntax:
<criterion> <operator> <criterion value>
Example:
EventType == 'filechange' AND
(
(
FileName == '*example*' OR
DllName == '*example*' OR
DroppedName == '*example*' OR
BlockedName == '*example*' OR
InterpretedFileName == '*example*' OR
InterpretedFiles.FileName == '*example*' OR
TargetName == '*example*' OR
HandleSourceName == '*example*' OR
HandleTargetName == '*example*'
) OR
UserName == '*example*'
)
You can use the autocomplete feature. To do so, place the cursor in the query line and press Ctrl+Space.
- If you want to search events that occurred during a specific period, click the Any time button and select one of the following event search periods:
- Any time if you want the table to display events found as far back as the records go.
- Last hour if you want the table to display events that were found during the last hour.
- Last day if you want the table to display events found during the last day.
- Custom range if you want the table to display events found during the period you specify.
- If you selected Custom range:
- In the calendar that opens, specify the start and end dates of the event display range.
- Click Apply.
The calendar closes.
- Click Search.
The table of events that satisfy the search criteria is displayed.
If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.
- Click the name of the server for which you want to view events.
The host table of the selected server is displayed. Event grouping levels are displayed above the table.
Converting a builder query for searching events in source code mode
You can convert a query created in the builder into an event search query in source mode.
When a query is converted, its syntax is adapted to searching for events in source code mode.
To convert a query:
- Select the Threat Hunting section, Builder tab in the application web interface window.
This opens the event search form.
- In the drop-down list, select an event search criterion.
You can view a description of the event search criteria in the Event search criteria section.
- In the drop-down list, select an operator.
For a list of available operators, see the Operators section.
Each type of value of the field has its own relevant set of operators. For example, when the EventType field value type is selected, the = and != operators will be available.
- Depending on the selected type of field value, perform one of the following actions:
- In the field, specify one or several characters by which you want to perform an event search.
- In the drop-down list, select the field value option by which you want to perform an event search.
For example, to search for a full match based on a user name, enter the user name.
- If you want to add a new condition, use the AND or OR logical operator and repeat the necessary actions for adding a condition.
- If you want to add a group of conditions, click the Group button and repeat the actions necessary for adding conditions.
- If you want to delete a group of conditions, click the Remove group button.
- If you want to search events that occurred during a specific period, in the Any time drop-down list select one of the following event search periods:
- Any time if you want the table to display events found as far back as the records go.
- Last hour if you want the table to display events that were found during the last hour.
- Last day if you want the table to display events found during the last day.
- Custom range if you want the table to display events found during the period you specify.
- If you selected Custom range:
- In the calendar that opens, specify the start and end dates of the event display range.
- Click Apply.
The calendar closes.
- Go to the Source code tab.
A warning is displayed telling you that the conversion is not reversible.
- Click Convert.
The query is converted into a query for searching events in source code mode.
Event search criteria
You can use the following criteria to search for events in builder mode:
- General information:
- Host is the host name.
- HostIP is the IP address of the host.
- EventType is the type of the event.
- UserName is the name of the user.
- OsFamily is the family of the operating system.
- OsVersion is the version of the operating system being used on the host.
- TAA properties:
- IOAId is the TAA (IOA) rule ID.
- IOATag is the information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
- IOATechnique is the MITRE technique.
- IOATactics is the MITRE tactic.
- IOAImportance is the importance level that is assigned to an event generated using this TAA (IOA) rule.
- IOAConfidence is the level of confidence depending on the likelihood of false alarms caused by the rule.
- File properties:
- CreationTime is the event creation time.
- FileName is the name of the file.
- FilePath is the path to the directory where the file is located.
- FileFullName is the full path to the file. Includes the path to the directory and the file name.
- ModificationTime is the file modification time.
- FileSize is the size of the file.
- MD5 is the MD5 hash of the file.
- SHA256 is the SHA256 hash of the file.
- SimilarDLLPath is the malicious DLL placed in a directory on the standard search path to make the operating system load it before the original DLL.
- Linux processes:
- LogonRemoteHost is the IP address of the host that initiated remote access.
- RealUserName is the name of the user assigned when the user was registered in the system.
- EffectiveUserName is the user name that was used to log in to the system.
- FileOwnerUserName is the name of the file owner.
- RealGroupName is the name of the user group.
- EffectiveGroupName is the name of the user group that is used for operation.
- Environment is system environment variables.
- ProcessType is the type of the process.
- OperationResult is the result of the operation.
- Process started:
- PID is the process ID.
- ParentFileFullName is the path to the parent process file.
- ParentMD5 is the MD5 hash of the parent process file.
- ParentSHA256 is the SHA256 hash of the parent process file.
- StartupParameters is the options that the process was started with.
- ParentPID is the parent process ID.
- ParentStartupParameters is the parent process startup settings.
- Remote connection:
- HTTPMethod is the HTTP request method. For example, Get, Post, or Connect.
- ConnectionDirection is the direction of the connection (inbound or outbound).
- LocalIP is the IP address of the local computer from which the remote connection attempt was made.
- LocalPort is the port of the local computer from which the remote connection attempt was made.
- RemoteHostName is the name of the computer that was the target of the remote connection attempt.
- RemoteIP is the IP address of the computer that was the target of the remote connection attempt.
- RemotePort is the port of the computer that was the target of the remote connection attempt.
- URL is the address of the resource to which the HTTP request was made.
- TlsVersion is the version of the protocol.
- TlsSni is the Server Name Indication, that is, the name of the resource to which the connection is being established.
- TlsCertificateMd5 is the MD5 hash of the TLS certificate.
- TlsCertificateSha1 is the SHA1 hash of the TLS certificate.
- TlsCertificateSubjectNames are the primary and secondary DNS names.
- TlsCertificateIssuerName is the name of the organization of the certificate owner.
- TlsCertificateSerialNumber is the serial number of the certificate.
- TlsCertificateCheckResult is the certificate verification result.
- TlsCipherSuite are the cipher suites of the certificate.
- TlsCertificateValidFrom is the date from which the certificate is valid.
- TlsCertificateValidTo is the date after which the certificate expires.
- DNS:
- DnsServerIpAddress is the IP address of the DNS server.
- DnsQueryDomainName is the domain name from the request.
- DnsAnswerData is the response data.
- DnsQueryTypeId is the record type ID.
- LDAP:
- LDAPSearchFilter is the search filter.
- LDAPSearchDistinguishedName is the distinguished name.
- LDAPSearchAttributeList is a list of search attributes.
- LDAPSearchScope is the search scope.
- Named pipe:
- PipeName is the named pipe.
- PipeOperationType is the type of the operation with the named pipe.
- WMI:
- WmiOperationType is the WMI operation type: WMI activity or WMI event consumer name.
- WmiHostName is the name of the machine.
- WmiUserName is the user name.
- WmiNamespaceName is the namespace.
- WmiQuery is the text of the query.
- WmiFilterName is the event filter.
- WmiConsumerName is the name of the event consumer.
- WmiConsumerText is the source code of the event consumer.
- Registry modified:
- RegistryKey is the registry key.
- RegistryValueName is the name of the registry value.
- RegistryValue is the data of the registry value.
- RegistryOperationType is the type of the operation with the registry.
- RegistryPreviousKey is the previous registry key.
- RegistryPreviousValue is the previous name of the registry value.
- System event log:
- WinLogEventID is the type ID of the security event in the Windows log.
- LinuxEventType is the type of the event. This criterion is used for Linux and macOS operating systems.
- WinLogName is the name of the log.
- WinLogEventRecordID is the log entry ID.
- WinLogProviderName is the ID of the system that logged the event.
- WinLogTargetDomainName is the domain name of the remote computer.
- WinLogObjectName is the name of the object that initiated the event.
- WinlogPackageName is the name of the package that initiated the event.
- WinLogProcessName is the name of the process that initiated the event.
- Detect and processing result:
- DetectName is the name of the detected object.
- RecordID is the ID of the triggered rule.
- ProcessingMode is the scanning mode.
- ObjectName is the name of the object.
- ObjectType is the type of the object.
- ThreatStatus is the detection mode.
- UntreatedReason is the event processing status.
- ObjectContent (for AMSI events too) is the content of the script sent for scanning.
- ObjectContentType (for AMSI events too) is the type of script content.
- Console interactive input:
- InteractiveInputText is the text entered on the command line.
- InteractiveInputType is the input type (console or pipe).
- File modified:
- FileOperationType is the type of the file operation.
- FilePreviousPath is the path to the directory where the file was previously located.
- FilePreviousName is the previous name of the file.
- FilePreviousFullName is the full name of the file including the path to the directory where the file was previously located and/or the previous file name.
- DroppedFileType is the type of the modified file.
- Code injection and process access:
- AccessMethod is the access method.
- InjectAddress is the address space of the recipient process.
- InjectedDllName is the name of the injected DLL.
- ModifiedStartupParameters are the modified startup parameters.
- InjectedDllPath is the path to the injected DLL.
- CallTrace is the call trace.
- TargetStartupParameters is the command that was used to start the recipient process.
- Process access:
- AccessOperationType is the operation type: Process access is open or Duplicate handle.
- ProccessAccessRights are the requested process access rights.
- HandleSourceStartupParameters is the command that starts the source handle.
- HandletargetStartupParameters is the command to start the target handle.
- Other:
- File type is the type of the file.
- TlsJa3Md5 contains decimal byte values for the following fields in the client hello packet: TLS version, cipher suite, list of TLS protocol extensions, elliptic curves, and elliptic curve formats.
- TlsJa3sMd5 contains decimal byte values for the following fields in the server hello packet: TLS version, cipher suite, and list of TLS protocol extensions.
- DotNetAssemblyName is the name of the .NET assembly.
- DotNetAssemblyFlags contains .NET assembly flags.
To view the list of event search fields in source code mode, you can download this file.
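An added example, not the product's code, showing how the TlsJa3Md5 and TlsJa3sMd5 values listed above are formed from the Client Hello and Server Hello fields the page names, following the public JA3 method; it is assumed the product computes them the same way, since the page only names the fields. Knowing the construction matters when comparing a fingerprint produced by another tool with the event field (for instance, GREASE handling differences cause mismatches).

```python
import hashlib
from typing import Iterable, Sequence


def is_grease(value: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa; RFC 8701) are randomised by
    clients per connection, so the public JA3 method drops them."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _join(values: Iterable[int]) -> str:
    """Decimal values joined by '-', GREASE entries removed."""
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3_string(version: int, ciphers: Sequence[int], extensions: Sequence[int],
               curves: Sequence[int], point_formats: Sequence[int]) -> str:
    """Client Hello fields in the order the page lists for TlsJa3Md5."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])


def ja3s_string(version: int, cipher: int, extensions: Sequence[int]) -> str:
    """Server Hello fields in the order the page lists for TlsJa3sMd5
    (the server selects exactly one cipher suite)."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def fingerprint(text: str) -> str:
    """The stored value is the MD5 of the comma-separated string."""
    return hashlib.md5(text.encode("ascii")).hexdigest()


# Constructed Client Hello (not a capture): TLS version 771 (0x0303), with
# GREASE entries sprinkled in the way real browsers do.
CLIENT_HELLO = dict(
    version=0x0303,
    ciphers=[0x1A1A, 4865, 4866, 4867, 49195, 49199],
    extensions=[0x3A3A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
    curves=[0x4A4A, 29, 23, 24],
    point_formats=[0],
)

# Constructed Server Hello answering it.
SERVER_HELLO = dict(version=0x0303, cipher=4865, extensions=[43, 51])


def client_fingerprint() -> str:
    """Value an analyst would compare with the TlsJa3Md5 event field."""
    return fingerprint(ja3_string(**CLIENT_HELLO))


def server_fingerprint() -> str:
    """Value an analyst would compare with the TlsJa3sMd5 event field."""
    return fingerprint(ja3s_string(**SERVER_HELLO))


if __name__ == "__main__":
    print("JA3 :", ja3_string(**CLIENT_HELLO), "->", client_fingerprint())
    print("JA3S:", ja3s_string(**SERVER_HELLO), "->", server_fingerprint())
```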
Operators
The operators that you can use for searching in builder mode and in source code mode are listed in the table below.
Operators that can be used for searching in builder mode and in source code mode
| Builder mode | Source code mode |
|---|---|
| = | == |
| != | NOT (example) |
| CONTAINS | ==*example* |
| !CONTAINS | NOT (example=='*example*') |
| STARTS | =='example*' |
| !STARTS | NOT (example=='example*') |
| ENDS | =='*example' |
| !ENDS | NOT (example=='*example') |
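An added example, not the product's code, that turns builder-mode conditions into the source code mode syntax from the operators table above, including AND/OR groups, and checks a query against the IOA fields the page later says to avoid when saving a search as a TAA (IOA) rule. Assumptions: "!=" renders as NOT (field=='value') by analogy with the other negated forms, CONTAINS quotes its wildcard value the way STARTS and ENDS do, and the EventType value is the event type name as displayed in the event table.

```python
from __future__ import annotations

from dataclasses import dataclass, field as dc_field
from typing import List, Set, Union

# Builder-mode operator -> source code mode template, from the operators
# table on this page ("{f}" = field name, "{v}" = value).
# Assumptions: "!=" renders as NOT (field=='value') (the page shows it
# truncated as "NOT (example)"); CONTAINS quotes its wildcard value.
OPERATOR_TEMPLATES = {
    "=": "{f}=='{v}'",
    "!=": "NOT ({f}=='{v}')",
    "CONTAINS": "{f}=='*{v}*'",
    "!CONTAINS": "NOT ({f}=='*{v}*')",
    "STARTS": "{f}=='{v}*'",
    "!STARTS": "NOT ({f}=='{v}*')",
    "ENDS": "{f}=='*{v}'",
    "!ENDS": "NOT ({f}=='*{v}')",
}

# Fields the page says to avoid in a search that will be saved as a
# user-defined TAA (IOA) rule.
TAA_RULE_UNSAFE_FIELDS = {
    "IOAId", "IOATag", "IOATechnique", "IOATactics",
    "IOAImportance", "IOAConfidence",
}


@dataclass
class Condition:
    """One row of the builder form: field, comparison operator, value."""
    field: str
    operator: str
    value: str

    def render(self, nested: bool = False) -> str:
        if self.operator not in OPERATOR_TEMPLATES:
            raise ValueError(f"unknown builder operator: {self.operator!r}")
        # The page does not document escaping inside quoted values, so refuse
        # a value that would break the quoting rather than guess a syntax.
        if "'" in self.value:
            raise ValueError("values containing a single quote are not supported")
        return OPERATOR_TEMPLATES[self.operator].format(f=self.field, v=self.value)

    def fields(self) -> Set[str]:
        return {self.field}


@dataclass
class Group:
    """A builder-mode group: conditions or sub-groups joined by AND or OR."""
    logic: str
    items: List[Union[Condition, "Group"]] = dc_field(default_factory=list)

    def render(self, nested: bool = False) -> str:
        if self.logic not in ("AND", "OR"):
            raise ValueError(f"logical operator must be AND or OR, got {self.logic!r}")
        if not self.items:
            raise ValueError("a group must contain at least one condition")
        parts = [item.render(nested=True) for item in self.items]
        text = f" {self.logic} ".join(parts)
        # Sub-groups are parenthesised so an OR inside an AND keeps its
        # meaning; the top-level group is emitted bare.
        return f"({text})" if nested and len(parts) > 1 else text

    def fields(self) -> Set[str]:
        used: Set[str] = set()
        for item in self.items:
            used |= item.fields()
        return used


def taa_rule_warnings(query: Union[Condition, Group]) -> List[str]:
    """Names the fields the page says not to use when saving the search as a
    TAA (IOA) rule, so the check can run before clicking Save."""
    return sorted(query.fields() & TAA_RULE_UNSAFE_FIELDS)


def office_spawns_shell() -> Group:
    """Constructed hunt: Process started events whose parent is winword.exe
    and whose file name ends in a shell interpreter. Assumption: EventType
    takes the event type name as shown in the event table."""
    return Group("AND", [
        Condition("EventType", "=", "Process started"),
        Condition("ParentFileFullName", "ENDS", "winword.exe"),
        Group("OR", [
            Condition("FileName", "ENDS", "powershell.exe"),
            Condition("FileName", "ENDS", "cmd.exe"),
        ]),
    ])


if __name__ == "__main__":
    query = office_spawns_shell()
    print(query.render())
    # Adding a TAA-only field makes the saved-rule check fire.
    tagged = Group("AND", [query, Condition("IOATag", "CONTAINS", "Office")])
    print("avoid in saved TAA rule:", taa_rule_warnings(tagged))
```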
Sorting events in the table
You can sort events in the table by the Event time, Event type, Host, and User name columns.
To sort events in the event table:
- Select the Threat Hunting section in the application web interface window.
This opens the Threat Hunting window.
- Define the criteria for searching events in builder mode or source code mode.
The table of events that satisfy the search criteria is displayed.
- If you want to sort events by time, click one of the icons to the right of the Event time column name:
to display newer events at the top of the table.
to display older events at the top of the table.
- If you want to sort events by the event type name, click one of the icons to the right of the Event type column heading:
to sort alphabetically, A–Z.
to sort alphabetically, Z–A.
- If you want to sort events based on the names of the hosts on which the alerts were generated, click one of the icons to the right of the Host column name:
to sort alphabetically, A–Z.
to sort alphabetically, Z–A.
- If you want to sort events based on the user names of hosts, click one of the icons to the right of the User name column name:
to sort alphabetically, A–Z.
to sort alphabetically, Z–A.
- If you want to group events based on the names of hosts or by the event type name, click one of the values in the Group by drop-down list:
- Group by host name if you want to group events by the names of hosts.
- Group by event type if you want to group events by the names of event types.
If events were sorted by the Host or Event type field, the sorting result is cleared when events are grouped by the same attribute. To return to the sorting results, select the Group by value from the Group by drop-down list.
By default, events in the table are sorted by time, with the newest events at the top of the table.
You can sort events based on one attribute only.
When sorting by event type in a foreign language, events are sorted based on the internal name of the event type in English.
Changing the event search conditions
To change the event search conditions, perform the following actions in the Threat Hunting section of the application web interface window:
- Click the form containing the event search conditions in the upper part of the window.
- Select one of the following tabs:
- Builder if you want to edit the event search conditions in builder mode.
- Source code, if you want to change the event search conditions in source code mode.
- Make the relevant changes.
- Click one of the following buttons:
- Refresh, if you want to refresh the current event search with the new conditions.
- New search, if you want to perform a new event search.
The table of events that satisfy the search criteria is displayed.
Searching for events by processing results in EPP applications
To search for events by processing results in EPP applications in builder mode:
- Select the Threat Hunting section, Builder tab in the application web interface window.
This opens the event search form.
- To search events by processing status:
- In the search criteria drop-down list in the Detect and processing result group, select ThreatStatus.
- In the drop-down list of comparison operators, select one of the following options:
- = (equals)
- != (does not equal)
- In the drop-down list of event processing status, select one of the following options:
- Object clean.
- Object disinfected.
- False positive.
- Object added by user.
- Object added to exclusions.
- Object deleted.
- Object quarantined.
- Object not found.
- Object rolled back.
- Object cannot be processed.
- Object not processed.
- Processing terminated.
- Unknown.
- To search events by reasons why they were not processed:
- In the search criteria drop-down list in the Detect and processing result group, select UntreatedReason.
- In the drop-down list of comparison operators, select one of the following options:
- = (equals)
- != (does not equal)
- In the drop-down list of reasons why the events were not processed, select one of the following options:
- Object already processed.
- Application is running in Report only mode.
- Failed to back up object.
- Failed to copy object.
- Device not ready.
- Object blocked.
- No rights to perform action.
- Object not curable.
- Object not overwritable.
- Object not found.
- No free space on disk.
- Processing canceled.
- Processing postponed.
- Processing task stopped.
- Error reading data.
- Reason unknown.
- This is a critical system object.
- Data write error.
- Data write not supported.
- Object write-protected.
- If you want to add a new condition, use the AND or OR logical operator and repeat the necessary actions for adding a condition.
- If you want to add a group of conditions, click the Group button and repeat the actions necessary for adding conditions.
- If you want to delete a group of conditions, click the Remove group button.
- If you want to search events that occurred during a specific period, in the Any time drop-down list select one of the following event search periods:
- Any time if you want the table to display events found as far back as the records go.
- Last hour if you want the table to display events that were found during the last hour.
- Last day if you want the table to display events found during the last day.
- Custom range if you want the table to display events found during the period you specify.
- If you have selected the Custom range display period for found events:
- In the calendar that opens, specify the start and end dates of the event display range.
- Click Apply.
The calendar closes.
- Click Search.
The table of events that satisfy the search criteria is displayed.
Searching for events using conditions specified in an IOC or YAML file
When creating an IOC file, review the list of IOC terms that you can use to search for events in the Threat Hunting section. You can view the list of supported IOC terms by downloading the file from the link below.
IOC terms for searching events in the Threat Hunting section
To search for events using conditions specified in an IOC or YAML file:
- Select the Threat Hunting section in the application web interface window.
This opens the event search form.
- Click Import.
This opens the file selection window.
- Select the file that you want to upload and click Open.
The file is uploaded.
On the Source code tab, the form containing event search conditions will display the conditions defined in the uploaded file.
You can search for events that match these conditions. You can also change the conditions defined in an uploaded file, or add event search conditions in source code mode.
- If you want to search events that occurred during a specific period, click the Any time button and select one of the following event search periods:
- Any time if you want the table to display events found as far back as the records go.
- Last hour if you want the table to display events that were found during the last hour.
- Last day if you want the table to display events found during the last day.
- Custom range if you want the table to display events found during the period you specify.
- If you have selected the Custom range display period for found events:
- In the calendar that opens, specify the start and end dates of the event display range.
- Click Apply.
The calendar closes.
- Click Search.
An event table is displayed that corresponds to criteria specified in the uploaded file.
Creating a TAA (IOA) rule based on event search conditions
To create a TAA (IOA) rule based on event search conditions:
- Select the Threat Hunting section in the application web interface window.
This opens the event search form.
- Perform an event search in builder mode or source code mode.
- Click Save as TAA (IOA) rule.
This opens the New TAA (IOA) rule window.
- In the Name field, type the name of the rule.
- Click Save.
The event search condition will be saved. In the TAA (IOA) rule table in the Custom rules section, TAA subsection of the web interface, the new rule is displayed with the specified name.
If you want to save event search conditions as a user-defined TAA (IOA) rule, avoid using the following fields:
- IOAId.
- IOATag.
- IOATechnique.
- IOATactics.
- IOAImportance.
- IOAConfidence.
At the time of saving the user-defined TAA (IOA) rule, the application may not have any events containing data for these fields. When events with this data turn up later, the user-defined rule that you created earlier will be unable to mark events by these fields.
Users with the Security auditor and Security officer roles cannot create TAA (IOA) rules based on event search conditions.
Event information
If you are using the distributed solution and multitenancy mode, when managing the application using the web interface, you can view event information for those tenants to whose data you have access.
Event information displays local timestamps of the Endpoint Agent computer that detected the event. The application administrator must make sure the time on computers with the Endpoint Agent component is current.
To enable the display of events for all tenants:
- Select the Threat Hunting section in the application web interface window.
- Turn on the Search in all tenants toggle switch.
The table of events displays events for all tenants.
Recommendations for processing events
For users with the Senior security officer role, the event window displays buttons with the actions available for handling this event in the box between the event tree and the information text.
You can perform the following actions:
- Isolate <host name> – isolate the host with the Endpoint Agent component where the event was detected from the network. Applies to all event types.
- Create prevention rule – prohibit the execution of the file that was detected in the event. Applies to all event types except System event log.
- Create task — create a task. Applies to all event types except System event log.
Additionally, you can process the event by clicking the link with the name, path, MD5 or SHA256 hash of the file and the host name while viewing text information about the event in the lower part of the window.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Filter by this value.
- Exclude from filter.
- Find on Kaspersky TIP.
- Find events.
- Find alerts.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Users with the Security auditor and Security officer roles are not shown recommendations for processing events.
Following a recommendation to isolate a host
To follow a recommendation to isolate a host from the network:
- In the recommendation box, select Isolate <host name>.
This opens the host isolation settings window for the host from the event you are working on.
- In the Disable isolation after field, enter the time in hours (1 to 9999) during which network isolation of the host will be active.
- In the Exclusions for the host isolation rule settings group, in the Traffic direction list, select the direction of network traffic that must not be blocked:
- Incoming/Outgoing.
- Incoming.
- Outgoing.
- In the IP field, enter the IP address whose network traffic must not be blocked.
If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, you can use a proxy server for the connection of Kaspersky Endpoint Agent for Windows with Kaspersky Anti Targeted Attack Platform. When you add this proxy server to exclusions, network resources that can be accessed through the proxy server are also added to exclusions. If network resources that are accessed through the proxy server are added to exclusions, but the proxy server itself is not, such exclusions do not work.
- If you selected Incoming or Outgoing, in the Ports field enter the connection ports.
- If you want to add more than one exclusion, click Add and repeat the steps to fill in the Traffic direction, IP and Ports fields.
- Click Save.
Information about host isolation is displayed in the Endpoint Agents section of the web interface.
You can also create a network isolation rule by clicking the Isolate <host name> link in the alert information and in the Endpoint Agents section of the web interface.
Users with the Security auditor and Security officer roles cannot isolate a host from the network.
Following a recommendation to prevent a file from running
To follow a recommendation to prevent a file from running:
- In the recommendations box, select Create prevention rule.
This opens the prevention rule creation window with the MD5 or SHA256 hash of the file from the event you are working on.
- Configure the following settings:
- State is the state of the prevention rule:
- If you want to enable the prevention rule, set the toggle switch to On.
- If you want to disable the prevention rule, set the toggle switch to Off.
- Name is the name of the prevention rule.
- If you want the application to display a notification about prevention rule triggering to the user of the computer on which the prevention is applied, select the Notify user about blocking file execution check box.
- If you want to change the scope of the prevention rule, configure the Prevent on setting:
- If you want to apply the prevention rule on all hosts of all servers, select All hosts.
- If you want to apply the prevention rule on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to apply the prevention rule.
This option is available only when distributed solution and multitenancy mode is enabled.
- If you want to apply the prevention rule on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
- Click Add.
The file run prevention is created.
Information about the created prevention is displayed in the Prevention section of the web interface.
If you selected the Notify user about blocking file execution check box and an attempt is made to execute a file prevented from running, the user is notified that an execution prevention rule was triggered by this file.
Users with the Security auditor and Security officer roles cannot prevent file execution.
Following a recommendation to create a task
To follow a recommendation to create a task:
- Click Create task, and in the recommendation box, expand the list of task types.
- Select a task type:
- Kill process.
- Get forensics.
- Start YARA scan.
- Manage services.
- Get process memory dump.
- Get NTFS metafiles.
- Run application.
- Get file.
- Delete file.
- Quarantine file.
- Restore file from quarantine.
This opens the task creation window with preset values (for example, host name, file path, MD5 or SHA256 hash of the file) from the event you are working on.
- If you want to modify preset values from the event, edit the corresponding fields.
- If you want to add a comment for the task, enter it in the Description box.
- If you are creating a Kill process, Delete file, Start YARA scan, or Manage services task and you want to modify the scope of the task, change the value of the Task for setting:
- If you want to run the task on all hosts of all servers, select the All hosts option.
- If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.
This option is available only when distributed solution and multitenancy mode is enabled.
- If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
- Click Add.
The task is created.
Information about the created task is displayed in the Tasks section of the web interface.
Users with the Security auditor and Security officer roles cannot create tasks.
Information about events in the tree of events
The tree of events is displayed in the upper part of the event information window.
The tree of events contains the following information:
- The event for which you are viewing information.
The event you are viewing is displayed on the right side.
- The parent process.
The parent process is displayed to the left of the event you are viewing. If the event you are viewing does not have a parent process, the host name where the event was registered is displayed instead.
Clicking the name of the parent process on the left side displays the process that has initiated the process in question and is a parent process with regard to that process. If there is no parent process, the host name is displayed instead.
To the right of each parent process name, the total number of events generated by this process is displayed. You can view the list of events and information about the selected event.
Viewing parent process information in the tree of events
To display parent process information for the event being viewed:
- Perform an event search in builder mode or source code mode.
The event table is displayed.
- Select the event whose information you want to view.
This opens a window containing information about the event. The upper part of the window displays the tree of events.
- Click the .
In the bottom part of the window, the Details tab displays information about the process that is the parent process with regard to the event being viewed.
Viewing information about events initiated by the parent process in the tree of events
To view the table of all events initiated by the parent process:
- Perform an event search in builder mode or source code mode.
The event table is displayed.
- Select the event whose information you want to view.
This opens a window containing information about the event. The upper part of the event information window displays the tree of events.
- Click the name of the parent process in the event tree.
In the bottom part of the window, the Details tab displays information about the event that is the parent event with regard to the event being viewed.
- Go to the Events tab.
A table of all events initiated by the parent process is displayed. By default, events in the table are sorted by time, with the newest events at the top of the table.
You can view event information by clicking the row of the relevant event. The event node is displayed in the tree of events.
To display the event table grouped by type:
- Perform an event search in builder mode or source code mode.
The event table is displayed.
- Select the event whose information you want to view.
This opens a window containing information about the event. The upper part of the event information window displays the tree of events.
- Click the drop-down list to the right of the parent process name in the tree of events.
A list of all events initiated by the parent process is displayed. By default, the events in the list are grouped by type.
- In the tree of events, in the drop-down list to the right of the parent process name, select one of the following options:
- If you want to display all events initiated by the parent process, click All events.
A table of all events initiated by the parent process is displayed. By default, events in the table are sorted by time, with the newest events at the top of the table.
- If you want to view all events of a particular type initiated by the parent process, select the name of the relevant event type.
A table of all events initiated by the parent process is displayed, grouped by type.
You can view event information by clicking the row of the relevant event. The event is displayed in the tree of events.
Viewing host information in the tree of events
If the event that you are viewing or the parent process do not have a process that initiated it, the process node in the tree of events is replaced with the node of the host where the event was registered or the parent process was running.
To view information for the host where the event was registered or the parent process was started:
- Perform an event search in builder mode or source code mode.
The event table is displayed.
- Select the event whose information you want to view.
This opens a window containing information about the event. The upper part of the window displays the tree of events.
- Click the host name in the tree of events.
The bottom part of the window displays information about the host where the event was registered or the parent process was running.
Viewing the table of events
The events table is displayed in the Threat Hunting section of the application web interface window after a search of the events database is complete. You can sort events in the table by the Event time, Event type, Host, and User name columns.
If you are using the distributed solution and multitenancy mode, events in the table are grouped by hosts of the selected servers and tenants.
The table of events contains the following information:
- Event time—Date and time when the event was detected.
- Event type, for example, Process started.
- Host name—Name of the host on which the alert was generated.
- Details—Information about the event.
- User name—Name of the user on the computer with the Endpoint Agent component whose user account was used to detect the event.
In the events table, the Details column displays the set of data for each type of event in the Event type column (see the table below).
Set of data in the Details column for each event type in the Event type column
| Event type | Details |
|---|---|
| Process started | Name of the process file that was started. SHA256 and MD5 hashes. |
| Module loaded | Name of the dynamic library that was loaded. SHA256 and MD5 hashes. |
| Connection to remote host | URL to which a remote connection attempt was made. Name of the file that attempted to establish a remote connection. |
| Blocked application (prevention rule) | Name of the file of the application that was blocked from starting. SHA256 and MD5 hashes. |
| Document blocked | Name of the document that was blocked from starting. SHA256 and MD5 hashes. |
| File changed | Name of the created file. SHA256 and MD5 hashes. |
| System event log | Channel for recording events in the system log. Event type ID. |
| Registry modified | Name of key in registry. |
| Port listened | Server address and port. Name of the file of the process that listens to the port. |
| Driver loaded | File name of the driver that has been loaded. SHA256 and MD5 hashes. |
| Detection | Name of the file in which the object was detected. Name of the detected object. SHA256 and MD5 hashes. |
| Detection processing result | Name of the file in which the object was detected. Name of the detected object. SHA256 and MD5 hashes. |
| AMSI scan | Name of the scanned object. Type of the script. Text of the script sent to be scanned. |
| Process: interpreted file run | Name of the file that was run. SHA256 and MD5 hashes. |
| Process: console interactive input | Command text. |
| Process terminated | File name of the stopped process. SHA256 and MD5 hashes. |
| DNS | Name of the domain being looked up. Resource record type ID. |
| LDAP | Search scope and filter. |
| Named pipe | Pipe name. Pipe operation type. |
| WMI | WMI operation type. Event consumer source code. |
| Code injection | File name of the target process or name of the dynamic-link library that contains the hook procedure and the name of the function to which control is passed after injection. Method of access to the target process file. SHA256 and MD5 hashes of the target process file. |
| Process access | Name of the recipient process file. Importance of the event. Type of operation performed on the process file. Process access permissions. |
If you are using Kaspersky Endpoint Agent as the Endpoint Agent component, information about the AMSI scan event is available when Kaspersky Anti Targeted Attack Platform is integrated with Kaspersky Endpoint Agent for Windows 3.10 or later and when Kaspersky Endpoint Agent is integrated with Kaspersky Endpoint Security for Windows 11.5 or later. If Kaspersky Endpoint Security for Windows is not installed on the computer and is not integrated with Kaspersky Endpoint Agent, information about the AMSI scan event is not logged in the event database and is not displayed in the Kaspersky Anti Targeted Attack Platform web interface.
If Kaspersky Endpoint Agent is used in the role of the Endpoint Agent component, the Central Node server generates Detection and Detection processing result events based on data received from EPP applications. If EPP applications are not installed on the computer and are not integrated with Kaspersky Endpoint Agent, information about these events is not logged in the event database and is not displayed in the Kaspersky Anti Targeted Attack Platform web interface.
Clicking the link with the name of the event type, data, additional information and user name opens a list in which you can select the action to perform on the object. Depending on the value in the cell, you can do one of the following:
- For all values in the cell:
- Filter by this value.
- Exclude from filter.
- Copy value to clipboard.
- Host name:
- File name:
- MD5 hash:
- SHA256 hash:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Create prevention rule.
- Find in Storage.
Configuring the event table display
You can show or hide columns and change the order of columns in the event table.
To configure the event table display:
- Perform an event search in design mode or source code mode.
The event table is displayed.
- In the heading part of the table, click
.
This opens the Customize table window.
- If you want to show a column in the table, select the check box next to the name of the parameter that you want displayed in the table.
If you want to hide a parameter in the table, clear the check box.
At least one check box must be selected.
- If you want to change the order of columns in the table, move the mouse cursor to the row with the relevant parameter, click
and move the row to its new place.
- If you want to restore default table display settings, click Default.
- Click Apply.
The display of the event table is configured.
Viewing information about an event
To view event details:
- In the application web interface window, select the Threat Hunting section, Builder or Source code tab.
This opens the event search form.
- If you are using the distributed solution and multitenancy mode and want to enable the display of events for all tenants, turn on the Search in all tenants toggle switch.
- Perform an event search in builder mode or source code mode.
The event table is displayed.
- Select the event whose information you want to view.
This opens a window containing information about the event.
Information about the "Process started" event
The window displaying information about Process started events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Process started section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- File—Process file name.
- Process ID—Process identifier.
- Launch parameters—Process startup settings.
If the event was logged in the event database by Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac, instead of the Launch parameters field, the Command field is displayed, that is, the command that was used to run the process.
- Current directory—Current directory of the process
- MD5—MD5 hash of the process file.
- SHA256—SHA256 hash of the process file.
- Size—Size of the process file.
- File type—Type of the process file.
- Event time—Process start time.
- Attributes modification time—Time when the attributes of the process file were changed.
- Time created—Process file creation time.
- Time modified—Time of last modification of the process file.
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
- Details section:
- Application name—For example, the name of the operating system.
- Vendor—For example, vendor of the operating system.
- File description—For example, Example File.
- Original file name—For example, ExampleFile.exe.
- Signature subject—Organization that issued the digital certificate of the file.
- Signature validation result—For example, "Invalid" or "OK".
- Attributes—File attribute in accordance with the Windows classification. For example, A (archive), D (directory), or S (system file).
If the event was logged in the event database by Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac, the Details section also includes the following fields:
- Attributes—Attributes of the process file.
- Process type—For example, exec.
- Environment variables—Environment variables of the process.
- Real user name—Name of the user assigned when registering in the system.
- Real group name—Group to which the user belongs.
- Effective user name—User name that was used to log in to the system.
- Effective group name—Group of the user whose name was used to log in to the system.
- Owner user name—Name of the user that created the process file.
- Owner group name—Name of the group whose users can modify or delete the file of the process.
- File permitted capabilities—Permissions that can be used to gain access to the process file. This field is not displayed if the event was recorded by Kaspersky Endpoint Security for Mac.
- File inheritable capabilities—Permissions that a user group has to perform operations on the parent directory of the process file. This field is not displayed if the event was recorded by Kaspersky Endpoint Security for Mac.
- File effective capabilities—Permissions that are relevant to the process file at the current moment. This field is not displayed if the event was recorded by Kaspersky Endpoint Security for Mac.
- Downloaded from URL—URL from which the process file was downloaded.
- Source—Metadata of the message from which the process file was obtained.
- Account properties—Flags of the user account that ran the process.
- Process creation flags—Process creation flags.
- Symbolic link—Path to the symbolic link.
- Call trace—Call stack.
- Event initiator section:
- File—Path to the parent process file.
- Process ID—Identifier of the parent process.
- Launch parameters—Parent process startup settings.
If the event was logged in the event database by Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac, instead of the Launch parameters field, the Command field is displayed, that is, the command that was used to run the parent process.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- System info section:
- Host name—Name of the host on which the process was started.
- Host IP—IP address of the host on which the process was started.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User account type—Type of the account that ran the process. For example, administrator.
- Logon type—For example, using a running service.
- User name—Name of the user that started the process.
- OS version—Version of the operating system that is being used on the host.
If the event was logged in the event database by Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac, the System info section also displays the Logon from remote host field, which contains the name of the host from which the remote logon was performed.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac recorded in the event database, you can click the links with the file name or file path to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the Get file task.
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Linux recorded in the event database, you can click the link with the host name to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Kill process.
- Delete file.
- Get file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Mac recorded in the event database, you can click the links with the file name or file path to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the Get file task.
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Information about the "Process terminated" event
The window displaying information about Process terminated events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Process terminated section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- File—Process file name.
- Process ID—Process identifier.
- Launch parameters—Process startup settings.
If the event was logged in the event database by Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac, instead of the Launch parameters field, the Command field is displayed, that is, the command that was used to run the process.
- MD5—MD5 hash of the process file.
- SHA256—SHA256 hash of the process file.
- Size—Size of the process file.
- Event time—Process termination time.
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
- Event initiator section:
- File—Path to the parent process file.
- Process ID—Identifier of the parent process.
- Launch parameters—Parent process startup settings.
If the event was logged in the event database by Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac, instead of the Launch parameters field, the Command field is displayed, that is, the command that was used to run the parent process.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- System info section:
- Host name—Name of the host on which the process was started.
- Host IP—IP address of the host on which the process was started.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User account type—Type of the account that terminated the process. For example, administrator.
- User name—Name of the user that started the process.
- OS version—Version of the operating system that is being used on the host.
If the event was logged in the event database by Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac, the System info section also displays the Logon from remote host field, which contains the name of the host from which the remote logon was performed.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac recorded in the event database, you can click the links with the file name or file path to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the Get file task.
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Linux recorded in the event database, you can click the link with the host name to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Kill process.
- Delete file.
- Get file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Mac recorded in the event database, you can click the links with the file name or file path to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the Get file task.
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Information about the "Module loaded" event
The window displaying information about Module loaded events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Module loaded section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- File—Name of the loaded module file.
- MD5—MD5 hash of the loaded module file.
- SHA256—SHA256 hash of the loaded module file.
- DLL file type—Type of the loaded module.
- Size—Size of the loaded module.
- Event time—Time when the module was loaded.
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
- Details section:
- Application name—For example, name of the operating system.
- Vendor—For example, vendor of the operating system.
- File description—For example, Example File.
- Original file name—For example, Example File.
- Zone ID—
- Signature subject—Organization that issued the digital certificate of the loaded module.
- Signature validation result—For example, "Signature invalid" or "Signature OK".
- Digital signature time—Signing time of the loaded module.
- File attributes modified—Attribute modification time of the loaded module.
- Time created—Creation time of the loaded module.
- Time modified—Date of last modification of the loaded module.
- .NET assembly name—Name of the .NET assembly of the loaded module.
- .NET assembly flags—Flags of the .NET assembly of the loaded module.
- .NET module flags—Flags of the loaded module.
- Next DLL in bypass path—The field contains the path to the DLL library that could have been loaded instead of the existing library.
The field is displayed if the following conditions are satisfied:
- The source of the loaded DLL is not trusted.
- A folder in the standard search path contains a library with the same name but a different hash.
If you are using Kaspersky Endpoint Agent as the Endpoint Agent component, Kaspersky Anti Targeted Attack Platform receives the data required to populate the Next DLL in bypass path field only when Kaspersky Anti Targeted Attack Platform is integrated with Kaspersky Endpoint Agent 3.10 for Windows. When the application is integrated with older versions of Kaspersky Endpoint Agent, the field is not displayed in the event information.
- Event initiator section:
- File—Path to the parent process file.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- System info section:
- Host name—Name of the host on which the module was loaded.
- Host IP—IP address of the host on which the module was loaded.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—Name of the user that loaded the module.
- OS version—Version of the operating system being used on the host.
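The two conditions behind the Next DLL in bypass path field, reproduced over a constructed directory tree. This is an added example, not code from Kaspersky Anti Targeted Attack Platform or Kaspersky Endpoint Agent; the search order (application folder, then system folder) and the "trusted" flag are assumptions passed in by the caller, and the file contents are constructed.

```python
"""Added example: when would "Next DLL in bypass path" be shown for a loaded module?"""
import hashlib
import os
import shutil
import tempfile
from typing import Optional, Sequence


def sha256_of(path: str) -> str:
    """SHA256 of a file, the hash the event information reports for modules."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def next_dll_in_bypass_path(loaded_path: str, search_dirs: Sequence[str],
                            loaded_is_trusted: bool) -> Optional[str]:
    """Return the path the field would show, or None when it is not displayed.

    The field appears only when (1) the source of the loaded DLL is not trusted
    and (2) a folder in the standard search path contains a library with the
    same name but a different hash. Folders are walked in search order (assumed
    to be supplied by the caller); the first differing copy is reported.
    """
    if loaded_is_trusted:
        return None
    name = os.path.basename(loaded_path)
    loaded_hash = sha256_of(loaded_path)
    loaded_abs = os.path.abspath(loaded_path)
    for directory in search_dirs:
        candidate = os.path.join(directory, name)
        if not os.path.isfile(candidate):
            continue
        if os.path.abspath(candidate) == loaded_abs:
            continue  # this is the copy that was actually loaded
        if sha256_of(candidate) != loaded_hash:
            return candidate
    return None


def demo() -> dict:
    """Constructed scenario: an untrusted copy of example.dll in the application
    folder shadows a different copy in a simulated system folder."""
    root = tempfile.mkdtemp(prefix="bypass_path_demo_")
    try:
        app_dir = os.path.join(root, "app")
        system_dir = os.path.join(root, "system32")
        os.makedirs(app_dir)
        os.makedirs(system_dir)
        loaded = os.path.join(app_dir, "example.dll")
        shadowed = os.path.join(system_dir, "example.dll")
        # Constructed contents; real modules would be PE images.
        with open(loaded, "wb") as fh:
            fh.write(b"replacement library with unknown origin")
        with open(shadowed, "wb") as fh:
            fh.write(b"library shipped with the system")
        # Assumed search order: application directory first, then system directory.
        search_order = [app_dir, system_dir]
        untrusted = next_dll_in_bypass_path(loaded, search_order, loaded_is_trusted=False)
        trusted = next_dll_in_bypass_path(loaded, search_order, loaded_is_trusted=True)
        # Make both copies byte-identical: same hash, so no bypass candidate.
        with open(loaded, "wb") as fh:
            fh.write(b"library shipped with the system")
        identical = next_dll_in_bypass_path(loaded, search_order, loaded_is_trusted=False)
        return {
            "untrusted": untrusted,
            "untrusted_points_at_shadowed_copy": untrusted == shadowed,
            "trusted": trusted,
            "identical": identical,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```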
Clicking the link with the file name or file path in the Module loaded section opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the link with the file name or file path in the Event initiator section opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Information about the "Remote connection" event
The window displaying information about Connection to remote host events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Connection to remote host section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- Connection direction—Direction of the connection (inbound or outbound).
- Remote IP—IP address of the host to which a remote connection attempt was made.
- Local IP—IP address of the local computer from which a remote connection attempt was made.
- Event time—Time of the remote connection attempt.
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
- TLS section:
- Version—Version of the protocol.
- SNI—Name of the website to connect to.
- Encrypted SNI—Encrypted name of the website.
- Certificate MD5—MD5 hash of the certificate file.
- Certificate SHA1—SHA1 hash of the certificate file.
- Certificate issuer name—Name of the organization that signed the certificate.
- Serial number—Unique number of the certificate.
- Certificate verification result—Result of certificate verification.
- Certificate valid from—Date from which the certificate is valid.
- Certificate valid to—Date after which the certificate expires.
- JA3—Decimal byte values for the following fields in the client hello packet: TLS version, cipher suites, list of TLS protocol extensions, elliptic curves, and elliptic curve formats. Fields are delimited by the "," character; values within a field are delimited by the "-" character.
- JA3S—Decimal byte values for the following fields in the server hello packet: TLS version, cipher suite, and list of TLS protocol extensions. Fields are delimited by the "," character; values within a field are delimited by the "-" character.
- JA3 MD5—JA3 fingerprint.
- JA3S MD5—JA3S fingerprint.
- Event initiator section:
- File—Name of the parent process file.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- System info section:
- Host name—Host name from which a remote connection attempt was made.
- Host IP—IP address of the host from which a remote connection attempt was made.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—Name of the user that attempted to establish a remote connection.
- OS version—Version of the operating system being used on the host.
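How the JA3, JA3S, JA3 MD5 and JA3S MD5 values in the TLS section are derived from the hello packets, as an added example (not code from Kaspersky Anti Targeted Attack Platform). The hello fields are assumed to be already parsed to integers; the sample handshake values are constructed, and GREASE values are dropped as the JA3 specification requires.

```python
"""Added example: build JA3/JA3S strings and their MD5 fingerprints."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ..., 0xfafa) are random per
    handshake, so JA3/JA3S drop them before fingerprinting."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _field(values: Sequence[int]) -> str:
    """One JA3 field: decimal values joined with "-", GREASE removed.
    An empty list (a ClientHello without extensions, for example) yields ""."""
    return "-".join(str(v) for v in values if not is_grease(v))


@dataclass
class ClientHello:
    """The ClientHello fields that JA3 covers, parsed to integers."""
    version: int                                   # 0x0303 for TLS 1.2
    cipher_suites: List[int]
    extensions: List[int] = field(default_factory=list)
    elliptic_curves: List[int] = field(default_factory=list)  # supported_groups
    ec_point_formats: List[int] = field(default_factory=list)


@dataclass
class ServerHello:
    """The ServerHello fields that JA3S covers."""
    version: int
    cipher_suite: int                              # the single negotiated suite
    extensions: List[int] = field(default_factory=list)


def ja3_string(hello: ClientHello) -> str:
    """The JA3 field: version,ciphers,extensions,curves,point formats."""
    return ",".join([
        str(hello.version),
        _field(hello.cipher_suites),
        _field(hello.extensions),
        _field(hello.elliptic_curves),
        _field(hello.ec_point_formats),
    ])


def ja3s_string(hello: ServerHello) -> str:
    """The JA3S field: version,cipher,extensions."""
    return ",".join([str(hello.version), str(hello.cipher_suite),
                     _field(hello.extensions)])


def fingerprint(ja3_or_ja3s: str) -> str:
    """The JA3 MD5 / JA3S MD5 field: MD5 hex digest of the string."""
    return hashlib.md5(ja3_or_ja3s.encode("ascii")).hexdigest()


def matches_watchlist(md5: str, watchlist: dict) -> Optional[str]:
    """Look a fingerprint up in an analyst-maintained {md5: label} dict."""
    return watchlist.get(md5.lower())


# Constructed sample (not captured traffic): a TLS 1.2 ClientHello with
# GREASE entries in the cipher, extension and curve lists.
SAMPLE_CLIENT = ClientHello(
    version=0x0303,
    cipher_suites=[0x2A2A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    extensions=[0x3A3A, 0, 23, 65281, 10, 11],
    elliptic_curves=[0x4A4A, 29, 23, 24],
    ec_point_formats=[0],
)
SAMPLE_SERVER = ServerHello(version=0x0303, cipher_suite=0xC02F,
                            extensions=[65281, 0, 11])


if __name__ == "__main__":
    client = ja3_string(SAMPLE_CLIENT)
    server = ja3s_string(SAMPLE_SERVER)
    print("JA3:     ", client)
    print("JA3 MD5: ", fingerprint(client))
    print("JA3S:    ", server)
    print("JA3S MD5:", fingerprint(server))
```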
Clicking the link with the file name or file path in the Connection to remote host section opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the link with the file name or file path in the Event initiator section opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Information about the "Prevention rule" event
The window with information about events in which prevention rules were triggered, i.e., events of the Blocked application (prevention rule) type, displays the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Blocked application (prevention rule) section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- File—Name of the file that was prevented from running.
- Launch parameters—Parameters that were used for the attempt to run the file.
- MD5—MD5 hash of the file that was prevented from running.
- SHA256—SHA256 hash of the file that was prevented from running.
- Size—Size of the file that was prevented from running.
- Event time—Time when the file startup prevention was triggered.
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
- Details section:
- Application name—For example, the name of the operating system.
- Vendor—For example, vendor of the operating system.
- File description—For example, Example File.
- Original file name—For example, ExampleFile.exe.
- Signature subject—Organization that issued the digital certificate of the file.
- Signature validation result—For example, "Signature invalid" or "Signature OK".
- Time created—Creation time of the file that was prevented from running.
- Time modified—Date of last modification of the file that was prevented from running.
- Event initiator section:
- File—Name of the parent process file.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- Process ID—Identifier of the parent process.
- System info section:
- Host name—Name of the host on which the file startup prevention was triggered.
- Host IP—IP address of the host on which the file startup prevention was triggered.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—Name of the user whose account was used to run the file.
- OS version—Version of the operating system being used on the host.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Linux recorded in the event database, you can click the link with the host name to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Kill process.
- Delete file.
- Get file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Information about the "Document blocked" event
The window displaying information about Document blocked events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Document blocked section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- File—Name of the blocked document.
- MD5—MD5 hash of the blocked document.
- SHA256—SHA256 hash of the blocked document.
- Event time—Time when the document was blocked.
- Process file—Name of the file of the process that attempted to open the document.
- Process MD5—MD5 hash of the process that attempted to open the document.
- Process SHA256—SHA256 hash of the process that attempted to open the document.
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
- Event initiator section:
- File—Name of the parent process file.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- Process ID—Identifier of the parent process.
- System info section:
- Host name—Name of the host on which the document was blocked.
- Host IP—IP address of the host on which the document was blocked.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—Name of the user that attempted to open the document.
- OS version—Version of the operating system being used on the host.
Clicking the link with the file name or file path in the Document blocked section opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the link with the file name or file path in the Event initiator section opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Linux recorded in the event database, you can click the link with the host name to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Kill process.
- Delete file.
- Get file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Information about the "File modified" event
The window displaying information about File changed events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Depending on the type of operation that was performed with the file, one of the following section names is displayed in the event information:
- File created.
- File modified.
- File renamed.
- File attributes modified.
- File deleted.
- File read.
- Hard link created.
- Symbolic link created.
- File creation time modified.
This section may display the following information:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- File—Name of the created, deleted, or modified file.
- MD5—MD5 hash of the created, deleted, or modified file.
- MD5 of the file referenced by the link—MD5 hash of the file to which the created link points.
- SHA256—SHA256 hash of the created, deleted, or modified file.
- SHA256 of the file referenced by the link—SHA256 hash of the file to which the created link points.
- Symbolic link—Full name of the file to which the created symbolic link points.
- Size—Size of the created, deleted, or modified file.
- Event time—Time when the event was detected.
- Time created—Time when the file was created.
- Time modified—Time of last modification of the file.
- Attributes modification time—Time when file attributes were modified.
- Previous version—Name of the previous version of the file.
The Previous version field is displayed in event details only for operations of the File renamed type.
- Remove file after reboot—Status of the file to be deleted.
If the file to which the "delete" operation was applied is opened in any application or is used by other processes, it is deleted when these processes terminate after a restart of the host. In this case, Remove file after reboot displays Yes.
If the file to which the "delete" operation was applied was deleted immediately, the Remove file after reboot field displays No.
The Remove file after reboot field is displayed in event details only for operations of the File deleted type.
If the event was logged in the event database by Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac, the section also includes the following fields:
- File type—Extension of the created, deleted, or modified file.
- File open flags—Value of the open flags for the created, deleted, or modified file.
- Owner user name—Name of the user that created the file.
- Owner group name—Name of the group whose users can modify or delete the file.
- File permitted capabilities—Permissions that can be used to gain access to a created, deleted, or modified file. This field is not displayed if the event was recorded by Kaspersky Endpoint Security for Mac.
- File inheritable capabilities—Permissions that a user group has to perform operations on the parent directory of the created, deleted, or modified file. This field is not displayed if the event was recorded by Kaspersky Endpoint Security for Mac.
- File effective capabilities—Permissions that are relevant to the created, deleted, or modified file at the current moment. This field is not displayed if the event was recorded by Kaspersky Endpoint Security for Mac.
- Event initiator section:
- File—Path to the parent process file.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
If the event was logged in the event database by Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac, the Event initiator section also includes the following fields:
- Environment variables—Environment variables of the process.
- Real user name—Name of the user assigned when registering in the system.
- Real group name—Group to which the user belongs.
- Effective user name—User name that was used to log in to the system.
- Effective group name—Group of the user whose name was used to log in to the system.
- System info section:
- Host name—Name of the host on which the file was created.
- Host IP—IP address of the host on which the file was created.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—Name of the user that created the file.
- OS version—Version of the operating system that is being used on the host.
If the event was logged in the event database by Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac, the System info section also displays the Logon from remote host field, which contains the name of the host from which the remote logon was performed.
Clicking the link with the file name or path to the file in the section with information about the file with which the operation was performed opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the link with the file name or file path in the Event initiator section opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Mac recorded in the event database, you can click the links with the file name or file path to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the Get file task.
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Linux recorded in the event database, you can click the link with the host name to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Kill process.
- Delete file.
- Get file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Mac recorded in the event database, you can click the links with the file name or file path to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the Get file task.
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Information about the "System event log" event
The window displaying information about System event log events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- System event log section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- Event time—Time when the event was detected.
- Security event ID—Identifier of the type of security event in the Windows log.
If the event was logged in the event database by Kaspersky Endpoint Security for Linux, the System event log section also includes the following fields:
- Event type—Type of the event.
- Operation result—For example, Success or Failed.
- The Event data section containing information from the system log. The scope of data depends on the type of Windows event.
The Event data section is not displayed in information about events logged to the event database by Kaspersky Endpoint Agent for Linux.
- Event initiator section:
- File—Process file name.
- Process ID—Process identifier.
- Command—Command used to run the parent process.
- Environment variables—Environment variables of the process.
- Real user name—Name of the user assigned when registering in the system.
- Real group name—Group to which the user belongs.
The Event initiator section is not displayed in information about events logged to the event database by Kaspersky Endpoint Agent for Windows or Kaspersky Endpoint Security for Windows.
- System info section:
- Host name—Name of the host on which the event occurred.
- Host IP—IP address of the host on which the event took place.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—Name of the user who started the process that initiated the system log record.
- OS version—Version of the operating system that is being used on the host.
Event information logged to the event database by Kaspersky Endpoint Security for Linux also includes the Logon from remote host field, that is, the name of the host from which the remote logon was performed.
In the information about the event that Kaspersky Endpoint Security for Linux recorded in the event database, you can click the links with the file name or file path to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the Get file task.
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Linux recorded in the event database, you can click the link with the host name to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Kill process.
- Delete file.
- Get file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
Information about the "Changes in the registry" event
The window displaying information about Registry modified events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Depending on the type of operation that was performed with the registry, one of the following section names is displayed in the event information:
- Registry key created.
- Registry key deleted.
- Registry modified.
- Registry key queried.
- Registry key renamed.
- Registry key saved.
This section displays the following information:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- File—Full path to the file to which the registry key was saved.
This field is displayed for events of the Registry key saved type.
- Key path—Path to the registry key that was modified.
- Value name—Name of the registry value, for example, RegistrySizeLimit.
- Value data—Data stored in the registry value.
- Value type—Type of the registry value, for example, REG_DWORD.
- Event time—Time of the registry modification.
When changing the name or value of a registry key, you may see additional fields containing information about the state of the registry key prior to its modification:
- The Previous key path field is displayed when the name of the registry key is modified.
- The Previous value data field is displayed when the registry value is modified.
- The Previous value type field is displayed when the type of the registry value is modified.
If you are using Kaspersky Endpoint Agent as the Endpoint Agent component, Kaspersky Anti Targeted Attack Platform receives the data required to populate the Previous key path, Previous value data, Previous value type fields only when Kaspersky Anti Targeted Attack Platform is integrated with the Kaspersky Endpoint Agent for Windows application version 3.10 and higher. When integrating the application with older versions of the Kaspersky Endpoint Agent, the fields are not displayed in the event information.
- Event initiator section:
- File—Path to the parent process file.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
- MD5—MD5 hash of the parent process file.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
- SHA256—SHA256 hash of the parent process file.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
- System info section:
- Host name—Name of the host on which the registry modification was made.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
- Host IP—IP address of the host on which the registry modification was made.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—Name of the user that made the change in the registry.
- OS version—Version of the operating system being used on the host.
You can view information about the modification of the selected registry key by editing or replacing the Kaspersky Anti Targeted Attack Platform configuration file. To edit or replace the configuration file of the application, you must contact Technical Support.
You are strongly advised not to perform any operations with the Kaspersky Anti Targeted Attack Platform configuration file in Technical Support Mode without advice or instructions from Technical Support staff.
Information about the "Port listened" event
The window displaying information about Port listened events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Port listened section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- Local port—Port that was listened to.
- Local IP—IP address of the network interface whose port was listened to.
- Event time—Port listening time.
- Event initiator section:
- File—Path to the parent process file.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
- MD5—MD5 hash of the parent process file.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
- SHA256—SHA256 hash of the parent process file.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
- System info section:
- Host name—Name of the host whose port was listened to.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
- Host IP—IP address of the host whose port was listened to.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—Name of the user whose account was used to listen to the port.
- OS version—Version of the operating system that is being used on the host.
Information about the "Driver loaded" event
The window displaying information about Driver loaded events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Driver loaded section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- File—Name of the loaded driver file.
- MD5—MD5 hash of the loaded driver file.
- SHA256—SHA256 hash of the loaded driver file.
- Size—Size of the loaded driver.
- Event time—Time when the driver was loaded.
- Details section:
- Application name—For example, the name of the operating system.
- Vendor—For example, vendor of the operating system.
- File description—For example, Example File.
- Original file name—For example, ExampleFile.exe.
- Signature subject—Organization that issued the digital certificate of the file.
- Signature validation result—For example, "Signature invalid" or "Signature OK".
- Time created—Creation time of the loaded driver.
- Time modified—Time of last modification of the loaded driver.
- System info section:
- Host name—Name of the host on which the driver was loaded.
- Host IP—IP address of the host on which the driver was loaded.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—Name of the user that loaded the driver.
- OS version—Version of the operating system being used on the host.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Information about the "DNS" event
The window displaying information about DNS events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- DNS section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- Server IP—IPv4 address of the DNS server.
- Query options—DNS query options.
- Request status—Status of the DNS query.
- Domain name—Name of the domain for which the DNS record is to be resolved.
- Record type ID—Type of resource record.
- Response data—Contents of the DNS server response to the query.
- Event time—Time when the DNS query was sent.
- Event initiator section:
- File—Name of the parent process file.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- Process ID—Identifier of the parent process.
If the event was logged in the event database by Kaspersky Endpoint Agent for Linux, the Event initiator section also includes the following fields:
- Environment variables—Environment variables of the process.
- Real user name—Name of the user assigned when registering in the system.
- Real group name—Group to which the user belongs.
- Effective user name—User name that was used to log in to the system.
- Effective group name—Group of the user whose name was used to log in to the system.
- System info section:
- Host name—Name of the host from which the query to the DNS server was issued.
- Host IP—IP address of the host from which the query to the DNS server was issued.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- Logon from remote host—Name of the host that was used to remotely log in to the system.
- User name—Name of the user that issued the query to the DNS server.
- OS version—Version of the operating system that is being used on the host.
Links with the server IP address, record type ID, and user name open a list in which you can do one of the following:
- Find alerts.
- Copy value to clipboard.
Clicking the link with the domain name opens a list in which you can do one of the following:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Copy value to clipboard.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Linux recorded in the event database, you can click the link with the host name to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Kill process.
- Delete file.
- Get file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
Clicking the link with the IP address of the host opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Information about the "LDAP" event
The window displaying information about LDAP events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- LDAP section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- Search scope—LDAP search scope. Can have one of the following values: ADS_SCOPE_BASE, ADS_SCOPE_ONELEVEL, ADS_SCOPE_SUBTREE.
- Search filter—LDAP search filter.
- Distinguished name—Name of the LDAP directory entry.
- Search attribute list—Attributes specified in the search query as values to be returned.
- Launch parameters—Process startup settings.
- Event initiator section:
- File—Name of the parent process file.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- System info section:
- Host name—Name of the host on which the LDAP search was performed.
- User name—Name of the user whose account was used to run the LDAP search.
- OS version—Version of the operating system that is being used on the host.
Information about the "Named pipe" event
The window displaying information about Named pipe events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Depending on the type of the named pipe operation, one of the following section names is displayed in the event information:
- Pipe created.
- Pipe connected.
This section displays the following information:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- File—File name of the process that created or connected to the named pipe.
- Event time—Time when the named pipe was created or connected to.
- Event initiator section:
- File—Name of the parent process file.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- System info section:
- Host name—Name of the host on which the named pipe was created or connected to.
- User name—Name of the user that created or connected to the named pipe.
- OS version—Version of the operating system that is being used on the host.
Clicking the link with the pipe name opens a list in which you can do one of the following:
- Find alerts.
- Copy value to clipboard.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
Clicking the link with the IP address of the host opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Clicking the link with the user name opens a list in which you can do one of the following:
- Find alerts.
- Copy value to clipboard.
Information about the "WMI" event
The window displaying information about WMI events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Depending on the type of the operation, one of the following section names is displayed in the event information:
- WMI activity.
- WMI event consumer name.
The WMI activity section displays the following information:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- Connection to remote host—Remote start of the WMI service. If the service was started remotely, the field displays Yes.
- Machine name—Name of the host on which the WMI service was started.
- User name—Name of the user that started the WMI service.
- Namespace—WMI namespace.
- Query—Command that was used to start the WMI service.
The WMI event consumer name section displays the following information:
- Connection to remote host—Remote start of the WMI service. If the service was started remotely, the field displays Yes.
- Namespace—Namespace of the event consumer.
- Event filter name—Name of the filter of the event consumer. This field is displayed for the WMI activity event type.
- Event consumer name—Name of the created event consumer.
- Event consumer description—Description of the created event consumer. This field is displayed for the WMI event consumer name event type.
- Event initiator section:
- File—Name of the parent process file.
- Launch parameters—Parent process startup settings.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- System info section:
- Host name—Name of the host on which the WMI service was started or the event consumer was created.
- Host IP—IP address of the host on which the WMI service was started or the event consumer was created.
- User name—Name of the user that started the WMI service or created the event consumer.
- OS version—Version of the operating system that is being used on the host.
Information about the "Alert" event
The window showing information about a Detection type event contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- On the Details tab, in the Detection section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- Detect—Name of the detected object.
Clicking the link with the object name opens a list in which you can select one of the following actions:
- Find events.
- View on Kaspersky Threats.
- Copy value to clipboard.
- Last action—Last action taken on the detected object.
- Object name—Full name of the file in which the object was detected.
- MD5—MD5 hash of the file in which the object was detected.
- SHA256—SHA256 hash of the file in which the object was detected.
- Object type—Type of object (for example, a file).
- Detection mode—Scan mode in which the alert was generated.
- Event time—Date and time of the event.
- Record ID—ID of the record of the alert in the database.
- Database version—Version of the database used to generate the alert.
- Content—Contents of the script sent to be scanned.
You can download this data by clicking Save to file.
- On the Details tab, in the Event initiator section:
- File—Path to the parent process file.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Run the following tasks:
- Process ID—Identifier of the parent process.
- Launch parameters—Parent process startup settings.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- On the Details tab, in the System info section:
- Host name—Name of the host on which the alert was generated.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
In the information about the event that Kaspersky Endpoint Security for Linux recorded in the event database, you can click the link with the host name to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run tasks: Get file, Delete file, Quarantine file, Run application.
- Copy value to clipboard.
In the information about the event that Kaspersky Endpoint Security for Mac recorded in the event database, you can click the links with the file name or file path to open a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the Get file task.
- Copy value to clipboard.
- Host IP—IP address of the host on which the alert was generated.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—User account used to complete the action taken on the detected object.
- OS version—Version of the operating system that is being used on the host.
- On the History tab, in the table:
- Type—Type of event: Detection or Detection processing result.
- Description—Description of the event.
- Time—Date and time of detection and alert processing result.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Information about the "Alert processing result" event
The window showing information about a Detection processing result type event contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- On the Details tab, under Detection processing result:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- Detect—Name of the detected object.
Clicking the link with the object name opens a list in which you can select one of the following actions:
- Find events.
- View on Kaspersky Threats.
- Copy value to clipboard.
- Last action—Last action taken on the detected object.
- MD5—MD5 hash of the file in which the object was detected.
- SHA256—SHA256 hash of the file in which the object was detected.
- Object type—Type of object (for example, a file).
- Object name—Full name of the file in which the object was detected.
- Detection mode—Scan mode in which the alert was generated.
- Event time—Date and time of the event.
- Record ID—ID of the record of the alert in the database.
- Database version—Version of the database used to generate the alert.
- On the Details tab, under Event initiator:
- File—Path to the parent process file.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Run the following tasks:
- Process ID—Identifier of the parent process.
- Launch parameters—Parent process startup settings.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- On the Details tab, under System info:
- Host name—Name of the host on which the alert was generated.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Host IP—IP address of the host on which the alert was generated.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—User account used to complete the action taken on the detected object.
- OS version—Version of the operating system that is being used on the host.
- On the History tab, in the table:
- Type—Type of event: Detection processing result.
- Description—Description of the event.
- Time—Date and time of the alert processing result.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Information about the "Interpreted file run" event
The window displaying information about Process: interpreted file run events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Process: interpreted file run section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- File—Name of the file.
- MD5—MD5 hash of a file.
- SHA256—SHA256 hash of a file.
- Size—Size of the file.
- Time created—Time when the file was created.
- Time modified—Time of last modification of the file.
- Event initiator section:
- File—Path to the parent process file.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- Process ID—Identifier of the parent process.
- System info section:
- Host name—Name of the host on which the file was run.
- Host IP—IP address of the host on which the file was run.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—Name of the user whose account was used to run the file.
- OS version—Version of the operating system being used on the host.
Clicking the link with the file name or file path in the Process: interpreted file run section opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the link with the file name or file path in the Event initiator section opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Information about the "AMSI scan" event
The window showing information about an AMSI scan event contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- In the AMSI scan section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- Object name—Name of the scanned object.
- MD5—MD5 hash of the scanned object.
- SHA256—SHA256 hash of the scanned object.
- Event time—Date and time of the event.
- Content type—Type of script.
The application provides two types of scripts:
- If the script is presented as text, the Content type field shows the Text script type.
- If the script is presented in another format, the Content type field displays the Binary script type.
- Content—Contents of the script sent to be scanned.
You can copy this data by clicking Copy to clipboard if the data is presented as text or download a file containing the data by clicking Save to file if the data has a different format.
The Content field is displayed in the event information if the application registers signs of targeted attacks.
- In the Event initiator section:
- File—Path to the parent process file.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Run the following tasks:
- MD5—MD5 hash of the parent process file.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
- SHA256—SHA256 hash of the parent process file.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
- In the System info section:
- Host name—Name of the host on which the alert was generated.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Host IP—IP address of the host on which the alert was created.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—User account under which the scanned script was run.
- OS version—Version of the operating system that is being used on the host.
Information about the "Interactive command input at the console" event
The window displaying information about Process: console interactive input events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Process: console interactive input section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- Input type—Type of input of commands that were passed to the console application.
The application provides two ways to enter commands:
- If commands were entered by the user in the console application, the Input type field displays the Console command input type.
- If commands were passed to the console application from another application through a pipe, the Input type field displays the Pipe command input type.
If you are using the Kaspersky Endpoint Agent application as the Endpoint Agent component, Kaspersky Anti Targeted Attack Platform receives the data required to populate the Input type field only when it is integrated with Kaspersky Endpoint Agent 3.10 for Windows. When the application is integrated with older versions of Kaspersky Endpoint Agent for Windows, the field is not displayed in the event information.
- Input text—Text entered at the command line (for example, CMD) on the host with the Kaspersky Endpoint Agent for Windows application.
You can copy this text by clicking the Copy to clipboard button located in the Input text field.
- Event time—Time when the event was detected.
- Event initiator section:
- File—Path to the parent process file.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Run the following tasks:
- MD5—MD5 hash of the parent process file.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
- SHA256—SHA256 hash of the parent process file.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
- System info section:
- Host name—Name of the host on which the command was entered.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Run the following tasks:
- Get data → File, Forensics, Disk image, Memory dump.
- Kill process.
- Delete file.
- Quarantine file.
- Run application.
- Host IP—IP address of the host on which the command was entered.
If you are using dynamic IP addresses, the field displays the IP address assigned to the host at the moment when the event was created.
The application does not support IPv6. If you are using IPv6, the IP address of the host is not displayed.
- User name—User account that was used to enter the command.
- OS version—Version of the operating system that is being used on the host.
Information about the "Code injection" event
The window displaying information about Code injection events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Code injection section:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- File—Path to the target process file.
- Process ID—Identifier of the target process.
- Launch parameters—Command line options of the target process.
- Modified start options—Modified command line options of the target process.
This field is displayed if the ARG_SPOOFING method was used to inject code.
- MD5—MD5 hash of the target process file.
- SHA256—SHA256 hash of the target process file.
- Access method—Method of access to the target process.
This field can have the following values: WRITE_EXECUTABLE_MEMORY, SET_WINDOWS_HOOK, QUEUE_APC_THREAD, SET_THREAD_CONTEXT, MAP_VIEW_OF_SECTION, CREATE_REMOTE_THREAD, ARG_SPOOFING.
- Address space—Address in the address space of the target process at which the remotely executed code was placed.
This field is not populated if the code was injected using the SET_WINDOWS_HOOK or ARG_SPOOFING methods.
- System call parameters—Command line that the target process was started with.
- DLL name—Name of the DLL that contains the hook procedure and the name of the function to which control is passed after injection.
This field is filled if the SET_WINDOWS_HOOK method was used to inject code.
- DLL full path—Path to the DLL containing the hook procedure.
This field is filled if the SET_WINDOWS_HOOK method was used to inject code.
- Event time—Time of code injection.
- Call trace—API call stack at the time of interception of the function related to code injection.
- Event initiator section:
- File—Name of the parent process file.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- System info section:
- Host name—Name of the host on which the code injection occurred.
- User name—Name of the user account that was used for the code injection.
- OS version—Version of the operating system that is being used on the host.
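The fields above are populated differently depending on the Access method value (no Address space for SET_WINDOWS_HOOK and ARG_SPOOFING, DLL fields only for SET_WINDOWS_HOOK, Modified start options only for ARG_SPOOFING). The following Python script is an added example, not part of the Kaspersky documentation or product code: it encodes those rules, checks an exported Code injection record for missing fields, and renders a one-line analyst summary. The record layout (a flat dict keyed by the field names shown in the web interface, with the Event initiator file stored under the assumed key "Initiator file"), the sample hashes and the sample paths are constructed for this example.

```python
# Added example, not Kaspersky documentation or product code. Applies the
# method-dependent field rules of the Code injection event to constructed
# records. The flat-dict layout and the "Initiator file" key are assumptions.
from typing import Dict, List, Optional, Tuple

# Access method values listed in the documentation.
ACCESS_METHODS = {
    "WRITE_EXECUTABLE_MEMORY", "SET_WINDOWS_HOOK", "QUEUE_APC_THREAD",
    "SET_THREAD_CONTEXT", "MAP_VIEW_OF_SECTION", "CREATE_REMOTE_THREAD",
    "ARG_SPOOFING",
}
# Methods for which the documentation says Address space is not populated.
NO_ADDRESS_METHODS = {"SET_WINDOWS_HOOK", "ARG_SPOOFING"}
HOOK_FIELDS = ("DLL name", "DLL full path")


def expected_fields(method: str) -> List[str]:
    """Fields the documentation says are populated for the given access method."""
    if method not in ACCESS_METHODS:
        raise ValueError(f"unknown access method: {method}")
    fields = ["File", "Process ID", "Launch parameters", "MD5", "SHA256",
              "Access method", "Event time"]
    if method not in NO_ADDRESS_METHODS:
        fields.append("Address space")
    if method == "SET_WINDOWS_HOOK":
        fields.extend(HOOK_FIELDS)
    if method == "ARG_SPOOFING":
        fields.append("Modified start options")
    return fields


def check_event(event: Dict[str, str]) -> List[str]:
    """Return the documented fields that are missing or empty in the record."""
    return [f for f in expected_fields(event["Access method"]) if not event.get(f)]


def spoofed_arguments(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """For ARG_SPOOFING, return (original, rewritten) command lines when they differ."""
    if event.get("Access method") != "ARG_SPOOFING":
        return None
    original = event.get("Launch parameters", "")
    modified = event.get("Modified start options", "")
    return (original, modified) if original != modified else None


def summarize(event: Dict[str, str]) -> str:
    """One-line analyst summary: which process injected into which, and how."""
    method = event["Access method"]
    initiator = event.get("Initiator file", "?")
    target = f"{event['File']} (PID {event['Process ID']})"
    if method == "SET_WINDOWS_HOOK":
        how = f"hook DLL {event.get('DLL full path', '?')} [{event.get('DLL name', '?')}]"
    elif method == "ARG_SPOOFING":
        pair = spoofed_arguments(event)
        how = f"command line rewritten in memory to: {pair[1]}" if pair else "arguments unchanged"
    else:
        how = f"code placed at {event.get('Address space', 'unknown address')}"
    return f"{initiator} -> {target} via {method}: {how}"


# Constructed sample records (placeholder hashes and paths).
SAMPLE_EVENTS = [
    {   # hook injection whose record lacks the DLL full path
        "Access method": "SET_WINDOWS_HOOK",
        "File": r"C:\Windows\explorer.exe", "Process ID": "4120",
        "Launch parameters": "explorer.exe", "MD5": "0" * 32, "SHA256": "0" * 64,
        "Event time": "2024-05-01T10:15:00Z", "DLL name": "hook.dll!HookProc",
        "Initiator file": r"C:\Users\Public\loader.exe",
    },
    {   # argument spoofing: benign arguments at creation, real ones rewritten
        "Access method": "ARG_SPOOFING",
        "File": r"C:\Windows\System32\cmd.exe", "Process ID": "5188",
        "Launch parameters": "cmd.exe /c echo benign",
        "Modified start options": "cmd.exe /c whoami /all",
        "MD5": "0" * 32, "SHA256": "0" * 64,
        "Event time": "2024-05-01T10:16:00Z",
        "Initiator file": r"C:\Users\Public\loader.exe",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(summarize(ev), "| missing:", check_event(ev))
```

For ARG_SPOOFING the Modified start options value is the command line the target actually ran with, so that is the value to hunt on; Launch parameters is what a process-creation log would have shown.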
Information about the "Process access" event
The window displaying information about Process access events contains the following details:
- Tree of events.
- Actions that can be performed to handle an event.
- Depending on the type of operation that was performed on the process, one of the following section names is displayed in the event information:
- Process access is open
- Duplicate handle
The Process access is open section displays the following information:
- IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered MITRE technique as well as recommendations for reacting to the event.
The field is displayed if a TAA (IOA) rule was triggered when the event was created.
- File—Name of the recipient process.
- Process ID—Process ID of the recipient process.
- Launch parameters—Command line options of the recipient process.
- MD5—MD5 hash of the recipient process file.
- SHA256—SHA256 hash of the recipient process file.
- Access permissions—Requested process access rights.
- Size—Size of the recipient process file.
- Event time—Time when the event was detected.
- Time created—Recipient process file creation time.
- Time modified—Time of last modification of the recipient process file.
- Attributes modification time—Time when the attributes of the recipient process file were changed.
- Call trace—Call stack.
The Duplicate handle section displays the following information:
- File—File name of the duplicated process.
- MD5—MD5 hash of the duplicated process file.
- SHA256—SHA256 hash of the duplicated process file.
- Time created—Duplicated process file creation time.
- Time modified—Time of last modification of the duplicated process file.
- Attributes modification time—Time when the attributes of the duplicated process file were changed.
- Size—Size of the duplicated process file.
- Process ID—ID of the duplicated process.
- Launch parameters—Command line options of the duplicated process.
For events of this type, the event information also includes the Information about the process to which the handle was duplicated and Information about the process from which the handle was duplicated sections. These sections contain the following information:
- File—Process file name.
- MD5—MD5 hash of the process file.
- SHA256—SHA256 hash of the process file.
- Process ID—Process identifier.
- Launch parameters—Process startup settings.
- Size—Size of the process file.
- Time created—Process file creation time.
- Time modified—Time of last modification of the file.
- Attributes modification time—Time when the attributes of the process file were changed.
- Event initiator section:
- File—Path to the parent process file.
- MD5—MD5 hash of the parent process file.
- SHA256—SHA256 hash of the parent process file.
- Launch parameters—Parent process startup settings.
- System info section:
- Host name—Name of the host on which the process was accessed or the handle was duplicated.
- User name—Name of the user account under which the process was accessed or the handle was duplicated.
- OS version—Version of the operating system that is being used on the host.
Clicking the link with the file name or path to the file in the section with information about the process on which the operation was performed opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the link with the file name or file path in the Event initiator section opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Run the following tasks:
- Copy value to clipboard.
Clicking the MD5 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
Clicking the SHA256 link opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find in Storage.
- Create prevention rule.
- Copy value to clipboard.
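The Access permissions field shows the rights requested on the process handle, which is the value that distinguishes a benign query from a memory read or an injection-capable handle. The following Python script is an added example, not part of the Kaspersky documentation or product code: it decodes the value as a Windows process access mask (the constants come from winnt.h) and flags the combinations an analyst checks first, such as PROCESS_VM_READ on lsass.exe. It assumes the field carries the raw mask as an integer or as a decimal or 0x-prefixed hex string; the sample records and the list of sensitive target processes are constructed.

```python
# Added example, not Kaspersky documentation or product code. Decodes the
# Access permissions value of a Process access event as a Windows process
# access mask. Assumption: the field holds the raw mask (int or dec/hex text).
from typing import Dict, List

# Process-specific rights plus the standard rights contained in PROCESS_ALL_ACCESS.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
KNOWN_BITS = 0
for _bit in PROCESS_RIGHTS:
    KNOWN_BITS |= _bit

# Constructed list of processes whose memory holds credentials or tokens.
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}


def parse_mask(value) -> int:
    """Accept an int, a decimal string or a 0x-prefixed hex string."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def decode_rights(mask: int) -> List[str]:
    """Name every right set in the mask, lowest bit first; unknown bits are kept in hex."""
    if mask & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~KNOWN_BITS
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def triage(event: Dict[str, str]) -> List[str]:
    """Findings for one Process access event; an empty list means nothing notable."""
    mask = parse_mask(event["Access permissions"])
    target = event["File"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    findings = []
    if target in SENSITIVE_TARGETS and mask & 0x0010:
        findings.append(f"memory read of {target} (credential dumping pattern)")
    if mask & 0x0020 and mask & (0x0002 | 0x0008):
        findings.append("write + thread/VM-operation rights (injection-capable handle)")
    if mask & 0x0040 and target in SENSITIVE_TARGETS:
        findings.append(f"PROCESS_DUP_HANDLE on {target} (handle duplication for indirect access)")
    return findings


# Constructed sample records keyed by the field names of the
# Process access is open section; masks given as hex or decimal text.
SAMPLE_EVENTS = [
    {"File": r"C:\Windows\System32\lsass.exe", "Process ID": "712",
     "Access permissions": "0x1010", "Event time": "2024-05-01T10:15:00Z"},
    {"File": r"C:\Windows\explorer.exe", "Process ID": "4120",
     "Access permissions": "0x1FFFFF", "Event time": "2024-05-01T10:16:00Z"},
    {"File": r"C:\Windows\System32\svchost.exe", "Process ID": "1388",
     "Access permissions": "4096", "Event time": "2024-05-01T10:17:00Z"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        mask = parse_mask(ev["Access permissions"])
        print(f"{ev['File']} mask=0x{mask:X} rights={decode_rights(mask)} findings={triage(ev)}")
```

A mask of 0x1010 (PROCESS_VM_READ plus PROCESS_QUERY_LIMITED_INFORMATION) against lsass.exe is the minimum a memory-dumping tool needs, so it deserves a look even though it is far from PROCESS_ALL_ACCESS; for a Duplicate handle event, run the same decoder on the rights of the duplicated handle and read the Information about the process from which the handle was duplicated section to see who originally held it.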
Event chain scanning by Kaspersky TAA (IOA) rules
Some cyberattacks can be detected only by looking at a certain sequence of events. If the event chain scanning functionality is enabled, Kaspersky Anti Targeted Attack Platform marks events arriving at the Central Node server in accordance with Kaspersky TAA (IOA) rules and, when it detects a suspicious sequence of events, an alert is recorded in the table of alerts.
You can view events marked by a Kaspersky TAA (IOA) rule in one of the following ways:
- By creating a search query to the event database with the following criteria: IOATag, IOAImportance, IOAConfidence.
- While viewing events and alerts.
Kaspersky TAA (IOA) rules cannot be edited. If you do not want the application to create alerts for events generated as part of host activity that is normal for your organization, you can add a TAA (IOA) rule to exclusions. Only one exclusion can be created per Kaspersky TAA (IOA) rule.
In
, you must enable the event chain scanning functionality on each Central Node server on which you want to use it. If the Central Node component is deployed as a cluster, you can enable the functionality on any server in the cluster.
Using TAA (IOA) rules that scan chains of events causes higher usage of system resources. If you encounter performance problems with the application, we recommend disabling this functionality.
Special considerations for displaying event chain information in widgets
The top 10 widgets display information only about events that triggered a TAA (IOA) rule. Widgets do not take into account events that occurred earlier and participate in the event chain, but did not trigger a rule. For this reason, the number of events reported by the widget may not match the number of events in the selection displayed when you click the link with the host name and the name of the TAA (IOA) rule.
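To make the mechanism concrete, the following Python script is an added example, not part of the Kaspersky documentation or product code, and the real Kaspersky TAA (IOA) rules and their matching logic are not published. It implements a small per-host event chain scanner: an ordered list of step predicates with a time window, marking of every event in a completed chain with IOATag, IOAImportance and IOAConfidence values, one alert per completed chain, a per-rule exclusion that suppresses the alert, and a search helper that filters events by those three criteria. The rule, its step predicates, the Event layout and the sample telemetry are all constructed for this example. It also reproduces the widget caveat above: three events are marked, but only the last one triggers the rule, so an alert count and a marked-event count differ.

```python
# Added example, not Kaspersky documentation or product code. A minimal
# per-host event chain scanner; the rule, predicates, event layout and
# sample telemetry are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, FrozenSet, List


@dataclass
class Event:
    host: str
    time: datetime
    kind: str                      # event type name as shown in the web interface
    data: Dict[str, str]           # selected fields of that event type
    tags: List[Dict[str, str]] = field(default_factory=list)  # IOATag/IOAImportance/IOAConfidence


@dataclass
class ChainRule:
    name: str
    importance: str
    confidence: str
    steps: List[Callable[[Event], bool]]   # ordered predicates, one per step
    window: timedelta                      # the whole chain must fit in this window


def scan_chains(events: List[Event], rules: List[ChainRule],
                exclusions: FrozenSet[str] = frozenset()) -> List[dict]:
    """Tag every event of a completed chain and record one alert per chain.

    Chains are tracked per host. A rule named in `exclusions` (one exclusion
    per rule) still marks the events but raises no alert.
    """
    alerts = []
    for rule in rules:
        partial: Dict[str, List[Event]] = {}
        for ev in sorted(events, key=lambda e: e.time):
            chain = partial.get(ev.host, [])
            if chain and ev.time - chain[0].time > rule.window:
                chain = []                                  # stale partial match
            if rule.steps[len(chain)](ev):
                chain = chain + [ev]
            partial[ev.host] = chain
            if len(chain) == len(rule.steps):
                for e in chain:                             # mark the whole chain
                    e.tags.append({"IOATag": rule.name,
                                   "IOAImportance": rule.importance,
                                   "IOAConfidence": rule.confidence})
                if rule.name not in exclusions:             # the last event triggers the alert
                    alerts.append({"rule": rule.name, "host": ev.host,
                                   "trigger": ev, "chain": chain})
                partial[ev.host] = []
    return alerts


def find_marked(events: List[Event], **criteria: str) -> List[Event]:
    """Filter by IOATag / IOAImportance / IOAConfidence, like an event database query."""
    return [e for e in events
            if any(all(t.get(k) == v for k, v in criteria.items()) for t in e.tags)]


# Constructed rule: a PowerShell console command, then a .ps1 run, then a
# code injection on the same host within ten minutes.
RULE = ChainRule(
    name="Console PowerShell launch followed by code injection",
    importance="High", confidence="Medium",
    steps=[
        lambda e: e.kind == "Process: console interactive input"
        and "powershell" in e.data.get("Input text", "").lower(),
        lambda e: e.kind == "Process: interpreted file run"
        and e.data.get("File", "").lower().endswith(".ps1"),
        lambda e: e.kind == "Code injection",
    ],
    window=timedelta(minutes=10),
)


def build_sample_events() -> List[Event]:
    """Constructed telemetry: ws-042 completes the chain, ws-007 does not."""
    t0 = datetime(2024, 5, 1, 10, 0)
    return [
        Event("ws-042", t0, "Process: console interactive input",
              {"Input type": "Console", "Input text": r"powershell -ep bypass .\update.ps1"}),
        Event("ws-042", t0 + timedelta(minutes=1), "Process: interpreted file run",
              {"File": r"C:\Users\alice\update.ps1"}),
        Event("ws-042", t0 + timedelta(minutes=2), "Code injection",
              {"Access method": "CREATE_REMOTE_THREAD", "File": r"C:\Windows\explorer.exe"}),
        Event("ws-042", t0 + timedelta(minutes=3), "File changed", {"File": r"C:\Temp\x.tmp"}),
        Event("ws-007", t0, "Process: console interactive input",
              {"Input type": "Console", "Input text": "powershell Get-Date"}),
        Event("ws-007", t0 + timedelta(minutes=30), "Process: interpreted file run",
              {"File": r"C:\Tools\tool.ps1"}),   # outside the window, chain restarts
    ]


if __name__ == "__main__":
    events = build_sample_events()
    alerts = scan_chains(events, [RULE])
    print(f"alerts: {len(alerts)}, events marked: {len(find_marked(events, IOATag=RULE.name))}")
```

Running it yields one alert for ws-042 while three of its events carry the rule's tag, which is the same discrepancy the widget note describes: a per-rule top 10 counts triggering events, a search on IOATag returns the whole chain. The scanner keeps one partial chain per host and per rule, so its memory use grows with the number of rules and hosts, which is the practical reason the documentation warns about resource usage.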
Enabling or disabling event chain scanning by Kaspersky TAA (IOA) rules
To enable or disable event chain scanning by Kaspersky TAA (IOA) rules:
- In the window of the application web interface, select the Settings section, Endpoint Agents subsection.
- Under Use TAA (IOA) rules for chains of events, do one of the following:
- If you want to enable the functionality, set the Use rules for chains of events toggle switch to Enabled.
- If you want to disable the functionality, set the Use rules for chains of events toggle switch to Disabled.
This functionality is disabled by default.
Event chain scanning by Kaspersky TAA (IOA) rules is enabled or disabled.
Viewing events marked by a Kaspersky TAA (IOA) rule
To view all events marked by the selected Kaspersky TAA (IOA) rule in the Alerts section:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the link in the Technologies column to open the filter configuration window.
- In the drop-down list on the left, select Contain.
- In the drop-down list on the right, select the (TAA) Targeted Attack Analyzer technology.
- Click Apply.
The table displays alerts generated by the TAA technology based on TAA (IOA) rules.
- Select an alert for which the Detected column displays the name of the relevant rule.
This opens a window containing information about the alert.
- Under Scan results, click the link with the name of the rule.
This opens the rule information window.
- In the rule information window, click Events.
A table of events matching the selected TAA (IOA) rule is displayed.
To view all events marked by the selected Kaspersky TAA (IOA) rule in the Threat Hunting section:
- Select the Threat Hunting section in the application web interface window.
This opens the event search form.
- Define the search conditions and click the Search button. For example, you can select event search criteria in the TAA properties group in builder mode.
The table of events that satisfy the search criteria is displayed.
- Select an event.
- To the right of the IOA tags setting, click the name of the rule.
This opens the rule information window.
- In the rule information window, click Events.
A table of events matching the selected TAA (IOA) rule is displayed.
Managing assets
Assets are all devices present in the local and internal network of the organization. To manage assets, you can view the table of devices in the Assets section of the Kaspersky Anti Targeted Attack Platform web interface. You can also view information about interactions of devices and perform various actions on devices when managing the network interactions map and the topology map.
Viewing the table of devices
To manage devices, the application generates a table of devices. The application considers all devices in the table to be known devices.
To view the table of devices:
- Select the Assets section in the application web interface window.
- Go to the Devices tab.
The table of devices is displayed.
The table displays the following information:
- Name is the name that represents the device in the application.
- Device ID is the ID of the device assigned in Kaspersky Anti Targeted Attack Platform.
- Status is the device status that determines whether the device is allowed to be active on the corporate LAN. A device can have one of the following statuses:
- Authorized. This status is assigned to a device that is allowed to be active on the network.
- Unauthorized. This status is assigned to a device that is not allowed to be active on the network.
- Archived. This status is assigned to a device if it is no longer in use or must not be used on the network, or if the device has not been active for a long time (30 days or more) and information about this device has not been updated.
- Address information lists MAC and/or IP addresses of the device. If a device has multiple network interfaces, each network interface can have a different MAC and/or IP address.
- Category is the name of the category that characterizes the functional purpose of the device. Kaspersky Anti Targeted Attack Platform recognizes the following device categories:
- Server for a computer on which server software is deployed.
- Network device for a piece of network equipment (for example, a router, a switch).
- Workstation for a stationary personal computer or operator workstation.
- Mobile device for a portable electronic device with computing functionality.
- Laptop for a portable personal computer.
- Printer for a printing device.
- UPS for an uninterruptible power supply connected to a computer network.
- Network camera for a device that performs video surveillance and transmits digital imaging data.
- Gateway for a device that connects networks by converting various interfaces (for example, Serial Ethernet) in networks with a heterogeneous data transmission medium and different protocols.
- Storage system for a device that stores information inside memory systems.
- Firewall for a device that acts as a firewall to scan and block unwanted traffic.
- Switch for a device that physically connects hosts of the local network.
- Virtual switch for a device that logically combines physical switches or software switches for virtualization systems.
- Router for a device that forwards network packets between segments of a computer network.
- Virtual router for a device that logically combines physical routers or routers that use multiple independent routing and forwarding tables.
- Wi-Fi for an access point that provides wireless connection of devices from Wi-Fi networks.
- Historian server for a server with archived data.
- Other for a device that does not belong to any of the above categories.
- Group is the name of the group in which the device is placed in the device group tree (contains the name of the group itself and the names of all its parent groups).
- Security state is the security state of the device, which is determined by the existence of events related to the device. A device can have one of the following security states:
- Critical. The device has associated events that have an 8.0–10.0 severity score.
- Warning. The device has associated events that have a 4.0–7.9 severity score.
- OK. The device has associated events that have a 0.0–3.9 severity score, or the device has no associated events.
- Importance is the importance of the device. Importance is assigned to the device in accordance with its category. A device can have one of the following importance ratings:
- High. Assigned to devices of the Server category.
- Medium. Assigned to devices of the following categories: Network device, Workstation, Gateway, Storage system, Firewall, Switch, Virtual switch, Router, Virtual router, Wi-Fi, Historian server.
- Low. Assigned to devices of the following categories: Mobile device, Laptop, Printer, UPS, Network camera, or Other.
- Last seen is the date and time of the last recorded activity of the device.
- Risks lists the categories of risks detected for the device. By default, the device table displays information only for current risks. To display information for all risks, you can select the Show remediated and accepted risks check box when configuring the device table.
- Last modified is the date and time when the device information was last modified.
- Created is the date and time when the device was added to the table of devices.
- OS is the name of the operating system installed on the device.
- Hardware vendor is the name of the vendor of the hardware of the device. In the details area, this parameter is called Vendor and is displayed on the General tab under Hardware.
- Hardware Model is the name of the device model. In the details area, this parameter is called Model and is displayed on the General tab under Hardware.
- Hardware version is the version number of the device hardware. In the details area, this parameter is called Version and is displayed on the General tab under Hardware.
- Software vendor is the vendor name of the device software. In the details area, this parameter is called Vendor and is displayed on the General tab under Software.
- Software name is the name of the device software. In the details area, this parameter is called Name and is displayed on the General tab under Software.
- Software version is the version number of the device software. In the details area, this parameter is called Version and is displayed on the General tab under Software.
- Network name is the name that represents the device on the network.
- Labels lists labels assigned to the device.
- EPP application is the short name of the EPP application installed on the device (if this application has communicated with Kaspersky Anti Targeted Attack Platform).
- EPP connection is the status of the connection of the Endpoint Agent component installed on the device to the integration server. The following statuses are possible:
- Active. Less than 24 hours have passed since the application last connected to the integration server.
- Inactive. Over 24 hours have passed since the application last connected to the integration server.
- N/A. The connection status is unknown.
- Last connection to EPP is the date of the last connection of the Endpoint Agent component to the integration server.
Viewing device information
To view device information:
- Select the Assets section in the application web interface window.
- Go to the Devices tab.
- Select the device for which you want to view information.
This opens a window containing information about the device.
This window can contain the following information:
- Device information:
- Security status is the security status of the device, which is determined by the existence of events related to the device. A device can have one of the following security states:
- Critical. The device has associated events that have an 8.0–10.0 severity score.
- Warning. The device has associated events that have a 4.0–7.9 severity score.
- OK. The device has associated events that have a 0.0–3.9 severity score, or the device has no associated events.
- Importance is the importance of the device to the organization. Importance is assigned to the device in accordance with its category. A device can have one of the following importance ratings:
- High. Assigned to devices of the Server category.
- Medium. Assigned to devices of the following categories: Network device, Workstation, Gateway, Storage system, Firewall, Switch, Virtual switch, Router, Virtual router, Wi-Fi, Historian server.
- Low. Assigned to devices of the following categories: Mobile device, Laptop, Printer, UPS, Network camera, or Other.
- Status is the device status that determines whether the device is allowed to be active on the corporate LAN. A device can have one of the following statuses:
- Authorized. This status is assigned to a device that is allowed to be active on the network.
- Unauthorized. This status is assigned to a device that is not allowed to be active on the network.
- Archived. This status is assigned to a device if it is no longer in use or must not be used on the network, or if the device has not been active for a long time (30 days or more) and information about this device has not been updated.
- Category is the name of the category that characterizes the functional purpose of the device.
- Network name is the name that represents the device on the network.
- Group is the name of the group in which the device is placed in the device group tree (contains the name of the group itself and the names of all its parent groups).
- The Main tab:
- Created is the date and time when the device was added to the table of devices.
- Last modified is the date and time when the device information was last modified.
- Last seen is the date and time of the last recorded activity of the device.
- Address information lists MAC and/or IP addresses of the device. If a device has multiple network interfaces, each network interface can have a different MAC and/or IP address.
- Hardware contains information about the hardware characteristics of the device.
- Software contains information about the software of the device.
- Endpoint Agent contains information about the Endpoint Agent component. This section is displayed if the Endpoint Agent component is installed on the device.
- EPP application contains information about the application that is being used in the role of an Endpoint Agent component.
- Router is the attribute that marks the device as a routing device.
If the application cannot determine the routing device attribute automatically, you must set the attribute manually. This attribute allows the application to use additional algorithms for detecting devices that interact with each other through a router.
- Public key is a public key for authenticating the device before establishing an SSH connection and scanning the device as part of security audit tasks.
- Additional information contains additional information about the device specified by the user of the application (for example, description of the physical location of the device).
- Custom fields is a set of non-standard information about the device, specified by the user of the application (for example, categories and protection classes of the device). Up to 16 custom fields can be specified for a device.
- Dynamic fields is a set of extended device information that is detected in traffic using the Device Information Detection method. A field is displayed if the application has detected extended information.
- Addresses tab:
- DHCP server is the DHCP server attribute.
This field displays Yes if the device has the DHCP server attribute.
- DHCP relay is the DHCP relay attribute.
This field displays Yes if the device has the DHCP relay attribute.
- Network interface <number> contains information about the network interface of the device.
- The Topology settings tab contains information about the last active polling of the device, as well as information about the links of the device with other nodes.
- The Equipment tab contains information about BIOS programs and CPUs of the device, the amount of free RAM and free local disk space, and USB devices and optical drives being used. Information is displayed if it was obtained using the hardware monitoring functionality.
- The Configurations tab contains information about obtained device configurations. Information is displayed if it was obtained by configuration monitoring tasks.
Automatically adding and updating devices
The application can automatically add devices to the table and update device information. To enable automatic adding and updating of devices in Kaspersky Anti Targeted Attack Platform, you must enable and configure the Device Activity Detection (AM) technology. If the technology is enabled, the application adds and updates device information using data obtained from network traffic and the integration with the Endpoint Agent component.
When adding a device, the application sets a default device name using the following template: Device <internal device counter value>. This internal counter value in the device name may not match the device ID that is displayed in the Device ID column.
The application can automatically update vendor information of network equipment based on the MAC addresses of devices. To identify vendors by MAC addresses, the application looks up the MAC addresses of devices in the ranges of addresses registered in the open database of the Institute of Electrical and Electronics Engineers (IEEE). If the vendor of the network equipment is identified by its MAC address, the application keeps the name from the IEEE database.
After installing the application, a copy of the IEEE database is used, which contains information about MAC addresses and vendors at the time when the current version of the application was released. You can keep your local copy of the IEEE database up to date by installing updates.
Manually adding devices
This section provides instructions on manually adding devices. You can manually add a new device to the table of devices. You must specify the MAC and/or IP address of the device that you want to add.
The MAC and IP addresses of the added device must be unique within the address space to which these addresses belong. If extra address spaces are added to the application, you can add devices with the same address to different address spaces.
Only users with the Senior security officer role can manually add devices.
After adding a device, you can add process monitoring settings for the device.
Adding a device while managing the table of devices
To add a device while managing the table of devices:
- Select the Assets section in the application web interface window.
- In the table of devices on the Devices tab, select the device for which you want to view information.
This opens a window containing information about the device.
- Click Add device.
- On the Settings tab, in the details area, specify your values in the device information fields.
- On the Address information tab, in the details area:
- In the DHCP server drop-down list, select Yes if the device is a DHCP server.
- In the DHCP relay drop-down list, select Yes if the device is a DHCP relay.
In learning mode, for devices that are DHCP servers and DHCP relays, these attributes are assigned automatically. You can disable automatic update of attributes (see step 6 of these instructions).
In monitoring mode, only users with the Senior security officer role can edit attributes.
- In the Address space drop-down list, select the address space to which you want the device to belong.
- In the MAC address field, enter the MAC address of the device.
- In the IP address drop-down list, select the IP address assignment type (static or dynamic), and enter the IP address of the device.
You can specify multiple IP addresses for the same network interface of a device. To create a list of IP addresses, do one of the following:
- If you want to add an IP address, click Add IP address.
- If you want to delete an IP address, click the delete icon to the right of the field with the IP address.
If the device has multiple network interfaces, create a list of the network interfaces:
- If you want to add a network interface, click Add interface below the settings of the last network interface.
- If you want to delete a network interface, click the delete icon to the right of the name of the network interface (if the device has two or more network interfaces).
- If you want to enter a different name for the network interface, click the edit icon to the right of the current name, and enter the new name in the displayed field.
- On the Settings and Address information tabs, in the details area, enable or disable automatic modification of certain elements of device information. To do so, click the corresponding icon next to the element.
If you disable automatic updating of a device's IP address, automatic updating of the IP address type (static or dynamic) and address space information is also disabled.
- On the Custom fields tab in the details area, create a list of custom fields, if necessary.
- Click Save.
This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with an icon.
A new device appears in the table of devices with the Authorized status.
Adding a device while managing the topology map
You can add a new device to the table of devices while managing the topology map.
To add a new device to the table of devices while managing the topology map:
- Select the Network map section in the application web interface window.
- Go to the Topology map tab.
- Click Add device.
- On the Settings tab, in the details area, specify your values in the device information fields.
- On the Address information tab, in the details area:
- In the DHCP server drop-down list, select Yes if the device is a DHCP server.
- In the DHCP relay drop-down list, select Yes if the device is a DHCP relay.
In learning mode, for devices that are DHCP servers and DHCP relays, these attributes are assigned automatically. You can disable automatic update of attributes (see step 6 of these instructions).
In monitoring mode, only users with the Senior security officer role can edit attributes.
- In the Address space drop-down list, select the address space to which you want the device to belong.
- In the MAC address field, enter the MAC address of the device.
- In the IP address drop-down list, select the IP address assignment type (static or dynamic), and enter the IP address of the device.
You can specify multiple IP addresses for the same network interface of a device. To create a list of IP addresses, do one of the following:
- If you want to add an IP address, click Add IP address.
- If you want to delete an IP address, click the delete icon to the right of the field with the IP address.
If the device has multiple network interfaces, create a list of the network interfaces:
- If you want to add a network interface, click Add interface below the settings of the last network interface.
- If you want to delete a network interface, click the delete icon to the right of the name of the network interface (if the device has two or more network interfaces).
- If you want to enter a different name for the network interface, click the edit icon to the right of the current name, and enter the new name in the displayed field.
- On the Settings and Address information tabs, in the details area, enable or disable automatic modification of certain elements of device information. To do so, click the corresponding icon next to the element.
If you disable automatic updating of a device's IP address, automatic updating of the IP address type (static or dynamic) and address space information is also disabled.
- On the Custom fields tab in the details area, create a list of custom fields, if necessary.
- Click Save.
This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with an icon.
A new device appears in the table of devices with the Authorized status.
Adding a device based on an unknown device node on the network interactions map
While managing the network interactions map, you can add a new device to the table of devices based on the node that represents the device that the application does not recognize.
To add an unrecognized device node to the table of devices:
- Select the Network map section in the application web interface window.
- On the Network interactions map tab, select the node representing the device that the application does not recognize.
The details area is displayed in the right part of the web interface window.
- Click Add to the devices table.
- On the Settings tab, in the details area, specify your values in the device information fields.
- On the Address information tab, in the details area:
- In the DHCP server drop-down list, select Yes if the device is a DHCP server.
- In the DHCP relay drop-down list, select Yes if the device is a DHCP relay.
In learning mode, for devices that are DHCP servers and DHCP relays, these attributes are assigned automatically. You can disable automatic update of attributes (see step 6 of these instructions).
In monitoring mode, only users with the Senior security officer role can edit attributes.
- In the Address space drop-down list, select the address space to which you want the device to belong.
- The IP address and MAC address fields are filled in automatically; we do not recommend changing these settings.
You can specify multiple IP addresses for the same network interface of a device. To create a list of IP addresses, do one of the following:
- If you want to add an IP address, click Add IP address.
- If you want to delete an IP address, click the delete icon to the right of the field with the IP address.
If the device has multiple network interfaces, create a list of the network interfaces:
- If you want to add a network interface, click Add interface below the settings of the last network interface.
- If you want to delete a network interface, click the delete icon to the right of the name of the network interface (if the device has two or more network interfaces).
- If you want to enter a different name for the network interface, click the edit icon to the right of the current name, and enter the new name in the displayed field.
- On the Settings and Address information tabs, in the details area, enable or disable automatic modification of certain elements of device information. To do so, click the corresponding icon next to the element.
If you disable automatic updating of a device's IP address, automatic updating of the IP address type (static or dynamic) and address space information is also disabled.
- On the Custom fields tab in the details area, create a list of custom fields, if necessary.
- Click Save.
This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with an icon.
A new device appears in the table of devices with the Authorized status. The node on the network interactions map that previously represented a device that the application did not recognize now represents a device that is known to the application.
Adding a device based on an unmanaged switch on the topology map
While managing the topology map, you can add a new device to the table of devices based on the node that represents an unmanaged switch.
To add an unmanaged switch node to the table of devices:
- Select the Network map section in the application web interface window.
- On the Network interactions map tab, select the node representing the unmanaged switch.
The details area is displayed in the right part of the web interface window.
- Click Add to the devices table.
- On the Settings tab, in the details area, specify your values in the device information fields.
- On the Address information tab, in the details area:
- In the DHCP server drop-down list, select Yes if the device is a DHCP server.
- In the DHCP relay drop-down list, select Yes if the device is a DHCP relay.
In learning mode, for devices that are DHCP servers and DHCP relays, these attributes are assigned automatically. You can disable automatic update of attributes (see step 6 of these instructions).
In monitoring mode, only users with the Senior security officer role can edit attributes.
- In the Address space drop-down list, select the address space to which you want the device to belong.
- In the MAC address field, enter the MAC address of the device.
- In the IP address drop-down list, select the IP address assignment type (static or dynamic), and enter the IP address of the device.
You can specify multiple IP addresses for the same network interface of a device. To create a list of IP addresses, do one of the following:
- If you want to add an IP address, click Add IP address.
- If you want to delete an IP address, click the delete icon to the right of the field with the IP address.
If the device has multiple network interfaces, create a list of the network interfaces:
- If you want to add a network interface, click Add interface below the settings of the last network interface.
- If you want to delete a network interface, click the delete icon to the right of the name of the network interface (if the device has two or more network interfaces).
- If you want to enter a different name for the network interface, click the edit icon to the right of the current name, and enter the new name in the displayed field.
- On the Settings and Address information tabs, in the details area, enable or disable automatic modification of certain elements of device information. To do so, click the corresponding icon next to the element.
If you disable automatic updating of a device's IP address, automatic updating of the IP address type (static or dynamic) and address space information is also disabled.
- On the Custom fields tab in the details area, create a list of custom fields, if necessary.
- Click Save.
This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with an icon.
A new device appears in the table of devices with the Authorized status. The node on the topology map that previously represented an unmanaged switch now represents a device that is known to the application.
Automatically assigning device status
When monitoring device activity, the application can automatically assign a status to discovered devices based on the obtained MAC and/or IP addresses of such devices. Status is assigned depending on the current asset management mode.
In learning mode, the application assigns the Authorized status to all devices (both new and previously added to the table), except for those devices that have had the Unauthorized status assigned previously.
In monitoring mode, the assigned status depends on whether the device that has exhibited activity is a device that the application knows or does not recognize. In this mode, status is assigned according to the following rules:
- If the device is new (it was absent from the device table at the time of discovery), this device is assigned the Unauthorized status.
- If the device is present in the table of devices with the Authorized or Unauthorized status, its status does not change.
- If a device is present in the table of devices with the Archived status, the device is assigned the Unauthorized status.
By default, if a device with the Authorized status has been inactive for more than 30 days and device information has not changed during this period, such a device is automatically assigned the Archived status. You can disable the automatic assignment of the Archived status when you change the device status manually (for example, to prevent the Authorized status from changing to Unauthorized for a device that rarely connects to the network).
When using connectors of the Cisco Switch type, network access of devices may be automatically restricted after these devices get the Unauthorized status. Take the configured settings of connectors of this type into account so that a status change does not block devices that must remain on the network.
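The status rules above, as an added Python example (this is a model written for this page, not code from Kaspersky Anti Targeted Attack Platform): a small device table with a learning and a monitoring mode, the default 30-day archiving rule, and a per-device switch for turning automatic archiving off. The MAC addresses and the timeline are constructed; the `auto_archive` flag is this example's own representation of the per-device setting the text mentions. `observe_activity` reports whether a status actually changed, which is the event worth reviewing in an environment where connectors enforce the Unauthorized status on the network.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Mode(Enum):
    LEARNING = "learning"
    MONITORING = "monitoring"


class Status(Enum):
    AUTHORIZED = "Authorized"
    UNAUTHORIZED = "Unauthorized"
    ARCHIVED = "Archived"


# Default inactivity window after which an Authorized device is archived.
ARCHIVE_AFTER = timedelta(days=30)


@dataclass
class Device:
    mac: str
    status: Status
    last_seen: datetime
    last_modified: datetime
    # Automatic archiving can be switched off when a status is set by hand (for a
    # device that rarely connects); modelled here as a per-device flag (assumption).
    auto_archive: bool = True


def status_on_activity(mode: Mode, current: Optional[Status]) -> Status:
    """Status a device receives when activity is observed.
    current is None for a device that is not yet in the table."""
    if mode is Mode.LEARNING:
        # Everything becomes Authorized, except devices already marked Unauthorized.
        return Status.UNAUTHORIZED if current is Status.UNAUTHORIZED else Status.AUTHORIZED
    # Monitoring mode.
    if current is None or current is Status.ARCHIVED:
        return Status.UNAUTHORIZED  # new device, or an archived one that has reappeared
    return current  # Authorized / Unauthorized are left as they are


def observe_activity(table: Dict[str, Device], mode: Mode, mac: str, now: datetime) -> Tuple[Status, bool]:
    """Apply observed activity for mac to the table. Returns (status, status_changed).
    A True second value is what an operator should review: with enforcing connectors
    configured, a change to Unauthorized can cut the device off the network."""
    dev = table.get(mac)
    new_status = status_on_activity(mode, dev.status if dev else None)
    if dev is None:
        table[mac] = Device(mac, new_status, now, now)
        return new_status, True
    changed = dev.status is not new_status
    dev.status = new_status
    dev.last_seen = now
    if changed:
        dev.last_modified = now
    return new_status, changed


def archive_stale(table: Dict[str, Device], now: datetime) -> List[str]:
    """Archive Authorized devices with neither activity nor information changes within ARCHIVE_AFTER."""
    archived: List[str] = []
    for dev in table.values():
        if (dev.status is Status.AUTHORIZED and dev.auto_archive
                and now - dev.last_seen > ARCHIVE_AFTER
                and now - dev.last_modified > ARCHIVE_AFTER):
            dev.status = Status.ARCHIVED
            dev.last_modified = now
            archived.append(dev.mac)
    return archived


def run_scenario() -> Dict[str, str]:
    """Walk the rules through a constructed timeline; returns mac -> final status name."""
    t0 = datetime(2024, 1, 1)
    table: Dict[str, Device] = {}
    # Learning mode: two devices appear; the second is then marked Unauthorized by hand.
    observe_activity(table, Mode.LEARNING, "00:11:22:00:00:01", t0)
    observe_activity(table, Mode.LEARNING, "00:11:22:00:00:02", t0)
    table["00:11:22:00:00:02"].status = Status.UNAUTHORIZED
    observe_activity(table, Mode.LEARNING, "00:11:22:00:00:02", t0)  # stays Unauthorized
    # A rarely connecting device whose automatic archiving was disabled.
    table["00:11:22:00:00:03"] = Device("00:11:22:00:00:03", Status.AUTHORIZED, t0, t0, auto_archive=False)
    # 45 days later, now in monitoring mode: the first device has been silent all along.
    t1 = t0 + timedelta(days=45)
    archive_stale(table, t1)                                              # archives :01, leaves :03 alone
    observe_activity(table, Mode.MONITORING, "00:11:22:00:00:01", t1)    # Archived -> Unauthorized
    observe_activity(table, Mode.MONITORING, "00:11:22:00:00:03", t1)    # Authorized stays Authorized
    observe_activity(table, Mode.MONITORING, "00:11:22:00:00:04", t1)    # brand new -> Unauthorized
    return {mac: dev.status.value for mac, dev in sorted(table.items())}


if __name__ == "__main__":
    for mac, status in run_scenario().items():
        print(mac, status)
```

The archiving check requires both the last activity and the last information change to be older than the window, matching the text's "inactive ... and device information has not changed during this period"; a device whose attributes were updated (for example by the Endpoint Agent integration) is therefore not archived even if no traffic from it was seen.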
Automatically grouping devices based on a criterion
This section contains instructions on how to automatically group devices based on a criterion. You can automatically group devices in the device group tree based on one of the following criteria:
- IP addresses belonging to subnets that are known to the application
- Device categories
- Device vendors
Only users with the Senior security officer role can automatically group devices.
Automatically grouping devices based on a criterion, starting from the root of the group tree
To automatically group devices based on a criterion, starting from the root of the group tree:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- In the Network map section, on the Network interactions map tab, click one of the following buttons for selecting a grouping criterion in the toolbar in the left part of the network interactions map display area:
- The button for grouping devices by subnet.
- The button for grouping devices by category.
- The button for grouping devices by vendor.
This opens a prompt window in which you can select a grouping option.
- To group devices by category and vendor based on address spaces, in the prompt window, select the Take into account the address spaces check box.
- Click one of the following buttons, depending on what you want to do:
- To group devices by subnets, click Group.
- To group devices by category and vendor based on address spaces in all groups of the device group tree, click With child groups.
- To group devices by category and vendor based on address spaces only at the top level of the device group tree hierarchy, click Selected only.
The application identifies devices that match the selected grouping criterion, creates groups for these devices, and arranges the devices into these groups.
Automatically grouping devices in a selected device group
To automatically group devices in a selected device group:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- In the Network map section, on the Network interactions map tab, select the group in which you want to automatically group devices.
- Right-click to open the context menu.
- In the context menu, select one of the following commands:
- Group by subnet.
- Group by category.
- Group by vendor.
This opens a prompt window in which you can select a grouping option.
- To group devices by category and vendor based on address spaces, in the prompt window, select the Take into account the address spaces check box.
- In the prompt window, click one of the following buttons, depending on what you want to do:
- To group devices by subnets, click Group.
- If you want to group devices by category or vendor in all child groups of the selected group, click With child groups.
- If you want to group devices by category or vendor only in the selected group, click Selected only.
The application identifies devices that match the selected grouping criterion, creates groups for these devices and arranges devices into these groups (devices in other groups are not affected).
Manually arranging devices into groups
This section contains instructions on how to manually manage the placement of devices in the group tree. Only users with the Senior security officer role can arrange devices in the group tree.
Adding a device to a group
To add an individual device to a group when managing the table:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the device in the Assets section on the Devices tab or in the Network map section.
In the Network map section, you can select the device to add to a group on the network interactions map as well as the topology map.
The details area is displayed in the right part of the web interface window.
- Click Edit.
- In the details area, go to the Settings tab.
- Click the icon in the right part of the Group field.
The Select group in tree window appears.
- In the device group tree, select the relevant group.
If the relevant group is not in the tree, you can add it in the currently displayed Select group in tree window.
- Click Select.
The path to the selected group appears in the Group field.
- Click Save in the details area.
This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with an icon.
Adding multiple devices to a group
You can add multiple devices to a group while managing the table of devices.
Also, when managing the network interactions map, you can add multiple known devices on the network interactions map to a group. You can select component servers either individually or as part of collapsed groups that include the required devices. When you select a collapsed group, all devices in child groups at all nesting levels also end up in the selection.
To add multiple devices to a group when managing the table:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Devices tab, select the devices that you want to add to a group.
- Right-click to open the context menu.
- In the context menu, select Group management → Move to group.
The Select group in tree window appears.
- In the device group tree, select the relevant group.
If the relevant group is not in the tree, you can add it in the currently displayed Select group in tree window.
- Click Select.
The path to the selected group appears in the Group column.
To add multiple devices to a group when managing the network interactions map:
- Use the web interface to connect to the Central Node with the Security officer or Senior security officer role.
- In the Network map section, on the Network interactions map tab, select the relevant component servers and/or collapsed groups.
To select multiple component servers and/or groups, do one of the following:
- Press and hold the SHIFT key, then use the mouse to select a rectangular area with the objects that you want to select.
- Press and hold the CTRL key and click every object that you want to select.
- Right-click to open the context menu.
- In the context menu, select Move to group.
The Select group in tree window appears.
- In the device group tree, select the relevant group.
If the relevant group is not in the tree, you can add it in the currently displayed Select group in tree window.
- Click Select.
The selected component servers are displayed inside the selected group.
Removing a device from a group
To remove an individual device from a group when managing the table:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the device in the Assets section on the Devices tab or in the Network map section.
In the Network map section, you can select devices to remove from a group on the network interactions map as well as the topology map.
The details area is displayed in the right part of the web interface window.
- Click Edit.
- In the details area, go to the Settings tab.
- In the Group field, delete the path to the group by clicking the
icon in the field (the icon is displayed if a group is defined).
- Click Save.
This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with the
icon.
After saving the changes for the device, its Group value is cleared and the device is assigned to the root level of the group tree.
Removing multiple devices from groups
You can remove multiple devices from groups while managing the table of devices. Devices selected for removal from groups can belong to the same group or to different groups.
Also, when managing the network interactions map, you can exclude from groups multiple known devices on the network interactions map. You can select component servers either individually or as part of collapsed groups that include the required devices. When you select a collapsed group, all devices in child groups at all nesting levels also end up in the selection.
To remove multiple devices from groups when managing the table:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Devices tab, select the devices that you want to remove from groups.
- Right-click to open the context menu.
- In the context menu, select Group management → Remove from groups.
This opens a confirmation prompt window.
- In the prompt window, confirm the removal of devices from groups.
For all selected devices, the Group value is cleared and these devices are assigned to the root level of the group tree.
To remove multiple devices from groups when managing the network interactions map:
- Use the web interface to connect to the Central Node with the Security officer or Senior security officer role.
- In the Network map section, on the Network interactions map tab, select the component servers in expanded groups and/or collapsed groups.
To select multiple component servers and/or groups, do one of the following:
- Press and hold the SHIFT key, then use the mouse to select a rectangular area with the objects that you want to select.
- Press and hold the CTRL key and click every object that you want to select.
- Right-click to open the context menu.
- In the context menu, select Remove from group.
This opens a confirmation prompt window.
- In the prompt window, confirm the removal of devices from groups.
For all selected devices, the Group value is cleared and these devices are displayed outside of groups.
Moving servers with components and groups to other groups on the network interactions map
You can rearrange component servers and groups in the device group tree by dragging and dropping objects on the network interactions map. The location of moved component servers and groups in the device group tree changes in the same way as when you add devices to a group or remove devices from groups.
Only users with the Senior security officer role can move component servers and groups to other groups.
To move component servers and/or groups to other groups:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- In the Network map section, on the Network interactions map tab, select the relevant component servers and/or collapsed groups.
To select multiple component servers and/or groups, do one of the following:
- Press and hold the SHIFT key, then use the mouse to select a rectangular area with the objects that you want to select.
- Press and hold the CTRL key and click every object that you want to select.
- Point to one of the selected objects (a group or a component server).
- Press and hold the CTRL key and drag the selected objects to the group you want (or to any space outside the groups if you want to move the selected objects to the top hierarchy level of the group tree).
A window with a confirmation prompt opens.
- In the prompt window, confirm the movement of the selected objects.
Device group tree
The purpose of the device group tree is to arrange devices in accordance with their function, location, or any other arbitrary attribute. Devices can be arranged into groups manually or automatically (by their IP addresses belonging to subnets, by category, or by vendor).
If a device is not included in any of the groups, such a device belongs to the top level of the group tree. Devices automatically added to the table are not included in any group by default.
You can see which groups devices belong to when viewing the device table. Paths to groups are indicated in the Group column. Device groups are also displayed on the network interactions map, however, devices belonging to these groups may not be displayed if they do not satisfy the filtering criteria for objects on the network interactions map.
Manually editing the device group tree
You can edit the device group tree when managing the device table, the network interactions map, and the topology map. Tree creation functions are available in the Create group tree or Select group in tree window.
Only users with the Senior security officer role can create the device group tree.
To use the device group tree editing functionality:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- In the Assets section on the Devices tab or in the Network map section, do one of the following:
- Open the Create group tree window by clicking Configure groups.
The Configure groups button in the Assets section is available in the Group management drop-down list in the toolbar.
The Configure groups button in the Network map section is only available on the Network interactions map tab.
- Open the Select group in tree window while adding devices to groups. You can also open this window when filtering the table of devices by the Group column.
Any changes made to the device group tree in the Create group tree or Select group in tree window are applied immediately.
This section provides instructions on using the features for generating a device group tree.
Adding a group
To add a group to the device group tree:
- In the Create group tree or Select group in tree window, add a new group in one of the following ways:
- If the tree is empty and you want to add the first group, click Add or press either INSERT or ENTER.
- If you want to add a group at the same hierarchy level as an existing group, select that group and press ENTER.
- If you want to add a child group to an existing group, select this group and click Add or press INSERT.
- Enter a name for the group in the text box.
You can use letters, numbers, the space character, and the following special characters:
! @ # № $ % ^ & ( ) [ ] { } ' , . - _ /
The group name must satisfy the following requirements:
- Begins and ends with any character other than a space.
- Contains up to 255 characters.
- Is not the same as the name of another group under the same parent group (case-insensitive).
- Click the
icon to the right of the text box.
Renaming a group
To rename a group in the device group tree:
- In the Create group tree or Select group in tree window, select the group that you want to rename.
- Click Rename or press F2.
- Enter the new name for the group in the text box.
You can use letters, numbers, the space character, and the following special characters:
! @ # № $ % ^ & ( ) [ ] { } ' , . - _ /
The group name must satisfy the following requirements:
- Begins and ends with any character other than a space.
- Contains up to 255 characters.
- Is not the same as the name of another group under the same parent group (case-insensitive).
- Click the
icon to the right of the text box.
The new group name is displayed in device information for devices that are added to this group or to its child groups.
Deleting groups
Deleting a group does not delete devices added to the group. Devices from a deleted group are moved to the same hierarchy level in the device tree as the deleted group.
To delete a group from the device group tree:
- In the Create group tree or Select group in tree window, select the group that you want to delete.
- Click the
icon.
This opens a prompt window in which you can select a deletion option.
- In the prompt window, click one of the following buttons, depending on what you want to do:
- If you want to delete only the selected group and keep its child groups, click Selected only.
- If you want to delete the selected group together with all of its child groups, click With child groups.
This opens a confirmation prompt window.
- In the prompt window, click OK.
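The group-name rules and the two deletion options above map onto a small tree model. The following is an added example written for this section, not code from Kaspersky Anti Targeted Attack Platform: the data structures, the "/" path separator, and the handling of a promoted child group whose name clashes with a group already at the parent level are assumptions; the name requirements, the "Selected only" / "With child groups" behaviour, and the rule that devices from a deleted group move to the deleted group's level come from the text.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Optional

# Characters the text permits in group names in addition to letters, digits and spaces.
GROUP_NAME_SPECIALS = set("!@#№$%^&()[]{}',.-_/")
MAX_GROUP_NAME_LENGTH = 255


def validate_group_name(name: str, sibling_names: List[str]) -> Optional[str]:
    """Return None if the name is acceptable, otherwise the reason it is rejected."""
    if not 1 <= len(name) <= MAX_GROUP_NAME_LENGTH:
        return "the name must contain 1 to 255 characters"
    if name[0] == " " or name[-1] == " ":
        return "the name must not begin or end with a space"
    for ch in name:
        if not (ch.isalnum() or ch == " " or ch in GROUP_NAME_SPECIALS):
            return f"the character {ch!r} is not allowed"
    if name.casefold() in {s.casefold() for s in sibling_names}:
        return "another group with this name exists under the same parent (case-insensitive)"
    return None


@dataclass
class Group:
    """One node of the device group tree; the root node is the top level (no group)."""
    name: str
    parent: Optional["Group"] = None
    children: List["Group"] = field(default_factory=list)
    devices: List[str] = field(default_factory=list)  # names of devices assigned here

    def path(self) -> str:
        """Path as shown in the Group column; the '/' separator is an assumption."""
        parts: List[str] = []
        node = self
        while node is not None and node.parent is not None:
            parts.append(node.name)
            node = node.parent
        return "/".join(reversed(parts))

    def descendants(self) -> Iterator["Group"]:
        for child in self.children:
            yield child
            yield from child.descendants()


def add_group(parent: Group, name: str) -> Group:
    """Add a child group (the Add button / INSERT key)."""
    reason = validate_group_name(name, [c.name for c in parent.children])
    if reason:
        raise ValueError(reason)
    group = Group(name, parent)
    parent.children.append(group)
    return group


def rename_group(group: Group, new_name: str) -> None:
    """Rename a group (the Rename button / F2); the group's own name is not a clash."""
    siblings = [c.name for c in group.parent.children if c is not group]
    reason = validate_group_name(new_name, siblings)
    if reason:
        raise ValueError(reason)
    group.name = new_name


def delete_group(group: Group, with_child_groups: bool) -> None:
    """Delete a group with either option from the prompt window.

    'Selected only' (with_child_groups=False) keeps the child groups and moves them up
    one level; 'With child groups' removes the whole subtree. Devices are never deleted:
    they move to the level of the deleted group. Assumption: devices of removed child
    groups land on that same level, and a promoted child whose name clashes with a
    group already at that level is rejected before anything is changed.
    """
    parent = group.parent
    if with_child_groups:
        promoted: List[Group] = []
        moved_devices = group.devices + [d for g in group.descendants() for d in g.devices]
    else:
        promoted = list(group.children)
        moved_devices = list(group.devices)
        level_names = [c.name for c in parent.children if c is not group]
        for child in promoted:
            if validate_group_name(child.name, level_names):
                raise ValueError(f"cannot move {child.name!r} up: name clash at parent level")
            level_names.append(child.name)
    parent.children.remove(group)
    for child in promoted:
        child.parent = parent
        parent.children.append(child)
    parent.devices.extend(moved_devices)
```

Because the tree is edited in place and changes are applied immediately (as the text notes), every check runs before any mutation so that a rejected operation leaves the tree exactly as it was.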
Moving a group
To move a group in the device group tree:
- In the Create group tree or Select group in tree window, select the group that you want to move.
- Use the arrow icons or the corresponding shortcuts (ALT+↓, ALT+↑, ALT+←, ALT+→) to move the group relative to other elements of the tree. If an operation cannot be performed, the icon of that operation is not available.
Searching for groups
You can find relevant groups in the device group tree by using the Search groups field in the Create group tree or Select group in tree window. The device group tree displays groups that match the search conditions. For child groups, their parent groups are also displayed.
Updating the tree
The makeup of the device group tree may be modified on the Central Node while you are managing the tree (for example, by another user who has connected to the Central Node).
You can manually update the tree by clicking the icon in the Create group tree or Select group in tree window.
Adding and removing device labels
This section provides instructions on how to add or remove device labels. The labels you add to devices can be arbitrary.
A device label contains a text description that allows you to quickly find or filter devices in the table. You can save any text descriptions that you find convenient as labels. A device can have up to 16 labels. Each device can have its own set of labels.
Lists of device labels are displayed in the devices table in the Labels column. Labels in a cell are sorted alphabetically.
Only users with the Senior security officer role can add or remove device labels.
Adding labels to an individual device
To add a label to one device:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the device in the Assets section on the Devices tab or in the Network map section.
In the Network map section, you can select a device for adding a label on the network interactions map as well as the topology map.
The details area is displayed in the right part of the web interface window.
- Click Edit.
- In the details area, go to the Settings tab.
- In the Labels field, enter the text descriptions that you want to use as labels. To separate the labels, press ENTER to start a new line or use the semicolon character (;).
You can use uppercase and lowercase letters, numbers, the space character, and the following special characters:
! @ # № $ % ^ & ( ) [ ] { } ' , . - _
The label name must satisfy the following requirements:
- Begins and ends with any character other than a space.
- Is unique in the list of that device's labels (case-insensitive).
- Contains 1 to 255 characters.
- If necessary, click Copy labels to copy the list of labels. The link is displayed if the list of labels is not empty.
- Click Save.
This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with the
icon.
Adding labels to multiple devices
You can add labels to multiple devices while managing the table of devices.
Also, when managing the network interactions map and the topology map, you can add labels to devices known to the application, represented by nodes on the maps. You can select nodes either individually or as part of collapsed groups that include the required devices. When you select a collapsed group, all devices in child groups at all nesting levels also end up in the selection.
To add labels to multiple devices while managing the table:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Devices tab, select the devices to which you want to add labels.
- Right-click one of the selected devices to open the context menu.
- In the context menu, select Add labels.
This opens the Add labels window.
- In the Labels field, enter the text descriptions that you want to use as labels. To separate the labels, press ENTER to start a new line or use the semicolon character (;).
You can use uppercase and lowercase letters, numbers, the space character, and the following special characters:
! @ # № $ % ^ & ( ) [ ] { } ' , . - _
The label name must satisfy the following requirements:
- Begins and ends with any character other than a space.
- Is unique in the list of that device's labels (case-insensitive).
- Contains 1 to 255 characters.
- If necessary, click Copy labels to copy the list of labels. The link is displayed if the list of labels is not empty.
- If you want to clear the current lists of labels for selected devices and provide only new labels for these devices, select the Delete existing check box.
If the Delete existing check box is cleared, the current list of labels remains on each device and the new labels are appended to the lists of labels on all selected devices. For some of the selected devices, this may cause the total number of labels to exceed the limit (up to 16 labels for each device). The application checks the limit before adding new labels.
- Click OK.
The button is not available if the names of entered labels do not meet the requirements, or if the list of labels is empty while the Delete existing check box is cleared.
To add labels to multiple devices while managing the maps:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Network map section.
- On the Network interactions map or Topology map tab, select the relevant nodes of known devices and/or collapsed groups.
To select multiple nodes and/or groups, do one of the following:
- Press and hold the SHIFT key, then use the mouse to select a rectangular area with the objects that you want to select.
- Press and hold the CTRL key and click every object that you want to select.
- Right-click one of the selected objects to open the context menu.
- In the context menu, select Add labels.
This opens the Add labels window.
- In the Labels field, enter the text descriptions that you want to use as labels. To separate the labels, press ENTER to start a new line or use the semicolon character (;).
You can use uppercase and lowercase letters, numbers, the space character, and the following special characters:
! @ # № $ % ^ & ( ) [ ] { } ' , . - _
The label name must satisfy the following requirements:
- Begins and ends with any character other than a space.
- Is unique in the list of that device's labels (case-insensitive).
- Contains 1 to 255 characters.
- If necessary, click Copy labels to copy the list of labels. The link is displayed if the list of labels is not empty.
- If you want to clear the current lists of labels for selected devices and provide only new labels for these devices, select the Delete existing check box.
If the Delete existing check box is cleared, the current list of labels remains on each device and the new labels are appended to the lists of labels on all selected devices. For some of the selected devices, this may cause the total number of labels to exceed the limit (up to 16 labels for each device). The application checks the limit before adding new labels.
- Click OK.
The button is not available if the names of entered labels do not meet the requirements, or if the list of labels is empty while the Delete existing check box is cleared.
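The three label procedures above share one set of rules: how the Labels field is split, what a label may contain, the 16-label limit, and what the Delete existing check box changes. The following is an added example that implements those rules; it is not code from Kaspersky Anti Targeted Attack Platform. Two points are assumptions because the text does not settle them: an entry with surrounding spaces is rejected rather than trimmed (only completely empty entries, such as a trailing semicolon, are ignored), and a new label that already exists on the device (case-insensitively) is skipped rather than duplicated.

```python
from typing import List, Optional

MAX_LABELS_PER_DEVICE = 16
MAX_LABEL_LENGTH = 255
# Characters the text permits in labels in addition to letters, digits and spaces (no '/').
LABEL_SPECIALS = set("!@#№$%^&()[]{}',.-_")


def validate_label(label: str, others: List[str]) -> Optional[str]:
    """Return None if the label is acceptable, otherwise the reason it is rejected."""
    if not 1 <= len(label) <= MAX_LABEL_LENGTH:
        return "a label must contain 1 to 255 characters"
    if label[0] == " " or label[-1] == " ":
        return "a label must not begin or end with a space"
    for ch in label:
        if not (ch.isalnum() or ch == " " or ch in LABEL_SPECIALS):
            return f"the character {ch!r} is not allowed in a label"
    if label.casefold() in {o.casefold() for o in others}:
        return "a label must be unique within the device's list (case-insensitive)"
    return None


def parse_labels_field(text: str) -> List[str]:
    """Split the Labels field on newlines and semicolons and validate every entry.

    Assumption: completely empty entries (trailing ';', blank line) are ignored, while
    entries with surrounding spaces are rejected by validate_label, not trimmed.
    """
    labels: List[str] = []
    for line in text.splitlines():
        for piece in line.split(";"):
            if piece == "":
                continue
            reason = validate_label(piece, labels)
            if reason:
                raise ValueError(f"{piece!r}: {reason}")
            labels.append(piece)
    return labels


def apply_labels(current: List[str], field_text: str, delete_existing: bool) -> List[str]:
    """Compute a device's new label list as the Add labels window would.

    An empty field is only acceptable together with Delete existing; the 16-label
    limit is checked before anything is added; the result is sorted alphabetically,
    which is how the Labels column displays it.
    """
    new_labels = parse_labels_field(field_text)
    if not new_labels and not delete_existing:
        raise ValueError("enter at least one label or select Delete existing")
    result = [] if delete_existing else list(current)
    known = {lbl.casefold() for lbl in result}
    for label in new_labels:
        if label.casefold() in known:   # assumption: already present, not duplicated
            continue
        result.append(label)
        known.add(label.casefold())
    if len(result) > MAX_LABELS_PER_DEVICE:
        raise ValueError(f"{len(result)} labels would exceed the limit of {MAX_LABELS_PER_DEVICE}")
    return sorted(result, key=str.casefold)


def ok_button_enabled(current: List[str], field_text: str, delete_existing: bool) -> bool:
    """True when the window's OK button would be available for this input.
    Assumption: the per-device limit check is folded into the same decision."""
    try:
        apply_labels(current, field_text, delete_existing)
    except ValueError:
        return False
    return True
```

Run `apply_labels` once per selected device: with Delete existing cleared, a device that already carries 15 labels rejects a two-label addition while a device with 3 labels accepts it, which is exactly the per-device limit situation the text warns about.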
Removing labels from an individual device
To remove a label from one device:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the device in the Assets section on the Devices tab or in the Network map section.
In the Network map section, you can select a device for removing a label on the network interactions map as well as the topology map.
The details area is displayed in the right part of the web interface window.
- Click Edit.
- In the details area, go to the Settings tab.
- In the Labels field, delete the labels that you no longer need:
- Click the
icon next to the label names if you want to remove individual labels.
- If you want to delete all labels, use the
icon on the right side of the Labels field.
- Click the
- Click Save.
This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with the
icon.
Clearing the lists of labels for multiple devices
You can clear the lists of labels for multiple devices while managing the table of devices.
Also, when managing the network interactions map and the topology map, you can clear the lists of labels for devices known to the application, represented by nodes on the maps. You can select nodes either individually or as part of collapsed groups that include the required devices. When you select a collapsed group, all devices in child groups at all nesting levels also end up in the selection.
To clear the lists of labels for multiple devices while managing the table:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Devices tab, select the devices for which you want to clear the lists of labels.
- Right-click one of the selected devices to open the context menu.
- In the context menu, select Add labels.
This opens the Add labels window.
- Select the Delete existing check box.
- Click OK.
To clear the lists of labels for multiple devices while managing the maps:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Network map section.
- On the Network interactions map or Topology map tab, select the relevant nodes of known devices and/or collapsed groups.
To select multiple nodes and/or groups, do one of the following:
- Press and hold the SHIFT key, then use the mouse to select a rectangular area with the objects that you want to select.
- Press and hold the CTRL key and click every object that you want to select.
- Right-click one of the selected objects to open the context menu.
- In the context menu, select Add labels.
This opens the Add labels window.
- Select the Delete existing check box.
- Click OK.
Group response
To create a task for a group of devices:
- Select the Assets section in the application web interface window.
- Go to the Devices tab.
- Select the devices for which you want to create a common task.
If too many devices are listed, you can apply filters to display devices that you need. For example, you can find devices with certain labels or devices that belong to certain groups.
- In the Response menu, select a task type.
This opens the task creation window.
- Specify task settings depending on its type:
- Click Save.
The task is created.
Monitoring users on devices
Kaspersky Anti Targeted Attack Platform can monitor user accounts on devices known to the application. When monitoring users, the application automatically gets information about user accounts registered in the operating systems of the devices. Based on this information, the application generates user tables.
The application monitors all user accounts on devices except for some local system accounts that only operating system services can use. For example, the application does not monitor the LocalSystem and NetworkService accounts on Windows devices.
To use the user monitoring functionality, Asset Management methods must be enabled to detect device activity and device information. These methods must be enabled on all servers with application components from which information is received.
User monitoring is based on information received from the following types of sources:
- Telemetry (Endpoint Agent)
Information about devices and the processes running on these devices is received when the Endpoint Agent component is integrated with the NDR functionality.
- External source
Information is received from systems that use the Kaspersky Anti Targeted Attack Platform API NDR and send information about users to Kaspersky Anti Targeted Attack Platform.
Sources are listed in order of decreasing priority of the information coming in from them. The application processes information about users in accordance with the priority of the received information: user information from a higher-priority source may override information from other sources. The application also automatically removes a user from the table if information about that user was obtained from an External source but the user is missing from new information received from that source.
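The priority and removal rules above can be stated as a small reconciliation step. The following is an added example, not code from Kaspersky Anti Targeted Attack Platform: the record fields are a subset of the table columns listed further below, keying records on the device and SID is an assumption, and the example treats each batch from a source as a complete snapshot for the devices it mentions (the text does not say how batches are scoped). The two excluded account names are the ones the text gives; the real exclusion list is longer. All SIDs and timestamps in the test are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Set, Tuple

# Sources in decreasing order of priority, as listed in the text.
SOURCE_PRIORITY = ["Telemetry (Endpoint Agent)", "External source"]
# Local system accounts the text names as not monitored; the real list is longer.
EXCLUDED_ACCOUNTS = {"LocalSystem", "NetworkService"}

UserKey = Tuple[str, str]  # (device, SID); keying on the SID is an assumption


@dataclass
class UserRecord:
    device: str
    user_name: str
    sid: str
    account_enabled: bool
    data_received: str   # ISO 8601 timestamp, constructed
    origin: str = ""     # filled in by reconcile_users


def reconcile_users(table: Dict[UserKey, UserRecord],
                    incoming: Iterable[UserRecord],
                    source: str) -> Dict[UserKey, UserRecord]:
    """Merge one batch of account information from `source` into the user table.

    Rules from the text: excluded system accounts are skipped; an existing record is
    overwritten only by data from a source of equal or higher priority; after an
    External source batch, users previously learned from that source but absent from
    the batch are removed. Assumption: a batch is a full snapshot for the devices it
    mentions, so users on devices not in the batch are left alone.
    """
    if source not in SOURCE_PRIORITY:
        raise ValueError(f"unknown source {source!r}")
    rank = SOURCE_PRIORITY.index(source)
    updated = dict(table)
    seen: Set[UserKey] = set()
    devices_in_batch: Set[str] = set()
    for rec in incoming:
        devices_in_batch.add(rec.device)
        if rec.user_name in EXCLUDED_ACCOUNTS:
            continue
        key = (rec.device, rec.sid)
        seen.add(key)
        current = updated.get(key)
        if current is None or SOURCE_PRIORITY.index(current.origin) >= rank:
            updated[key] = replace(rec, origin=source)
    if source == "External source":
        for key, rec in list(updated.items()):
            if (rec.origin == "External source"
                    and rec.device in devices_in_batch
                    and key not in seen):
                del updated[key]
    return updated
```

The Origin column of the resulting table tells you which source's view of an account you are looking at, which matters when the two sources disagree about, for example, whether an account is enabled.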
You can view information about users in the Assets section on the Users tab.
When viewing the table of users, you can configure, filter, search, and sort users, as well as navigate to related items. The table of all users can contain up to 200,000 users.
The application displays the following information about device users in the table and in the details area of the selected user:
- User ID is the user ID assigned in Kaspersky Anti Targeted Attack Platform.
- User name is the name of the user account without the domain name or host name of the device.
- Full name is the name of the user account with the domain name or host name of the device.
- Groups lists names of user groups of which the user is a member.
- Device is the name and address of the device.
- Origin is the source of information about the user.
- SID is the user's security ID.
- Account status is the status corresponding to the received value for enabling or disabling the account.
- Lock is the status corresponding to the received value of the account blocking setting.
- Change password at next logon is an attribute that reflects whether the user must change the password at next logon.
- Block password change by user is an attribute that reflects whether the user is prohibited from changing the user's own password.
- Password validity period is the status corresponding to the received value of the setting that enables or disables the validity period limit for the user's password.
- Data received is the date and time when the information about the user account was last received.
- Description is the description specified for the user account.
When monitoring users, the application registers events using the Asset Management technology. Events are registered with system event type code 4000005600. Events are registered when user accounts are automatically added, modified, or deleted on devices.
You can edit the available settings of event types.
Monitoring file execution on devices
Kaspersky Anti Targeted Attack Platform can monitor file execution on devices known to the application. File execution is monitored based on information received from EPP applications. Based on this information, the application generates a table of executable files.
To automatically get information about file execution from EPP applications, the following conditions must be satisfied:
- Endpoint Agent must be installed on the devices.
- Asset Management methods must be enabled to detect device activity and device information.
For the table of executable files, the following restrictions on the number of items and storage durations apply:
- The total number of executable files may not exceed 100,000.
If the maximum number of executable files is reached, the application automatically removes 10% of the oldest entries.
- The maximum storage duration of an executable file before information about its execution is received again is 90 days.
If new information about file execution is not received before the maximum storage duration expires, the application automatically removes the entry of this file.
If necessary, users with the Administrator role can delete executable files manually.
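The two housekeeping rules for the executable files table (the 100,000-entry limit with removal of the oldest 10%, and the 90-day storage duration counted from the last execution report) are simple enough to model directly. The following is an added example, not code from Kaspersky Anti Targeted Attack Platform: entries are keyed by file ID and a repeated report for a known file only refreshes its Data received timestamp (assumptions), and the sample table, reference time, paths and hashes are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

MAX_EXECUTABLE_FILES = 100_000   # table limit from the text
MAX_STORAGE_DAYS = 90            # retention without a new execution report
PURGE_PERCENT = 10               # share of the oldest entries dropped at the limit

SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, 0)  # constructed reference time


@dataclass
class ExecutableFile:
    file_id: str
    device: str
    path: str
    sha256: str
    data_received: datetime   # when execution information was last received


def expire_stale(files: Dict[str, ExecutableFile], now: datetime) -> List[str]:
    """Remove entries with no execution report for more than 90 days; return their IDs."""
    cutoff = now - timedelta(days=MAX_STORAGE_DAYS)
    stale = [fid for fid, f in files.items() if f.data_received < cutoff]
    for fid in stale:
        del files[fid]
    return stale


def enforce_limit(files: Dict[str, ExecutableFile],
                  limit: int = MAX_EXECUTABLE_FILES) -> List[str]:
    """Once the table holds `limit` entries, drop the oldest 10%; return their IDs."""
    if len(files) < limit:
        return []
    count = len(files) * PURGE_PERCENT // 100
    oldest = sorted(files.values(), key=lambda f: f.data_received)[:count]
    removed = [f.file_id for f in oldest]
    for fid in removed:
        del files[fid]
    return removed


def record_execution(files: Dict[str, ExecutableFile], report: ExecutableFile,
                     now: datetime, limit: int = MAX_EXECUTABLE_FILES) -> List[str]:
    """Apply one execution report from an EPP application plus both housekeeping rules.
    Assumption: entries are keyed by file ID and a repeated report refreshes the timestamp."""
    removed = expire_stale(files, now)
    if report.file_id in files:
        files[report.file_id].data_received = report.data_received
    else:
        files[report.file_id] = report
    removed += enforce_limit(files, limit)
    return removed


def sample_table(ages_in_hours: List[int],
                 now: datetime = SAMPLE_NOW) -> Dict[str, ExecutableFile]:
    """Constructed sample data: one entry per age, IDs f0000, f0001, ... in list order."""
    files: Dict[str, ExecutableFile] = {}
    for i, hours in enumerate(ages_in_hours):
        fid = f"f{i:04d}"
        files[fid] = ExecutableFile(fid, "ws-01", f"C:\\constructed\\app{i}.exe",
                                    "0" * 64, now - timedelta(hours=hours))
    return files
```

The practical consequence for an analyst: an entry's absence from the table means only that no execution was reported in the last 90 days or that the entry was among the oldest when the limit was hit, not that the file was never run.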
To view the table of executable files:
- Select the Assets section in the application web interface window.
- Go to the Executable files tab.
The table of executable files is displayed.
When viewing the table of executable files, you can configure, filter, search, and sort the files, as well as navigate to related items.
The table displays the following information:
- File ID is the file ID assigned in Kaspersky Anti Targeted Attack Platform.
- Device is the name and address of the device.
- Name is the name and version of the application, or the file name.
- Data received is the date and time when the information about the file was last received.
- Product is the name of the software product saved in the operating system of the device.
- Product version is the version of the software product saved in the operating system of the device.
- Vendor is the name of the vendor of the application.
- Path is the full path to the file.
- File size is the amount of disk space occupied by the file.
- MD5 hash is the checksum of the file calculated using the MD5 hashing algorithm.
- SHA256 hash is the checksum of the file calculated using the SHA256 hashing algorithm.
- Signature is the result of verifying the digital signature of the file: Valid (if the digital signature was verified successfully) or Invalid (for example, if the certificate has expired).
- Created is the date and time when the file was created.
- Changed is the date and time the file was last modified.
- Origin is the source of information about the file.
- Attributes is the list of file attributes.
- Description is the description set for the file.
Active device polling jobs
Using the active polling jobs, you can conduct a security audit of monitored devices in terms of receiving accurate and complete information about devices and their configurations directly from the devices themselves. Active polling is achieved using connectors. To actively poll devices, you need to add one or more Active poll connectors to the application.
Connectors provide different active polling methods. Active polling methods stipulate the protocols as well as commands and functions of these protocols. The built-in Active poll connector type contains a set of methods that support active polling over application-layer protocols as well as general-purpose protocols. Kaspersky Anti Targeted Attack Platform supports the following methods for active polling of devices:
- Polling via ARP (only for computers with the kernel version 4.3 or later)
- Polling via SMB
- Polling via SNMP
- Polling via SSH
- Polling via WinRM HTTP
- Polling via WinRM HTTPS
- Polling via WMI
The methods let you get different sets of device information. You can select the information that you need and the methods to be used when configuring active polling.
Some methods use secrets to connect to devices. Device connections are made using credentials from secrets added to the application.
Using appropriate methods, the application can automatically update the following device information based on active polling results:
- Name that represents the device in the application
- Name that represents the device on the network (network name)
- Vendor name of the device hardware
- Model name of the device
- Version number of the device hardware
- Vendor name of the device software
- Name of the device software
- Version number of the device software
- Address information for network interfaces of the device
- Name of the operating system installed on the device (only for devices running Windows and Linux operating systems)
For a list of operating systems supported by the application for actively polling devices, see the Appendix.
The application does not update data for which the automatic update function was disabled using the Autoupdate toggle button when the device was added or when device information was edited. The application also evaluates the accuracy of received device information and in some cases may not update previously received information.
Some active polling methods support detecting risks and modifying the topology map with the obtained device information.
You can manually run security audit jobs or configure a schedule to automatically run each job. Only users with the Senior security officer role can run active polling jobs.
When using the active polling functionality, you must keep in mind the following special considerations and limitations:
- The functionality becomes available after adding a license key.
- Application modules of connectors that are used for actively polling devices need network access to the devices to send requests to and receive data from them. If the application modules are running on the host with installed application components, this computer must have a network interface connected to the network of the devices to be polled. Network interfaces of monitoring points cannot be used for this purpose if these network interfaces receive mirrored corporate LAN traffic (for example, from SPAN ports of network switches).
- Unexpected problems may arise when actively polling devices if these devices misinterpret the commands of the active poll. The problems may be caused by misconfiguration or a highly specialized configuration of devices. Problems can also arise due to hidden errors in the network configuration that do not manifest during normal communication of devices. Therefore, active polling of a device involves the risk of the following potential consequences:
- The device powering off
- Connectivity being lost with the device
- Complete or partial device malfunction
- Slower-than-normal operation
- Other potential faults of the network and equipment
Adding active polling job
For devices known to the application, you can add active polling jobs.
Only users with the Senior security officer role can add active polling jobs. Adding active polling jobs is available after adding a license key.
The active polling job is configured using the Wizard. The wizard lets you configure the job step by step. After completing the configuration, you can wait until the scanning begins on schedule or start the job manually.
When adding an active polling job, you can invoke the Configuration Wizard in the following ways:
- Adding a job with blank settings. To do this:
- Select the Assets section.
- On the Active polling tab, click Add job.
The settings of the configuration wizard do not have default values.
- Adding a job for selected devices. To do this:
- Select the Assets section.
- On the Devices tab, select the devices for which you want to add an active polling job. You can select no more than 100 devices.
- In the toolbar above the devices table, open the Create job drop-down list and select Active polling.
By default, a list of devices made up of the selected devices is created in the settings of the configuration wizard.
To configure the job in the window of the configuration wizard:
- Read the active polling considerations in the warning window, and confirm that you accept the risks associated with using the active polling module.
- In the Select devices section of the Wizard, create a list of devices for which you want to perform active polling. Select up to 100 devices.
You can create a list of devices using the Add to job and Delete from job buttons. To add a device, the application opens a window with the device selection table. You can filter and sort the table to display the devices that you need.
- In the Select parameters section of the wizard, select the check boxes for the specific device information that you want to update using active polling. You can also enable risk detection (the Risks check box) and discovery of topology settings for devices (the Topology settings check box).
- In the Select methods section of the wizard, do the following:
- Select an active polling module.
- Select the check boxes for the specific methods that you want to use for getting device information, risk detection, and/or reading topology settings.
Methods that can be used are grouped by connectors that provide the ability of actively polling devices. The list contains only methods that support getting the selected information. If a connector cannot be used to actively poll the selected devices, the available methods are not displayed for this connector (for example, if the connector is disabled or an address space that does not contain the addresses of the selected devices is selected for the connector).
- Configure the methods for each connector as needed. For example, for Polling via SSH, specify a port and a credentials secret.
If a secret with the required credentials has not been added to the application, you can open a new tab in the browser without closing the Configuration Wizard window, connect to the Server and add the secret, and then use the button in the Configuration Wizard window to refresh the list of secrets.
We do not recommend using the same secret for active polling of devices on the network because this negatively affects the level of information security.
Methods that require configuring settings are highlighted in red. To update the settings, click the button to the right of the desired method.
- In the Job configuration section of the wizard, configure the rest of the job settings:
- Enter a name and description for the job.
You can use letters, numerals, spaces, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } / \ : ; , . - _
The name of the job must begin and end with any valid character other than a space. The job name must contain no more than 256 characters. The job description must contain no more than 4,096 characters.
- To run the job according to a schedule, enable the Run job according to schedule option and configure the schedule settings:
- In the Frequency drop-down list, select how often to run the job: Hourly, Daily, Weekly, or Monthly.
- Depending on the selected option, specify the values for the settings to define the precise job start time.
The application runs the job according to the schedule, provided that the previous run of this job has completed. If, by the time a scheduled job is due to start, its previous run still has the Running status, the application skips that scheduled run.
- Click Create job or Create and run to close the wizard.
The specified settings are displayed in the job details.
Editing an active polling job
Only users with the Senior security officer role can edit active polling jobs.
To edit an active polling job:
- Select the Assets section.
- On the Active polling tab, select the job for which you want to change the settings.
- Click Edit.
The Configuration Wizard starts. The settings of the selected job are specified as default values in the settings of the configuration wizard.
- In the Job configuration section of the wizard, configure the rest of the job settings:
- Enter a name and description for the job.
You can use letters, numerals, spaces, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } / \ : ; , . - _
The name of the job must begin and end with any valid character other than a space. The job name must contain no more than 256 characters. The job description must contain no more than 4,096 characters.
- To run the job according to a schedule, enable the Run job according to schedule option and configure the schedule settings:
- In the Frequency drop-down list, select how often to run the job: Hourly, Daily, Weekly, or Monthly.
- Depending on the selected option, specify the values for the settings to define the precise job start time.
The application runs the job according to the schedule, provided that the previous run of this job has completed. If, by the time a scheduled job is due to start, its previous run still has the Running status, the application skips that scheduled run.
- Click Edit job to close the wizard.
The specified settings are displayed in the job details.
Viewing the table of active polling jobs
The table of active polling jobs is displayed in the Assets section on the tab Active polling.
Job settings are displayed in the following columns of the table:
- Job ID.
Job ID assigned in Kaspersky Anti Targeted Attack Platform.
- Name.
Name that represents the job in the application.
- Description.
Job description.
- Created.
Date and time when the job was added to the application.
- Changed.
Date and time of the last modification in the application.
- Devices selected.
Number of devices selected for the job.
- Schedule.
Information about the schedule that the application uses to run the job.
- Status of last run.
The resulting status of all device scans when the job was last run.
- Last run.
Date and time when the job was last run.
- Next run.
Date and time of the next scheduled run of the job.
When viewing the table of active polling jobs, you can use the configuration, filter, search, and sorting functions.
Starting and stopping active polling jobs
You can manually start and stop active polling jobs. When you start or stop a job, the application starts or stops all scans on the devices that are selected for that job.
Whether you can start or stop a job depends on the status of its last run. For example, a job cannot be started if the status of its last run is Running.
Only users with the Senior security officer role can manually start and stop active polling jobs.
To start an active polling job:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Active polling tab, select the job you want to start.
The details area is displayed in the right part of the web interface window.
- Click Start. The button is disabled if the job cannot be started.
Kaspersky Anti Targeted Attack Platform starts the job. You can view information about the device scans in progress on the Runs tab in the job details.
To stop an active polling job:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Active polling tab, select the job you want to stop.
The details area is displayed in the right part of the web interface window.
- Click Stop. The button is disabled if the job cannot be stopped.
Viewing general information about the active polling job runs
You can view general information on the runs of active polling jobs in the jobs table. The table displays information about the most recent runs not including the information about device scans. To view general information on all job runs, including information about the device scans, select the job and in the details area, open the Runs tab.
General information about active polling job runs includes the following:
- The status of the job or device scan.
The following statuses are possible:
- Pending – a command to start the scan has not been sent yet.
- In progress – the job is starting, or the scan is in progress.
- Canceling – the start of the job or scanning is being stopped.
- Canceled – the start of the job or scanning is stopped.
- Completed – the scan completed successfully or all scans within the job run completed successfully.
- Error – an error occurred during a scan or errors occurred in all scans within the job run.
- Partially successful – the job completed with a partially successful result: some scans have the Completed status while some scans have a status of Canceled or Error.
- Start date and time.
- End date and time.
- Run time.
Viewing a report on the active polling job execution
You can view reports containing the device scan results when viewing the details of an active polling job run. The application generates reports for the jobs completed with the following statuses: Completed, Partially successful, Canceled, and Error.
In the report, the following details are displayed:
- Name of the device that was scanned.
- Device settings update status.
- List of device settings grouped by their update status.
- List of methods grouped by their execution status. If an error occurs when a method is being employed, the application displays its reason.
To view a report on the active polling job execution:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Active polling tab, select the job for which you want to view the run report.
The details area is displayed in the right part of the web interface window.
- In the details area, go to the Runs tab and select the desired job run.
The details area in the right part of the web interface window displays detailed information about the selected job run.
Deleting active polling jobs
You can delete active polling jobs. However, you cannot delete the jobs with a last run status of Running or Pending.
Only users with the Senior security officer role can delete active polling jobs.
To delete active polling jobs:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Active polling tab, select the jobs you want to delete.
- Click Delete.
This opens a confirmation prompt window.
- In the prompt window, confirm deletion of the jobs.
You can delete only the jobs whose last run status is not Running or Pending. If there are jobs with a status of Running or Pending among the selected jobs, the corresponding message is displayed. To delete such jobs, you must first stop the jobs.
Configuring address spaces
Kaspersky Anti Targeted Attack Platform monitors devices and their interactions, taking into account address spaces (hereinafter also referred to as "AS"). Address spaces are used to classify device addresses into sets by some attribute (for example, by the network segments that the devices belong to).
To describe address spaces, the application uses lists of rules and subnets.
An address space rule is a set of parameters that determine whether an address belongs to the address space. To be associated with an address space, a MAC or IP address must match at least one address space rule. If an address matches multiple rules, the application picks the address space whose rule defines the conditions of association in the least general way (for example, if the address is explicitly specified in the rule).
Address space subnets are used to check IP addresses discovered by the application. Depending on the type of subnet the discovered IP address belongs to, the application may perform different Asset Monitoring actions and Interaction Control actions.
You can configure address spaces in the Assets section of the Address spaces tab. Each address space is represented by a section with information about the address space. The section comprises a title and subsections with tables of rules and subnets. When viewing information about address spaces, you can expand and collapse the sections.
Default address space
By default, the application has one address space configured, the Default address space. This address space contains a single rule that associates all MAC and IP addresses with this address space. By default, the list of subnets of the Default address space contains the standard set of subnets most frequently used in enterprise networking.
You cannot edit the rule of the Default address space or add other rules to this address space. However, users with the Senior security officer role can edit the list of subnets in this address space to configure a set of subnets that take into account the way IP addressing of devices is set up in your corporate network. If Kaspersky Anti Targeted Attack Platform receives data from EPP applications, the application can use this data to automatically add subnets to the list of subnets.
Additional address spaces
If necessary, you can configure multiple address spaces in the application in addition to the Default address space. You can create arbitrary rules and sets of subnets for the added address spaces. Addresses matching the conditions of the added address spaces become associated with these address spaces. The rest of the addresses remain associated with the Default address space.
You may need to add address spaces, for example, if you are using devices with the same address in different network segments. In this case, after address spaces are added and configured, the application can disambiguate address information by additional attributes that the application adds to addresses, that is, by address space names.
For address space usage examples, see the Appendix.
Relations of addresses and address spaces
When using multiple address spaces, the application adds address space name attributes to all addresses that are specified in objects of the application: devices, risks, rules, events, and other objects. Address space name attributes are no longer displayed for addresses if you remove all non-default address spaces (address space attributes remain only for addresses in events and in some device-related risks).
Address space name attributes indicate the relations between addresses and address spaces. Relations with address spaces make addresses dependent on these address spaces.
Relations between addresses and address spaces lead to the following special consideration when deleting an address space: the application automatically deletes all addresses associated with the deleted address space. Such addresses are deleted from all application objects except for events. When an address is removed from an object, the application checks if other addresses remain in that object, and if no other addresses remain, the application also deletes the object itself (for example, a device).
About address space rules
The rules of address spaces are displayed in the Rules blocks within address space descriptions. Information about rules is displayed in the title bar of the address space and in the table of rules.
Address space rule settings are displayed in the following columns of the table:
- Source.
The type of the source of data about address information and the list of selected data sources. The following data source types are possible:
- Monitoring points – monitoring points selected for the rule.
- Integration servers – integration servers selected for the rule (the data on address information received from the selected integration servers will satisfy the address space rule).
- Active polling modules – active polling module connectors selected for the rule (the data on address information received from the selected active polling modules will satisfy the address space rule).
The data sources must be specified in the address space rules after adding the objects to be used as sources to the application. For example, connectors for the Active poll modules data source must be specified after adding connectors of the Active poll type.
- OSI model layers.
Selected layers of the OSI (Open Systems Interconnection) network protocol stack for the address space rule. You can configure the rule for addresses of the following layers of the OSI model:
- Data Link (L2) – MAC addresses.
- Network (L3) – IP addresses.
- Data Link and Network (L2 and L3) – MAC addresses and IP addresses.
- VLAN ID.
VLAN IDs used for the VLAN technology in accordance with the IEEE 802.1q standard. When used for an address space rule, the VLAN ID may take the following values:
- Any – VLAN technology is used for network interactions between devices, and any VLAN IDs can be used.
- Unallowed – VLAN technology is not used for network interactions between devices.
- Any or not used – VLAN technology is either not used for network interactions between devices, or it is used with any VLAN IDs.
- Fixed values with a list of VLAN IDs – VLAN technology is used for network interactions between devices, and an address space can include only address information that has one of the listed VLAN IDs.
- IP addresses.
IP addresses included in the address space. You can specify addresses individually, as ranges, or as a CIDR subnet address.
When viewing the rule table, you can use the configuration functionality (by clicking the icon) as well as the search functionality.
About address space subnets
The subnets of address spaces are displayed in the Subnets blocks within address space descriptions.
The application matches the discovered IP addresses against the lists of subnets of address spaces and, depending on whether the IP addresses are found to belong to certain types of subnets, can perform the following actions:
- Add a device with the discovered IP address to the table of devices and monitor the activity of this device.
- Display a device with its detected IP address on the network interactions map and the topology map as its corresponding type of node (known device, unknown device, or WAN node).
- Display the connection on a network interactions map, in which one of the interaction parties is the device with the discovered IP address.
- Scan the interactions of the device with the discovered IP address according to the configured rules (Interaction Control rules, Intrusion Detection rules, and correlation rules).
- Ignore the activity of the device with the discovered IP address.
Subnet settings of the address space are displayed in the following columns of the table:
- Subnet.
Subnet address in Classless Inter-Domain Routing (CIDR) format: <base address of the subnet>/<number of bits in the mask>. Subnet addresses are displayed as a tree that represents the subnet nesting hierarchy.
- Type.
Type of the subnet that stipulates its purpose. The following types are possible:
- Private, IT – subnet for devices that serve as information technology (IT) resources, such as file servers.
- Private, DMZ – subnet for devices that reside within a network segment of a demilitarized zone (DMZ), such as servers that handle requests from external networks.
- Public – subnet that is considered to be an external (global) network for devices in other types of subnets. IP addresses from this subnet are represented on the network interactions map by the WAN node.
- Link-local – subnet for network interactions within one segment of the local area network (not routed).
- Range.
The range of IP addresses included in the subnet.
- Automatically add subnets.
Indicates whether the automatic adding of nested subnets based on information received from EPP applications is enabled or disabled. If this mode is enabled, the application adds nested subnets based on information received from EPP applications.
When viewing the table of subnets, you can use the configuration functionality (by clicking the icon) as well as the filtering, search, and sorting functionality.
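The following Python is an added illustration, not Kaspersky's code, of the two matching behaviours described in the rule and subnet sections above: choosing the address space whose matching rule is least general, and keeping a typed subnet list as a nesting tree with insertion, deletion (nested subnets stay, one level higher) and most-specific classification of a discovered IP. The Rule and Subnet structures, the spelling of the VLAN ID values, the longest-prefix interpretation of "least general" and the Public type of the root subnet are assumptions; all sample data is constructed.

```python
from dataclasses import dataclass, field
from ipaddress import (IPv4Address, IPv4Network, ip_address, ip_network,
                       summarize_address_range)
from typing import Optional


def parse_entry(text: str) -> list:
    """Turn one IP addresses entry of a rule into CIDR networks.
    Accepts a single address, a range "a-b", or a CIDR subnet."""
    if "-" in text:
        lo, hi = (ip_address(p.strip()) for p in text.split("-", 1))
        return list(summarize_address_range(lo, hi))
    return [ip_network(text.strip(), strict=False)]


@dataclass
class Rule:
    """One address space rule (constructed model, not the product's schema).
    vlan: "any_or_unused", "any", "unallowed", or a set of fixed VLAN IDs.
    vlan_id=None in a lookup means the frame carried no VLAN tag."""
    space: str
    ips: list
    vlan: object = "any_or_unused"

    def match_len(self, ip: IPv4Address, vlan_id: Optional[int]) -> int:
        """Longest matching prefix length, or -1 if the rule does not apply."""
        if self.vlan == "unallowed" and vlan_id is not None:
            return -1
        if self.vlan == "any" and vlan_id is None:
            return -1
        if isinstance(self.vlan, set) and vlan_id not in self.vlan:
            return -1
        lens = [n.prefixlen for n in self.ips if ip in n]
        return max(lens) if lens else -1


def resolve_space(rules: list, ip: str, vlan_id: Optional[int] = None) -> str:
    """Pick the address space whose matching rule is least general.
    Assumption: "least general" is modelled as the longest matching prefix,
    so the Default rule (0.0.0.0/0) only wins when nothing else matches."""
    best, best_len = "Default", -1
    for rule in rules:
        length = rule.match_len(ip_address(ip), vlan_id)
        if length > best_len:
            best, best_len = rule.space, length
    return best


@dataclass
class Subnet:
    net: IPv4Network
    type: str  # "Private, IT", "Private, DMZ", "Public" or "Link-local"
    children: list = field(default_factory=list)


class SubnetTree:
    """Subnet list of one address space kept as a nesting tree.
    Assumption: the undeletable root 0.0.0.0/0 is treated as Public."""

    def __init__(self):
        self.root = Subnet(ip_network("0.0.0.0/0"), "Public")

    def _parent_of(self, net: IPv4Network) -> Subnet:
        """Deepest existing node that strictly contains net."""
        node = self.root
        while True:
            nxt = next((c for c in node.children
                        if net != c.net and net.subnet_of(c.net)), None)
            if nxt is None:
                return node
            node = nxt

    def add(self, cidr: str, type_: Optional[str] = None) -> Subnet:
        """Insert a subnet; a nested subnet defaults to its parent's type
        (the same default the page gives for subnets added from EPP data)."""
        net = ip_network(cidr)
        parent = self._parent_of(net)
        if any(c.net == net for c in parent.children):
            raise ValueError(f"{cidr} already in the list")
        node = Subnet(net, type_ or parent.type)
        # Existing siblings that fall inside the new subnet move under it.
        node.children = [c for c in parent.children if c.net.subnet_of(net)]
        parent.children = [c for c in parent.children if not c.net.subnet_of(net)]
        parent.children.append(node)
        return node

    def delete(self, cidr: str) -> None:
        """Remove a subnet; its nested subnets stay, one level higher."""
        net = ip_network(cidr)
        if net == self.root.net:
            raise ValueError("the root subnet 0.0.0.0/0 cannot be deleted")
        parent = self._parent_of(net)
        node = next((c for c in parent.children if c.net == net), None)
        if node is None:
            raise KeyError(cidr)
        parent.children.remove(node)
        parent.children.extend(node.children)

    def classify(self, ip: str) -> tuple:
        """Return (type, depth) of the most specific subnet holding ip."""
        addr, node, depth = ip_address(ip), self.root, 0
        while True:
            nxt = next((c for c in node.children if addr in c.net), None)
            if nxt is None:
                return node.type, depth
            node, depth = nxt, depth + 1
```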
Adding an address space
You can add address spaces to the application if you need to classify device addresses into sets according to some criterion (for example, based on devices belonging to network segments).
The maximum number of address spaces in the application is 100.
Only users with the Senior security officer role can add address spaces.
To add an address space:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Address spaces tab, open the details area by clicking Add AS.
- Enter the name of the address space.
You can use letters, numbers, the space character, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } ' , . - _
The address space name must satisfy the following requirements:
- Begins and ends with any character other than a space.
- Contains up to 255 characters.
- Does not reuse the name of another address space (case-insensitive).
We recommend using address space names that are 6–8 characters long or shorter. If the name is too long, the address information may not fit in the cells of some data tables (for example, in the table of devices).
- If necessary, enter a text description of the address space.
- Configure the settings of the first address space rule.
- If necessary, add and configure additional address space rules by clicking Add rule.
The total number of rules in an address space cannot exceed 10.
- Click Save.
This button is unavailable if not all required settings are specified, or if some settings are invalid.
The lower part of the Address spaces tab will show a separate block containing information about the added address space.
Creating a subnet list for Asset Management
This section contains information about the features available for generating a list of subnets for asset management.
For address spaces, you can create lists of subnets that take into account the way device addressing works in your corporate network. This section provides instructions on using the features for generating a list of subnets.
If Kaspersky Anti Targeted Attack Platform receives data from EPP applications, the application can use this data to automatically add subnets in the corresponding address spaces. The application automatically adds discovered subnets if they are nested inside subnets for which the automatic subnet addition mode is enabled.
Only users with the Senior security officer role can manage the list of subnets.
Adding a subnet
To add a subnet:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Address spaces tab, expand the block containing information about the address space in which you want to add a subnet.
- In the header of the Subnets block, click the icon.
The details area is displayed in the right part of the web interface window.
- In the Subnet field, enter the subnet address in CIDR format: <base address of subnet>/<number of bits in mask>.
- In the Type drop-down list, select the type of subnet according to its purpose.
- Enable or disable the Automatically add subnets toggle switch, to enable or disable automatic addition of nested subnets according to data received from EPP applications.
If this mode is enabled, the application adds nested subnets under this subnet based on information received from EPP applications. For these nested subnets, the default type is the type selected for the current subnet.
- Click Save.
A subnet is added to the list of subnets at the corresponding level of the tree.
Editing subnet settings
To edit subnet settings:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Address spaces tab, expand the block containing information about the address space in which you want to edit the subnet settings.
- Expand the Subnets block and select the relevant subnet.
The details area is displayed in the right part of the web interface window.
- Click Edit.
- Depending on what you want, do the following:
- In the Subnet field, enter the subnet address in CIDR format: <base address of subnet>/<number of bits in mask>. The address of the root subnet is not editable.
- In the Type drop-down list, select the type of subnet according to its purpose.
When changing the type of a subnet, keep in mind that the new subnet type may affect the actions that the application performs with IP addresses from the subnet. For example, if you select the Public type, the network interactions map will no longer display links to devices that were assigned IP addresses from this subnet.
- Enable or disable the Automatically add subnets toggle switch, to enable or disable automatic addition of nested subnets according to data received from EPP applications.
If this mode is enabled, the application adds nested subnets under this subnet based on information received from EPP applications. For these nested subnets, the default type is the type selected for the current subnet.
- Click Save.
If the Subnet value is changed, the tree hierarchy level may be changed for a subnet.
Deleting subnets
In the list of subnets of the address space, you can delete any subnet except the root subnet in the tree (subnet 0.0.0.0/0).
To delete subnets:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Address spaces tab, expand the block containing information about the address space from which you want to delete subnets.
- Expand the Subnets block and select the subnets to delete.
The details area is displayed in the right part of the web interface window.
- Click Delete.
This opens a confirmation prompt window.
- In the prompt window, confirm deletion of the subnets.
The deleted subnets are removed from the list of subnets. If the deleted subnet contained nested subnets, these subnets remain in the list (however, the level of these subnets in the hierarchy tree is changed).
Viewing information about devices with IP addresses from the selected subnets
You can view information about devices that have IP addresses from selected subnets in the address space. Device information is displayed in the table of devices. The table of devices is automatically filtered by subnet addresses.
To view information about devices in the table of devices:
- Select the Assets section.
- On the Address spaces tab, expand the block containing information about the address space containing the relevant subnets.
- Expand the Subnets block and select the subnets for which you want to view information about devices.
The details area is displayed in the right part of the web interface window.
- Click Show devices.
This opens the Devices tab in the Assets section. The table of devices is filtered by IP addresses in the address information of devices.
Changing an address space
For the added address spaces, you can edit the names, text descriptions, and rule settings. You cannot edit any of these for the Default address space, however.
You can also create lists of subnets for any address spaces (including the list of subnets of the Default address space).
When managing the rule settings of an address space, you must take into account the relations this address space has with addresses that are specified in application objects: devices, risks, rules, events, and other objects. If editing rule settings of an address space severs the relations of this address space with addresses, the application automatically deletes such addresses. This can lead to the deletion of the objects themselves (for example, devices) if these objects do not have any other addresses.
Only users with the Senior security officer role can edit the names, text descriptions, and rule settings of address spaces.
To edit the name, text description, or rule settings of an address space:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Address spaces tab, click the icon in the block containing information about the relevant address space.
The details area is displayed in the right part of the web interface window.
- Depending on what you want, do the following:
- Enter the name of the address space.
You can use letters, numbers, the space character, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } ' , . - _
The address space name must satisfy the following requirements:
- Begins and ends with any character other than a space.
- Contains up to 255 characters.
- Does not reuse the name of another address space (case-insensitive).
We recommend using address space names that are 6–8 characters long or shorter. If the name is too long, the address information may not fit in the cells of some data tables (for example, in the table of devices).
- Enter a description for the address space.
- Manage the settings of address space rules.
- If necessary, add and configure additional address space rules by clicking Add rule, or delete any unnecessary rules by using the icons.
The total number of rules in an address space cannot exceed 10.
- Click Save.
This button is unavailable if not all required settings are specified, or if some settings are invalid.
- In the prompt window, confirm the changes of address space settings.
Deleting an address space
You can delete added address spaces. The Default address space cannot be deleted.
When deleting an address space, you must take into account the relations this address space has with addresses that are specified in application objects: devices, risks, rules, events, and other objects. If deleting an address space severs the relations of this address space with addresses, the application automatically deletes such addresses. This can lead to the deletion of the objects themselves (for example, devices) if these objects do not have any other addresses.
Only users with the Senior security officer role can delete address spaces.
To delete an address space:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Address spaces tab, click the icon in the block containing information about the address space that you want to delete.
This opens a confirmation prompt window.
- In the prompt window, confirm the deletion of the address space.
Managing the network interactions map
The network interactions map is a visual display of discovered interactions between devices. You can use the network interactions map to view information about device interactions at various time periods.
To view the network interactions map:
- Select the Network map section in the application web interface window.
- Go to the Network interactions map tab.
The network interactions map is displayed.
The following objects can be displayed:
- Nodes. These objects represent the senders and recipients of network packets.
- Device groups. These objects correspond to groups in the device group tree. Groups contain nodes representing devices included in these groups as well as child groups.
- Links. These objects represent interactions between nodes.
Nodes and links appear on the network interactions map based on the data obtained from traffic or from Endpoint Agent over a certain period of time. Device groups are displayed continuously.
You can filter nodes and links. By default, the network interactions map displays objects in online mode with a filtering period of one hour.
The network interactions map can display up to 1000 connections.
Objects with issues are highlighted on the network interactions map. The application considers the following objects to have issues:
- A node if it has unprocessed events with a score of 4.0 or higher, or if it represents a device with the Unauthorized status.
- A link if it has to do with events with a score of 4.0 or higher. Only events registered during the given object filtering period are taken into account. The current status of events is not taken into account.
- A group, if it contains devices with issues, or if nodes in this group have links with issues. Objects taken into account can belong to the group itself or to any of its child groups at any nesting level.
Nodes on the network interactions map
Nodes on the network interactions map can have the following types:
- A device known to the application. A node of this type represents a device that is listed in the table of devices.
- A device unknown to the application. A node of this type represents a device with a unique IP or MAC address that is not listed in the device table. Such a node may appear on the network interactions map, for example, if you use the ping command to send network packets to a non-existent device. Nodes of devices that the application does not recognize are displayed individually if their total number (in accordance with the current filtering settings on the network interactions map) does not exceed 100. If more such devices exist, unknown devices are jointly represented by a single node.
Information displayed on nodes that represent devices known to the application
For nodes that represent devices known to the application, the following information is displayed on the network interactions map at maximum zoom:
- The specified device name.
- The icon of the device category.
- The IP address of the device (if it has no IP address, the MAC address is displayed).
- Various icons depending on the following conditions:
- Whether the Router attribute is set for the device
- Whether the Endpoint Agent is installed on the device (the color of the icon depends on its connection status)
- Whether the device has the Archived status
- A thick line on the left border of the node in one of the following colors, depending on the security state of the device:
- Green for the OK security state
- Yellow for the Warning security state
- Red for the Critical security state
If the device has the Unauthorized status or the security state of the device is not OK, the node has a red background.
Information displayed on nodes that represent devices unknown to the application
For nodes that represent devices unknown to the application, the following information is displayed on the network interactions map at maximum zoom:
- If the node represents a single unknown device, the IP or MAC address of the device is displayed. If the node represents multiple unknown devices (a node that includes more than 100 devices unknown to the application), Unknown devices is displayed.
- The icon for an unknown device and its status.
Nodes representing devices unknown to the application have a gray background.
Device groups on the network interactions map
Groups from the device group tree can be collapsed or expanded on the network interactions map. Collapsed groups are displayed as icons similar to nodes. Expanded groups are displayed as boxes with nodes and other groups included in them.
Information displayed on collapsed groups
If a group is collapsed, the following is displayed at maximum zoom:
- The name of the group.
- Number of devices that match the current filtering criteria on the network interactions map. Devices in this group and in all its child groups at all nesting levels are taken into account.
- Number of child groups at all nesting levels.
If a group contains devices or links with issues (including child groups at any nesting level), the border of the group is colored red.
Information displayed on expanded groups
The expanded group's box contains a title bar with the name of the group and an area for displaying objects. The group box displays devices included in this group, as well as child groups at the nesting level immediately below it. Among the devices included in the group, only those devices are displayed that satisfy the filtering criteria currently configured for the network interactions map.
If a group contains devices or links with issues (including child groups at any nesting level), the box has a red background.
Collapsing and expanding groups
You can expand a collapsed group by double-clicking the group icon. You can collapse an expanded group by double-clicking the title bar of that group's box or by clicking in the title bar.
To expand multiple collapsed groups at the same time:
- On the network interactions map, select multiple collapsed groups by doing one of the following:
- Press and hold the SHIFT key, then use the mouse to select a rectangular area with the groups that you want to select.
- Press and hold the CTRL key and click every collapsed group that you want to select.
- Click the button in the toolbar located in the left part of the network interactions map display area (the button is available if at least one collapsed group is selected).
To collapse all expanded groups at the same time:
Click in the toolbar located in the left part of the network interactions map display area (the button is available if at least one group is expanded).
Links on the network interactions map
Links on the network interactions map are discovered by analyzing network packets in which addresses of senders and recipients can be matched with addresses of nodes.
Each link represents two sides of an interaction. One of the following objects on the network interactions map can be a party of an interaction:
- Node of one of the following types:
- A device known to the application.
- A device unknown to the application.
- The common node of unknown devices (if the link shows interaction with one or more unknown devices inside this node).
- A collapsed group if the link shows interaction with one or more devices in this group.
Depending on the scores of events registered while detecting interactions, the link can be displayed as a colored line:
- Gray for an interaction that caused no events to be registered, or only events with scores of 0.0–3.9.
- Red for an interaction that has caused events to be registered with a score of 4.0–10.0.
Only events registered during the given object filtering period are taken into account for links. The current status of the events is not taken into account.
The application stores link information in a database at . The total amount of stored records cannot exceed the configured limit. If the amount exceeds the limit, the application automatically deletes 10% of the oldest records. You can set the maximum network interactions map size when configuring the storage settings.
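To make the "objects with issues" rules given above for nodes, links and groups, together with the link coloring and the score bands used by the Scores of links filter, concrete, here is an added Python model written for this page (it is not the application's own code; the device names, groups and events are constructed sample data):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

ISSUE_SCORE = 4.0  # documented threshold: events scored 4.0 or higher flag issues
LinkT = Tuple[str, str]  # a link is modelled as its two endpoint node ids

@dataclass
class Event:
    registered_at: datetime
    score: float            # 0.0 to 10.0
    processed: bool         # the event's current processing status
    nodes: Tuple[str, ...]  # ids of the nodes the event is associated with

@dataclass
class Node:
    node_id: str
    status: str                  # Authorized, Unauthorized or Archived
    group: Optional[str] = None  # name of the group containing the device

@dataclass
class Group:
    name: str
    parent: Optional[str] = None

def node_has_issue(node: Node, events: List[Event]) -> bool:
    # A node has issues if it is Unauthorized or has unprocessed events scored >= 4.0.
    if node.status == "Unauthorized":
        return True
    return any(not e.processed and e.score >= ISSUE_SCORE and node.node_id in e.nodes
               for e in events)

def link_events(link: LinkT, events: List[Event], start: datetime, end: datetime) -> List[Event]:
    # Events tied to both endpoints and registered inside the filtering period.
    a, b = link
    return [e for e in events
            if start <= e.registered_at <= end and a in e.nodes and b in e.nodes]

def link_has_issue(link: LinkT, events: List[Event], start: datetime, end: datetime) -> bool:
    # Only the period matters; the processing status of the events is ignored.
    return any(e.score >= ISSUE_SCORE for e in link_events(link, events, start, end))

def link_color(link: LinkT, events: List[Event], start: datetime, end: datetime) -> str:
    return "red" if link_has_issue(link, events, start, end) else "gray"

def link_score_band(link: LinkT, events: List[Event], start: datetime, end: datetime) -> str:
    # Band used by the "Scores of links" filter: No events / Low / Medium / High.
    scores = [e.score for e in link_events(link, events, start, end)]
    if not scores:
        return "No events"
    top = max(scores)
    return "Low" if top < 4.0 else "Medium" if top < 8.0 else "High"

def group_scope(groups: Dict[str, Group], name: str) -> set:
    # The group itself plus all child groups at any nesting level.
    scope = {name}
    while True:
        added = {g.name for g in groups.values() if g.parent in scope} - scope
        if not added:
            return scope
        scope |= added

def group_has_issue(name, groups, nodes, links, events, start, end) -> bool:
    # A group has issues if a device in it (or in any child group) has issues,
    # or if a node in it has a link with issues.
    members = {n.node_id for n in nodes.values() if n.group in group_scope(groups, name)}
    if any(node_has_issue(nodes[m], events) for m in members):
        return True
    return any(link_has_issue(l, events, start, end) for l in links if members & set(l))

def evaluate_sample() -> Dict[str, object]:
    # Apply the rules to a constructed one-hour window (sample data, not real traffic).
    now = datetime(2024, 5, 1, 12, 0)
    start = now - timedelta(hours=1)
    groups = {"Plant": Group("Plant"), "Line1": Group("Line1", parent="Plant")}
    nodes = {n.node_id: n for n in [
        Node("plc1", "Authorized", "Line1"), Node("hmi1", "Authorized", "Line1"),
        Node("eng1", "Authorized", "Plant"), Node("srv1", "Authorized"),
        Node("cam1", "Unauthorized")]}
    links = [("plc1", "hmi1"), ("eng1", "srv1"), ("hmi1", "srv1")]
    events = [
        Event(now - timedelta(minutes=10), 7.5, True, ("plc1", "hmi1")),  # processed, in period
        Event(now - timedelta(hours=3), 9.0, False, ("eng1", "srv1")),    # unprocessed, outside period
        Event(now - timedelta(minutes=5), 2.0, False, ("hmi1", "srv1")),  # low score, in period
    ]
    out: Dict[str, object] = {f"node:{k}": node_has_issue(n, events) for k, n in nodes.items()}
    for l in links:
        out["link:" + "-".join(l)] = (link_color(l, events, start, now),
                                      link_score_band(l, events, start, now))
    for g in groups:
        out[f"group:{g}"] = group_has_issue(g, groups, nodes, links, events, start, now)
    return out

if __name__ == "__main__":
    for key, value in evaluate_sample().items():
        print(key, value)
```

Note that the processed event on plc1-hmi1 still turns the link red (status is ignored for links) while neither node is flagged, and the high-scoring event outside the window does not color eng1-srv1 but does flag both nodes, because the node rule as documented looks at unprocessed events without a period restriction.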
Viewing object details
Detailed information about objects represented on the network interactions map is displayed in the details area. To display detailed information, you can select an object with the mouse (if you want to view the details of a group, you must first collapse the group).
For nodes, the following information is displayed:
- If the node represents a device known to the application, the details area displays the same information that appears in the device table.
- If the node represents a single device unknown to the application, the details area displays the MAC and/or IP addresses of the device (with the names of address spaces if extra address spaces have been added to the application).
- If the common node of unknown devices is selected, the following information is displayed:
- The number of nodes that this node contains, taking into account the current filtering settings.
- IP addresses displays the number of IP addresses of unknown devices and the first 100 IP addresses (with the address space names, if extra address spaces have been added to the application). This section is displayed if some unknown device nodes have IP addresses.
- MAC addresses displays the number of MAC addresses of unknown devices and the first 100 MAC addresses (with the address space names, if extra address spaces have been added to the application). This section is displayed if some unknown device nodes have MAC addresses.
For groups, the following information is displayed:
- Parent group displays the path to the group in the device group tree. If the group is at the top level of the hierarchy, N/A (this is a top-level group) is displayed.
- The number of devices in this group and in all its child groups at all nesting levels.
- Information about the number of objects with issues in the selected group and in its child groups at all nesting levels. If no such objects exist, the security state is displayed as OK.
For links, the following information is displayed:
- Severity is the icon corresponding to the maximum severity level of the events associated with the link. If no events are associated with the link, No events is displayed. Only events registered during the given object filtering period are taken into account. The current status of events is not taken into account.
- Sections with basic information about the first and second parties of the interaction:
- If an unknown device node is a party of the interaction, this section displays the name or address of the device, category, and address information (whereas for a device known to the application, the address information is displayed only for those network interfaces that were involved in the interaction). For a known device, the device status is also displayed.
- If a collapsed group is a party of the interaction, this section displays the name of the group and the number of devices and child groups it contains.
- If the common node of unknown devices is a party of the interaction, this section displays the name of the node, Unknown devices, and the number of nodes represented by this node.
- Protocols is a section with a list of protocols involved in the interaction. For each protocol, the amount of transmitted data is indicated, calculated from the detected network packets. The section is not displayed if one of the parties to the interaction is the common node of unknown devices.
Zooming the network interactions map
The network interactions map can be zoomed from 1 to 100%. The current scale is displayed in the toolbar located in the left part of the network interactions map display area.
To zoom the network interactions map:
Use the mouse wheel or the + and - buttons in the toolbar next to the current zoom value.
Zooming out the network interactions map hides some information displayed in nodes and collapsed groups.
At zoom levels below 25%, icons and text information are hidden in nodes and collapsed groups. The display of nodes and collapsed groups changes as follows:
- On a node representing a device known to the application, the device status is displayed in the upper right corner as a colored triangle:
- Green means the device has the Authorized status.
- Red means the device has the Unauthorized status.
- Gray means the device has the Archived status.
- On a collapsed group, a triangle in the upper right corner indicates the presence of objects with issues. This triangle is filled with one of the following colors:
- Green if the group does not contain objects requiring attention.
- Red if the group contains objects with issues.
Positioning the network map
If necessary, you can change the positioning of the network interactions map manually or automatically. Automatic positioning pans and zooms the network interactions map to fit all nodes satisfying filtering criteria and all expanded groups.
To position the network interactions map manually:
- Point to any space on the network interactions map that is not occupied by objects.
- Click and hold to drag the network interactions map.
To position the network interactions map automatically:
Click in the toolbar in the left part of the network interactions map display area.
The map is panned and zoomed to fit all nodes and expanded groups.
Pinning and unpinning nodes and groups
By default, nodes and collapsed groups are not pinned to the network map. Unpinned nodes and collapsed groups can be automatically moved around to optimize the display of other objects.
Nodes and groups are pinned when their location is changed manually or in the process of automatic distribution. You can also pin displayed objects without moving them.
To pin or unpin objects without moving them, you can use the following controls:
- Buttons in the toolbar in the left part of the network interactions map display area. You can click the pin or unpin button to pin or unpin all nodes and groups displayed on the network interactions map (including nodes in expanded groups).
- Buttons in the title bar of the expanded group box. You can click the pin or unpin button to pin or unpin nodes and groups in the expanded group box only (but not in boxes of nested groups).
The buttons are available if the network interactions map contains objects to which the corresponding actions can be applied.
After the node or collapsed group is pinned, the icon is displayed in the upper-right corner of the node or group (if the zoom level is at least 25%). You can also use this icon to unpin the object.
The pinned node or group stays in place. If a pinned node is no longer displayed on the network interactions map (for example, after applying a filter), the next time it appears in the same place.
Manually rearranging nodes and groups
You can manually arrange nodes and groups on the network interactions map as you see fit.
Nodes and groups that have been moved become pinned to their new location. You can unpin them if necessary.
Objects included in a group can be moved only within the confines of that group's box.
To rearrange nodes and/or collapsed groups:
- On the network interactions map, select one or more nodes and/or collapsed groups.
To select multiple nodes and/or collapsed groups, do one of the following:
- Press and hold the SHIFT key, then use the mouse to select a rectangular area with the objects that you want to select.
- Press and hold the CTRL key and click every object that you want to select.
- Drag the selected objects to where you want to place them.
Nodes and collapsed groups remain pinned after moving. The icon is added to these objects.
To reposition an expanded group:
Click and drag the expanded group box by its title bar to a new location.
Automatically arranging nodes and groups
To optimally arrange objects on the map of network interactions, you can use algorithms that automatically rearrange nodes and groups. The following algorithms are provided:
- Radial arrangement
- Alignment to grid
You can apply automatic arrangement algorithms to the following objects:
- All displayed nodes and groups at the top level of the hierarchy in the group tree. Automatic arrangement is performed using the radial arrangement button and the grid-aligned arrangement button in the toolbar located in the left part of the network interactions map display area.
- All displayed nodes and groups within the expanded group. To perform automatic arrangement, you can click the arrange radially and align to grid buttons in the title bar of the expanded group's box.
- Only selected nodes and collapsed groups. Before automatic arrangement, you must select at least three nodes and/or collapsed groups within an expanded group or at the top level of the hierarchy. To select multiple objects, you can press and hold the SHIFT key and draw a selection box around the necessary objects, or you can select multiple objects by CTRL+clicking them. Automatic arrangement is performed using the radial arrangement button and the grid-aligned arrangement button in the toolbar located in the left part of the network interactions map display area.
Nodes and groups that have been automatically arranged become pinned to their new location. The icon is added to these objects. You can unpin them if necessary.
Searching for nodes on the network interactions map
You can search for nodes on the network interactions map based on the details of these nodes. The search covers all nodes that satisfy the current filtering conditions, including nodes inside collapsed groups and nodes beyond the displayed region of the network interactions map.
For nodes that represent devices known to the application, the search is performed by all columns of the table of devices except Status, Security state, Last seen, Last modified, and Created. The search is also performed by the values of custom fields for devices.
If nodes matching the search query are found, the outlines of these nodes are highlighted in yellow. The outlines of collapsed groups in which the nodes are found are highlighted in the same way. At the same time, the following elements appear in the right part of the Search nodes field:
- The ordinal number of the currently selected object (a found node or a collapsed group with found nodes) among the search results.
- The total number of found objects (nodes and/or collapsed groups with found nodes).
The total number of found objects does not take into account the number of nodes in collapsed groups. If you want nodes in groups to be counted towards the total in search results, expand the collapsed groups.
- Arrows for moving between found objects. You move between found objects in alphabetical order of their names. When moving to the next object, the network interactions map is automatically positioned to display this object.
To find nodes on the network interactions map:
Filtering objects on the network interactions map
This section provides instructions on filtering objects on the network interactions map to limit the number of nodes and links displayed.
Comprehensive filtering of nodes and links
This section contains instructions on comprehensive filtering of nodes and links.
Filtering using a period on the timeline
To filter nodes and links, you can select a time period on the timeline. The timeline is displayed in the lower part of the network interactions map window.
The timeline contains the following elements:
- The starting date and time of the timeline.
- Periods when events with scores of 4.0 and higher were recorded. These periods are displayed as red bars in the lower part of the scale. Periods are not displayed if the configured length of the timeline is more than seven days.
- Filtering period. This period is displayed as a yellow bar with dragging handles at both ends.
- Graph of traffic volume processed by the application. The graph is not displayed if the configured length of the timeline is more than seven days.
- The end of the timeline. Depending on the filtering period, the end of the timeline is displayed as a date and time (if a date and time is specified) or as a Now link.
The following types of filtering periods are possible:
- Period with reference to the current moment. The right end of such a period coincides with the right end of the timeline corresponding to the current moment.
- Period without reference to the current moment. A period of this type can be placed anywhere in the timeline.
To configure filtering of objects by period with reference to the current moment:
- Click the Now button to the right of the timeline. This button is not displayed if the period is already defined with reference to the current moment.
- If you want to specify a different length of the period, do one of the following:
- Drag the left end of the yellow period bar to the required position (the maximum length of a period is 7 days).
- Open the settings window by clicking the button above the yellow period bar, select the Anchor to boundary check box, then select a duration (Hour, Day, 7 days) and click OK.
The network interactions map displays only those nodes and connections for which interactions were detected from the beginning of the specified period to the current moment.
To configure filtering by period without reference to the current moment:
- If the period you want to set is out of bounds of the timeline, change the start and/or end date and time of the timeline:
- To change the start date and time of the timeline, click the link in the left part of the timeline to open a window and in that window, select one of the following options:
- Day.
- 7 days.
- 30 days.
- Set the date. For this option, specify a date and time in the displayed field.
- To change the end date and time of the timeline, click the link in the right part of the timeline to open a window and in that window, select one of the following options:
- Now.
- Specify a date. For this option, specify a date and time in the displayed field.
- Set the period you want. To do so, do one of the following:
- Drag the period on the timeline to where you want it to be.
- Move one or both edges of the yellow period bar on the timeline to where you want the period to be (the maximum length of a period is 7 days).
- Open the settings window by clicking the button above the yellow period bar, then select a duration (Hour, Day, 7 days) and click OK.
- If the period is automatically anchored to the current moment (when you move the period to the extreme right position, the Now button to the right of the timeline is no longer displayed) and you don't want this, disable the automatic anchoring. To do so, open the settings window by clicking the button above the yellow period bar, clear the Anchor to boundary check box and click OK.
Filtering by registered events
On the network interactions map, you can display nodes and links whose information is stored in events associated with the selected nodes.
You can use the filtering functionality if no more than 200 nodes are selected on the network interactions map. You can select nodes either individually or as part of collapsed groups that include the required devices. When you select a collapsed group, all devices in child groups at all nesting levels also end up in the selection.
You can use the following ways of filtering by events:
- Initial filtering by events. Use this method to filter objects by events associated only with the selected nodes.
- Additional filtering by events. Use this method when the initial filtering by events already has been performed (for example, when going to the network interactions map from the table of events) and you need to supplement the filter with events associated with additional selected nodes from among the network interactions displayed on the network interactions map.
To display nodes and links based on initial event filtering:
- On the network interactions map, select one or more nodes and/or collapsed groups.
To select multiple nodes and/or groups, do one of the following:
- Press and hold the SHIFT key, then use the mouse to select a rectangular area with the objects that you want to select.
- Press and hold the CTRL key and click every object that you want to select.
- In the toolbar above the network interactions map, open the Event filter drop-down list.
- In the drop-down list, select Filter.
The network interactions map displays only nodes and links whose information is contained in events associated with the selected nodes. In the toolbar above the network interactions map, a list is displayed with event IDs (the IDs are listed in the chronological order of detection of the associated events).
To add nodes and links to the displayed objects using additional filtering by events:
- Make sure the initial filtering by events already has been performed. To do so, look for the list of event IDs in the toolbar above the network interactions map.
- From among the displayed nodes on the network interactions map, select nodes whose associated events you want to add to the filter.
The details area is displayed in the right part of the web interface window.
- In the toolbar above the network interactions map, open the Event filter drop-down list.
- In the drop-down list, select Add to filter.
The network interactions map additionally displays nodes and links whose information is contained in the events associated with the selected nodes. IDs of detected events are added to the list of IDs in the toolbar.
Filtering nodes by device status
To filter nodes by device status:
- In the toolbar above the network interactions map, open the Device statuses drop-down list.
A list is displayed with status names for devices known to the application (Unauthorized, Authorized, Archived), as well as the Unknown device status for devices that the application does not recognize.
- In the drop-down list, select check boxes for statuses that you want to use as a filtering condition for nodes displayed on the network interactions map.
- Click OK.
The network interactions map displays only those nodes that represent devices with selected statuses.
Filtering nodes by device security state
To filter nodes by device security state:
- In the toolbar above the network interactions map, open the Device states drop-down list.
A list is displayed containing the security state names of the devices (OK, Warning, Critical).
- In the drop-down list, select check boxes for security states that you want to use as a filtering condition for nodes displayed on the network interactions map.
- Click OK.
The network interactions map displays only those nodes that represent devices with selected security states.
Filtering nodes by device category
To filter nodes by device category:
- In the toolbar above the network interactions map, open the Device categories drop-down list.
A list is displayed containing the names of categories of devices known to the application as well as special categories for unknown devices.
- In the drop-down list, select check boxes for categories that you want to use as a filtering condition for nodes displayed on the network interactions map.
- Click OK.
The network interactions map displays only those nodes that represent devices of the selected categories.
Showing and hiding nodes linked to filtered nodes
After filtering the nodes, the network interactions map displays only those nodes that satisfy the specified filtering conditions. However, for a node to be displayed on the network interactions map, this node must have a link to another displayed node. If, given the specified filtering conditions, not all nodes with which the node has interactions are displayed, such a node is also not displayed on the network interactions map. Filtering is applied in the same way to nodes rolled up into the common node of unknown devices: if not all nodes that have interactions with an unknown device node are displayed, this node is excluded from the list of nodes of the common node of unknown devices.
If necessary, you can show the network interactions of all nodes associated with the filtered nodes. All nodes that have been interacted with will be displayed together with the filtered nodes (regardless of the current filtering conditions).
To show or hide nodes associated with filtered nodes:
Use the Linked devices toggle switch in the toolbar above the network interactions map.
Filtering links by criticality score
To filter links on the network interactions map by their severity scores:
- In the toolbar above the network interactions map, open the Scores of links drop-down list.
A list of event severity levels and ranges is displayed: Low (0.0–3.9), Medium (4.0–7.9), High (8.0–10.0); as well as the No events item, which lets you filter links that have no registered events.
- In the drop-down list, select the check boxes for the severity levels by which you want to filter.
- Click OK.
The network interactions map displays only links that have associated events with the selected severity levels.
Filtering links by communication protocol
To filter links on the network interactions map by protocol:
- In the toolbar above the network interactions map, open the Protocols drop-down list.
This opens a window with a table of protocols displayed as a protocol stack tree. You can control the display of tree nodes using the + and - buttons next to the names of protocols that encompass protocols of the next tiers.
The table columns contain the following information:
- Protocol is the name of the protocol in the protocol stack tree.
- EtherType is the number of the next-layer protocol encapsulated by the Ethernet protocol (if the protocol has a specified number). Displayed in decimal format.
- IP number is the number of the next-layer protocol encapsulated by the IP protocol (if the protocol has a specified number). Specified only for protocols that are part of the IP protocol structure. Displayed in decimal format.
- If necessary, use the search bar above the table to find the protocols that you need.
- In the list of protocols, select check boxes for protocols that you want to use in search conditions.
If you select or clear the check box for a protocol that contains nested protocols, check boxes are also automatically selected or cleared for all nested protocols.
- Click OK.
Only links that used the selected protocols are displayed on the network interactions map.
Filtering links by OSI model layer
You can filter links by interaction layers that correspond to the layers of the Open Systems Interconnection (OSI) network protocol stack.
To filter links on the network interactions map by OSI model layers:
- In the toolbar above the network interactions map, open the OSI model layers drop-down list.
A list of OSI model layer names is displayed:
- Data Link. This layer includes connections that used MAC addresses to communicate with devices.
- Network. This layer includes connections that used IP addresses to communicate with devices.
- In the drop-down list, select check boxes for OSI model layers that you want to use as a filtering condition for links displayed on the network interactions map.
- Click OK.
Only links that belong to the selected OSI model layer are displayed on the network interactions map.
Resetting filtering criteria
You can reset specified node and link filtering criteria to their default condition.
To reset specified filtering criteria on the network interactions map:
In the toolbar above the network interactions map, click Default filter (the button is displayed if non-default filtering criteria are specified).
The network interactions map displays all nodes and links for which interactions were detected during the specified period.
Saving and loading the display settings of the network interactions map
This section describes the network interactions map display customization features.
The application allows you to save the current display settings of the network interactions map. A set of display settings that can be saved is called a view. You can use views to apply settings saved in them to the network interactions map (for example, to quickly restore display settings after any changes or to manage the network interactions map on another computer).
When you save a view, the following display settings of the network interactions map are saved:
- Zoom level
- Positioning the network interactions map
- Position of pinned nodes and groups
- Filtering of nodes and links
You can save and use up to 10 views.
Only users with the Administrator role can manage the list of views (including saving the current display settings as a view). However, all users with the Administrator, Security auditor, Senior security officer, and Security officer roles can see the list of views and apply views to the network interactions map.
Adding a new view and saving the current display settings of the network interactions map
To add a new view and save the current display settings of the network interactions map:
- Log in to the Kaspersky Anti Targeted Attack Platform web interface with the Administrator credentials.
- Select the Network map section in the application web interface window.
- Go to the Network interactions map tab.
- Open the Configure network map views window by clicking the Manage views button.
- Click Add.
- Enter a name for the view in the text box.
You can use letters, numbers, the space character, and the following special characters:
! @ # № $ % ^ & ( ) [ ] { } ' , . - _
The view name must satisfy the following requirements:
- Begins and ends with any character other than a space.
- Contains up to 100 characters.
- Does not reuse the name of another view (case-insensitive).
- Click the icon to the right of the text box.
Refreshing a view and saving the current display settings of the network interactions map
To update a view and save the current display settings of the network interactions map:
- Log in to the Kaspersky Anti Targeted Attack Platform web interface with the Administrator credentials.
- Select the Network map section in the application web interface window.
- Go to the Network interactions map tab.
- Open the Configure network map views window by clicking the Manage views button.
- Select the view in which you want to save the current display settings of the network interactions map.
- Click Overwrite.
This opens a confirmation prompt window.
- In the prompt window, confirm the saving of the current settings in the selected view.
Renaming a network interactions map view
To rename a view:
- Log in to the Kaspersky Anti Targeted Attack Platform web interface with the Administrator credentials.
- Select the Network map section in the application web interface window.
- Go to the Network interactions map tab.
- Open the Configure network map views window by clicking the Manage views button.
- Select the view you want to rename.
- Click the icon to the right of the current view name.
- Enter the new name for the view in the text box.
You can use letters, numbers, the space character, and the following special characters:
! @ # № $ % ^ & ( ) [ ] { } ' , . - _
The view name must satisfy the following requirements:
- Begins and ends with any character other than a space.
- Contains up to 100 characters.
- Does not reuse the name of another view (case-insensitive).
- Click the icon to the right of the text box.
Deleting a network interactions map view
To delete a view:
- Log in to the Kaspersky Anti Targeted Attack Platform web interface with the Administrator credentials.
- Select the Network map section in the application web interface window.
- Go to the Network interactions map tab.
- Open the Configure network map views window by clicking the Manage views button.
- Select the view you want to delete.
- Click Delete.
This opens a confirmation prompt window.
- In the prompt window, confirm the deletion of the selected view.
Applying settings saved in the view to the network interactions map
To apply settings saved in a view to the network interactions map:
- Log in to the Kaspersky Anti Targeted Attack Platform web interface with the Administrator credentials.
- Select the Network map section in the application web interface window.
- Go to the Network interactions map tab.
- Open the Configure network map views window by clicking the Manage views button.
- In the list, select the view that you want to apply.
- Click Apply.
This opens a confirmation prompt window.
- In the prompt window, confirm that you want to apply the selected view.
Monitoring network sessions
Kaspersky Anti Targeted Attack Platform can scan traffic to detect network sessions that devices create to connect to other devices. The application registers detected network sessions and saves information that can help you analyze network activity of devices and download data about transmitted network packets from traffic dump files. Unlike links on the network interactions map, registered network sessions allow you to obtain more fine-grained information about device interactions, due in part to independent registration of sessions for different ports and protocols that are used for the interactions.
The application detects network sessions if the Network Session Detection method is enabled for the Asset Management technology. Network Session Detection can be performed when analyzing traffic arriving at monitoring points, as well as when receiving information from the Endpoint Agent component.
Each registered network session contains information about the connection between two devices that are parties to the interaction. A network session is characterized by the address information of the parties to the interaction (MAC and/or IP addresses), port numbers, and the application protocol that is used for the connection. The first device in a network session is usually the device that initiated the sending of network packets to the other device.
You can view the full list of protocols detected by Kaspersky Anti Targeted Attack Platform by downloading the file from the link below.
Protocols detected by Kaspersky Anti Targeted Attack Platform
A network session is considered closed if no network packets have been sent for one minute or if the Network Session Detection technology becomes disabled on the relevant node or monitoring point.
When an exceedingly large number of network sessions is detected, the application applies the following session registration restrictions:
- The number of registered sessions between two interacting parties using the same application protocol may not exceed 1000 per minute.
- The total number of registered sessions between the two parties may not exceed 5000 per minute.
The application stores information about network sessions in a database on the Central Node server. The total amount of stored records cannot exceed the configured limit. If the amount exceeds the limit, the application automatically deletes 10% of the oldest records.
In distributed solution and multitenancy mode, information about network sessions of SCN servers is not displayed on the PCN.
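The registration rules described above (one session per pair of addresses, ports, transport and application protocol; the Closed status after one idle minute; the per-minute registration limits), modelled as an added example that is not part of the Kaspersky documentation or product code. The packet records are constructed, and their field names and the choice of keying the per-minute limits on the unordered device pair are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

IDLE_CLOSE_SECONDS = 60     # a session is Closed after one minute without packets
PER_PROTOCOL_LIMIT = 1000   # registrations per minute, same pair and app protocol
PER_PAIR_LIMIT = 5000       # registrations per minute, same pair, any protocol


@dataclass
class Session:
    side1: str          # the device that sent the first packet
    side1_port: int
    side2: str
    side2_port: int
    transport: str
    app: str
    start: float
    last: float
    packets: int = 1
    total_bytes: int = 0
    status: str = "Active"

    def average_speed(self):
        """Average data transfer rate in bytes per second."""
        elapsed = self.last - self.start
        return self.total_bytes / elapsed if elapsed > 0 else 0.0


class SessionTracker:
    def __init__(self):
        self.active = {}                      # flow key -> Session
        self.closed = []
        self.per_protocol = defaultdict(int)  # (pair, app, minute) -> registrations
        self.per_pair = defaultdict(int)      # (pair, minute) -> registrations
        self.dropped = 0                      # registrations refused by the limits

    @staticmethod
    def _keys(pkt):
        # Both directions of the same addresses/ports/protocols are one session.
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        return (a, b, pkt["transport"], pkt["app"]), (b, a, pkt["transport"], pkt["app"])

    def expire(self, now):
        """Close every session that has been idle for IDLE_CLOSE_SECONDS."""
        for key, s in list(self.active.items()):
            if now - s.last >= IDLE_CLOSE_SECONDS:
                s.status = "Closed"
                self.closed.append(self.active.pop(key))

    def feed(self, pkt):
        """Register or update the session for one packet; None if registration is refused."""
        self.expire(pkt["ts"])
        fwd, rev = self._keys(pkt)
        s = self.active.get(fwd) or self.active.get(rev)
        if s is not None:
            s.last, s.packets, s.total_bytes = pkt["ts"], s.packets + 1, s.total_bytes + pkt["length"]
            return s
        pair, minute = tuple(sorted((pkt["src"], pkt["dst"]))), int(pkt["ts"] // 60)
        if (self.per_protocol[(pair, pkt["app"], minute)] >= PER_PROTOCOL_LIMIT
                or self.per_pair[(pair, minute)] >= PER_PAIR_LIMIT):
            self.dropped += 1
            return None
        self.per_protocol[(pair, pkt["app"], minute)] += 1
        self.per_pair[(pair, minute)] += 1
        s = Session(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["transport"],
                    pkt["app"], pkt["ts"], pkt["ts"], total_bytes=pkt["length"])
        self.active[fwd] = s
        return s


def packet(ts, src, sport, dst, dport, app="modbus", length=64):
    """Constructed packet record (the field names are assumptions of this example)."""
    return dict(ts=ts, src=src, sport=sport, dst=dst, dport=dport,
                transport="tcp", app=app, length=length)


def demo():
    """Feed constructed traffic through the tracker and return summary counts."""
    tr = SessionTracker()
    first = tr.feed(packet(0.0, "10.0.0.5", 50000, "10.0.0.7", 502, length=100))
    tr.feed(packet(10.0, "10.0.0.7", 502, "10.0.0.5", 50000, length=300))  # reply, same session
    tr.feed(packet(80.0, "10.0.0.5", 50001, "10.0.0.7", 502))  # first session idle 70 s -> Closed
    for i in range(1200):  # 1200 new connections within one minute on one app protocol
        tr.feed(packet(200.0 + i * 0.01, "10.0.0.5", 40000 + i, "10.0.0.7", 502))
    return {"first_packets": first.packets, "first_status": first.status,
            "first_avg_bps": first.average_speed(), "active": len(tr.active),
            "closed": len(tr.closed), "dropped": tr.dropped}


if __name__ == "__main__":
    print(demo())
```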
Network sessions table
To view the list of network sessions:
- Select the Network map section in the application web interface window.
- Go to the Network sessions tab.
The network sessions table is displayed.
The table contains the following information:
- Status is the status of the network session. A registered network session can have one of the following statuses:
- Active. This status is assigned when a network session is registered and is retained as long as the devices keep sending network packets within this session.
- Closed. This status is assigned to a network session if no network packets have been sent for one minute or if the Network Session Detection technology becomes disabled on the relevant node or monitoring point.
- Side 1 is the MAC and/or IP addresses of one of the sides of the network interaction. The display of MAC and IP addresses can be turned on and off.
- Side 1 port is the port number of the first side of the interaction.
- Side 2 is the MAC and/or IP addresses of the other side of the network interaction. The display of MAC and IP addresses can be turned on and off.
- Side 2 port is the port number of the second side of the interaction.
- Device 1 is the name of the device known to the application, which corresponds to the address information of the first side of the interaction.
- Device 2 is the name of the device known to the application, which corresponds to the address information of the second side of the interaction.
- Transfer protocol is the name of the transport protocol used in the network session.
- Application protocol is the name of the application layer protocol used in the network session.
- Current speed is the current data transfer rate for the network session.
- Average speed is the average data transfer rate for the network session.
- Total transmitted is the number of bytes transmitted during the network session.
- Monitoring points lists the names of monitoring points that have received traffic for the network session.
- Start is the date and time of the first network packet in the network session or the date and time of the beginning of the time period defined by data from an EPP application.
- Last interaction is the date and time of the last network packet in the network session or the date and time of the end of the time period defined by data from an EPP application (if only one packet was received in the network session, this value is the same as the Start).
- Number of packets is the number of network packets transmitted during the network session.
When viewing the table of network sessions, you can configure, filter, and sort the network sessions, as well as navigate to related items and export data.
Viewing network session details
Detailed information about a network session includes information from the Network sessions table, as well as the name of the application that was active when the network session was initiated (if Kaspersky Anti Targeted Attack Platform was able to determine the name of the application).
To view the details of a network session:
- Select the Network map section in the application web interface window.
- Go to the Network sessions tab.
- Click the line with the relevant session.
This opens a window with information about the network session.
Downloading network session traffic
When viewing the table of network sessions, you can download traffic related to the selected network sessions. Traffic is downloaded as a PCAP file. To download only the data you need, you can configure network packet filtering.
The application downloads traffic of network sessions from traffic dump file storages. Traffic can be downloaded from the internal storage that was automatically created as part of the Sensor installation process, as well as an external storage if one is connected.
When downloading network session traffic, consider the following:
- Traffic can be downloaded only for those network sessions that were registered when analyzing traffic that arrived at the monitoring points. If a network session was registered based on information received from the Endpoint Agent component, you cannot download the traffic of such a session.
- Traffic dump files are stored in storages temporarily and are automatically deleted as new traffic arrives (the rotation period depends on the amount of traffic and the application storage configuration). You cannot download traffic for a network session if the corresponding traffic dump files have already been deleted from storages.
To download network session traffic:
- Select the Network map section in the application web interface window.
- Go to the Network sessions tab.
- Select check boxes next to network sessions whose traffic you want to download.
You can select a maximum of 100 network sessions.
- Click Download traffic.
The details area is displayed in the right part of the web interface window.
- Do the following:
- If you want to download traffic for a certain period of time, set the bounds using the Period of traffic to download setting.
By default, the maximum possible period is chosen, starting from the date and time when the earliest network session was established and ending with the date and time when the latest session in the selection ended. If necessary, you can move the bounds within this period or set an empty value for one of the bounds (for example, for the right bound to download new traffic of sessions that have not ended yet).
- Under Download volume limit, set the maximum amount of traffic to download.
If the amount of downloaded traffic exceeds the specified limit, the newest traffic is dropped.
- If necessary, enable filtering under Filtering by monitoring points and specify the monitoring points that got the traffic that you need.
By default, the monitoring points that got the traffic of selected network sessions are specified.
- If necessary, enable filtering in the Filtering by address spaces section and specify the address spaces to which the addresses in the network packets of the selected network sessions belong (this section is displayed if additional address spaces are added to the application).
By default, all address spaces created in the application are specified.
- If necessary, enable filtering under Filtering using BPF and enter an expression for filtering using the BPF (Berkeley Packet Filter) technology by address parameters in network packets of the selected network sessions.
Example of a filter expression:
tcp port 102 or tcp port 502
- If necessary, enable filtering under Filtering using regular expressions and enter a regular expression for filtering by the payload data of network packets of the selected network sessions.
Example of a filtering expression:
^test.+xABxCD
- Click Download.
- If file generation takes a long time (more than 15 seconds), the file generation operation becomes a background operation. In that case, follow these steps to download the file:
- Click the button in the application web interface menu.
This opens the list of background operations.
- Wait for the file generation operation to complete.
- Click the Download file button.
Your browser saves the downloaded file. Depending on your browser's settings, a window may be displayed on your screen in which you can specify the path and name of the downloaded file.
Searching network packets
You can find and view the traffic related to the selected network packets. If necessary, you can download dumps of the found traffic.
To find traffic related to the selected network packets:
- Select the Network map section in the application web interface window.
- Go to the Network sessions tab.
- Click Search in packets.
This opens the window with network packet search settings.
- Do the following:
- In the Period of traffic to download field, set the bounds within which you want to search network packets.
- If necessary, enable filtering under Filtering using BPF and enter an expression for filtering using the BPF (Berkeley Packet Filter) technology by address parameters in network packets. The BPF filtering expression is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
Example of a filter expression:
tcp port 102 or tcp port 502
- If necessary, enable filtering in the Filtering using regular expressions section and enter an expression for filtering based on payload data in network packets.
Example of a filtering expression:
^test.+xABxCD
- If necessary, enable filtering under Filtering by monitoring points and specify the monitoring points from which you want to get traffic.
- If necessary, enable filtering under Filtering by address spaces and specify the address spaces to which the addresses in network packets belong.
- Click Search.
The table displays data that match the filtering criteria.
- If you want to download the dumps of the found network packets, click Download.
Raw network traffic dumps are downloaded in PCAP format.
Preconfigured network packet search rules
You can search in traffic using preconfigured rules that use BPF and regular expressions.
To search network packets using a preconfigured rule:
- Select the Network map section in the application web interface window.
- Go to the Network sessions tab.
- Click Search in packets.
This opens the window with network packet search settings.
- In the Period of traffic to download field, set the bounds within which you want to search network packets.
- In the table below, copy a filtering expression from the Filtering using BPF or Filtering using regular expressions column and paste it into the corresponding section of the web interface for searching in network packets.
- Click Search.
The table displays data that match the filtering criteria.
The preconfigured rules are listed in the table below.
Preconfigured network packet search rules
| Purpose of the rule | Filtering using BPF | Filtering using regular expressions | Explanation | Example |
|---|---|---|---|---|
| Searching traffic by IP address | | | | |
| Searching traffic between two hosts | | | | |
| Searching for traffic of an individual TCP session | | | | |
| Searching for traffic by multiple IP addresses | | | | |
| Finding all DNS queries from a group of hosts | | | | |
| Searching for HTTP traffic | | | The filter must be used without quotes | |
| Searching for DNS traffic | | | Standard DNS only | |
| Searching for HTTP traffic with a GET request to a certain domain | | | | |
| Searching for ICMP traffic of a specific host | | | | |
| Searching for authentication data transmitted as plain text | | | The filter must be used without quotes | |
| Searching for TCP sessions in which the host acts as a client | | | | |
| Searching for HTTP traffic in a given subnet | | | | |
| Searching for local interaction traffic | | | | |
| Searching for traffic of interaction with objects on the internet | | | | |
| Searching for traffic by the UserAgent field in HTTP traffic | | | | |
Monitoring risks
Kaspersky Anti Targeted Attack Platform can detect risks to which the information system resources are exposed. The application identifies the risks based on traffic analysis results and the received device information.
Detected risks can belong to the following categories:
- Vulnerability. Detected device vulnerabilities belong to this category.
- Configuration problems. This category includes security risks caused by incorrect configuration and risks of compromising data when writing and reading device configurations.
- Insecure network architecture. This category includes risks associated with detected insecure network interactions, devices, protocols, and software; risks due to authorized devices becoming inactive; and risks due to the EPP applications being absent from devices or not fully functional.
Each risk is scored from 0.0 to 10.0. The calculation starts from the base score and takes into account the available information about the device with which the detected risk is associated, including the importance level of the device and the other risks associated with that device. The base scores of risks in the Vulnerability category follow the Common Vulnerability Scoring System (CVSS). For the rest of the risk categories, the base scores are taken from the table of risk types.
Risk information is uploaded to the database of detected risks on the Central Node. The total amount of stored records in the database cannot exceed the specified limit. If the amount exceeds the limit, the application automatically deletes 10% of the oldest records. You can set the maximum size of detected risk information when configuring the storage settings.
The contents of the detected risk database are displayed in the Risks section of the application web interface. You can also view an overview of device risks in the Assets section on the Devices tab.
About risks of the Vulnerability category
Vulnerability risks are registered when the application detects vulnerabilities in monitored devices on the corporate LAN. A vulnerability is a flaw in the software or hardware of a device, which an attacker can exploit to compromise the information system or gain unauthorized access to information.
The application detects vulnerabilities by analyzing the available device information. Information that can help identify a known vulnerability for a device is compared against certain fields in the database of known vulnerabilities. The database of known vulnerabilities is built into the application. This database, maintained by Kaspersky experts, contains information about the most relevant or the most frequently encountered device vulnerabilities.
The database of known vulnerabilities contains descriptions of vulnerabilities and of devices that are affected by these vulnerabilities. In addition, the database contains recommendations for protecting the system in the form of texts or links to public resources. The database of known vulnerabilities contains descriptions and recommendations from various sources, which may include vendors of devices and software, as well as various security organizations. The descriptions and recommendations in the database are in English.
After the application is installed, the original database of known vulnerabilities is used. You can keep your database up to date by installing updates.
Kaspersky Anti Targeted Attack Platform compares the available information about devices with fields in the database of known vulnerabilities that describe the devices that are affected by the vulnerabilities. The application uses the following device information to detect vulnerabilities:
- Hardware vendor.
- Hardware model.
- Hardware version.
- Software vendor. If no software vendor information can be found in the device information, Kaspersky Anti Targeted Attack Platform reuses the Hardware vendor value.
- Software name. If the software name cannot be found in the device information, Kaspersky Anti Targeted Attack Platform reuses the Hardware model value.
- Software version.
In the database of known vulnerabilities, device descriptions are stored in the CPE (Common Platform Enumeration) format. The application compares the available device information with these descriptions, automatically converting the information to the CPE format. For each vulnerability, the content of the matching descriptions is listed in the risk details area in the Matched CPE section.
The main parameter that identifies a vulnerability is its ID in the Common Vulnerabilities and Exposures (CVE) list. This identification number is called the CVE ID. If a vulnerability does not yet have a CVE ID, an ID obtained from other public resources with descriptions of vulnerabilities is specified.
The Kaspersky Anti Targeted Attack Platform supports getting IDs and links to descriptions of vulnerabilities provided by the Federal Service for Technical and Export Control (FSTEC) of Russia in the Information Security Threats Databank (hereinafter also referred to as the "BDU"). If the downloaded vulnerability information contains such information from FSTEC's BDU, the application displays this information in the form of corresponding IDs in the "BDU:<year>-<number>" format.
Implementation scenario for a continuous risk management process
The risk detection functionality allows implementing continuous (cyclical) risk management in your information system. To help you manage risks, Kaspersky Anti Targeted Attack Platform provides information about detected risks, which you can use to take the necessary remediation or mitigation measures.
The implementation scenario for the continuous risk management process involves the following steps:
- Taking a device inventory
This step is performed using the Device Activity Detection and Device Information Detection methods (the methods must be enabled). At this step, the application automatically detects new devices and updates the device information. If some devices on the network were not detected automatically, you need to add them manually or import them from external projects.
You must enable automatic update in the device settings for all information that determines the classification and operational characteristics of devices (for example, model and software version). If automatic update of such information is for some reason impossible, this information must be kept up to date manually.
- Risk detection while scanning passively or actively
The application passively scans devices for risks using the available information about the devices. The application also analyzes network interactions in corporate LAN traffic to detect risks. Risk detection is implemented by the Risk Detection method (the method must be enabled).
You can also actively poll devices to quickly get their information. When performing active polling of devices, you also can detect specific types of risks if the corresponding risk analysis methods are selected. To actively poll devices, you need to add one or more Active poll connectors to the application.
Risks of the Vulnerability category are automatically detected after updating the database of known vulnerabilities in the application or after adding or updating the device information that is used for matching (for example, after saving software model and version information).
- Scoring and classifying detected risks
For each detected risk, the application calculates a score. The score reflects the severity of the risk. Depending on the score, the severity of the risk can be Low (score 0.0–3.9), Medium (score 4.0–7.9), or High (score 8.0–10.0).
Based on the severity levels and scores, and factoring in the special ways in which devices are used in your information system, you can classify detected risks in accordance with their importance. If you assess a risk as insignificant (for example, because the prerequisites for exploiting the vulnerability cannot be reproduced), you can manually change its status from Active (assigned by default after detection) to Accepted. When changing the status of a risk, we recommend adding or editing a comment.
Leave the Active status on all risks that still require action.
- Remediation
At this step, you must undertake remediation or mitigation of the detected risks. To do this, check all Active detected risks, starting with the risks with the highest scores. Do what is necessary in your information system (for example, to remedy the vulnerability of a device, install the software update that fixes it, and if this is not possible, isolate this device from external networks). For some risks (for example, vulnerabilities), information on recommended actions is provided.
Kaspersky Anti Targeted Attack Platform is not involved in the remediation of detected risks.
- Verifying remediation
This step is similar to risk detection while scanning. As a result of this step, no Active risks should remain in the risk table.
For most risks that the application detects during passive scanning (for example, vulnerabilities), the application automatically assigns the Remediated status if the conditions for detecting these risks are no longer satisfied. For example, after the software version is changed for a device, the application assigns the Remediated status to the Vulnerability risk that was registered because of a vulnerable software version that had been specified previously. The Remediated status is also assigned to risks that no longer have a description in the database of known vulnerabilities (if the description is removed from the database after downloading updates).
When devices are removed, the application also removes the risks associated with these devices.
If, after remediation, the conditions for detecting the risk have not changed (for example, the vulnerable device is isolated from external networks, but the information about this device has not changed), you can manually assign the Accepted status to this risk. When changing the status of a risk, we recommend adding or editing a comment.
Some risks cannot be automatically assigned a status of Remediated (for example, Remediated cannot be automatically assigned to risks that are detected during active polling of devices). For such risks, you must also manually assign the Accepted status after the risk remediation is complete.
If a risk is associated with an event, you can assign the Accepted status to this risk at the same time when you change the event status to Resolved.
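The CPE matching described under "About risks of the Vulnerability category" (software vendor falling back to hardware vendor, software name falling back to hardware model) and the Active / Remediated / Accepted transitions of the scenario above, worked through as an added example that is not Kaspersky code. The vulnerability database, the device record and the CVE IDs are constructed placeholders; using the CPE part "a" for every device, treating the base score as the displayed score, and leaving Accepted risks untouched when their detection conditions disappear are assumptions of this example.

```python
from dataclasses import dataclass


def severity(score):
    """Severity bands from the scenario: Low 0.0-3.9, Medium 4.0-7.9, High 8.0-10.0."""
    if score >= 8.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"


def cpe_component(value):
    """Normalise one CPE component; '*' stands for any value when it is unknown."""
    return value.strip().lower().replace(" ", "_") if value else "*"


def device_to_cpe(device):
    """Build a CPE 2.3 name from device information with the documented fallbacks:
    software vendor -> hardware vendor, software name -> hardware model (part 'a' assumed)."""
    vendor = device.get("software_vendor") or device.get("hardware_vendor")
    product = device.get("software_name") or device.get("hardware_model")
    return "cpe:2.3:a:{}:{}:{}:*:*:*:*:*:*:*".format(
        cpe_component(vendor), cpe_component(product),
        cpe_component(device.get("software_version")))


def cpe_matches(pattern, name):
    """Component-wise comparison; '*' in the database pattern matches anything."""
    p, n = pattern.split(":"), name.split(":")
    return len(p) == len(n) and all(a in ("*", b) for a, b in zip(p, n))


@dataclass
class Risk:
    risk_id: int
    name: str            # CVE ID of the detected vulnerability
    device: str
    base_score: float
    matched_cpe: str     # database description that matched the device
    status: str = "Active"
    comment: str = ""


class RiskRegistry:
    """Detected-risk table keyed by (CVE ID, device name)."""
    def __init__(self, vuln_db):
        self.vuln_db = vuln_db
        self.risks = {}
        self._next_id = 1

    def scan(self, devices):
        """Passive scan: new match -> Active, repeated match of a Remediated risk -> Active,
        Active risk whose conditions are gone -> Remediated. Returns the status table."""
        seen = set()
        for dev in devices:
            cpe = device_to_cpe(dev)
            for vuln in self.vuln_db:
                if not cpe_matches(vuln["cpe"], cpe):
                    continue
                key = (vuln["cve"], dev["name"])
                seen.add(key)
                risk = self.risks.get(key)
                if risk is None:
                    self.risks[key] = Risk(self._next_id, vuln["cve"], dev["name"],
                                           vuln["base_score"], vuln["cpe"])
                    self._next_id += 1
                elif risk.status == "Remediated":
                    risk.status = "Active"
        for key, risk in self.risks.items():
            # Accepted risks are deliberately left as they are (assumption of this example)
            if key not in seen and risk.status == "Active":
                risk.status = "Remediated"
        return self.statuses()

    def set_status(self, risk_id, status, comment=""):
        """Manual change: only Active -> Accepted and Accepted -> Active are allowed."""
        risk = next(r for r in self.risks.values() if r.risk_id == risk_id)
        if (risk.status, status) not in {("Active", "Accepted"), ("Accepted", "Active")}:
            raise ValueError("cannot change %s to %s manually" % (risk.status, status))
        risk.status, risk.comment = status, comment
        return risk

    def statuses(self):
        return {r.name: r.status for r in self.risks.values()}


# Constructed database of known vulnerabilities; the CVE IDs are placeholders.
VULN_DB = [
    {"cve": "CVE-0000-0001", "base_score": 9.8,
     "cpe": "cpe:2.3:a:example_vendor:plc_firmware:1.2:*:*:*:*:*:*:*"},
    {"cve": "CVE-0000-0002", "base_score": 5.3,
     "cpe": "cpe:2.3:a:example_vendor:plc_firmware:*:*:*:*:*:*:*:*"},
]


def demo():
    """Walk one constructed device through detection, remediation, acceptance and re-detection."""
    device = {"name": "plc-01", "hardware_vendor": "Example Vendor",
              "hardware_model": "PLC Firmware", "software_version": "1.2"}
    reg = RiskRegistry(VULN_DB)
    detected = reg.scan([device])
    device["software_version"] = "1.3"   # update installed: the 1.2-only entry no longer matches
    updated = reg.scan([device])
    reg.set_status(2, "Accepted", "Device isolated from external networks")
    device["software_version"] = "1.2"   # rollback: repeated detection
    final = reg.scan([device])
    levels = {r.name: severity(r.base_score) for r in reg.risks.values()}
    return detected, updated, final, levels
```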
Viewing the risk table
The risk table is displayed in the Risks and anomalies section of the application web interface window.
Risk settings are displayed in the following columns of the table:
- Category.
The name of the risk category.
- Name.
Risk name. For a risk of the Vulnerability category, the CVE ID of the detected vulnerability is used (if there is no CVE ID, an ID obtained from other public resources with vulnerability descriptions is displayed).
- CVE.
For risks of the Vulnerability category: CVE ID of the detected vulnerability.
- BDU.
For risks of the Vulnerability category: ID of the vulnerability in the BDU database. If multiple vulnerabilities with different BDU IDs correspond to one vulnerability with a CVE ID, the column lists all such IDs.
- Risk ID.
Unique ID of the risk.
- Score.
The calculated risk score. This numerical value determines the severity level of the risk. Depending on the severity level, the score can be displayed in one of the following colors:
- Red for a High severity risk.
- Yellow for a Medium severity risk.
- Blue for a Low severity risk.
For Active risks, the color of the score is bright. For Remediated or Accepted risks, the color of the score is faint.
In the details area, this setting is called Base score.
- Side 1.
Address information of one of the sides of the network interaction (indicated for some types of risks). The display of MAC and IP addresses can be turned on and off separately. If extra address spaces are added in the application, when configuring the risk table, you can enable or disable the display of address space names using the Show address spaces setting.
- Side 2.
Address information of the other side of the network interaction (indicated for some types of risks). The display of address information can be configured the same way as the Side 1 column.
- Device group.
Name of the group in which the device with the detected risk is placed (contains the name of the group itself and the names of all its parent groups).
- Device.
Name and address of the device.
- Source.
For risks of the Vulnerability category: the name of the source from which the information was uploaded into the database of known vulnerabilities. In the details area, this setting is called Source of vulnerability.
- Status.
Current risk status. The following statuses are possible:
- The Active status is assigned by default when the risk is first detected (as well as upon repeated detection if the risk had been assigned the Remediated status). You can also manually assign the Active status to a risk if its current status is Accepted.
- The Remediated status is automatically assigned if the conditions for detecting the risk are no longer satisfied.
- The Accepted status is assigned to a risk manually if the risk is assessed as insignificant or if the undertaken remediation actions did not result in the automatic assignment of the Remediated status.
- Detected at.
Date and time when the risk was detected.
- Last status change.
Date and time of the last risk status change.
- Matched CPE.
For risks of the Vulnerability category: device descriptions stored in the database of known vulnerabilities. Descriptions that match the device information from the table of devices are listed here.
When viewing the risk table, you can configure, filter, search, and sort the risks, as well as navigate to related items.
Viewing risk information
Risk information includes information from the risk table and the following fields:
- Risk type is the code of the risk type.
- Description is the description specified for the risk type or for the vulnerability.
- Base score is the initial value for calculating the risk score.
For risks of the Vulnerability category, additional information is displayed in the following fields and field groups:
- CVSS vector is a record of metrics for calculating the CVSS vulnerability score.
- Attack conditions is a description of the conditions that must be satisfied for the vulnerability to be exploited.
- Impact is a description of the possible consequences of exploiting the vulnerability.
- Mitigations lists recommendations for the remediation of the vulnerability (for example, information about which software version is recommended to be installed on the device).
- Links lists links to public resources that can provide additional information about the vulnerability.
- CVE history lists dates when the vulnerability was identified, confirmed, and published in public sources.
To view risk information:
- Select the Assets section in the application web interface window.
- Go to the Devices tab.
- Click the name of the vulnerability (as a CVE ID or other vulnerability ID) in the Risks column.
This opens a window containing information about the vulnerability.
Manually changing risk status
When managing the Risks and anomalies section, you can manually change the statuses of any risks from Active to Accepted and vice versa. When managing the Assets section, you can only change the status of Vulnerability category risks, and only from Active to Accepted.
You can also assign the Accepted status to a risk when assigning the Resolved status to events that are associated with this risk.
To manually change the risk status:
- Open the risk details area or the risk details window.
- Open the Change status drop-down list.
- Depending on the status you want to assign to the risk, select one of the following from the drop-down list:
- Accepted if you want to change the status of the risk from Active to Accepted.
- Active if you want to reassign the Active status to the risk.
This opens a confirmation prompt window.
- If the selected risk has related events and you want to assign the Resolved status to all these events at the same time, select the Assign the Resolved status to all related events check box.
Risks may become associated with events when registering certain types of events using the Asset Management technology.
- In the prompt window, click OK.
Viewing risk information while managing the table of devices
When managing the table of devices, you can view information for risks that have been detected on devices. For each device that has risks of the Vulnerability category, the names of the detected vulnerabilities are displayed (as CVE IDs or other vulnerability IDs). If risks of other categories are detected on the device, names of those risk categories are displayed for that device. Vulnerability names and risk categories are displayed in the Risks column and in the details area when a device is selected.
By default, the table of devices displays information only about Active risks. If necessary, you can enable the display of information for all risks by selecting the Show remediated and accepted risks check box when configuring the device table.
To indicate the severity levels of risks, the names of vulnerabilities and categories are colored as follows:
- Red for High severity risks.
- Yellow for Medium severity risks.
- Blue for Low severity risks.
For Active risks, the color of the names is bright. For Remediated or Accepted risks, the color of the names is faint.
If a device has several risks of the same category, the name of this category is displayed in the color of the highest-severity risk among them.
If you want to view risk details, you can click the vulnerability and category names. Clicking a vulnerability name (as a CVE ID or other vulnerability ID) opens the vulnerability details window. Clicking a risk category name takes you to the risk table filtered to display the risks of the selected category for the device.
When viewing the table of devices, you can filter devices by their risks. You can also search for devices by vulnerability names (as CVE IDs or other vulnerability IDs).
Configuring NDR event types
Event types determine the parameters used when registering events: titles, descriptions, base scores, and registration settings. In Kaspersky Anti Targeted Attack Platform, you can view the settings of event types, edit some settings of event types, and configure automatic saving of traffic and forwarding of registered events through connectors.
Viewing the table of event types
The event types provided in the application are displayed in the Settings section, Event types subsection of the application web interface.
The table of event types contains system event types. These event types are created by the application during installation and cannot be removed from the list. Event registration technologies implemented in the application use different sets of system event types.
On the basis of some system event types, you can configure user-defined event settings to be used when registering events in certain cases. User-defined settings can be defined for the event type of the External systems technology, code 4000005400, to be used for registering events using the Kaspersky Anti Targeted Attack Platform API NDR.
User-defined settings take precedence when registering events. In absence of user-defined settings, settings configured in the system event types are used.
The following settings are provided for event types:
- Code – unique number (identifier) of the event type. In the table of event types, the number is displayed together with the event title in the Code and title column. In the table of registered events, the event type ID is displayed in the Event type column.
- Title – contents of the event title presented as text and/or variables. System event types can use variables specific only to these types of events, or general variables, which can also be used in user-defined settings. In the table of event types, the content of the title is displayed together with the event type number in the Code and title column. In the table of registered events, the text of the title and/or received values of variables are displayed in the Title column.
- Base score – initial value for calculating the score of the registered event. If an event type can have different base scores, the maximum value is displayed. This setting is displayed in the table of event types.
- Technology – technology used for event registration. This setting is displayed in the table of event types.
- Description – additional text that describes the event type. Like the title, it can contain variables. This setting is not displayed in the table of event types. You can view the description in the details area of the selected event type. In the table of registered events, the text of the description and/or the resulting values of variables are displayed in the Description column.
- <Recipient connector name> – name of the connector that the application uses to send events to the third-party system. The application sends to third-party systems only events of types that are configured for sending through the connector. Each connector through which forwarding of events to third-party systems is configured is displayed in a separate column of the table of event types. This setting is not displayed in the details area of the selected event type.
- Event regeneration period – maximum time after which an event can be registered again. If the conditions for registering the event recur before this period elapses, a new event is not registered; instead, the repeat counter of the previously registered event is incremented and the date and time of the last occurrence of the event are updated. After the period ends, the next recurrence of the registration conditions makes the application register a new event of this type. The regeneration period is counted from the moment of the last registration of an event of this type. For example, if the regeneration period is set to 8 hours and the conditions for registering this event recur two hours after the previous event, a new event is not registered. A new event is registered if the conditions are detected 8 hours or later after the previous registration. This setting is not displayed in the table of event types. You can view and configure this setting in the details area of the selected event type.
For registered events, the regeneration period may effectively end earlier than configured: repeated registration of an event is allowed before the configured time elapses if the Resolved status is assigned to the event, or if the Central Node server is restarted.
- Save traffic – this setting enables or disables automatic saving of traffic when an event is registered. This setting is not displayed in the table of event types. You can view and configure this setting in the details area of the selected event type.
If automatic saving of traffic is disabled, you can manually download traffic for some time after an event of this type is registered. When the application gets a request to download traffic, it searches for network packets in its temporarily generated traffic dump files. If the necessary network packets are found in the traffic dump files, these packets are downloaded (after being saved in the database first).
When viewing the table of event types, you can use the configuration, filtering, searching, and sorting functionality.
Editing the settings of a system event type
To edit the settings of a system event type:
- In the window of the application web interface, select the Settings section, Event types subsection.
- In the table of event types, select the type of event that you want to edit.
The details area is displayed in the right part of the web interface window.
- Click Edit.
- Edit the editable settings: the regeneration period and traffic saving settings.
- Click Save.
Configuring automatic saving of traffic for system event types
When editing event types, you can enable or disable automatic saving of traffic for events when they are registered. If traffic saving is enabled, the database stores the network packet that caused the registration of the event, as well as the packets before and after the registration of the event that were detected within the network session in which the event was registered. Traffic saving settings determine how many network packets are saved and time limits.
If automatic traffic saving is disabled for an event type, and user-defined settings enabling traffic saving have been configured for this event type, you can download traffic only within a certain time frame after the registration of an event of this type. In this case, the application uses traffic dump files for downloading traffic. These files are stored temporarily and automatically deleted as new traffic arrives. When traffic is downloaded from these files, as many network packets are saved in the database as configured by default when you enable traffic saving for event types.
The application saves traffic in the database only when an event is registered. If the conditions for registering this event recur during the regeneration period, the traffic for that moment is not saved in the database.
You can enable and configure traffic saving for any event types.
If traffic saving is enabled for aggregate events (that is, for system event type 8000000001), the application saves traffic for all nested events when registering an aggregate event. The settings specified for the aggregate event are applied when saving the traffic of nested events. However, traffic saving settings specified directly for the types of events nested in the aggregate event override the settings specified for the aggregate event. That is, traffic for nested events is saved in accordance with the settings specified for the types of these events, and if such settings are not specified, the settings of the aggregating event are used.
To enable and configure traffic saving for an event type:
- In the window of the application web interface, select the Settings section, Event types subsection.
- In the table of event types, select the type of event that you want to edit.
The details area appears in the right part of the web interface window.
- Click Edit.
- Set the Save traffic toggle switch to Enabled.
- Configure the saving of traffic from before the event was registered. To do so, specify values in Total packets before event and/or Time to event, ms. Zero means the setting is not applied. If values are specified in both fields, the application saves the smaller set of packets, that is, it stops at whichever of the two limits is reached first.
- Configure the saving of traffic from after the event was registered. To do so, specify values in Total packets after event and/or Time after event, ms. Zero means the setting is not applied. If values are specified in both fields, the application saves the smaller set of packets, that is, it stops at whichever of the two limits is reached first.
For some technologies (in particular, Deep Packet Inspection), fewer packets from after registration may be saved in events than configured in traffic saving settings. This is due to the peculiarities of the traffic monitoring technology.
- Click Save.
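The regeneration period described under Event regeneration period above and the before/after traffic window configured in this procedure can be modelled together. The following Python is an added example, not code from Kaspersky Anti Targeted Attack Platform: the class and function names, the packet timeline, and the assumption that a side with neither a packet count nor a time limit saves no packets are all constructed for the illustration.

```python
"""Model of an NDR event type's regeneration period and traffic-saving window.

Added illustration, not Kaspersky code. Names, the packet timeline and the
"no limit set means nothing saved on that side" rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

HOUR_MS = 3_600_000


@dataclass
class Packet:
    ts_ms: int          # capture time, milliseconds
    summary: str        # e.g. "10.0.0.5 -> 10.0.0.9 arp"


@dataclass
class Event:
    type_code: int
    registered_ms: int          # first registration; the regeneration period counts from here
    last_seen_ms: int           # updated on every repeat inside the period
    repeats: int = 1
    resolved: bool = False
    traffic: List[Packet] = field(default_factory=list)


def select_window(packets, trigger_idx, before_count, before_ms, after_count, after_ms):
    """Packets stored with an event under the documented rule: a zero limit is not
    applied; when both a packet count and a time limit are set for one side, the
    smaller selection wins (whichever limit is reached first)."""
    trigger = packets[trigger_idx]
    before = packets[:trigger_idx]
    after = packets[trigger_idx + 1:]
    if before_ms:
        before = [p for p in before if trigger.ts_ms - p.ts_ms <= before_ms]
    if before_count:
        before = before[-before_count:]
    if not before_count and not before_ms:
        before = []          # assumption: no limit on this side means nothing is saved
    if after_ms:
        after = [p for p in after if p.ts_ms - trigger.ts_ms <= after_ms]
    if after_count:
        after = after[:after_count]
    if not after_count and not after_ms:
        after = []
    return before + [trigger] + after


class EventType:
    """One event type with its regeneration period and traffic-saving settings."""

    def __init__(self, code, regeneration_ms, save_traffic=True, window=(0, 0, 0, 0)):
        self.code = code
        self.regeneration_ms = regeneration_ms
        self.save_traffic = save_traffic
        self.window = window            # (before_count, before_ms, after_count, after_ms)
        self.events: List[Event] = []
        self.open: Optional[Event] = None   # event still covered by the regeneration period

    def observe(self, packets, trigger_idx):
        """Conditions for the event recurred at packets[trigger_idx]."""
        now = packets[trigger_idx].ts_ms
        ev = self.open
        if ev is not None and not ev.resolved and now - ev.registered_ms < self.regeneration_ms:
            ev.repeats += 1           # repeat: only counter and last-occurrence time change,
            ev.last_seen_ms = now     # traffic for this moment is not saved
            return ev
        ev = Event(self.code, now, now)
        if self.save_traffic:
            ev.traffic = select_window(packets, trigger_idx, *self.window)
        self.events.append(ev)
        self.open = ev
        return ev

    def resolve(self, ev):
        """Assigning Resolved ends the period early: the next recurrence is a new event."""
        ev.resolved = True

    def restart(self):
        """A restart of the Central Node has the same effect."""
        self.open = None


def demo():
    """8-hour regeneration period, as in the documentation's example."""
    h = HOUR_MS
    times = [0, 10, 20, 2 * h, 2 * h + 10, 8 * h, 8 * h + 10, 9 * h,
             int(9.5 * h), int(9.5 * h) + 10, int(9.6 * h)]
    packets = [Packet(t, f"pkt@{t}") for t in times]     # constructed timeline
    et = EventType(4000004001, regeneration_ms=8 * h, window=(2, 0, 1, 0))
    et.observe(packets, 0)            # t=0h   -> new event #1
    et.observe(packets, 3)            # t=2h   -> repeat of #1 (inside 8 h)
    et.observe(packets, 5)            # t=8h   -> new event #2 (period elapsed)
    second = et.observe(packets, 7)   # t=9h   -> repeat of #2
    et.resolve(second)
    et.observe(packets, 8)            # t=9.5h -> new event #3 (Resolved ended the period)
    et.restart()
    et.observe(packets, 10)           # t=9.6h -> new event #4 (restart ended the period)
    return et


if __name__ == "__main__":
    for ev in demo().events:
        print(ev.type_code, ev.registered_ms // HOUR_MS, "h", ev.repeats, "x", len(ev.traffic), "pkts")
```

Note that the repeat at 2 h leaves no traffic behind: only the packets around the registration that opened each event are stored, which is why a long regeneration period on a noisy event type costs evidence as well as alerts.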
Configuring the forwarding of events through connectors
When configuring system event types, you can specify the connectors through which you want Kaspersky Anti Targeted Attack Platform to forward registered events to third-party systems. Kaspersky Anti Targeted Attack Platform can send event information through multiple connectors simultaneously.
To configure the forwarding of events through connectors to third-party systems:
- In the window of the application web interface, select the Settings section, Event types subsection.
- Make sure that the table of event types displays the columns with the connectors that you need.
If the column of the relevant connector is missing, check the column display settings. If the connector has not been added to the list of connectors, add it.
- In the table of event types, select the types of events for which you want to enable or disable forwarding through connectors.
If you select an individual event type, the details area is displayed in the right part of the web interface window.
- Do one of the following:
- If you select one event type, click Select connectors in the details area.
- If you select multiple event types, click Select connectors in the upper part of the window.
This opens the Event recipient connectors window.
- Select the check boxes next to the connectors through which you want to forward events to third-party systems.
- Click OK.
Common substitution variables in Kaspersky Anti Targeted Attack Platform
You can use common variables to substitute current values in Kaspersky Anti Targeted Attack Platform. You can use common variables in the following settings:
- Headers and descriptions of events in user-defined settings for event registration
- Settings of event forwarding, application messages, or audit records using the email connector
To insert a common variable into an input field:
Start typing the name of the variable with the leading $ character and select the common variable from the displayed list.
Common variables can be used for interpolation in different settings, depending on the purpose of the variable (see the table below).
Common variables for value substitution

| Variable | Description | Usage |
|---|---|---|
| | Network interaction description strings (one string per network interaction), specifying the protocol and sender and recipient addresses of the network packet | |
| | Network packet recipient address (depending on the information provided by the protocol, this can be an IP address, port number, MAC address and/or other address information) | |
| | Extra variable added using the | |
| | Name of the monitoring point whose traffic caused the event to be registered | |
| | Date and time of registration | |
| | Name of the application layer protocol for which the event was logged | |
| | Network packet sender address (depending on the information provided by the protocol, this can be an IP address, port number, MAC address and/or other address information) | |
| | Name of the rule in the event | |
| | Name of the top-level protocol | |
| | Code of the event type, application message, or audit entry | |
| | Date and time when the Resolved status was assigned, or the date and time of the event regeneration period (for events that are not aggregate events), or the date and time of registration of the last event included in the incident (for aggregate events) | |
| | How many times a nested or aggregate event was triggered | |
| | Description | |
| | Unique ID of the registered event, application message, or audit entry | |
| | Category of transmitted data (event, application message, or audit record) | |
| | Number of transmitted events, application messages, or audit records | |
| | Template that consists of a block containing a list of data | |
| | Email notification string template | |
| | Node with the installed application component that sent the data | |
| | Operation result in the audit entry | |
| | Event score value | |
| | Event severity level | |
| | Application message status | |
| | Application process that caused the message to be registered | |
| | Technology associated with the event | |
| | Event title, message text, or registered action | |
| | Name of the user that performed the registered action | |
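To show how user-defined settings take precedence over a system event type, and how the $variables in a title are checked and rendered, here is an added Python example (not the product's code). The set COMMON_VARIABLES is an assumed handful of names, since the table above lists the common variables by description only; the user-defined settings are constructed, and the system title of event type 4000005007 is quoted from this page.

```python
"""Effective event settings and $variable interpolation for titles and descriptions.

Added illustration, not Kaspersky code. COMMON_VARIABLES is an assumed subset of
names; the user-defined settings are constructed for the example.
"""
import re
from string import Template

# Assumed names for a few common variables; replace with the product's actual list.
COMMON_VARIABLES = {"src", "dst", "protocol", "registered", "monitoringPoint"}

# System event types (code -> settings). The 4000005007 title is quoted from the page.
SYSTEM_TYPES = {
    4000005007: {"title": "Detected new IP address $new_ip_addr for device with the MAC address $owner_mac"},
    4000005400: {"title": "Event from external system"},
}

VARIABLE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def variables_in(text):
    """Names of the $variables referenced by a title or description template."""
    return set(VARIABLE.findall(text))


def invalid_variables(text):
    """User-defined settings may use common variables only; event-type-specific
    variables such as $fileName or $owner_mac are not available there."""
    return sorted(variables_in(text) - COMMON_VARIABLES)


def effective_settings(code, user_defined=None):
    """User-defined settings take precedence; the system event type fills the rest."""
    settings = dict(SYSTEM_TYPES[code])
    for key, value in (user_defined or {}).items():
        bad = invalid_variables(value)
        if bad:
            raise ValueError(f"{key}: not common variables: {bad}")
        settings[key] = value
    return settings


def render(template, values):
    """Substitute the values received with the event. A variable without a value is
    left visible as $name rather than silently dropped, so a gap shows in the table."""
    return Template(template).safe_substitute(values)


if __name__ == "__main__":
    custom = {"title": "External: $protocol $src -> $dst"}      # constructed user-defined setting
    title = effective_settings(4000005400, custom)["title"]
    print(render(title, {"protocol": "Modbus", "src": "10.0.0.5", "dst": "10.0.0.9:502"}))
    print(render(effective_settings(4000005007)["title"],
                 {"new_ip_addr": "10.0.0.7", "owner_mac": "00:11:22:33:44:55"}))
```

Rejecting unknown variables at configuration time rather than at registration time matters because an event whose title silently lost its $src or $dst is the one a SOC analyst cannot triage.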
NDR event registration technologies
Kaspersky Anti Targeted Attack Platform registers NDR events using one of the following technologies:
- Intrusion Detection (IDS)
This technology registers NDR events related to the detection of anomalies in traffic that are indicators of attacks (for example, an NDR event can be registered when indicators of ARP spoofing are detected).
- External (EXT)
This technology registers aggregate and nested NDR events that are received by the Kaspersky Anti Targeted Attack Platform from third-party systems using the methods of the Kaspersky Anti Targeted Attack Platform API.
- Asset Management (AM)
This technology registers NDR events involving the detection of information about devices in traffic or in data received from EPP applications (for example, an NDR event can be registered when a device is found to have a new IP address).
- Endpoint Protection Platform (EPP)
This technology registers NDR events for threats detected by Kaspersky applications that protect workstations and servers (for example, a malware detection event).
System event types in Kaspersky Anti Targeted Attack Platform
To register events, Kaspersky Anti Targeted Attack Platform uses system event types that are automatically created during application installation.
Each event type belongs to a certain event registration technology.
System event types of the Intrusion Detection technology
This article describes the system event types of the Intrusion Detection technology (see the table below).
Intrusion Detection (IDS) system event types

Code | Event type title | Conditions for registration
---|---|---
4000003000 | Rule from the $fileName set (system rule set) was triggered | An intrusion detection rule from the system rule set is triggered. Variables are used in the title and description of the event type.
4000003001 | Rule from the $fileName set (user-defined rule set) was triggered | An intrusion detection rule from the user-defined rule set is triggered. Variables are used in the title and description of the event type.
4000003002 | Signs of a brute-force attack or scan were detected | A rule for detecting a brute-force or scanning attack is triggered. In the description of the event type, the $ruleName variable is used for the rule name.
4000004001 | Symptoms of ARP spoofing detected in ARP replies | Indicators of address spoofing in ARP packets detected: multiple ARP replies that are not associated with ARP requests. Variables are used in the description of the event type.
4000004002 | Symptoms of ARP spoofing detected in ARP requests | Indicators of address spoofing in ARP packets detected: multiple ARP requests from the same MAC address to different destinations. Variables are used in the description of the event type.
4000005100 | IP protocol anomaly detected: data conflict when assembling IP packet | IP protocol anomaly detected: data mismatch in overlapping IP packet fragments.
4000005101 | IP protocol anomaly detected: fragmented IP packet size exceeded | IP protocol anomaly detected: the actual total size of a fragmented IP packet after reassembly exceeds the allowed limit.
4000005102 | IP protocol anomaly detected: the size of the initial fragment of the IP packet is less than expected | IP protocol anomaly detected: the size of the initial fragment of the IP packet is less than the minimum allowed value.
4000005103 | IP protocol anomaly detected: mis-associated fragments | IP protocol anomaly detected: fragments of the IP packet being reassembled carry different values for the length of the fragmented packet.
4000002701 | TCP protocol anomaly detected: content substitution in overlapping TCP segments | TCP protocol anomaly detected: packets contain overlapping TCP segments with different content.
4000000003 | Test event (IDS) | Test network packet detected (with rule-based intrusion detection enabled).
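The two ARP spoofing indicators in the table (4000004001 and 4000004002) are simple enough to state as detection logic. The following Python is an added example, not the product's intrusion detection engine: the time window, the thresholds and the ARP packet stream in sample_stream() are constructed for the illustration.

```python
"""Detector for the two ARP-spoofing indicators behind event types 4000004001
(unsolicited ARP replies) and 4000004002 (one MAC requesting many destinations).

Added example, not the product's IDS engine. Window, thresholds and the packet
stream in sample_stream() are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

ARP_REPLIES_UNSOLICITED = 4000004001
ARP_REQUESTS_SCANNING = 4000004002


@dataclass(frozen=True)
class Arp:
    ts: float          # seconds
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str     # in a reply: the IP whose MAC is being announced
    target_ip: str     # in a request: the IP being resolved


class ArpSpoofDetector:
    def __init__(self, window_s=5.0, reply_threshold=3, target_threshold=10):
        self.window_s = window_s
        self.reply_threshold = reply_threshold
        self.target_threshold = target_threshold
        self.pending = {}                          # resolved IP -> ts of the last request for it
        self.unsolicited = defaultdict(deque)      # sender MAC -> ts of unsolicited replies
        self.targets = defaultdict(dict)           # sender MAC -> {target IP: ts of request}

    def _expire(self, seen, now):
        for key in [k for k, t in seen.items() if now - t > self.window_s]:
            del seen[key]

    def feed(self, pkt):
        """Process one ARP packet; return the event codes it triggers (usually none)."""
        events = []
        if pkt.op == "request":
            self.pending[pkt.target_ip] = pkt.ts
            seen = self.targets[pkt.sender_mac]
            seen[pkt.target_ip] = pkt.ts
            self._expire(seen, pkt.ts)
            if len(seen) >= self.target_threshold:     # one MAC asking for many addresses
                events.append((ARP_REQUESTS_SCANNING, pkt.sender_mac))
                seen.clear()
        elif pkt.op == "reply":
            asked = self.pending.get(pkt.sender_ip)
            if asked is not None and pkt.ts - asked <= self.window_s:
                del self.pending[pkt.sender_ip]        # answers a request: legitimate
            else:
                q = self.unsolicited[pkt.sender_mac]   # nobody asked: gratuitous reply
                q.append(pkt.ts)
                while q and pkt.ts - q[0] > self.window_s:
                    q.popleft()
                if len(q) >= self.reply_threshold:
                    events.append((ARP_REPLIES_UNSOLICITED, pkt.sender_mac))
                    q.clear()
        return events


def detect(stream):
    det = ArpSpoofDetector()
    found = []
    for pkt in stream:
        found.extend(det.feed(pkt))
    return found


def sample_stream():
    """Constructed traffic: one normal exchange, then a spoofer on aa:bb:cc:dd:ee:ff."""
    good, spoofer = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    pkts = [Arp(0.0, "request", good, "10.0.0.5", "10.0.0.9"),
            Arp(0.1, "reply", "00:99:99:99:99:99", "10.0.0.9", "10.0.0.5")]
    # three gratuitous replies claiming the gateway's address 10.0.0.1
    pkts += [Arp(1.0 + i / 10, "reply", spoofer, "10.0.0.1", "10.0.0.5") for i in range(3)]
    # one MAC resolving ten different addresses in a burst
    pkts += [Arp(2.0 + i / 10, "request", spoofer, "10.0.0.66", f"10.0.0.{10 + i}") for i in range(10)]
    return pkts


if __name__ == "__main__":
    for code, mac in detect(sample_stream()):
        print(code, mac)
```

The legitimate request/reply pair produces nothing, because the reply is matched to an outstanding request for the same address; only replies nobody asked for count toward the first indicator. On a real segment the thresholds need tuning against gratuitous ARP from failover and DHCP clients, which is exactly what the regeneration period on the event type is for.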
System event types of the Asset Management technology
This article describes the system event types of the Asset Management technology (see the table below).
System event types of the Asset Management (AM) technology

Code | Event type title | Conditions for registration
---|---|---
4000005003 | Detected new device with the address $owner_ip_or_mac | With Asset Management in monitoring mode, a new device was automatically added by a detected IP or MAC address that is not specified for any other device in the table. When registering the event, the application may simultaneously register an Unauthorized device risk for this device; in that case, a relation is established between the risk and the event. Variables are used in the title and description of the event type.
4000005004 | Received new information about device with the address $owner_ip_or_mac | With Asset Management in monitoring mode, device information was automatically updated based on information received from traffic. Variables are used in the title and description of the event type.
4000005005 | IP address conflict detected $owner_ip | With Asset Management in monitoring mode, an IP address was detected being used by a device other than the device for which this IP address was specified. Variables are used in the title and description of the event type.
4000005006 | Detected traffic from address $owner_ip_or_mac, which is assigned to device with the Archived status | With Asset Management in monitoring mode, or based on data received from an EPP application, activity was detected from a device that has the Archived status. When registering the event, the application may simultaneously register an Unauthorized device risk for this device; in that case, a relation is established between the risk and the event. Variables are used in the title and description of the event type.
4000005007 | Detected new IP address $new_ip_addr for device with the MAC address $owner_mac | With Asset Management in monitoring mode, a new IP address used by a device was detected. Variables are used in the title and description of the event type.
4000005008 | New MAC address ($owner_mac) was added to device with IP address $owner_ip | With Asset Management in monitoring mode, a MAC address was automatically added for a network interface that had only an IP address specified (the device had the Unauthorized or Archived status). Variables are used in the title and description of the event type.
4000005009 | New IP address ($owner_ip) was added to device with the MAC address $owner_mac | With Asset Management in monitoring mode, an IP address was automatically added for a network interface that had only a MAC address specified (the device had the Unauthorized or Archived status). Variables are used in the title and description of the event type.
4000005010 | Detected new MAC address $new_mac_addr for device with the IP address $owner_ip | With Asset Management in monitoring mode, a new MAC address used by a device was detected (automatic updating of address information is disabled for this device). Variables are used in the title and description of the event type.
4000005011 | Detected change of MAC address $owner_mac to $challenger_mac in device data received from EPP application | Based on information received from an EPP application, the MAC address of the device was updated. Variables are used in the title and description of the event type.
4000005012 | New address information for device $asset_name found in data received from EPP application | New address information for a device was found in data received from an EPP application. An event of this type is registered if the change of the device's address information was not already processed by the application as event 4000005009 or 4000005010. Variables are used in the title and description of the event type.
4000005013 | Conflict detected in addresses of devices $conflicted_epp_assets after data was received from EPP application | Based on information received from an EPP application, a conflict between the addresses of multiple devices in Kaspersky Anti Targeted Attack Platform was detected: according to the EPP application, the addresses belong to the same device. Variables are used in the title and description of the event type.
4000005014 | Subnet $subnet_mask was added from EPP application data | After receiving information from an EPP application, a new subnet was automatically added to the list of known subnets. The subnet is added to the address space whose data source can be the integration server that receives information from the EPP application. If several such address spaces exist, the one containing the most suitable subnet for automatically adding a new nested subnet is selected. Variables are used in the title and description of the event type.
4000005016 | Unauthorized DHCP server detected with IP address $owner_ip | The $asset_name device (ID: $asset_id) with the address $owner_ip_or_mac was identified as an unauthorized DHCP server. Variables are used in the title and description of the event type.
4000005017 | Unauthorized DHCP relay detected with IP address $owner_ip | The $asset_name device (ID: $asset_id) with the address $owner_ip_or_mac was identified as an unauthorized DHCP relay. Variables are used in the title and description of the event type.
4000005600 | Changes detected in the list of users on the device with the address $owner_ip_or_mac | Changes to user information were detected while monitoring users on devices. Variables are used in the title and description of the event type.
4000005601 | Changes detected in the list of applications on the device with the address $owner_ip_or_mac | Changed information about applications on the device was detected while monitoring applications and patches on devices. Variables are used in the title and description of the event type.
4000005602 | Changes detected in the list of patches on the device with the address $owner_ip_or_mac | Changed patch information for the device was detected while monitoring applications and patches on devices. Variables are used in the title and description of the event type.
4000005603 | Changes detected in the configuration component $inventory_loc_key on the device | While monitoring device configurations, changes in the configuration component were detected compared to the previous configuration, according to device scan results (for jobs that run in the Update only and/or Archive versions configuration processing modes). Variables are used in the title and description of the event type.
4000005604 | Discrepancies detected compared with the reference configuration component $inventory_loc_key on the device | While monitoring device configurations, discrepancies were found compared to the reference configuration component, according to device scan results (for jobs that run in the Compare with benchmark configuration processing mode). Variables are used in the title and description of the event type.
4000005700 | Public key mismatch detected while connecting to the device remotely | When connecting to the device remotely, a mismatch was detected between the public key received from the device and the value stored in the application. The device scan is canceled. Variables are used in the description of the event type.
4000005701 | Public key mismatch detected during device active polling | While actively polling a device, a mismatch was detected between the public key received from the device and the value stored in the application. Active polling is canceled for the device. Variables are used in the description of the event type.
4000000004 | Test event (AM) | Test network packet detected (with the device activity detection method enabled).
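Event types 4000005700 and 4000005701 describe a fail-closed check: a device whose public key differs from the stored value is neither scanned nor polled. The Python below is an added example of that check, not the product's implementation; the key store, the OpenSSH-style SHA256 fingerprint presentation, the treatment of first contact (pin the presented key) and the key material are assumptions or constructed values.

```python
"""Fail-closed public-key check before a remote device scan or active polling,
modelled on event types 4000005700 and 4000005701.

Added example, not the product's implementation. The key store, the fingerprint
format, the first-contact behaviour and the key bytes below are assumptions.
"""
import base64
import hashlib

KEY_MISMATCH_REMOTE_CONNECTION = 4000005700
KEY_MISMATCH_ACTIVE_POLLING = 4000005701


def fingerprint(public_key: bytes) -> str:
    """SHA256 fingerprint in the OpenSSH presentation (unpadded base64)."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class DeviceKeyStore:
    """Remembers the public key presented by each device on first contact."""

    def __init__(self):
        self._pinned = {}          # device id -> fingerprint

    def check(self, device_id: str, presented_key: bytes, mode: str = "scan"):
        """Return (proceed, event_code). A mismatch cancels the operation and maps to
        the event type for the operation in progress; a first contact pins the key."""
        fp = fingerprint(presented_key)
        pinned = self._pinned.get(device_id)
        if pinned is None:
            self._pinned[device_id] = fp         # assumption: trust on first contact
            return True, None
        if pinned == fp:
            return True, None
        code = KEY_MISMATCH_ACTIVE_POLLING if mode == "poll" else KEY_MISMATCH_REMOTE_CONNECTION
        return False, code

    def rotate(self, device_id: str, new_key: bytes):
        """Explicit, operator-driven update after a verified key change."""
        self._pinned[device_id] = fingerprint(new_key)


def demo():
    store = DeviceKeyStore()
    plc_key = b"ssh-ed25519 constructed key material for plc-01"        # constructed
    impostor = b"ssh-ed25519 constructed key material for an impostor"  # constructed
    new_key = b"ssh-ed25519 constructed key material after rotation"    # constructed
    results = [
        store.check("plc-01", plc_key),                 # first contact: key pinned, proceed
        store.check("plc-01", plc_key),                 # same key: proceed
        store.check("plc-01", impostor),                # mismatch: scan canceled, 4000005700
        store.check("plc-01", impostor, mode="poll"),   # mismatch: polling canceled, 4000005701
    ]
    store.rotate("plc-01", new_key)     # operator confirmed a legitimate key change
    results.append(store.check("plc-01", new_key))
    return results


if __name__ == "__main__":
    for proceed, code in demo():
        print("proceed" if proceed else f"cancel, event {code}")
```

The point of the check is that a key change is never accepted implicitly: the scan is canceled and an event is raised, and only an explicit rotate() by the operator, after the change has been verified out of band, updates the stored value. Otherwise a device in the middle of a man-in-the-middle would simply be re-pinned.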
System event types of the External systems technology
This article describes the system event types of the External systems technology (see the table below).
System event types of the External systems (EXT) technology

Code | Event type title | Conditions for registration
---|---|---
8000000001 | Aggregate event | A sequence of events was detected that satisfies the conditions of a correlation rule. When registering an aggregate event, the title and description from the correlation rule are used as the title and description of the event.
4000005400 | Event from external system | Event received from an external system using the Kaspersky Anti Targeted Attack Platform API NDR. When the event is registered, the title and description are determined by the external system.
System event types of the Endpoint Protection Platform technology
This article describes the system event types of the Endpoint Protection Platform (see the table below).
System event type using the Endpoint Protection Platform (EPP) technology
| Code | Event type title | Conditions for registration |
|---|---|---|
| 4000005500 | Activity specific for network attacks | The integration server received information about the triggering of the Network Threat Protection component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application. |
| 4000005501 | Connection of an untrusted external device | The integration server received information about the triggering of the Device Control component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application. |
| 4000005502 | Attempt to run an unauthorized or untrusted application | The integration server received information about the triggering of the Device Control component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application. |
| 4000005503 | Prohibited file operation in the specified monitoring scope | The integration server received information about the triggering of the File Integrity Monitor component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application. |
| 4000005504 | Files in the specified monitoring scope are modified | The integration server received information about the triggering of the Baseline File Integrity Monitor component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application. |
| 4000005505 | Network connection not allowed by firewall rules | The integration server received information about the triggering of the Firewall Management component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application. |
| 4000005506 | System registry modifications in the specified monitoring scope | The integration server received information about the triggering of the Registry Access Monitor component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application. |
| 4000005507 | Log analysis rule was triggered | The integration server received information about the triggering of the Log Inspection component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application. |
| 4000005508 | Attempt to exploit a vulnerability in a protected process | The integration server received information about the triggering of the Exploit Protection component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application. |
| 4000005509 | Attempt to maliciously encrypt network file resources | The integration server received information about the triggering of the Anti-Cryptor component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application. |
| 4000005510 | Attempt to connect to a Wi-Fi network | The integration server received information about the triggering of the Wi-Fi Control component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application. |
| 4000005512 | Infected or probably infected object was detected | The integration server received information about the triggering of the Real-Time File Protection component of an EPP application. In the description of the event type, the $epp_event_description variable is used for the information from the EPP application. |
| 4000005513 | Sigma rule $sigmaAlertTitle triggered | The integration server received data about an Endpoint Agent component Sigma rule being triggered. The following variables are used in the title and description of the event type: |
Configuring risk types
Risk types define the settings that are used when registering risks in Kaspersky Anti Targeted Attack Platform: names, categories, and base scores for risks. You can view the settings of risk types and, if necessary, change the base scores for some risk types.
After the installation, the application uses the original list of risk types. You can update and add supported risk types by installing updates.
Viewing the table of risk types
The table of risk types is displayed in the Settings section, Risk types subsection of the application web interface.
Risk type settings are displayed in the following columns of the table:
- Code. Unique number of the risk type. In the table of registered risks, the number of the risk type is displayed in the details area of the selected risk.
- Name. Name of the risk type displayed in the table of risk types. When registering a risk, its name may not completely match the name of the risk type used. The names of some risk types may be completely replaced with other names for registered risks. For instance, risk types with such names include risks of the Risk from external system types. If a risk of this type is registered, the application keeps the name of the risk specified in the source of information about the risk (for example, in an external system that uses the Kaspersky Anti Targeted Attack Platform API NDR).
- Category. The name of the risk category.
- Base score. Baseline for calculating the score of the registered risk. The configured base scores are applied when registering all risks, except for risks from external systems. Risk types named Risk from external system have base scores of zero. Base scores for such risks must be specified in external systems that register risks using the Kaspersky Anti Targeted Attack Platform API NDR.
When viewing the table of risk types, you can use the configuration, filtering, searching, and sorting functionality.
Changing the base score for a risk type
Base scores cannot be changed for risk types named Risk from external system. If a risk of this type is registered, the base score of this risk must be provided by the source of information about the risk (for example, an external system that uses the Kaspersky Anti Targeted Attack Platform API NDR).
To change the base score for a risk type:
- In the window of the application web interface, select the Settings section, Risk types subsection.
- In the table of risk types, select the risk type for which you want to change the base score.
  The details area is displayed in the right part of the web interface window.
- Click Edit.
- Enter the new base score.
- Click Save.
Managing the settings for storing risks
You can change the maximum total size limit for stored risks.
To change the risk storage settings:
- Log in to the web interface with the application administrator account.
- Select the Sensor servers section.
- Select the card of the Central Node server.
  The details area is displayed in the right part of the web interface window.
- Click Edit.
  In the details area, tabs are displayed, on which you can manage the settings of the server.
- On the General tab, go to the Risks tab and use the Max volume setting to set the size limit for storing risks.
  You can select the unit of measure for the size limit: MB or GB.
  When editing the value, you also need to take into account that the sum total of all size limits may not exceed the specified maximum storage capacity for the node.
- If necessary, use the Storage time (days) setting to enable a minimum storage time for risks, and specify the minimum number of days.
- Click Save.
System event types in Kaspersky Anti Targeted Attack Platform
To register events, Kaspersky Anti Targeted Attack Platform uses system event types that are automatically created during application installation.
Each event type belongs to a certain event registration technology.
System event types of the Intrusion Detection technology
This article describes the system event types of the Intrusion Detection technology (see the table below).
Intrusion Detection (IDS) system event types
| Code | Event type title | Conditions for registration |
|---|---|---|
| 4000003000 | Rule from the $fileName set (system rule set) was triggered | An intrusion detection rule from the system rule set is triggered. The following variables are used in the title and description of the event type: |
| 4000003001 | Rule from the $fileName set (user-defined rule set) was triggered | An intrusion detection rule from the user-defined rule set is triggered. The following variables are used in the title and description of the event type: |
| 4000003002 | Signs of a brute-force attack or scan were detected | A rule for detecting a brute-force or scanning attack is triggered. In the description of the event type, the $ruleName variable is used for the rule name. |
| 4000004001 | Symptoms of ARP spoofing detected in ARP replies | Indicators of address spoofing in ARP packets detected: multiple ARP responses that are not associated with ARP requests. The following variables are used in the description of the event type: |
| 4000004002 | Symptoms of ARP spoofing detected in ARP requests | Indicators of address spoofing in ARP packets detected: multiple ARP requests from the same MAC address to different destinations. The following variables are used in the description of the event type: |
| 4000005100 | IP protocol anomaly detected: data conflict when assembling IP packet | IP protocol anomaly detected: data mismatch in overlapping IP packet fragments. |
| 4000005101 | IP protocol anomaly detected: fragmented IP packet size exceeded | IP protocol anomaly detected: actual total size of fragmented IP packet after reassembly exceeds the allowed limit. |
| 4000005102 | IP protocol anomaly detected: the size of the initial fragment of the IP packet is less than expected | IP protocol anomaly detected: the size of the initial fragment of the IP packet is less than the minimum allowed value. |
| 4000005103 | IP protocol anomaly detected: mis-associated fragments | IP protocol anomaly detected: fragments of the IP packet being assembled contain different information about the length of the fragmented packet. |
| 4000002701 | TCP protocol anomaly detected: content substitution in overlapping TCP segments | TCP protocol anomaly detected: packets contain overlapping TCP segments with different content. |
| 4000000003 | Test event (IDS) | Test network packet detected (with rule-based intrusion detection enabled). |
System event types of the Asset Management technology
This article describes the system event types of the Asset Management technology (see the table below).
System event types of the Asset Management (AM) technology
| Code | Event type title | Conditions for registration |
|---|---|---|
| 4000005003 | Detected new device with the address $owner_ip_or_mac | With Asset Monitoring in monitoring mode, a new device was automatically added by the detected IP or MAC address, which is not specified for other devices in the table. When registering the event, the application may simultaneously register an Unauthorized device risk for this device. In this case, a relation is established between the risk and the event. The following variables are used in the title and description of the event type: |
| 4000005004 | Received new information about device with the address $owner_ip_or_mac | With Asset Monitoring in monitoring mode, device information was automatically updated based on information received from traffic. The following variables are used in the title and description of the event type: |
| 4000005005 | IP address conflict detected $owner_ip | With Asset Monitoring in monitoring mode, an IP address was detected that was not being used by the device for which the IP address was specified. The following variables are used in the title and description of the event type: |
| 4000005006 | Detected traffic from address $owner_ip_or_mac, which is assigned to device with the Archived status | With Asset Management in monitoring mode, or based on data received from an EPP application, activity was detected from a device that has the Archived status. When registering the event, the application may simultaneously register an Unauthorized device risk for this device. In this case, a relation is established between the risk and the event. The following variables are used in the title and description of the event type: |
| 4000005007 | Detected new IP address $new_ip_addr for device with the MAC address $owner_mac | With Asset Monitoring in monitoring mode, a new IP address used by a device was detected. The following variables are used in the title and description of the event type: |
| 4000005008 | New MAC address ($owner_mac) was added to device with IP address $owner_ip | In Asset Management monitoring mode, a MAC address was automatically added for a network interface that had only an IP address specified (the device had the Unauthorized or Archived status). The following variables are used in the title and description of the event type: |
| 4000005009 | New IP address ($owner_ip) was added to device with the MAC address $owner_mac | In Asset Management monitoring mode, an IP address was automatically added for a network interface that had only a MAC address specified (the device had the Unauthorized or Archived status). The following variables are used in the title and description of the event type: |
| 4000005010 | Detected new MAC address $new_mac_addr for device with the IP address $owner_ip | With Asset Monitoring in monitoring mode, a new MAC address used by a device was detected (with automatic update of address information disabled for this device). The following variables are used in the title and description of the event type: |
| 4000005011 | Detected change of MAC address $owner_mac to $challenger_mac in device data received from EPP application | Based on information received from an EPP application, the MAC address of the device has been updated. The following variables are used in the title and description of the event type: |
| 4000005012 | New address information for device $asset_name found in data received from EPP application | New address information of a device was found in data received from an EPP application. An event of this type is registered if the change of the address information of the device has not been processed by the application as event 4000005009 or 4000005010. The following variables are used in the title and description of the event type: |
| 4000005013 | Conflict detected in addresses of devices $conflicted_epp_assets after data was received from EPP application | Based on the information received from the EPP application, a conflict with the addresses of multiple devices in Kaspersky Anti Targeted Attack Platform was detected. According to the information from the EPP application, the addresses belong to the same device. The following variables are used in the title and description of the event type: |
| 4000005014 | Subnet $subnet_mask was added from EPP application data | After getting information from an EPP application, a new subnet was automatically added to the list of known subnets. The subnet is added to the address space in which the data source can be the integration server getting information from the EPP application. If multiple such address spaces exist, an address space is selected that contains the most suitable subnet for automatically adding a new nested subnet. The following variables are used in the title and description of the event type: |
| 4000005016 | Unauthorized DHCP server detected with IP address $owner_ip | The $asset_name device (ID: $asset_id) with the address $owner_ip_or_mac was identified as an unauthorized DHCP server. The following variables are used in the title and description of the event type: |
| 4000005017 | Unauthorized DHCP relay detected with IP address $owner_ip | The $asset_name device (ID: $asset_id) with the address $owner_ip_or_mac was identified as an unauthorized DHCP relay. The following variables are used in the title and description of the event type: |
| 4000005600 | Changes detected in the list of users on the device with the address $owner_ip_or_mac | Changes to user information were detected while controlling users on devices. The following variables are used in the title and description of the event type: |
| 4000005601 | Changes detected in the list of applications on the device with the address $owner_ip_or_mac | Modified information about applications on the device detected while monitoring applications and patches on devices. The following variables are used in the title and description of the event type: |
| 4000005602 | Changes detected in the list of patches on the device with the address $owner_ip_or_mac | Modified device patch information detected while monitoring applications and patches on devices. The following variables are used in the title and description of the event type: |
| 4000005603 | Changes detected in the configuration component $inventory_loc_key on the device | While monitoring device configurations, changes in the configuration component were detected as compared to the previous configuration according to device scan results (for jobs that run in the Update only and/or Archive versions configuration processing modes). The following variables are used in the title and description of the event type: |
| 4000005604 | Discrepancies detected compared with the reference configuration component $inventory_loc_key on the device | When monitoring device configurations, discrepancies were found compared to the reference configuration component according to device scan results (for jobs that run in the Compare with benchmark configuration processing mode). The following variables are used in the title and description of the event type: |
| 4000005700 | Public key mismatch detected while connecting to the device remotely | When connecting to the device remotely, a mismatch was detected between the received public key of the device and the value stored in the application. Device scan canceled. The following variables are used in the description of the event type: |
| 4000005701 | Public key mismatch detected during device active polling | While actively polling a device, a mismatch was detected between the received public key of the device and the value stored in the application. Active polling canceled for the device. The following variables are used in the description of the event type: |
| 4000000004 | Test event (AM) | Test network packet detected (with device activity detection method enabled). |
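The address-related AM events above (4000005003 to 4000005010) are easier to reason about as one decision procedure over an observed (IP, MAC) pair. The following is an added illustration written for this page, not Kaspersky code: the per-event conditions are taken from the table, but the order in which they are checked, the `Device` inventory model and the sample addresses are assumptions.

```python
"""Model of the Asset Management (AM) address-event conditions listed above.
Added example for this page, not Kaspersky code: the condition for each event
comes from the table, the precedence between conditions and the inventory
model are assumptions, and the sample devices are constructed."""
from dataclasses import dataclass, field
from string import Template
from typing import Optional

# Event type titles as given in the AM table ($-variables get substituted).
AM_TITLES = {
    4000005003: "Detected new device with the address $owner_ip_or_mac",
    4000005004: "Received new information about device with the address $owner_ip_or_mac",
    4000005005: "IP address conflict detected $owner_ip",
    4000005006: "Detected traffic from address $owner_ip_or_mac, which is assigned "
                "to device with the Archived status",
    4000005007: "Detected new IP address $new_ip_addr for device with the MAC address $owner_mac",
    4000005008: "New MAC address ($owner_mac) was added to device with IP address $owner_ip",
    4000005009: "New IP address ($owner_ip) was added to device with the MAC address $owner_mac",
    4000005010: "Detected new MAC address $new_mac_addr for device with the IP address $owner_ip",
}


@dataclass
class Device:
    name: str
    status: str                        # "Authorized", "Unauthorized" or "Archived"
    ips: set = field(default_factory=set)
    macs: set = field(default_factory=set)
    auto_update: bool = True           # automatic update of address information


@dataclass
class Event:
    code: int
    title: str
    risk: Optional[str] = None         # risk the application may register with the event


def render(code: int, **variables: str) -> Event:
    """Fill the $-variables of an event title and attach the related risk."""
    risk = "Unauthorized device" if code in (4000005003, 4000005006) else None
    return Event(code, Template(AM_TITLES[code]).substitute(variables), risk)


def classify(devices: list, ip: str, mac: str) -> Optional[Event]:
    """Decide which AM event an observed (ip, mac) pair registers, updating the
    inventory where the table says the application does so.  Returns None when
    the pair is already known for a device that is not Archived."""
    by_ip = next((d for d in devices if ip in d.ips), None)
    by_mac = next((d for d in devices if mac in d.macs), None)
    pair = f"{ip} ({mac})"
    if by_ip is None and by_mac is None:
        # Neither address is specified for any device: a new device is added
        # and an Unauthorized device risk may be registered with the event.
        devices.append(Device(f"auto-{len(devices) + 1}", "Unauthorized", {ip}, {mac}))
        return render(4000005003, owner_ip_or_mac=pair)
    if by_ip is by_mac:
        # Known pair: only activity from an Archived device is an event.
        if by_ip.status == "Archived":
            return render(4000005006, owner_ip_or_mac=pair)
        return None
    if by_ip is not None and by_mac is not None:
        # The IP is specified for one device but was used with another
        # device's MAC: IP address conflict.
        return render(4000005005, owner_ip=ip)
    if by_mac is not None:
        # Known MAC, unknown IP.
        if not by_mac.ips and by_mac.status in ("Unauthorized", "Archived"):
            by_mac.ips.add(ip)             # interface had only a MAC address
            return render(4000005009, owner_ip=ip, owner_mac=mac)
        if by_mac.auto_update:
            by_mac.ips.add(ip)
        return render(4000005007, new_ip_addr=ip, owner_mac=mac)
    # Known IP, unknown MAC.
    if not by_ip.macs and by_ip.status in ("Unauthorized", "Archived"):
        by_ip.macs.add(mac)                # interface had only an IP address
        return render(4000005008, owner_mac=mac, owner_ip=ip)
    if not by_ip.auto_update:
        return render(4000005010, new_mac_addr=mac, owner_ip=ip)
    by_ip.macs.add(mac)                    # auto-update on: device data refreshed
    return render(4000005004, owner_ip_or_mac=pair)


def sample_inventory() -> list:
    """Constructed inventory for the demonstration (not real data)."""
    return [
        Device("srv-01", "Authorized", {"10.0.0.10"}, {"aa:bb:cc:00:00:01"}),
        Device("srv-02", "Authorized", {"10.0.0.11"}, {"aa:bb:cc:00:00:02"}, auto_update=False),
        Device("old-plc", "Archived", {"10.0.0.20"}, {"aa:bb:cc:00:00:20"}),
        Device("ip-only", "Unauthorized", {"10.0.0.30"}, set()),
    ]


if __name__ == "__main__":
    inventory = sample_inventory()
    for ip, mac in [("10.0.0.10", "aa:bb:cc:00:00:01"),   # known pair: no event
                    ("10.0.0.50", "aa:bb:cc:00:00:50"),   # new device
                    ("10.0.0.10", "aa:bb:cc:00:00:02"),   # IP address conflict
                    ("10.0.0.20", "aa:bb:cc:00:00:20"),   # Archived device active
                    ("10.0.0.30", "aa:bb:cc:00:00:30")]:  # MAC added to IP-only device
        event = classify(inventory, ip, mac)
        print(ip, mac, "->", event.title if event else "no event")
```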
System event types of the External systems technology
This article describes the system event types of the External systems technology (see the table below).
System event types of the External systems (EXT) technology
| Code | Event type title | Conditions for registration |
|---|---|---|
| 8000000001 | Aggregate event | A sequence of events was detected that satisfied the conditions of a correlation rule. When registering an aggregate event, the title and description from the correlation rule are used as the title and description of the event. |
| 4000005400 | Event from external system | Event received from an external system using the Kaspersky Anti Targeted Attack Platform API NDR. When the event is registered, the title and description are determined by the external system. |
Managing Endpoint Agent host information
The application that is used as the Endpoint Agent component is installed on individual computers (hereinafter also referred to as "hosts") in the IT infrastructure of the organization. The application continuously monitors processes running on those hosts, active network connections, and files that are being modified.
Users with the Senior security officer, Security officer, Security auditor, and Administrator roles can assess how regularly data is received from hosts with the Endpoint Agent component on the Endpoint Agents tab of the web interface window of the Central Node server for tenants to whose data the user has access. If you are using the distributed solution and multitenancy mode, the web interface of the PCN server displays the list of hosts with the Endpoint Agent component for the PCN and all connected SCNs.
Users with the Administrator role can configure the display of how regularly data is received from hosts with Endpoint Agent for tenants to whose data they have access.
If suspicious network activity is detected, users with the Senior security officer role can isolate from the network any host with Kaspersky Endpoint Agent, for tenants to whose data the user has access. In this case, the connection between the server with the Central Node component and a host with the Endpoint Agent component will not be interrupted.
In order to provide support in case of problems with the Endpoint Agent component, Technical Support staff may ask you to perform the following actions for debugging purposes (including in Technical Support Mode):
- Activate collection of extended diagnostic information.
- Modify the settings of individual application components.
- Modify the settings for storing and sending the obtained diagnostic information.
- Configure network traffic to be intercepted and saved to a file.
Technical Support staff will provide all the information needed to perform these operations (description of the sequence of steps, settings to be modified, configuration files, scripts, additional command line functionality, debugging modules, special-purpose utilities, and other resources) and inform you about the scope of data obtained for debugging purposes. The retrieved diagnostic information is saved on the user's computer. The retrieved data is not automatically sent to Kaspersky.
The operations listed above should be performed only when instructed by and under the supervision of Technical Support experts. Unsupervised changes to application settings performed in ways other than those described in this manual or according to the instructions of Technical Support experts can slow down or crash the operating system, reduce computer security, or compromise the availability and integrity of data being processed.
Viewing the table of hosts with the Endpoint Agent component
To view the table of hosts with the Endpoint Agent component:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
The table of hosts with the Endpoint Agent component is displayed.
If you are using the distributed solution and multitenancy mode, the table contains information about hosts with the Endpoint Agent component connected to the PCN and all SCN servers.
The table can display the following data:
- Number of hosts and activity indicators of the Endpoint Agent component:
  - Critical inactivity is the number of hosts from which latest data was received a very long time ago.
  - Warning is the number of hosts from which latest data was received a long time ago.
  - Normal activity is the number of hosts from which latest data was recently received.
- Host is the name of the host with the Endpoint Agent component.
- Servers is the name of the server to which the host with the Endpoint Agent component is connected.
  This field is displayed if you are using the distributed solution and multitenancy mode.
- IP is the IP address of the host where the Endpoint Agent component is installed.
- OS is the version of the operating system that is installed on the host with the Endpoint Agent component.
- Version is the version of the Endpoint Agent component installed.
- Activity is the activity indicator of the Endpoint Agent component:
  - Normal activity for hosts from which latest data was recently received.
  - Warning for hosts from which latest data was received a long time ago.
  - Critical inactivity for hosts from which latest data was received an extremely long time ago.
- Last connection is the date and time of the last connection of the Endpoint Agent component to the Central Node server.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Filter by this value.
- Exclude from filter.
- Run the following tasks:
  - Kill process.
  - Delete file.
  - Kill by unique PID.
  - Get file.
  - Get forensics.
  - Quarantine file.
  - Run application.
  - New prevention rule.
  - Isolate from network.
- Find events.
- Find alerts.
- Copy value to clipboard.
The list of available actions depends on the type of Endpoint Agent component: for Windows, Linux, or Mac (for details, see the Operating principle of the application section).
Clicking the link with the IP opens a list in which you can select one of the following actions:
- Filter by this value.
- Exclude from filter.
- Find alerts.
- Copy value to clipboard.
If you are using only KATA functionality (the KATA key), the following actions are available in the list that is displayed by clicking the host name link:
- Find alerts (displayed for users with the Senior security officer role).
- Filter by this value.
- Exclude from filter.
- Copy value to clipboard.
Clicking a link in any other column of the table opens a list in which you can select one of the following actions:
- Filter by this value.
- Exclude from filter.
- Copy value to clipboard.
Configuring the display of the table of hosts with the Endpoint Agent component
You can show or hide columns and change the order of columns in the table of hosts with the Endpoint Agent component.
To configure the display of the table of hosts with the Endpoint Agent component:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
- In the heading part of the table, click the icon that opens the Customize table window.
- If you want to show a column in the table, select the check box next to the name of the parameter that you want displayed in the table.
  If you want to hide a parameter in the table, clear the check box.
  At least one check box must be selected.
- If you want to change the order of columns in the table, move the mouse cursor to the row with the relevant parameter, then click and drag the row to its new place.
- If you want to restore default table display settings, click Default.
- Click Apply.
The display of the table of hosts with the Endpoint Agent component is configured.
Viewing information about a host
To view information about a host with the Endpoint Agent component:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
- Select the host for which you want to view information.
This opens a window containing information about the host.
The window contains the following information:
- Recommendations group:
  - Clicking the Alerts link opens the Alerts section with the search condition containing the selected host.
  - Clicking the Events link opens the Threat Hunting section with the search condition containing the selected host.
  - Clicking the Events affected by prevention rules link opens the Threat Hunting section with the search condition containing the selected host and the Blocked application (prevention rule) event type.
  If you only use the KATA functionality (the KATA key), only the Alerts link is displayed in the recommendations section.
- On the Details tab, the Host section displays the following information:
  - Name is the name of the host with the Endpoint Agent component.
  - IP is the IP address of the host where the Endpoint Agent component is installed.
  - OS is the version of the operating system on the host with the Endpoint Agent component installed.
- On the Details tab, the Endpoint Agent section displays the following information:
  - Version is the version of the Endpoint Agent component installed.
  - Activity is the activity indicator of the Endpoint Agent component. Possible values:
    - Normal activity for hosts from which latest data was recently received.
    - Warning for hosts from which latest data was received a long time ago.
    - Critical inactivity for hosts from which latest data was received an extremely long time ago.
  - Server is the name of the SCN or PCN server. Only displayed in distributed solution and multitenancy mode.
  - Connected to server is the name of the Central Node server.
  - Last connection is the time of the last connection to the Central Node, SCN, or PCN server.
  - License key status, for example, "OK".
- On the Prevention rules tab, you can see MD5 or SHA256 hashes for files that were prevented from running or opening on the host. The following information is displayed:
  - Name is the name of the file.
  - State is the state of the prevention rule.
  - Hash is the hashing algorithm.
  If you are using only KATA functionality (the KATA key), the Prevention rules tab is not displayed.
- On the Tasks tab, you can see which tasks were run on the host. The following information is displayed:
  - Time created is the task creation date and time.
  - Name is the task name.
  - Details is the full path to the file or data stream for which the task was created.
  - State is the task completion status.
  If you are using only KATA functionality (the KATA key), the Tasks tab is not displayed.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Run the following tasks:
  - Kill process.
  - Delete file.
  - Get file.
  - Get forensics.
  - Quarantine file.
  - Run application.
  - New prevention rule.
  - Isolate from network.
- Find events.
- Find alerts.
- Filter by this value.
- Exclude from filter.
- Copy value to clipboard.
The list of available actions depends on the type of Endpoint Agent component: for Windows, Linux, or Mac (for details, see the Operating principle of the application section).
Clicking the link with the IP opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
If you are using only KATA functionality (the KATA key), the following actions are available in the list that is displayed by clicking the host name and IP address links:
- Find alerts.
- Copy value to clipboard.
Filtering and searching hosts with the Endpoint Agent component by host name
To filter or search for hosts with the Endpoint Agent component by host name:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the Host link to open the filter configuration window.
- If you want to display only isolated hosts, select the Show isolated Endpoint Agents only check box.
- In the drop-down list, select one of the following filtering operators:
  - Contain
  - Not contain
- In the entry field, specify one or several characters of the host name.
- To add a filter condition using a different criterion, click the add button and specify the filter condition.
- If you want to delete the filter condition, click the delete button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
To filter or search for hosts with the Endpoint Agent component that are isolated from the network:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the Host link to open the filter configuration window.
- Select the Show isolated Endpoint Agents only check box.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
If you are using the distributed solution and multitenancy mode, you can filter or find hosts with the Kaspersky Endpoint Agent component based on the names of PCN and SCN servers to which those hosts are connected.
To filter or search for hosts with the Endpoint Agent component by the names of PCN and SCN servers:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the Servers link to open the filter configuration window.
- Select check boxes next to names of servers by which you want to filter or search for hosts with the Endpoint Agent component.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by computer IP address
To filter or search for hosts with the Endpoint Agent component by IP address of the computer on which the application is installed:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the IP link to open the filter configuration window.
- In the drop-down list, select one of the following filtering operators:
  - Contain
  - Not contain
- In the entry field, specify one or several characters of the computer IP address. You can enter the IP address or subnet mask in IPv4 format (for example, 192.0.0.1 or 192.0.0.0/16).
- To add a filter condition using a different criterion, click the add button and specify the filter condition.
- If you want to delete the filter condition, click the delete button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
To filter or search for hosts with the Endpoint Agent component by version of the operating system installed on the computer:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the OS link to open the filter settings window.
- In the drop-down list, select one of the following filtering operators:
  - Contain
  - Not contain
- In the entry field, specify one or several characters of the operating system version.
- To add a filter condition using a different criterion, click the add button and specify the filter condition.
- If you want to delete the filter condition, click the delete button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by component version
You can filter hosts by version of the application that is used in the role of the Endpoint Agent component.
To filter or search for hosts with the Endpoint Agent component by component version:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the Version link to open the filter settings window.
- In the drop-down list, select one of the following filtering operators:
  - Contain
  - Not contain
- In the entry field, specify one or more characters of the version of the application that is used as the Endpoint Agent component.
- To add a filter condition using a different criterion, click the add button and specify the filter condition.
- If you want to delete the filter condition, click the delete button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by their activity
To filter or search for hosts with the Endpoint Agent component by their activity:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the Activity link to open the filter configuration window.
- Select check boxes next to one or multiple activity indicators:
  - Normal activity, if you want to find hosts from which the last data was recently received.
  - Warning, if you want to find hosts from which the last data was received a long time ago.
  - Critical inactivity, if you want to find hosts from which the last data was received an extremely long time ago.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Quickly creating a filter for hosts with the Endpoint Agent component
To quickly create a filter for hosts with the Endpoint Agent component:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Do the following to quickly add filter conditions to the filter being created:
  - Position the mouse cursor on the link containing the table column value that you want to add as a filter condition.
  - Left-click it.
  This opens a list of actions to perform on the value.
  - In the list that opens, select one of the following actions:
    - Filter by this value, if you want to include this value in the filter condition.
    - Exclude from filter, if you want to exclude the value from the filter condition.
- If you want to add several filter conditions to the filter being created, repeat these quick-add steps for each filter condition.
The table displays only those hosts that match the filter criteria you have set.
Resetting the filter for hosts with the Endpoint Agent component
To clear the Endpoint Agent host filter for one or more filtering criteria:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
- Click the clear filter button to the right of the header of the table column for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table displays only those hosts that match the filter criteria you have set.
Removing hosts with the Endpoint Agent component
To remove one or more hosts from the Endpoint Agents table:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
- Select check boxes next to one or more hosts that you want to remove. You can select all hosts by selecting the check box in the row containing the headers of columns.
A control panel appears in the lower part of the window.
- Click Delete.
- This opens the action confirmation window; in that window, click Yes.
The selected hosts are removed from the Endpoint Agents table.
When hosts are removed, the following changes are made in the web interface of Kaspersky Anti Targeted Attack Platform:
- You cannot create a task, prevention rule, or network isolation rule for a removed host.
- If a prevention rule was previously created for a host, its name in the rule window (the Prevent on field) is hidden when the host is removed. The rule continues to apply.
If this host reconnects to the Central Node server, the host name is restored in the Prevent on field and the prevention rule is applied to it again.
- If a network isolation rule was previously created for a host, it continues to apply until the time specified in the rule expires.
When this host reconnects to the Central Node, the rule is reapplied to this host.
- The metadata of objects quarantined on the removed host are deleted from Kaspersky Anti Targeted Attack Platform quarantine.
When this host reconnects to the Central Node server, the metadata of objects in Kaspersky Anti Targeted Attack Platform quarantine are not restored. You can avoid quarantine filling up on a host by clearing it on command line or in Kaspersky Security Center. For details, see the Help of the application that you are using in the role of the Endpoint Agent component.
- If an object was quarantined by the Quarantine file task on one host only and that host was removed, the Restore all button in the task window is inactive because the file cannot be restored on a removed host.
Event search by the name of the removed host remains available.
Supported interpreters and processes
Kaspersky Endpoint Agent application monitors the execution of scripts by the following interpreters:
- cmd.exe
- reg.exe
- regedit.exe
- regedt32.exe
- cscript.exe
- wscript.exe
- mmc.exe
- msiexec.exe
- mshta.exe
- rundll32.exe
- runlegacycplelevated.exe
- control.exe
- explorer.exe
- regsvr32.exe
- wwahost.exe
- powershell.exe
- java.exe and javaw.exe (only if started with the -jar option)
- InstallUtil.exe
- msdt.exe
- python.exe
- ruby.exe
- rubyw.exe
Information about the processes monitored by Kaspersky Endpoint Agent application is presented in the table below.
Processes and the file extensions that they open

| Process | File extensions |
|---|---|
| winword.exe | rtf doc dot docm docx dotx dotm docb |
| excel.exe | xls xlt xlm xlsx xlsm xltx xltm xlsb xla xlam xll xlw |
| powerpnt.exe | ppt pot pps pptx pptm potx potm ppam ppsx ppsm sldx sldm |
| acrord32.exe | |
| wordpad.exe | docx |
| chrome.exe | |
| MicrosoftEdge.exe | |
Network isolation of hosts with the Endpoint Agent component
When responding to threats, users with the Senior security officer role can isolate hosts on which objects with issues were detected while the incident is being investigated.
Network isolation is not a Threat Response action by itself. The security officer should take steps to investigate the incident on their own while network isolation is active for the host. You can configure the duration of host network isolation when you create the network isolation rule.
If you are using Kaspersky Endpoint Agent for Windows as the Endpoint Agent component, network isolation is available for hosts with the Kaspersky Endpoint Agent application version 3.8 and later.
To ensure correct operation of an isolated host, it is recommended to meet the following conditions:
- Create a local administrator account on the host or save the domain account data to the cache before enabling the network isolation rule.
- Do not change the certificate and IP address of the server with the Central Node component while the network isolation rule is enabled.
Isolated hosts can access the following resources over the network:
- Server with the Central Node component.
- Source of application database updates (Kaspersky update server or custom source).
- Servers of the KSN service.
- Hosts added to network isolation rule exclusions.
When the Endpoint Agent component is turned off on the host, and also for a certain period of time after the component is turned on or the computer with the component is restarted, network isolation of the host may be inactive.
Some limitations apply when network isolation is used.
Creating a network isolation rule
To create a network isolation rule:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Select the host for which you want to enable or disable the network isolation rule.
This opens a window containing information about the host.
- Click Isolate.
- In the Disable isolation after field, enter the time in hours (1 to 9999) during which network isolation of the host will be active.
- In the Exclusions for the host isolation rule settings group, in the Traffic direction list, select the direction of network traffic that must not be blocked:
  - Incoming/Outgoing.
  - Incoming.
  - Outgoing.
- In the IP field, enter the IP address whose network traffic must not be blocked.
If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, you can use a proxy server for the connection of Kaspersky Endpoint Agent for Windows with Kaspersky Anti Targeted Attack Platform. When you add this proxy server to exclusions, network resources that can be accessed through the proxy server are also added to exclusions. If network resources that are accessed through the proxy server are added to exclusions, but the proxy server itself is not, such exclusions do not work.
- If you selected Incoming or Outgoing, in the Ports field enter the connection ports.
- If you want to add more than one exclusion, click Add and repeat the steps to fill in the Traffic direction, IP and Ports fields.
- Click Save.
The host will be isolated from the network.
You can also create a network isolation rule by clicking the Isolate <host name> link in the event information and in the alert information.
Users with the Security auditor and Security officer roles cannot create network isolation rules.
The network isolation feature is not available for hosts where Kaspersky Endpoint Security 11.4 for Linux is used as the Endpoint Agent component.
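As an added example (not code from the Kaspersky documentation or product), the following Python script models how the exclusions of a network isolation rule decide which flows survive isolation: the always-reachable resources, the Traffic direction, IP and Ports fields, the 1 to 9999 hour duration, and why an exclusion for a resource reached through a proxy only takes effect once the proxy itself is excluded. All addresses, port numbers, the flow representation and the treatment of an empty Ports field are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, FrozenSet, List, Optional, Set

BOTH, IN, OUT = "Incoming/Outgoing", "Incoming", "Outgoing"


def canon(ip: str) -> str:
    """Normalize an IP string; raises ValueError on malformed input."""
    return str(ip_address(ip))


@dataclass(frozen=True)
class Exclusion:
    """One entry of the 'Exclusions for the host isolation rule' settings group."""
    direction: str
    ip: str
    ports: FrozenSet[int] = frozenset()  # Ports field: entered only for Incoming or Outgoing

    def __post_init__(self) -> None:
        if self.direction not in (BOTH, IN, OUT):
            raise ValueError(f"unknown traffic direction: {self.direction!r}")
        canon(self.ip)
        if self.direction == BOTH and self.ports:
            raise ValueError("ports are entered only for Incoming or Outgoing")

    def matches(self, direction: str, peer_ip: str, port: int) -> bool:
        if self.direction != BOTH and self.direction != direction:
            return False
        if canon(self.ip) != canon(peer_ip):
            return False
        # Model assumption: an empty Ports field on a one-directional exclusion means any port.
        return not self.ports or port in self.ports


@dataclass
class IsolationRule:
    """'Disable isolation after' (1 to 9999 hours) plus the list of exclusions."""
    disable_after_hours: int
    exclusions: List[Exclusion] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.disable_after_hours <= 9999:
            raise ValueError("Disable isolation after must be between 1 and 9999 hours")


@dataclass
class IsolatedHost:
    rule: IsolationRule
    always_allowed: Set[str]          # Central Node, update source, KSN servers (constructed)
    proxy_ip: Optional[str] = None    # proxy the agent uses to reach the platform, if any
    via_proxy: Set[str] = field(default_factory=set)  # resources the host reaches through it

    def flow_allowed(self, direction: str, resource_ip: str, port: int) -> bool:
        """Return True if the flow is not blocked by the isolation rule.

        An outgoing flow to a resource behind the proxy is, on the wire, a flow
        to the proxy, so exclusions are checked against the proxy address. That
        is why excluding only the resource does nothing until the proxy is excluded.
        """
        peer = canon(resource_ip)
        if direction == OUT and self.proxy_ip and peer in {canon(r) for r in self.via_proxy}:
            peer = canon(self.proxy_ip)
        if peer in {canon(a) for a in self.always_allowed}:
            return True
        return any(e.matches(direction, peer, port) for e in self.rule.exclusions)


def demo() -> Dict[str, bool]:
    """Evaluate a few constructed flows against a constructed rule."""
    rule = IsolationRule(disable_after_hours=4, exclusions=[
        Exclusion(OUT, "192.0.2.25", frozenset({443})),  # ticketing system, HTTPS only
        Exclusion(BOTH, "198.51.100.7"),                  # log collector, either direction
        Exclusion(OUT, "203.0.113.10"),                   # resource reached through the proxy
    ])
    host = IsolatedHost(rule, always_allowed={"10.0.0.2", "10.0.0.3", "10.0.0.4"},
                        proxy_ip="10.0.0.5", via_proxy={"203.0.113.10"})
    result = {
        "central_node": host.flow_allowed(OUT, "10.0.0.2", 443),
        "ticketing_https": host.flow_allowed(OUT, "192.0.2.25", 443),
        "ticketing_ssh": host.flow_allowed(OUT, "192.0.2.25", 22),
        "collector_inbound": host.flow_allowed(IN, "198.51.100.7", 514),
        "file_share": host.flow_allowed(OUT, "192.0.2.80", 445),
        "behind_proxy_proxy_not_excluded": host.flow_allowed(OUT, "203.0.113.10", 443),
    }
    # Excluding the proxy itself makes every resource reached through it reachable.
    rule.exclusions.append(Exclusion(OUT, "10.0.0.5"))
    result["behind_proxy_proxy_excluded"] = host.flow_allowed(OUT, "203.0.113.10", 443)
    return result


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32} {'allowed' if allowed else 'blocked'}")
```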
Adding an exclusion from a network isolation rule
To add an exclusion to a previously created network isolation rule:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Select the isolated host for which you want to create an exclusion from the network isolation rule.
This opens a window containing information about the host.
- Click the Add to exclusions link to expand the Exclusions for the host isolation rule settings group.
- Select the direction of network traffic that must not be blocked:
  - Incoming/Outgoing.
  - Incoming.
  - Outgoing.
- In the IP field, enter the IP address whose network traffic must not be blocked.
- If you selected Incoming or Outgoing, in the Ports field enter the connection ports.
- If you want to add more than one exclusion, click Add and repeat the steps to fill in the Traffic direction, IP and Ports fields.
- Click Save.
The network isolation rule exclusion will be added.
If you are using Kaspersky Endpoint Agent for Windows in the role of the Endpoint Agent component, you can use a proxy server for the connection of Kaspersky Endpoint Agent with Kaspersky Anti Targeted Attack Platform. When you add this proxy server to exclusions, network resources that can be accessed through the proxy server are also added to exclusions. If network resources that are accessed through the proxy server are added to exclusions, but the proxy server itself is not, such exclusions do not work.
Users with the Security auditor and Security officer roles cannot create exclusions from a network isolation rule.
Deleting a network isolation rule
To delete a network isolation rule:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the name of the host for which you want to delete a network isolation rule to open the action menu for the host.
- Select the Delete host isolation rule action.
This opens the action confirmation window.
- Click Yes.
The network isolation rule for the host is deleted.
Users with the Security auditor and Security officer roles cannot remove network isolation rules.
Limitations that are relevant to network isolation
Some limitations apply when network isolation is used:
- When a network isolation rule is enabled on a host, all current connections are disconnected and a VPN connection becomes unavailable.
- If the application administrator replaces the certificate of the server with the Central Node component while a network isolation rule is enabled, you cannot disable the rule.
- The application blocks the connection of isolated hosts with an Active Directory server. If the operating system settings require a connection to Active Directory services for authorization, the user of an isolated host will not be able to log in to the system.
Automatically sending files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules
If this functionality is enabled, the application can automatically send files from hosts with the Endpoint Agent component for scanning with the Sandbox component in accordance with Kaspersky TAA (IOA) rules. Files are sent in accordance with the following principle:
- Kaspersky Anti Targeted Attack Platform checks the event database and marks events that match TAA (IOA) rules.
- If relevant conditions are found in TAA (IOA) rules, Kaspersky Anti Targeted Attack Platform sends files for scanning by the Sandbox component.
Requests for scanning files by the Sandbox component are not displayed in the Kaspersky Anti Targeted Attack Platform web interface.
- Based on the results of the scan, the application may create an alert.
You can view alerts created in this way by filtering alerts by the Details – Autosend to Sandbox attribute.
If automatic sending of files to be scanned by the Sandbox component is enabled, the volume of traffic processed by the component can become very large. If the Sandbox component server cannot support the increased load, some of the objects from the processing request queue are replaced with requests for processing files that are automatically sent for scanning.
To avoid dropping objects from the processing request queue, you can:
- Deploy additional Sandbox servers.
- Disable automatically sending files to be scanned by the Sandbox component.
- Add to exclusions those TAA (IOA) rules that most frequently cause Kaspersky Anti Targeted Attack Platform to send files for scanning by the Sandbox component.
Information about rules that are most frequently used by Kaspersky Anti Targeted Attack Platform to send files for scanning by the Sandbox component is displayed in the Sent to Sandbox by TAA rules widget. You can add this widget to your current layout.
When you add a file to exclusions, event marking and creation of alerts in accordance with this rule is also stopped.
Files that can be automatically sent for scanning by the Sandbox component are listed in the following table.
List of files that can be automatically sent for scanning by the Sandbox component

| Event type | File type |
|---|---|
| Process started | File of the started process and file of its parent process. |
| Module loaded | File of the loaded module and file of its parent process. |
| Connection to remote host | File of the parent process. |
| Blocked application (prevention rule) | File of the application that was blocked from running, and file of its parent process. |
| Document blocked | File of the document that was blocked from running, and file of its parent process. |
| File changed | Created, deleted, or modified file and file of the parent process. |
| System event log | File of the process (only for Linux). |
| Registry modified | File of the parent process. |
| Port listened | File of the parent process. |
| Driver loaded | File of the loaded driver. |
| Detection | Detected file and file of its parent process (if any). |
| Detection processing result | Detected file and file of its parent process (if any). |
| AMSI scan | Process file. |
| Process: interpreted file run | File that was started and file of its parent process. |
| Process: console interactive input | File of the parent process. |
Information about files sent for scanning by the Sandbox component is not displayed in the Kaspersky Anti Targeted Attack Platform web interface.
Enabling and disabling the automatic sending of files from hosts with the Endpoint Agent component to be scanned by the Sandbox component
To enable or disable automatically sending files to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules:
- In the window of the application web interface, select the Settings section, Endpoint Agents subsection.
- Under Send files to Sandbox automatically:
  - Set the Send files toggle switch to Enabled if you want to enable the automatic sending of files.
  This functionality is enabled by default.
  - Set the Send files toggle switch to Disabled if you want to disable the automatic sending of files.
  Disabling this functionality does not affect the functioning of TAA (IOA) rules; only automatic sending of files is disabled.
- Click Apply.
Automatically sending files to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules is enabled or disabled.
In distributed solution and multitenancy mode, settings for automatically sending files for scanning by the Sandbox component in accordance with Kaspersky TAA (IOA) rules configured on the PCN server are also applied on SCN servers connected to that PCN server. If necessary, you can enable or disable the automatic sending of files on each selected SCN server individually.
Selecting operating systems to use when scanning objects in Sandbox
Users with the Senior security officer role can select a set of operating systems used as the basis for creating tasks for scanning objects by the Sandbox component. The Sandbox server must have virtual machines installed that match the selected set.
You can view a list of Sandbox servers and virtual machines deployed on a server.
Users with the Security auditor role can view the list of Sandbox servers and settings for a set of operating systems. Users with the Security officer role cannot view this section.
Viewing the table of servers with the Sandbox component
Users with the Security officer role cannot view the table of servers with the Sandbox component.
Users with the Senior security officer role can view the table of servers with the Sandbox component.
To view the table of servers with the Sandbox component:
- In the main window of the application web interface, select the Settings section, Sandbox servers subsection.
- Select the Servers tab.
A table is displayed with a list of Sandbox servers.
The table contains the following information:
- IP and name—IP address or fully qualified domain name of the server with the Sandbox component.
- Authorization—Status of the request to connect to the Sandbox component.
- Status—Status of the connection to the Sandbox component.
- Certificate fingerprint—Certificate fingerprint of the server with the Sandbox component.
- Virtual machines—List of virtual machines created on the server.
Selecting operating systems to use when scanning objects in Sandbox
To select the set of operating systems:
- In the main window of the application web interface, select the Settings section, Sandbox servers subsection.
- Go to the Settings tab.
- Under OS set, select one of the following options:
  - Windows 7, Windows 10.
  - CentOS 7.8, Windows 7, Windows 10.
  - Astra Linux 1.7, Windows 7, Windows 10.
  - Custom.
- If you selected Custom, under Set composition, select the check boxes next to the operating systems that you want to include in the set.
Custom operating systems are displayed in the list if virtual machines with these operating systems are installed on the Sandbox server. Preset operating systems are always displayed in the list, but if virtual machines running these operating systems are not deployed, the Unknown status is displayed next to the name of the operating system.
Kaspersky Anti Targeted Attack Platform will create tasks for scanning objects in Sandbox in accordance with the selected set.
If the set of operating systems installed on the Sandbox server does not match the set selected on the Central Node server, objects are not sent to be scanned by that Sandbox server. If multiple Sandbox servers are connected to the Central Node server, the application sends objects to those Sandbox servers whose installed operating systems match the set selected on Central Node.
You can change the set of operating systems in the course of using the application. In this case, you need to make sure that the configuration of the Sandbox server satisfies hardware requirements.
In distributed solution and multitenancy mode, the settings of the operating system set configured on the PCN server are not applied to SCN servers connected to that PCN server. You can select the set of operating systems for each PCN and SCN server individually.
Managing tasks
Users with the Senior security officer role creating tasks on a server have unlimited (root) access rights for all hosts with the Endpoint Agent component that are connected to that server.
In the web interface of the application, users with the Senior security officer role can manage files and applications on hosts by creating and removing tasks.
In distributed solution and multitenancy mode, the Kill process, Get forensics, Get registry key, Start YARA scan, Manage services, Run application, Delete file, Restore file from quarantine, and Quarantine file tasks can have one of the following types:
- Global—Created on the PCN server. These tasks apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
- Local—Created on the SCN server. These tasks apply only to hosts that are connected to this SCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
Get file, Get process memory dump, Get NTFS metafiles, Get disk image, Get memory dump tasks run only on the specified host, regardless of the application operating mode.
The maximum task execution time is 24 hours. If the task did not complete in this time, execution is paused.
Users with the Senior security officer role can manage all tasks for tenants to whose data they have access.
Users with the Security officer role do not have access to tasks.
Users with the Security auditor role can view the task table and information about the selected task.
Viewing the task table
The tasks table contains a list of created tasks and is in the Tasks section of the application web interface window. You can view all tasks or only tasks created by you (current user).
You can show or hide tasks created by you using the Only mine toggle switch in the upper right corner of the window. The display of tasks created by the current user is enabled by default.
The tasks table contains the following information:
- Time—Task creation date and time.
- Type is the type of the task depending on the operating mode of the application and the server on which the task was created.
  Tasks may be one of the following types:
  - Global—Created on the PCN server. These tasks apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
  - Local—Created on the SCN server. These tasks apply only to hosts that are connected to this SCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
- Name—Task name.
  Clicking the link with the name of the task type opens a list in which you can select one of the following actions:
  - Filter by this value.
  - Exclude from filter.
  - Copy value to clipboard.
- Details—Full path to the file or data stream for which the task was created, or the path to a shared network resource.
  Clicking the link containing information about the path to the file or data stream opens a list in which you can select one of the following actions:
  - Filter by this value.
  - Exclude from filter.
  - Copy value to clipboard.
- Servers—Name of the server with the PCN or SCN role on which the task is being run.
  This field is displayed if you are using the distributed solution and multitenancy mode.
- Hosts—Name of the host on which the task is run.
  This field is displayed only if you are using a standalone Central Node server.
- Created by—Name of the user who created the task.
  If only tasks created by the current user are displayed, this column is not displayed.
- State—Task completion status.
  A task can have one of the following statuses:
  - Pending.
  - In process.
  - Completed.
Viewing information about a task
To view task details:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Select the task for which you want to view information.
This opens a window containing information about the task.
The window can contain the following information depending on the task type:
- State—Task completion status.
- Description is the task description.
- File path—Path to the file or data stream.
- Information type—Type of the collected data.
- Registry key—Path to the registry key that you want to get.
- Process ID—Process identifier.
- Mask—Mask of files that are included in the data list.
- Metafiles—NTFS metafiles that you want to get.
- Volume—name of the drive from which you want to receive metafiles, disk image, or memory dump.
- Share path—path to a shared network resource.
- Stored file—link to the file received as a result of the task execution.
- Maximum nesting level—Maximum nesting level of folders which the application searches for files.
- Exclusions—Folders in which searching and scanning files is prohibited.
- Scan scope—Folders which are scanned by YARA rules.
- Action—Action that was performed for the service.
  The application supports the following operations with services:
  - Start.
  - Stop.
  - Pause.
  - Resume.
  - Delete.
  - Modify startup type.
- Maximum scan duration—Maximum task execution time, after which the scan is stopped.
- SHA256—SHA256 hash of the file that you want to receive.
- Run as—Option to run the application using the name of the local system.
- Created by—Name of the user who created the task.
- Tenant—Name of the tenant. Displayed only when you are using the distributed solution and multitenancy mode.
- Time created—Time when the task was created.
- Time completed—Task completion time.
- Report—Task result on selected hosts.
Creating a get file task
You can retrieve a file from selected hosts with the Endpoint Agent component. To do so, you must create a get file task.
The file to be downloaded must not exceed 100 MB. If the file exceeds 100 MB, the task finishes with an error.
To create a get file task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Add button and select File in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- File path—Path to the file that you want to receive.
If the requested file is linked to other NTFS data streams, running the task yields all files of NTFS data streams that the requested file is linked to.
You can also specify the path to an alternate data stream of this file. In this case, you receive only the files of the specified stream.
When creating a task, the application does not check if the specified path to the file that you want to receive is valid.
- MD5/SHA256—MD5- or SHA256 hash of the file that you want to receive. This field is optional.
- If you do not want to scan the file, clear the Send for scanning check box.
The check box is selected by default.
- Description is the task description. This field is optional.
- Host is the name or IP address of the host.
You can specify only one host.
- Click Add.
The get file task will be created. The task runs automatically after it is created.
A file received through this task will be placed in Storage. If the get file task completed successfully, you can download the received file to your local computer.
If you are using the distributed solution and multitenancy mode, the archive is placed in Storage of the Central Node server to which the host specified in the Host field is connected.
You can also download the file from the task report window.
To download the file from the task report window:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Open the get file task that you want to download.
- In the Report section, click the name or IP address of the host.
This opens a window containing information about the file.
- Click Download.
The file will be saved to your local computer in the browser's downloads folder.
Users with the Security auditor role cannot create get file tasks.
Users with the Security officer role do not have access to tasks.
Creating a forensic collection task
You can get lists of files, processes, and autorun points from selected Endpoint Agent hosts. To do so, you must create a forensic collection task.
To create a forensic collection task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Add button and select Forensics in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- Information type is the type of collected data. Select the check box next to one, multiple, or all settings:
- Process list if you want to get a list of processes running on the host at the time of the task execution.
- Autorun point list if you want to get a list of autorun points.
The autorun points list includes information about applications added to the startup folder or registered in the Run keys of the registry, as well as applications that are automatically run at startup of a host with the Endpoint Agent component and when a user logs in to the operating system on the specified hosts.
- File list if you want to get a list of files stored in the selected folder or in all host folders at the time of the task execution.
- If you have selected the File list check box, in the Source type group of settings, select one of the following options:
- All local disks if you want the list of files to include files stored in all folders on local disks at the time of the task execution.
- Directory if you want the file list to include files stored in the specified folder and its subfolders at the time when the task is run.
- If you selected Directory, in the Start directory field, specify the path to the folder from which the file search should start.
You can use the following prefixes:
- System environment variables.
- User-defined environment variables.
When using user-defined environment variables, the list of files includes information about files in folders of all users who have set the specified environment variables. If user-defined environment variables override system environment variables, the list of files includes information about files in folders based on the values of system environment variables.
- In the Hosts field, enter the IP address or name of the host to which you want to assign the task.
You can specify multiple hosts.
If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the forensics collection task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.10 and later. Getting a list of autorun points is only supported on hosts with Kaspersky Endpoint Agent for Windows 3.12 and higher.
If necessary, you can specify the following search criteria for files in folders:
- Mask is the mask of files to be included in the list of files.
- Alternative data streams is the check box that enables recording information about alternate data streams in the file list.
If the requested file is linked to other NTFS data streams, running the task yields all files of NTFS data streams that the requested file is linked to.
The check box is selected by default.
- Maximum nesting level is the maximum nesting level of folders in which the application searches for files.
- Exclusions is the path to the folders in which you want to prohibit the search for information about files.
- Description is the task description.
- Click Add.
The forensic collection task is created. The task runs automatically after it is created.
As a result of the task, the application places a ZIP archive in Storage; the archive contains a file with the selected data. If the task completed successfully, you can download the archive to your local computer.
Users with the Security auditor role cannot create forensic collection tasks.
Users with the Security officer role do not have access to tasks.
Creating a registry key retrieval task
You can retrieve a registry key from selected hosts with the Endpoint Agent component. To do so, you must create a registry key retrieval task.
To create a registry key retrieval task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Add button and select Registry key in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- Registry key is the registry key that you want to get.
You can enter the registry key in one of the following formats:
- Relative to the root key.
For example, \REGISTRY\MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator.
- Relative with full name of the root key.
For example, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator.
- Relative with an abbreviation instead of the full name of the root key.
For example, HKLM\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator.
If you want to get data from HKEY_CURRENT_USER, you must specify HKEY_USERS and the SID of the user: HKEY_USERS\<SID of the user>.
- Description is the task description. This field is optional.
- In the Hosts field, enter the name or IP address of the host to which you want to assign the task.
You can specify multiple hosts.
If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the registry key retrieval task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.13 and later.
- Click Add.
The registry key retrieval task is created. The task runs automatically after it is created.
As a result of the task, the application places a ZIP archive in Storage; the archive contains a .reg file, which contains a list of all registry keys and values under the key that was specified when creating the task. You can download the archive to your local computer.
If the task results in an error, the archive file contains the description of the error.
Users with the Security auditor role cannot create this task.
Users with the Security officer role do not have access to tasks.
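The three key formats listed above are equivalent, and the HKEY_CURRENT_USER rule is easy to get wrong when a task is drafted for another user's profile. The following Python function is an added example, not part of the product or its documentation: it normalises a key written in any of the three formats to the full root key name and rewrites or rejects HKEY_CURRENT_USER keys. The alias tables (HKLM, HKU, HKCU and the \REGISTRY\MACHINE and \REGISTRY\USER native names) and the SID pattern are standard Windows naming assumed here; the SID values used for checking are constructed.

```python
r"""Added example (not product code): normalise the registry key formats that
the registry key retrieval task accepts and apply the HKEY_CURRENT_USER rule.

Accepted forms from the manual:
  \REGISTRY\MACHINE\SOFTWARE\...   relative to the root key (NT native name)
  HKEY_LOCAL_MACHINE\SOFTWARE\...  full root key name
  HKLM\SOFTWARE\...                abbreviated root key name
The alias tables below are standard Windows naming, assumed here rather than
taken from the product documentation.
"""
import re
from typing import Optional

ROOT_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE",
    "HKU": "HKEY_USERS", "HKEY_USERS": "HKEY_USERS",
    "HKCU": "HKEY_CURRENT_USER", "HKEY_CURRENT_USER": "HKEY_CURRENT_USER",
}
# NT native hive names under \REGISTRY\ and the root keys they correspond to.
NATIVE_ROOTS = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_USERS"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


class RegistryKeyError(ValueError):
    """Raised for keys the task would not be able to resolve."""


def normalize_registry_key(key: str, user_sid: Optional[str] = None) -> str:
    r"""Return the key in the "full root key name" form.

    HKEY_CURRENT_USER is a per-logon view, so a task running on the host cannot
    know which user is meant; the manual requires HKEY_USERS\<SID of the user>
    instead. When a SID is given the key is rewritten that way, otherwise it is
    rejected.
    """
    parts = [p for p in key.strip().split("\\") if p]
    if not parts:
        raise RegistryKeyError("empty registry key")
    if parts[0].upper() == "REGISTRY":            # \REGISTRY\MACHINE\... form
        if len(parts) < 2 or parts[1].upper() not in NATIVE_ROOTS:
            raise RegistryKeyError(f"unknown native root in {key!r}")
        root, rest = NATIVE_ROOTS[parts[1].upper()], parts[2:]
    else:                                          # HKEY_... or HKxx form
        root = ROOT_ALIASES.get(parts[0].upper())
        if root is None:
            raise RegistryKeyError(f"unknown root key in {key!r}")
        rest = parts[1:]
    if root == "HKEY_CURRENT_USER":
        if user_sid is None or not SID_RE.match(user_sid):
            raise RegistryKeyError(
                "HKEY_CURRENT_USER must be requested as HKEY_USERS\\<SID of the user>")
        root, rest = "HKEY_USERS", [user_sid] + rest
    return "\\".join([root] + rest)


def key_is_acceptable(key: str, user_sid: Optional[str] = None) -> bool:
    """True when the key can be submitted to the task as written (or rewritten)."""
    try:
        normalize_registry_key(key, user_sid)
        return True
    except RegistryKeyError:
        return False
```

Running a key through key_is_acceptable before creating the task avoids a task that completes only with an error description in the archive; a SID passed to normalize_registry_key must be the SID of the user whose hive is wanted, which the task cannot infer from HKEY_CURRENT_USER.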
Creating an NTFS metafile retrieval task
You can retrieve NTFS metafiles from selected hosts with the Endpoint Agent component. To do so, you must create an NTFS metafile retrieval task.
To create an NTFS metafile retrieval task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Add button and select NTFS metafiles in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- Metafiles is the list of metafiles that you can get using the task. Select the relevant metafile by selecting the corresponding check box.
You can select multiple metafiles.
- Volume is the name of the disk from which you want to get metafiles.
By default, the system disk is specified. You can enter the path to a different disk in the <drive letter>: format.
- Description is the task description. This field is optional.
- Host is the name or IP address of the host to which you want to assign the task.
You can specify only one host.
If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the NTFS metafile retrieval task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.13 and later.
- Click Add.
The NTFS metafile retrieval task is created. The task runs automatically after it is created.
When the task finishes, the application places a ZIP archive containing the selected metafiles in Storage. You can download the archive to your local computer.
If the task results in an error, the archive file contains the description of the error.
If you are using the distributed solution and multitenancy mode, the archive is placed in Storage of the Central Node server to which the host specified in the Host field is connected.
If downloading selected metafiles exhausts Storage capacity, objects in Storage will be rotated. If a metafile is larger than the total Storage capacity, it is not downloaded.
Users with the Security auditor role cannot create this task.
Users with the Security officer role do not have access to tasks.
Creating a process memory dump retrieval task
You can retrieve a process memory dump from selected hosts with the Endpoint Agent component. To do so, you must create a process memory dump retrieval task.
To create a process memory dump retrieval task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Add button and select Process memory dump in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- Process ID is the ID of the process for which you want to get a memory dump.
- MD5/SHA256 is the MD5 or SHA256 hash of the file of the process of which you want to get a memory dump. This field is optional.
- Description is the task description. This field is optional.
- Host is the name or IP address of the host to which you want to assign the task.
You can specify only one host.
If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the process memory dump retrieval task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.13 and later.
- Click Add.
The process memory dump retrieval task is created. The task runs automatically after it is created.
The task creates a ZIP archive in Storage, which contains a file with information about the process and a process memory dump file. You can download the archive to your local computer.
If the task results in an error, the archive file contains the description of the error.
If you are using the distributed solution and multitenancy mode, the archive is placed in Storage of the Central Node server to which the host specified in the Host field is connected.
Users with the Security auditor role cannot create this task.
Users with the Security officer role do not have access to tasks.
Creating a disk image retrieval task
You can retrieve a disk image from a selected Kaspersky Endpoint Agent for Windows host. To do so, you must create an NTFS disk image retrieval task.
The resulting file can be saved only to a shared network resource.
To create a disk image retrieval task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Add button and select Disk image in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- Share path—path to a shared network resource.
You need to specify the path in the Universal Naming Convention (UNC) format:
\\server\share\path
If the last folder with the specified name is absent, Kaspersky Endpoint Agent will create one. If creation is unsuccessful, an error will be displayed in the web interface of Kaspersky Anti Targeted Attack Platform.
- User name—user name of the account used to access the shared network resource.
- Password—password of the account used to access the shared network resource.
- Under Disk type, select one of the following options:
- Logical.
- Physical.
- If you selected Logical, enter a %SystemDrive% variable or a drive letter without the colon and slash in the Volume field.
- If you selected Physical, enter the disk number in the Physical drive field.
- Select the Split file into parts check box if you want the file to be divided into multiple parts when saved.
- If you selected the check box, in the Part size, GB field, specify the minimum size of one part of the saved file.
The minimum part size must be more than one gigabyte.
- Description is the task description. This field is optional.
- Host—the IP address or name of the host to which you want to assign the task.
- Click Add.
The disk image retrieval task will be created. The task runs automatically after it is created.
The application places an archive containing a file or files in the EWF or RAW format in a network share. You can convert files from the RAW format to the EWF format.
If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.14 and later.
Users with the Security auditor role cannot create tasks.
Users with the Security officer role do not have access to tasks.
Converting a file from RAW to EWF format
Kaspersky Endpoint Security saves the disk image in the RAW format. Files can also be compressed into an archive. A special Python script allows converting files from the RAW format to the EWF format. The script constantly looks for RAW files in the specified folder. If such files are detected, the script automatically converts the files to the EWF format.
convert_to_ewf_monitor.py script
For the script to work, the following software must be installed on the computer:
- The libewf library for accessing Expert Witness Compression Format (EWF) files.
The libewf library is open source software.
It is recommended to place the library files and the script file in the same folder.
- The Python interpreter.
To enable the conversion of disk image files:
- Start the command line interpreter.
- Change to the folder where the script is located.
- Run the following command:
py convert_to_ewf_monitor.py --source <full path to the source files folder> [additional settings]
EWF conversion script parameters
- --source <full path to folder>—The full path to the folder in which the script looks for source files. The script also looks for files in subfolders at the specified path. This is a mandatory parameter.
- --destination <full path to folder>—The full path to the folder where the script saves converted files. The folder structure is preserved. By default, the script saves converted files in the folder specified in the source parameter.
- --delete—Delete source files after successful conversion. If the conversion fails, the script skips deleting the source files and you can try again.
- --ewftool <full path to folder>—The full path to the ewfacquirestream.exe file. The path must include the file name. By default, the script attempts to locate the ewfacquirestream.exe file in the folder where the script is located.
- --name_mask <regular expressions>—Regular expressions to find source files to convert. You can use this option if you need to convert individual files. By default, the script looks for files using the ^diskdump_ regular expression.
- --convert_single_dump—Find a single file to convert. After successful conversion of the single file, the script exits.
- --workers_num <number of files>—The maximum number of source files that the script can convert at the same time. You can use this setting to optimize the performance of the script. By default, the script can convert up to four files at a time.
- --log_level <log level>—Logging level. By default, the script uses the DEBUG logging level.
- --log_path <full path to folder>—The full path for saving log files. The path must include the file name of the log file. By default, the script displays events on the interpreter console.
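The parameter table describes what the conversion script does but not how its pieces fit together. The following Python program is an added example written for this page; it is not the vendor's convert_to_ewf_monitor.py, whose internals are not documented here. It implements the documented behaviour (recursive search below the source folder, a regular-expression name mask defaulting to ^diskdump_, destination folder structure preserved, up to four parallel conversions, source files deleted only after a successful conversion, single-dump mode) with the same parameter names, and keeps the planning logic separate from the conversion so it can be checked without libewf. The ewfacquirestream invocation (raw data on stdin, -t for the target name) and the skipping of files that already carry an .E01-style segment extension are assumptions about the tool; the log parameters are omitted.

```python
"""Added example (not the vendor script): watch a folder for RAW disk dumps and
convert them to EWF with ewfacquirestream, following the parameter table above."""
import argparse
import os
import re
import subprocess
import time
from concurrent.futures import ThreadPoolExecutor
from functools import partial
from typing import Callable, List, Optional, Tuple

DEFAULT_NAME_MASK = r"^diskdump_"   # default --name_mask from the table
DEFAULT_WORKERS = 4                 # default --workers_num from the table
# Assumption: EWF output segments are named <target>.E01, .E02, ...; never treat them as input.
EWF_SEGMENT_RE = re.compile(r"\.E\d\d$", re.IGNORECASE)


def find_source_files(source: str) -> List[str]:
    """Return every file below `source` (subfolders included) as a relative path."""
    found = []
    for root, _dirs, files in os.walk(source):
        for name in files:
            found.append(os.path.relpath(os.path.join(root, name), source))
    return found


def plan_conversions(source: str, relative_paths: List[str],
                     destination: Optional[str] = None,
                     name_mask: str = DEFAULT_NAME_MASK) -> List[Tuple[str, str]]:
    """Map each file whose name matches `name_mask` to an EWF target path.

    The folder structure below `source` is mirrored below `destination`, which
    defaults to `source` as --destination does. The target carries no extension
    because ewfacquirestream appends the segment suffix itself (assumption).
    """
    pattern = re.compile(name_mask)
    dest_root = destination or source
    plan = []
    for rel in relative_paths:
        folder, name = os.path.split(rel)
        if not pattern.search(name) or EWF_SEGMENT_RE.search(name):
            continue
        src = os.path.join(source, rel)
        target = os.path.join(dest_root, folder, os.path.splitext(name)[0])
        plan.append((src, target))
    return plan


def convert_with_ewfacquirestream(src: str, target: str, ewftool: str) -> bool:
    """Stream the RAW file into ewfacquirestream; True when it exits cleanly."""
    os.makedirs(os.path.dirname(target) or ".", exist_ok=True)
    with open(src, "rb") as raw:
        proc = subprocess.run([ewftool, "-t", target], stdin=raw,
                              stdout=subprocess.DEVNULL, stderr=subprocess.PIPE)
    return proc.returncode == 0


def convert_all(plan: List[Tuple[str, str]], converter: Callable[[str, str], bool],
                delete: bool = False, workers_num: int = DEFAULT_WORKERS) -> List[Tuple[str, bool]]:
    """Run up to `workers_num` conversions at once. A source file is removed only
    after its conversion succeeded (--delete); failed sources stay for a retry."""
    def job(pair: Tuple[str, str]) -> Tuple[str, bool]:
        src, target = pair
        ok = converter(src, target)
        if ok and delete:
            os.remove(src)
        return src, ok
    with ThreadPoolExecutor(max_workers=workers_num) as pool:
        return list(pool.map(job, plan))


def main() -> None:
    ap = argparse.ArgumentParser(description="Convert RAW disk dumps to EWF as they appear")
    ap.add_argument("--source", required=True)
    ap.add_argument("--destination")
    ap.add_argument("--delete", action="store_true")
    ap.add_argument("--ewftool",
                    default=os.path.join(os.path.dirname(os.path.abspath(__file__)), "ewfacquirestream.exe"))
    ap.add_argument("--name_mask", default=DEFAULT_NAME_MASK)
    ap.add_argument("--convert_single_dump", action="store_true")
    ap.add_argument("--workers_num", type=int, default=DEFAULT_WORKERS)
    args = ap.parse_args()
    converter = partial(convert_with_ewfacquirestream, ewftool=args.ewftool)
    done = set()                     # sources already converted in this run
    while True:                      # keep watching the folder, as the script does
        plan = [(s, t) for s, t in plan_conversions(args.source, find_source_files(args.source),
                                                    args.destination, args.name_mask)
                if s not in done]
        if args.convert_single_dump:
            plan = plan[:1]
        for src, ok in convert_all(plan, converter, args.delete, args.workers_num):
            print(f"{'converted' if ok else 'FAILED'}: {src}")
            if ok:
                done.add(src)
        if args.convert_single_dump and any(ok for _, ok in convert_all([], converter)) or (
                args.convert_single_dump and plan and plan[0][0] in done):
            break
        time.sleep(30)


if __name__ == "__main__":
    main()
```

The separation matters operationally: plan_conversions is pure, so the mapping from source to target can be reviewed before anything is written to the share, and convert_all takes the converter as a parameter, so a dry run can substitute a function that only reports what would be converted.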
Creating a RAM dump retrieval task
You can retrieve a RAM dump from a selected host with the Endpoint Agent component. To do so, you must create a memory dump retrieval task.
The resulting file can be saved only to a shared network resource.
To create a memory dump retrieval task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Add button and select Memory dump in the Get data drop-down list.
This opens the task creation window.
- Configure the following settings:
- Share path—path to a shared network resource.
You need to specify the path in the Universal Naming Convention (UNC) format:
\\server\share\path
If the last folder with the specified name is absent, Kaspersky Endpoint Agent will create one. If creation is unsuccessful, an error will be displayed in the web interface of Kaspersky Anti Targeted Attack Platform.
- User name—user name of the account used to access the shared network resource.
- Password—password of the account used to access the shared network resource.
- Description is the task description. This field is optional.
- Host—the IP address or name of the host to which you want to assign the task.
- Click Add.
The RAM dump retrieval task is created. The task runs automatically after it is created.
As a result, the application places a RAW file or an archive that contains a RAW file on the shared network resource.
If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.14 and later.
Users with the Security auditor role cannot create tasks.
Users with the Security officer role do not have access to tasks.
Creating a process termination task
If you believe that a process running on the computer could threaten the security of the computer or the corporate LAN, you can terminate the process.
To create a process termination task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click Add and select Kill process.
This opens the task creation window.
- Configure the following settings:
- File path—Path to the file of the process that you want to terminate.
You can also specify the path to an alternate data stream of this file. In this case, only processes of the specified data stream will be terminated. The processes of the other streams of this file will be executed.
- MD5/SHA256—MD5- or SHA256 hash of the file of the process that you want to terminate. This field is optional.
- Description is the task description. This field is optional.
- Task for—Task scope:
- If you want to run the task on all hosts of all servers, select the All hosts option.
- If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.
This option is available only when distributed solution and multitenancy mode is enabled.
- If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
- Click Add.
The process termination task will be created. The task runs automatically after it is created.
Users with the Security auditor role cannot create process termination tasks.
Users with the Security officer role do not have access to tasks.
Creating a task to scan hosts using YARA rules
You can scan hosts with the Endpoint Agent component using YARA rules. To do so, you must create a Start YARA scan task. You can create the task:
- In the Tasks section.
In this case, when creating the task, you must select YARA rules that you want to use to scan hosts.
- In the Custom rules section, YARA subsection.
In this case, a task is created to scan hosts using selected YARA rules.
To create a task for scanning hosts with the Kaspersky Endpoint Agent component using YARA rules in the Tasks section:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click Add and select Start YARA scan.
This opens the task creation window.
- Configure the following settings:
- Select rules is the name of the rule. You can enter the name of the rule or a sequence of characters from the name of the rule, then select the rule in the list.
You can add multiple rules.
- Scan is the scan scope. Select one of the following options:
- RAM if you want to scan processes that are running at the time of the task execution.
The application does not scan processes with a low priority.
- Autorun points if you want to scan autorun points obtained from the Get forensics task.
If you are using Kaspersky Endpoint Agent as the Endpoint Agent component, this function is available only when integrated with Kaspersky Endpoint Agent 3.13 or later.
To have autorun points scanned, you must specify hosts for which the Get forensics task was previously run.
- Specified directories if you want to scan files that are located in a specified folder and all its nested folders at the time of the task execution.
- All local disks if you want to scan files stored in all folders on local disks at the time of the task execution.
Scanning all local disks can cause high load on the host.
- If you selected RAM, if necessary, do the following:
- In the Processes field, enter short names of processes or a mask of files that you want to scan.
The application scans all processes with identical names that are running on the host.
If the Processes field is left blank, the application scans all processes that were running at the time of the task execution, except processes with PID under 10 and processes listed in the Exclusions field.
- In the Exclusions field, enter short names of processes or a mask of files that you want to exclude from scanning.
If multiple processes with identical names are running on the host, the application excludes all such processes from scanning.
- If you selected Autorun points, in the Scan type field, select the scan type:
- Quick.
In this case, all autorun points are scanned, except COM objects.
- Full.
In this case, all autorun points are scanned, as well as files involved with them.
If you are using Kaspersky Endpoint Security for Windows as the Endpoint Agent component, a full scan is performed regardless of the selected setting.
- If you selected Specified directories:
- In the Specified directories field, specify the path to the directory in the format C:\<directory name>\*.
- In the Exclusions field, specify the path to the directory in the format C:\<directory name>\*.
- Maximum scan duration is the maximum scan duration.
When this time elapses, the scan is stopped even if some rules were not applied to scan the hosts. The task report contains results that are up-to-date at the moment when the scan was stopped.
- Description is the task description. This field is optional.
- Task for—Task scope:
- If you want to run the task on all hosts of all servers, select the All hosts option.
- If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.
This option is available only when distributed solution and multitenancy mode is enabled.
- If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the task for scanning Kaspersky Endpoint Agent hosts using YARA rules can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.12 and later. If you simultaneously assign a task to hosts with Kaspersky Endpoint Agent 3.12 and earlier versions of the application, the task is executed only on hosts with Kaspersky Endpoint Agent 3.12.
To create a task for scanning Kaspersky Endpoint Agent for Windows hosts using YARA rules in the Custom rules section, YARA subsection:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
- Select check boxes to the left of rules that you want to use when scanning the hosts.
A control panel appears in the lower part of the window.
- Click Start YARA scan.
- Carry out step 3 of the instruction above.
Task creation is complete. The task runs automatically after it is created.
If the scan detects any threats, Kaspersky Anti Targeted Attack Platform creates corresponding alerts.
Users with the Security auditor role cannot create a task for scanning hosts using YARA rules.
Users with the Security officer role do not have access to tasks.
Creating a service management task
You can remotely start, stop, pause, or resume a service, as well as remove a service or change its start type on selected hosts with the Endpoint Agent component. To do so, you must create a service management task.
To create a service management task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click Add and select Manage services.
This opens the task creation window.
- Configure the following settings:
- In the Service name field, enter the name of the service.
- In the MD5/SHA256 field, enter the MD5 or SHA256 hash of the service. This field is optional.
If you enter the hash of a service that is loaded from a DLL, Kaspersky Anti Targeted Attack Platform simultaneously compares the specified hash with the hash of the service DLL and the hash of the svchost process.
- In the Action field, select the operation that you want to perform on the service.
The application supports the following operations with services:
- Start.
- Stop.
- Pause.
- Resume.
- Delete.
- Modify startup type.
When you remove a service, processes that the service has started keep running until the system is restarted or the process is terminated.
- If you selected Modify startup type, in the Startup type, select the start type for the service.
- Description is the task description. This field is optional.
- Task for—Task scope:
- If you want to run the task on all hosts of all servers, select the All hosts option.
- If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.
This option is available only when distributed solution and multitenancy mode is enabled.
- If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
If you are using Kaspersky Endpoint Agent as the Endpoint Agent component, the task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.12 and later. Hosts running earlier versions of Kaspersky Endpoint Agent for Windows are displayed in the list of hosts, but cannot be selected.
- Click Add.
The service management task is created. The task runs automatically after it is created.
Stopping, pausing, deleting services or changing the start type of services that affect the functioning on the host is strongly discouraged.
Users with the Security auditor role cannot create service management tasks.
Users with the Security officer role do not have access to tasks.
Creating an application execution task
You can create an application running task or command execution task.
If the standard output file or error output file reaches a size of 100 KB when the task is running, some of the data is deleted from the file. The file will not contain all the data.
To create a task for running an application or executing a command:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click Add and select Run application.
This opens the task creation window.
- Configure the following settings:
- In the File path and Working directory fields, enter values in one of the following ways:
- In the File path field, enter the full path to the executable file (for example, C:\Windows\System32\ipconfig.exe). Leave the Working directory field empty.
When creating a task, the application does not check if the specified path to the executable file is valid.
- In the File path field, enter the name and extension of the executable file (for example, ipconfig.exe). In the Working directory field, enter the working directory (for example, C:\Windows\System32\).
- In the Arguments field, enter additional options for running the file or task (for example, the /all argument).
- In the Description field, enter the task description. This field is optional.
- Configure the Task for setting, that is, the task scope:
- If you want to run the task on all hosts of all servers, select the All hosts option.
- If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.
This option is available only when distributed solution and multitenancy mode is enabled.
- If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
- Click Add.
The application running task or command execution task is created. The task runs automatically after it is created.
Example: To run the
Users with the Security auditor role cannot create application running tasks or command execution tasks.
Users with the Security officer role do not have access to tasks.
Creating a file deletion task
To create a file deletion task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click Add and select Delete file.
This opens the task creation window.
- Configure the following settings:
- File path—Path to the file that you want to delete.
You can also specify the path to an alternate data stream of this file. In this case, only the specified data stream will be deleted. The other data streams of this file will be left unchanged.
- MD5/SHA256—MD5- or SHA256 hash of the file that you want to delete. This field is optional.
- Description is the task description. This field is optional.
- Task for—Task scope:
- If you want to run the task on all hosts of all servers, select the All hosts option.
- If you want to run the task on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to run the task.
This option is available only when distributed solution and multitenancy mode is enabled.
- If you want to run the task on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
- Click Add.
The file deletion task will be created. The task runs automatically after it is created.
If the file has been blocked by another process, the task will be displayed with the Completed status but the file will be deleted only after the host is restarted. It is recommended to check whether the file is successfully deleted after the host is restarted.
Deleting the file from a mapped network drive is not supported.
Users with the Security auditor role cannot create file deletion tasks.
Users with the Security officer role do not have access to tasks.
Creating a file quarantine task
If you believe that an infected or probably infected file is on the computer with the Endpoint Agent component, you can isolate it by putting it into quarantine.
To create a file quarantine task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click Add and select Quarantine file.
This opens the task creation window.
- Configure the following settings:
- In the File path field, enter the path to the file that you want to quarantine.
- In the MD5/SHA256 field, enter the MD5 or SHA256 hash of the file that you want to quarantine. This field is optional.
- Description is the task description. This field is optional.
- In the Hosts field, enter the name or IP address of the host to which you want to assign the task.
You can specify multiple hosts.
- Click Add.
The file quarantine task is created. The task runs automatically after it is created.
As a result of the task:
- The file is deleted from the folder of the computer where it is located and moved to the quarantine directory on the same computer, which was specified during configuration of the application that is used as the Endpoint Agent component.
- In the task list of the Tasks section of the application web interface, execution information about the task is displayed.
- In the file list in the Storage section, Quarantine subsection, information about the quarantined file is displayed.
If the file has been blocked by another process, the task is displayed with the Completed status but the file is placed in quarantine only after the host is restarted. It is recommended to check whether the task was successfully completed after the host is restarted.
The file quarantine task can finish with the Access denied error if you are trying to quarantine an executable file and it is currently running.
To solve this problem, create a process termination task for this file, and then try creating the file quarantine task again.
Users with the Security auditor role cannot create file quarantine tasks.
Users with the Security officer role do not have access to tasks.
Creating a quarantined file recovery task
If you believe that a previously isolated file is safe, you can restore it from quarantine to the host.
To create a task for restoring a file from quarantine:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click Add and select Restore file from quarantine.
This opens the task creation window.
- Configure the following settings:
- Description is the task description. This field is optional.
- File search—Name of the file in quarantine.
- Click Add.
The task for restoring a file from quarantine is created. The task runs automatically after it is created.
After restoring a file from quarantine to a host, metadata about the file remains in the table of objects placed in Storage.
In distributed solution and multitenancy mode, a file that is quarantined on an SCN server cannot be restored on the PCN server. You can restore the file on the SCN server on which the quarantine file task was created.
Users with the Security auditor role cannot create tasks to restore files from quarantine.
Users with the Security officer role do not have access to tasks.
Creating a copy of a task
To copy the task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Open the task that you want to copy.
- Click Duplicate.
This opens the task creation window. All task settings will be copied.
- If you want to modify task settings, edit one or more settings depending on the type of the task being copied.
- Click Add.
A copy of the selected task will be created.
Users with the Security auditor role cannot copy tasks.
Users with the Security officer role do not have access to tasks.
Deleting tasks
If you delete a task while it is running, the task results might not be saved.
If you delete a successfully completed file download task, the file is also deleted.
To delete a task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Open the task that you want to delete.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The task will be deleted.
To delete all or multiple tasks:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Select check boxes next to the tasks that you want to delete.
You can select all tasks by selecting the check box in the row containing the headers of columns.
- In the pane that appears in the lower part of the window, click Delete.
This opens the action confirmation window.
- Click Yes.
The selected tasks are deleted.
Users with the Security auditor role cannot delete tasks.
Users with the Security officer role do not have access to tasks.
Filtering tasks by creation time
To filter tasks by creation time:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Time link to open the task filtering menu.
- Select one of the following task display periods:
- All if you want the application to display all created tasks in the table.
- Last hour if you want the application to display tasks that were created during the last hour in the table.
- Last day if you want the application to display tasks that were created during the last day in the table.
- Custom range if you want the application to display tasks that were created during a specified period in the table.
- If you have selected the Custom range task display period:
- In the calendar that opens, specify the start and end dates of the task display period.
- Click Apply.
The calendar closes.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks by type
If you are using distributed solution and multitenancy mode, you can filter tasks by their type.
To filter tasks by type:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Type link to open the task filtering menu.
- Select one of the following task display options:
- All, if you want to display all tasks regardless of their type.
- Global, if you want to display only tasks that were created on the PCN server. These tasks apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
- Local, if you want to display only tasks that were created on a SCN server. These tasks apply only to hosts that are connected to this SCN server. Tasks belong to the tenant for which the user is managing the program using the web interface.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks by name
To filter tasks by name:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Name link to open the task filtering menu.
- Select one or more check boxes:
- Kill process.
- Run application.
- Get forensics.
- Start YARA scan.
- Manage services.
- Get file.
- Delete file.
- Quarantine file.
- Restore file.
- Click Apply.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks by file name and path
You can filter tasks based on the Details criterion—Name and path to the file or data stream.
To filter tasks by name and path to the file or data stream:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Details link to open the task filter configuration window.
- In the drop-down list on the right, select Details.
- In the drop-down list on the left, select one of the following task filtering operators:
- Contain
- Not contain
- Equal to
- Not equal to
- In the entry field, specify one or several characters of the file name or path.
- To add a filter condition using a different criterion, click the add condition icon and specify the filter condition.
- Click Apply.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks by description
You can filter tasks by the Description criterion, which is the task description that was added when the task was created.
To filter tasks by description:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Details link to open the task filter configuration window.
- In the drop-down list on the left, select Description.
- In the drop-down list on the right, select one of the following task filtering operators:
- Contain
- Not contain
- Equal to
- Not equal to
- In the entry field, specify one or several characters of the task description.
- To add a filter condition using a different criterion, click the add condition icon and specify the filter condition.
- Click Apply.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks by server name
If you are using distributed solution and multitenancy mode, you can filter tasks based on the servers to which the tasks are applied.
To filter tasks by servers to which the tasks are applied:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Servers link to open the task filtering menu.
- Select the check boxes next to the names of the servers whose tasks you want to display.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks based on the name of the user that created the task
To filter tasks based on the user name that created the task, all tasks must be displayed. If only tasks created by the current user are displayed, tasks cannot be filtered by user name.
To filter tasks by the name of the user that created the task:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the Created by link to open the task filtering menu.
- In the drop-down list, select one of the following task filtering operators:
- Contain
- Not contain
- In the entry field, specify one or several characters of the user name.
- To add a filter condition using a different criterion, click the add condition icon and specify the filter condition.
- Click Apply.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering tasks by processing status
To filter tasks based on the status of their processing by the user:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the State link to open the task filtering menu.
- Select one or more check boxes:
- Pending.
- In process.
- Completed.
- Click Apply.
The tasks table displays only tasks matching the filter criteria you have set.
You can use multiple filters at the same time.
Clearing a task filter
To clear the task filter for one or more filtering criteria:
- Select the Tasks section in the application web interface window.
This opens the task table.
- Click the clear filter icon to the right of the header of the table column for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The tasks table displays only tasks matching the filter criteria you have set.
Managing policies (prevention rules)
When working in the application web interface, users with the Senior security officer role can manage prevention rules for files and processes on selected hosts. For example, you can prevent the running of applications that you consider unsafe to use on the selected host with the Endpoint Agent component. The application identifies files based on their hash by using the MD5 and SHA256 hashing algorithms. You can create, enable, disable, delete, and modify prevention rules. Additionally, you can click the link with the name of the hashing algorithm in the prevention rule table and use the Find events, Find alerts, Find on Kaspersky TIP, or Find on virustotal.com actions to look up objects, events, or alerts related to the hash that triggered the prevention rule.
In distributed solution and multitenancy mode, prevention rules can have the following types:
- Global—Created on the PCN. These prevention rules apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.
- Local—Created on the SCN server. These prevention rules apply only to hosts that are connected to this SCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.
Users with the Senior security officer role can create, edit, delete, enable, disable, and import prevention rules for tenants to whose data they have access.
Users with the Security officer role do not have access to policies.
Users with the Security auditor role can view the table of file run prevention rules and process run prevention rules, as well as information about the selected prevention rule, but they cannot edit the rules.
All changes to prevention rules are applied on hosts after an authorized connection is established with the selected hosts. If there is no connection with the hosts, the old prevention rules continue to be applied on the hosts. Changes to prevention rules do not affect processes that are already running.
Prevention rules can be created automatically based on preset policies (hereinafter also "presets") added by default. With presets turned on, a prevention rule is created based on a medium or high severity alert of the Sandbox component. The prevention rule thus created prevents running the file based on its MD5 hash. Users with the Senior security officer role can enable and disable presets.
Presets are not supported in distributed solution and multitenancy mode.
The same operations can be applied to automatically created or imported prevention rules as for manually created rules.
You can create only one prevention rule for each file hash.
The maximum supported number of prevention rules in the system is 50,000.
Prevention rules are enforced only if the Endpoint Agent component is running on the host. If an attempt to run a file is made before the component is started or after the component is shut down on a host, the file will not be blocked from running.
You can manage file and process running prevention rules on selected hosts using policies only if the Endpoint Agent component is integrated with the Central Node server; to do so, you must use the web interface of Kaspersky Anti Targeted Attack Platform.
If you are using Kaspersky Endpoint Security for Windows as the Endpoint Agent component, take into account that the application supports preventing office-format files with certain extensions and certain script interpreters from running.
Viewing the prevention rule table
The table of prevention rules is in the Prevention section of the application web interface window.
The table contains the following information:
- Type is the type of the rule depending on the operating mode of the application and the role of the server which generated the rule:
- Global—Created on the PCN. These prevention rules apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.
- Local—Created on the SCN server. These prevention rules apply only to hosts that are connected to this SCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.
- Name is the name of the prevention rule.
- Created by—Name of the user whose account was used to create the rule.
- File hash—Hashing algorithm applied to identify a file.
A file can be identified based on one of the following hashing algorithms:
- MD5.
- SHA256.
Clicking the link with the name of the hashing algorithm opens a list in which you can view the file hash and select one of the following actions:
- Filter by this value.
- Exclude from filter.
- Find on Kaspersky TIP.
- Find on virustotal.com (for SHA256).
- Find events.
When this action is performed, the Threat Hunting section opens with events that are already filtered based on the hash you selected.
- Find alerts.
When this action is performed, the Alerts section opens with alerts that are already filtered based on the hash you selected.
- Enable prevention rule.
- Disable prevention rule.
- Delete prevention rule.
- Copy value to clipboard.
- Servers are names of servers with the PCN or SCN role to which the prevention rule applies.
This field is displayed if you are using the distributed solution and multitenancy mode.
- Hosts is the name of the server with the Central Node component to whose hosts the prevention rule is applied.
This field is displayed only when you are using a standalone Central Node server.
- State is the current state of the prevention rule.
A prevention rule can have one of the following states:
- Enabled
- Disabled
Configuring prevention rule table display
You can show or hide columns and change the order of columns in the prevention rule table.
To configure prevention rule table display:
- Select the Prevention section in the application web interface window.
This opens the prevention rule table.
- In the heading part of the table, click the table configuration icon.
This opens the Customize table window.
- If you want to show a column in the table, select the check box next to the name of the parameter that you want displayed in the table.
If you want to hide a parameter in the table, clear the check box.
At least one check box must be selected.
- If you want to change the order of columns in the table, move the mouse cursor to the row with the relevant parameter, click the drag handle, and move the row to its new place.
- If you want to restore default table display settings, click Default.
- Click Apply.
The prevention rule table display is configured.
Viewing a prevention rule
To view a prevention rule:
- Select the Prevention section in the application web interface window.
This opens the prevention rule table.
- Select the prevention rule that you want to view.
A prevention rule contains the following information:
- The Events link opens the Threat Hunting section with the search condition containing your selected prevention rule.
- State is the current state of the prevention rule.
A prevention rule can have one of the following states:
- Enabled
- Disabled
- The Details tab contains the following information:
- MD5/SHA256 is the hash of the file prevented from running.
Clicking the MD5/SHA256 link opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find events.
- Find alerts.
- Copy value to clipboard.
- Name is the name of the prevention rule or file prevented from running.
- Type is the type of the rule depending on the operating mode of the application and the role of the server which generated the rule:
- Global—Created on the PCN. These prevention rules apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.
- Local—Created on the SCN server. These prevention rules apply only to hosts that are connected to this SCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.
- Notification is the state of the Notify user about blocking file execution setting.
- Prevent on is the list of hosts on which the prevention rule is applied.
If the prevention is in effect on all hosts, the All hosts section is displayed.
- The Change log tab contains a list of changes made to the prevention: time of the change, name of the user that changed the prevention, and actions taken on the prevention.
Creating a prevention rule
When you create a prevention rule for a system file, the host on which the file is prevented from running may work incorrectly. Kaspersky Anti Targeted Attack Platform does not check what type of files the prevention rule is created for.
To create a prevention rule:
- Select the Prevention section in the application web interface window.
This opens the prevention rule table.
- Click Add.
- Select Create rule.
This opens the prevention rule creation window.
- Configure the following settings:
- State is the state of the prevention rule:
- If you want to enable the prevention rule, set the toggle switch to On.
- If you want to disable the prevention rule, set the toggle switch to Off.
- MD5/SHA256—MD5- or SHA256 hash of the file or data stream that you want to prevent from starting.
- Name is the name of the prevention rule.
- If you want the application to display a notification about prevention rule triggering to the user of the computer on which the prevention is applied, select the Notify user about blocking file execution check box.
If you selected the Notify user about blocking file execution check box and an attempt is made to execute a file prevented from running, the user is notified that an execution prevention rule was triggered by this file.
- Prevent on is the prevention rule scope:
- If you want to apply the prevention rule on all hosts of all servers, select All hosts.
- If you want to apply the prevention rule on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to apply the prevention rule.
This option is available only when distributed solution and multitenancy mode is enabled.
- If you want to apply the prevention rule on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.
If you are using a Kaspersky Endpoint Security for Linux version earlier than 12.2 in the role of the Endpoint Agent component, the prevention rule creation functionality is not available. When creating a prevention rule, if you select a host with Kaspersky Endpoint Security for Linux or all hosts as the scope of the rule, the rule is not applied or is only applied to hosts with Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Security for Windows.
- Click Add.
The file startup prevention will be created.
You can also import prevention rules.
Users with the Security auditor role cannot create file launch prevention rules.
Users with the Security officer role cannot access prevention rules.
Importing prevention rules
You can import a file with MD5 and SHA256 hashes for files that you want to prevent from running. For each hash, Kaspersky Anti Targeted Attack Platform creates a separate prevention rule.
The maximum size of the imported file is 10 MB. Only one hash per line is allowed.
To import prevention rules:
- Select the Prevention section in the application web interface window.
This opens the prevention rule table.
- Click Add.
- Select Import rules.
This opens the prevention rule import window.
- Configure the following settings:
- State is the state of the prevention rule:
- If you want to enable all imported prevention rules, set the toggle switch to On.
- If you want to disable all imported prevention rules, set the toggle switch to Off.
- If you want the application to display a notification about prevention rules triggering to the user of the computer on which the prevention is applied, select the Notify user about blocking file execution check box.
The Prevent on field cannot be edited. By default, prevention rules created on a PCN server are applied on all hosts connected to that PCN server and all SCN servers connected to that PCN server (if you are using the distributed solution and multitenancy mode).
- Click Browse to upload the file containing hashes of files for which you want to create prevention rules.
This opens the file selection window.
- Select the file that you want to upload and click Open.
This closes the file selection window.
- Click Add.
The rules are imported.
Users with the Security auditor role cannot import file launch prevention rules.
Users with the Security officer role cannot access prevention rules.
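The prevention rules described above (see the introduction to managing policies and the import procedure) identify files by MD5 or SHA256 hash, accept one hash per line in an import file of at most 10 MB, allow one rule per hash, and cap the system at 50,000 rules. The following Python block is an added example, not part of the Kaspersky help or of the product's own tooling: it computes the two hashes of a constructed sample file, builds a constructed import file, and checks that file against those stated limits before it is uploaded, reporting lines that are not a single hash or that repeat a hash already listed. The existing_rules argument is an assumed input that you would take from the prevention rule table; the application's own import is not exercised.

```python
import hashlib
import re

# Limits stated in the help: import file up to 10 MB, one hash per line,
# one prevention rule per file hash, at most 50,000 rules in the system.
MAX_IMPORT_BYTES = 10 * 1024 * 1024
MAX_RULES = 50_000
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 of file contents as lower-case hex, the form a prevention rule uses."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def validate_import_file(text: str, existing_rules: int = 0) -> dict:
    """Check an import file before uploading it.

    Returns {"accepted": [(algorithm, hash), ...],
             "rejected": [(line_no, line, reason), ...]}.
    Raises ValueError if the file is over 10 MB or the rule ceiling would be exceeded.
    existing_rules is an assumed value taken from the prevention rule table.
    """
    size = len(text.encode("utf-8"))
    if size > MAX_IMPORT_BYTES:
        raise ValueError(f"import file is {size} bytes; the maximum is {MAX_IMPORT_BYTES}")

    accepted, rejected, seen = [], [], set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # a blank line carries no hash
        if MD5_RE.match(line):
            algorithm = "MD5"
        elif SHA256_RE.match(line):
            algorithm = "SHA256"
        else:
            rejected.append((line_no, raw, "not a single MD5 (32 hex) or SHA256 (64 hex) value"))
            continue
        key = line.lower()  # hex digests compare case-insensitively
        if key in seen:
            rejected.append((line_no, raw, "duplicate: only one prevention rule per file hash"))
            continue
        seen.add(key)
        accepted.append((algorithm, key))

    total = existing_rules + len(accepted)
    if total > MAX_RULES:
        raise ValueError(f"{total} rules would exceed the limit of {MAX_RULES}")
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample: a stand-in for a file to be prevented from running, and a
# constructed import file containing a duplicate, a garbage line and a two-hash line.
SAMPLE_FILE = b"constructed sample of a blocked file"
SAMPLE_HASHES = file_hashes(SAMPLE_FILE)
SAMPLE_IMPORT = "\n".join([
    SAMPLE_HASHES["SHA256"],
    SAMPLE_HASHES["MD5"],
    SAMPLE_HASHES["MD5"].upper(),                          # same hash again, different case
    "not-a-hash",                                          # rejected
    SAMPLE_HASHES["MD5"] + " " + SAMPLE_HASHES["SHA256"],  # two hashes on one line: rejected
    "",
])

if __name__ == "__main__":
    result = validate_import_file(SAMPLE_IMPORT)
    for algorithm, digest in result["accepted"]:
        print(f"rule: {algorithm} {digest}")
    for line_no, line, reason in result["rejected"]:
        print(f"line {line_no} rejected ({reason}): {line!r}")
```

Running the block prints two accepted rules (one SHA256, one MD5) and three rejected lines. Rejecting duplicates locally matches the help's one-rule-per-hash constraint, and checking the rule ceiling before upload avoids a partially applied import.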
Enabling and disabling a prevention rule
To enable or disable a prevention rule:
- Select the Prevention section in the application web interface window.
This opens the prevention rule table.
- In the row containing the prevention rule that you want to enable or disable, in the State column, perform one of the following actions:
- If you want to enable the prevention rule, set the toggle switch to Enabled.
The prevention rule you selected will be enabled.
- If you want to disable the prevention rule, set the toggle switch to Disabled.
The prevention rule you selected will be disabled.
Users with the Security auditor role cannot enable or disable prevention rules.
Users with the Security officer role do not have access to the prevention rules for launching files and processes on selected hosts using policies.
Enabling and disabling presets
To enable or disable presets:
- Select the Prevention section in the application web interface window.
This opens the prevention rule table.
- Select the Presets tab.
- In the row of the preset that you want to enable or disable, in the State column, set the toggle switch to Enabled or Disabled.
The preset is enabled or disabled. Disabling a preset does not remove the prevention rules that it previously created automatically.
Deleting prevention rules
You can delete a single prevention rule or multiple prevention rules, or all prevention rules at the same time.
To delete a single prevention rule:
- Select the Prevention section in the application web interface window.
This opens the prevention rule table.
- Click the prevention rule that you want to delete.
This opens the prevention rule details window.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The prevention rule is deleted.
To delete all or multiple prevention rules:
- Select the Prevention section in the application web interface window.
This opens the prevention rule table.
- Select check boxes next to prevention rules that you want to delete.
You can select all prevention rules by selecting the check box in the row containing the headers of columns.
- In the pane that appears in the lower part of the window, click Delete.
This opens the action confirmation window.
- Click Yes.
The selected prevention rules are deleted.
Users with the Security auditor role cannot delete prevention rules.
Users with the Security officer role do not have access to the prevention rules for launching files and processes on selected hosts using policies.
Filtering prevention rules by name
To filter prevention rules by name:
- Select the Prevention section in the application web interface window.
This opens the prevention rule table.
- Click the Name link to open the prevention filtering menu.
- In the drop-down list, select one of the following prevention filtering operators:
- Contain
- Not contain
- In the text box, enter one or more characters of the prevention rule name.
- To add a filter condition using a different criterion, click the add condition icon and specify the filter condition.
- Click Apply.
The prevention rules table displays only the prevention rules that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering prevention rules by type
If you are using distributed solution and multitenancy mode, you can filter prevention rules by their type.
To filter prevention rules by type:
- Select the Prevention section in the application web interface window.
This opens the prevention rule table.
- Click the Type link to open the prevention rule filtering menu.
- Select one of the following options for displaying prevention rules:
- All, if you want to display all prevention rules regardless of their type.
- Global, if you want to display only the prevention rules that were created on the PCN. These prevention rules apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Prevention rules belong to the tenant which the user is managing in the application web interface.
- Local, if you want to display only prevention rules that were created on a SCN server. These prevention rules apply only to hosts that are connected to this SCN server. Prevention rules belong to the tenant which the user is managing in the application web interface.
The prevention rules table displays only the prevention rules that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering prevention rules by file hash
To filter prevention rules by file hash:
- Select the Prevention section in the application web interface window.
This opens the prevention rule table.
- Click the File hash link to open the prevention rule filtering menu.
- In the drop-down list, select one of the following prevention filtering operators:
- Contain
- Not contain
- In the text box, enter one or several characters of the file hash.
- To add a filter condition using a different criterion, click the icon and specify the filter condition.
- Click Apply.
The prevention rules table displays only the prevention rules that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering prevention rules by server name
If you are using the distributed solution and multitenancy mode, you can filter prevention rules based on the servers to which the prevention rules apply.
To filter prevention rules by server name:
- Select the Prevention section in the application web interface window.
This opens the prevention rule table.
- Click the Servers link to open the prevention rule filtering menu.
- Select the check boxes next to those servers by which you want to filter the prevention rules.
- Click Apply.
The prevention rules table displays only the prevention rules that match the filter criteria you have set.
You can use multiple filters at the same time.
Clearing a prevention rule filter
To clear the prevention rule filter for one or more filtering criteria:
- Select the Prevention section in the application web interface window.
This opens the prevention rule table.
- Click the icon to the right of the header of the column of the prevention rule table for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The prevention rules table displays only the prevention rules that match the filter criteria you have set.
Managing user-defined rules
For additional protection of the corporate IT infrastructure, you can configure TAA, IDS, IOC, and YARA custom rules.
Users with the Senior security officer role can work with custom TAA, IDS, IOC, and YARA rules: load and delete rule files, view lists of rules, and edit the selected rules.
Users with the Security auditor role can view the lists of custom TAA, IDS, IOC, and YARA rules and properties of selected rules without the possibility of editing.
Users with the Security officer role can view the lists of custom TAA, IOC, and YARA rules and properties of selected rules without the possibility of editing.
Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting
Kaspersky Anti Targeted Attack Platform uses two types of indicators for threat hunting: IOC (Indicator of Compromise) and IOA (Indicator of Attack).
An IOC is a set of data about a malicious object or malicious activity. Kaspersky Anti Targeted Attack Platform uses IOC files conforming to the OpenIOC standard, which is an open standard for describing indicators of compromise. IOC files contain a set of indicators that are compared to the indicators of an event. If the compared indicators match, the application considers the event to be a detection and creates an alert. The likelihood of an alert may increase if a scan detects exact matches between the data of an object and several IOC files.
An IOA (also referred to as a "TAA (IOA) rule") is a rule containing the description of a suspicious activity in the system that could be a sign of a targeted attack. Kaspersky Anti Targeted Attack Platform scans the Events database of the application and marks events or event chains that match behaviors described by TAA (IOA) rules. The streaming scan technology is used, which involves continuous real-time scanning of events being received from protected devices.
TAA (IOA) rules created by Kaspersky experts are used by the TAA (Targeted Attack Analyzer) technology and are updated alongside the application databases. They are not displayed in the interface of the application and cannot be edited.
You can add user-defined IOC and TAA (IOA) rules using IOC files in the OpenIOC format as well as create TAA (IOA) rules based on event database search conditions.
The following table contains a comparative analysis of indicators of compromise (IOC) and attack (IOA).
Comparison of IOC and IOA indicators
| Characteristic | IOC in user-defined IOC rules | IOA in user-defined TAA (IOA) rules | IOA in TAA (IOA) rules created by Kaspersky experts |
|---|---|---|---|
| Scan scope | Computers with the Endpoint Agent component | Application events database | Application events database |
| Scanning mechanism | Periodical scan | Streaming scan | Streaming scan |
| Can be added to exclusions from scan | No. | Not needed. Users with the Senior security officer role can edit the text of the indicator in custom TAA (IOA) rules as necessary. | Yes. |
If you are using the distributed solution and multitenancy mode, this section displays information for the selected tenant.
Managing user-defined TAA (IOA) rules
Custom TAA (IOA) rules are created based on event database search criteria. For example, if you want Kaspersky Anti Targeted Attack Platform to generate alerts for events when an application that you consider unsafe is started on computers with the Endpoint Agent component, you can:
- Generate a search query to the event database manually or upload an IOC file with indicators of compromise or a YAML file with a Sigma rule to detect this application.
When creating an IOC file, review the list of IOC terms that you can use to search for events in the Threat Hunting section. You can view the list of supported IOC terms by downloading the file from the link below.
IOC terms for searching events in the Threat Hunting section
- Create a custom TAA (IOA) rule based on event search conditions.
When Central Node server receives events matching the created TAA (IOA) rule, Kaspersky Anti Targeted Attack Platform generates alerts.
You can also create a TAA (IOA) rule based on conditions from an already loaded IOC file. To do so:
- Find events corresponding to the criteria of the selected file.
- Create a TAA (IOA) rule based on event search criteria from the selected file.
In distributed solution and multitenancy mode, TAA (IOA) rules can have one of the following types:
- Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the application web interface.
- Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the application web interface.
The differences between user rules and Kaspersky rules are summarized in the following table.
Comparison of TAA (IOA) rules
| Characteristic | User-defined TAA (IOA) rules | Kaspersky TAA (IOA) rules |
|---|---|---|
| Recommendations on responding to the event | No | Yes. You can view recommendations in |
| Correspondence to technique in MITRE ATT&CK database | No | Yes. You can view the description of the |
| Display in the TAA (IOA) rule table | Yes | No |
| Ability to disable database lookup for this rule | | |
| Ability to delete or add the rule | You can delete or add a rule in the web interface of the application | Rules are updated together with application databases |
| Searching for alerts and events in which TAA (IOA) rules were triggered | Using Alerts and Events links in the TAA (IOA) rule information window | Using Alerts and Events links in the alert information window |
Users with the Senior security officer role can create, import, delete, enable or disable TAA (IOA) rules, and exclude Kaspersky TAA (IOA) rules from scanning. Users with the Security officer or Security auditor roles can use TAA (IOA) rules to search for signs of targeted attacks, infected and possibly infected objects in the database of events and alerts, and to view the TAA (IOA) rule table and TAA (IOA) rule information.
Viewing the TAA (IOA) rule table
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
The table of user-defined TAA (IOA) rules contains information about TAA (IOA) rules that are used to scan events and create alerts; the table is in the Custom rules section, TAA subsection of the application web interface window.
The table contains the following information:
- Importance – Importance level that is assigned to an alert generated using this TAA (IOA) rule.
The importance level can have one of the following values:
- Low.
- Medium.
- High.
- Type is the type of the rule depending on the operating mode of the application and the role of the server which generated the rule:
- Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the application web interface.
- Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the application web interface.
- Confidence – level of confidence depending on the likelihood of false alarms caused by the rule:
- High.
- Medium.
- Low.
The higher the confidence, the lower the likelihood of false alarms.
- Name – name of the rule.
- Servers are names of servers with the PCN or SCN role to which the rule applies.
This column is displayed if you are using the distributed solution and multitenancy mode.
- Alerts – whether an alert is recorded when an event from the database matches the criteria of the rule:
- Enabled – a record is created for the event in the alerts table with the Targeted Attack Analyzer (TAA) technology specified.
- Disabled – the event is not displayed in the alert table.
- State – usage status of the rule in event scans:
- Enabled – the rule is being used.
- Disabled – the rule is not being used.
Creating a TAA (IOA) rule based on event search conditions
To create a TAA (IOA) rule based on event search conditions:
- Select the Threat Hunting section in the application web interface window.
This opens the event search form.
- Perform an event search in builder mode or source code mode.
- Click Save as TAA (IOA) rule.
This opens the New TAA (IOA) rule window.
- In the Name field, type the name of the rule.
- Click Save.
The event search condition will be saved. In the TAA (IOA) rule table in the Custom rules section, TAA subsection of the web interface, the new rule is displayed with the specified name.
If you want to save event search conditions as a user-defined TAA (IOA) rule, avoid using the following fields:
- IOAId.
- IOATag.
- IOATechnique.
- IOATactics.
- IOAImportance.
- IOAConfidence.
At the time of saving the user-defined TAA (IOA) rule, the application may not have any events containing data for these fields. When events with this data turn up, the user-defined rule that you created earlier will be unable to mark events by these fields.
Users with the Security auditor and Security officer roles cannot create TAA (IOA) rules based on event search conditions.
Importing TAA (IOA) rules
You can import TAA (IOA) rules from an IOC file or a YAML file with a Sigma rule and use these to scan events and generate Targeted Attack Analyzer alerts.
To import a TAA (IOA) rule:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Click Import.
This opens the file selection window on your local computer.
- Select the file that you want to upload and click Open.
This opens the New TAA (IOA) rule window.
- Set the State toggle switch to Enabled if you want to enable the rule for scanning the event database.
- On the Details tab, in the Name field, enter the name of the rule.
- In the Description field, enter any additional information about the rule.
- In the Importance drop-down list, select the importance level to be assigned to alerts generated using this TAA (IOA) rule.
- Low.
- Medium.
- High.
- In the Confidence drop-down list, select the level of confidence of this rule based on your estimate:
- Low.
- Medium.
- High.
- Under Apply to, select check boxes corresponding to servers on which you want to apply the rule.
- On the Query tab, verify the defined search conditions. Make changes if necessary.
- Click Save.
The user-defined TAA (IOA) rule is imported into the application.
You can also add a TAA (IOA) rule by saving events database search conditions in the Threat Hunting section.
Viewing custom TAA (IOA) rule details
To display information about the TAA (IOA) rule:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the rule for which you want to view information.
This opens a window containing information about the rule.
The window contains the following information:
- Click the Alerts link to display the alert table in a new browser tab. The alerts are filtered by the Targeted Attack Analyzer technology and the name of the TAA (IOA) rule that you are working on.
- Click the Find events link to display the events table in a new browser tab. The table is filtered by rule name.
- Click the Run query link to display the events table in a new browser tab. The table is filtered by rule name. The event search conditions are populated with information from the TAA (IOA) rule that you are working on. For example:
EventType=Process started AND FileName CONTAINS <name of the rule you are working on>
You can edit the event search query.
- Click the IOA ID link to display the ID that the application assigns to each rule. IDs cannot be modified. You can copy the ID by clicking the Copy value to clipboard button.
- State – use of the rule in events database scans.
The Details tab shows the following information:
- Name is the name of the rule that you specified when you added the rule.
- Description is any additional information about the rule that you specified.
- Importance is an estimate of the probable impact of the event on the security of computers or the corporate LAN as specified by the user when the rule was added.
- Confidence is the level of confidence depending on the likelihood of false alarms as defined by the user when the rule was added.
- Type is the type of the rule depending on the role of the server which generated it:
- Global—Created on the PCN server. These rules are used to scan events on this PCN server and all SCN servers connected to this PCN server. Scanned events belong to the tenant which the user is managing in the application web interface.
- Local—Created on the SCN server. These rules are used to scan events on this SCN server. Scanned events belong to the tenant which the user is managing in the application web interface.
- Apply to – name of servers with the Central Node component on which the rule is applied.
The Query tab displays the source code of the query being checked. Click the Run query link in the upper part of the window to go to the Threat Hunting section and run an event search query.
Searching for alerts and events in which TAA (IOA) rules were triggered
To search and display alerts and events that were created by a user-defined TAA (IOA) rule triggering:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the rule for which you want to view the triggering result.
This opens a window containing information about the rule.
- Do one of the following:
- If you want to view alerts generated by the TAA (IOA) rule triggering, click Alerts to go to the alerts database.
The alert table is opened in a new browser tab.
- If you want to view events generated by the TAA (IOA) rule triggering, click Events to go to the events database.
The event table is opened in a new browser tab.
To search and display alerts and events that were created by a Kaspersky TAA (IOA) rule triggering:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the link in the Technologies column to open the filter configuration window.
- In the drop-down list on the left, select Contain.
- In the drop-down list on the right, select the (TAA) Targeted Attack Analyzer technology.
- Click Apply.
The table displays alerts generated by the TAA technology based on TAA (IOA) rules.
- Select an alert for which the Detected column displays the name of the relevant rule.
This opens a window containing information about the alert.
- Under Scan results, click the link with the name of the rule to open the rule information window.
- Do one of the following:
- If you want to view alerts generated by the TAA (IOA) rule triggering, click Alerts to go to the alerts database.
The alert table is opened in a new browser tab.
- If you want to view events generated by the TAA (IOA) rule triggering, click Events to go to the events database.
The event table is opened in a new browser tab.
Filtering and searching TAA (IOA) rules
To filter or search for TAA (IOA) rules by required criteria:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Depending on the filtering criterion, do the following:
The table displays only rules that match the specified criteria.
You can use multiple filters at the same time.
Resetting the TAA (IOA) rule filter
To clear a TAA (IOA) rule filter based on one or multiple filter conditions:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Click the icon to the right of that column heading of the rule table for which you want to clear filtering criteria.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table displays only rules that match the specified criteria.
Enabling and disabling TAA (IOA) rules
Users with the Senior security officer role can enable or disable one or several rules, as well as all rules at once.
To enable or disable the use of a TAA (IOA) rule when scanning events:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- In the row with the relevant rule, select or clear the check box in the State column.
The use of the rule when scanning events is enabled or disabled.
To enable or disable the use of all or multiple TAA (IOA) rules when scanning events:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the check boxes on the left of the rules whose use you want to enable or disable.
You can select all rules by selecting the check box in the row containing the headers of columns.
A control panel appears in the lower part of the window.
- Click Enable or Disable to enable or disable all rules.
The use of the selected rules when scanning events is enabled or disabled.
In distributed solution and multitenancy mode, you can manage only global TAA (IOA) rules on the PCN server. You can manage local TAA (IOA) rules on SCN servers of tenants to which you have access.
Users with the Security auditor and Security officer roles cannot enable or disable TAA (IOA) rules.
Modifying a TAA (IOA) rule
Users with the Senior security officer role can modify custom TAA (IOA) rules. Rules created by Kaspersky cannot be edited.
In distributed solution and multitenancy mode, you can edit only those TAA (IOA) rules that were created on the current server. Consequently, in the web interface of the PCN, you can edit only the rules that were created on the PCN. In the web interface of an SCN, you can edit only the rules that were created on the SCN.
To edit a TAA (IOA) rule:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the rule that you want to modify.
This opens a window containing information about the rule.
- Make the relevant changes.
- Click Save.
The rule settings are modified.
Users with the Security auditor and Security officer roles cannot modify TAA (IOA) rules based on event search conditions.
Deleting TAA (IOA) rules
Users with the Senior security officer role can delete one or more TAA (IOA) rules, or all rules at the same time.
In distributed solution and multitenancy mode, you can delete only those TAA (IOA) rules that were created on the current server. Consequently, in the web interface of the PCN, you can delete only the rules that were created on the PCN. In the web interface of an SCN, you can delete only the rules that were created on the SCN.
To delete a custom TAA (IOA) rule:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the rule that you want to delete.
This opens a window containing information about the rule.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The rule is deleted.
To delete all or multiple custom TAA (IOA) rules:
- In the window of the application web interface, select the Custom rules section, TAA subsection.
This opens the TAA (IOA) rule table.
- Select the check boxes on the left of the rules that you want to delete.
You can select all rules by selecting the check box in the row containing the headers of columns.
A control panel appears in the lower part of the window.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The selected rules will be deleted.
You cannot delete TAA (IOA) rules defined by Kaspersky. If you do not want to use a Kaspersky TAA (IOA) rule for scanning, add it to exclusions.
Users with the Security auditor and Security officer roles cannot modify TAA (IOA) rules based on event search conditions.
Managing user-defined IOC rules
You can use IOC files to search for indicators of compromise in the event database and on computers with the Endpoint Agent component. For example, if you have received third-party information about a piece of malware currently spreading, you can:
- Create an IOC file with indicators of compromise for the malware and upload it to the web interface of Kaspersky Anti Targeted Attack Platform.
- Find events corresponding to the criteria of the selected IOC file.
You can view such events, and if you want Kaspersky Anti Targeted Attack Platform to generate alerts for the selected events, you can create a TAA (IOA) rule.
- Enable automatic use of the selected IOC file to search for indicators of compromise on computers with the Endpoint Agent component.
If, while scanning the computers, the Endpoint Agent component detects indicators of compromise, Kaspersky Anti Targeted Attack Platform generates an alert.
You can find these alerts in the table of alerts by filtering by technology name.
- Configure the schedule for searching for indicators of compromise using IOC files on computers with the Endpoint Agent component.
In distributed solution and multitenancy mode, IOC files can have the following types:
- Local—IOC files uploaded to an SCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the SCN server.
- Global—IOC files uploaded to the PCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the PCN server and all SCN servers connected to the PCN server.
An IOC file is a text file saved with the .ioc extension. When creating the IOC file, review the list of IOC terms supported by the application that you are using in the Endpoint Agent role. You can view the list of supported IOC terms by downloading the files from the links below.
Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Security for Windows
Kaspersky Endpoint Security 12 for Linux
Kaspersky Endpoint Security 11.4 for Linux and Kaspersky Endpoint Security for Mac do not support IOC files.
Example of an IOC file for finding a file by its hash
Each IOC file can contain only one rule. The rule can be of any complexity.
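The manual's own expandable example is not reproduced on this page. As an added example, not Kaspersky's code or its IOC file, the following constructed OpenIOC 1.0 document finds a file either by its MD5 hash or by a file name combined with a path fragment, and a small Python evaluator applies the rules this page states: the indicators in the file are compared against the attributes of an object, one rule per file (nested AND/OR indicators of any complexity), and IOC files with UserItem properties are rejected. The namespace is that of OpenIOC 1.0; all ids, hashes and file records are constructed placeholders.

```python
"""Parse an OpenIOC file and evaluate its single rule against file metadata.

Added example, not Kaspersky's code. The IOC document, the rule ids and
the file records below are all constructed for illustration.
"""
import hashlib
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}  # OpenIOC 1.0 namespace

# Constructed sample hash (digest of an in-memory string, not a real indicator).
SAMPLE_MD5 = hashlib.md5(b"constructed sample file").hexdigest()

# Constructed IOC file: one rule that matches a file by MD5, or by a file
# name combined with a path fragment. The id values are placeholders.
IOC_XML = """<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001">
  <short_description>Constructed example: find a file by its hash</short_description>
  <definition>
    <Indicator operator="OR" id="00000000-0000-0000-0000-000000000002">
      <IndicatorItem id="00000000-0000-0000-0000-000000000003" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">MD5_PLACEHOLDER</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="00000000-0000-0000-0000-000000000004">
        <IndicatorItem id="00000000-0000-0000-0000-000000000005" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">dropper.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="00000000-0000-0000-0000-000000000006" condition="contains">
          <Context document="FileItem" search="FileItem/FilePath" type="mir"/>
          <Content type="string">\\Temp\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
""".replace("MD5_PLACEHOLDER", SAMPLE_MD5)


def load_rule(xml_text: str) -> ET.Element:
    """Return the file's single top-level Indicator, enforcing the manual's
    constraints: exactly one rule per IOC file and no UserItem properties."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    definition = root.find("ioc:definition", NS)
    if definition is None:
        raise ValueError("IOC file has no <definition> element")
    rules = definition.findall("ioc:Indicator", NS)
    if len(rules) != 1:
        raise ValueError(f"expected exactly one rule per IOC file, found {len(rules)}")
    for ctx in definition.iter("{%s}Context" % NS["ioc"]):
        if ctx.get("document") == "UserItem":
            raise ValueError("UserItem properties for domain users are not supported")
    return rules[0]


def item_matches(item: ET.Element, record: dict) -> bool:
    """Evaluate one IndicatorItem (conditions 'is' and 'contains') against a
    record keyed by OpenIOC search term, e.g. 'FileItem/Md5sum'."""
    ctx = item.find("ioc:Context", NS)
    content = item.find("ioc:Content", NS)
    if ctx is None or content is None:
        return False
    actual = record.get(ctx.get("search"))
    if actual is None:
        return False  # the record carries no value for this term: no match
    expected = (content.text or "").strip().lower()
    actual = actual.lower()  # hashes and Windows paths compare case-insensitively
    condition = item.get("condition", "is")
    if condition == "is":
        return actual == expected
    if condition == "contains":
        return expected in actual
    raise ValueError(f"unsupported condition: {condition}")


def indicator_matches(indicator: ET.Element, record: dict) -> bool:
    """Recursively evaluate a nested Indicator tree with AND/OR operators."""
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]  # strip the namespace prefix
        if tag == "IndicatorItem":
            results.append(item_matches(child, record))
        elif tag == "Indicator":
            results.append(indicator_matches(child, record))
    if not results:
        return False
    return all(results) if indicator.get("operator", "OR").upper() == "AND" else any(results)


def scan(xml_text: str, records: list) -> list:
    """Return the file records that match the rule in the IOC file."""
    rule = load_rule(xml_text)
    return [r for r in records if indicator_matches(rule, r)]


# Constructed endpoint file records, keyed by OpenIOC search term.
FILE_RECORDS = [
    {"FileItem/FileName": "report.pdf", "FileItem/FilePath": "C:\\Users\\a\\report.pdf",
     "FileItem/Md5sum": hashlib.md5(b"benign").hexdigest()},
    {"FileItem/FileName": "update.bin", "FileItem/FilePath": "C:\\ProgramData\\update.bin",
     "FileItem/Md5sum": SAMPLE_MD5},  # matches through the hash branch
    {"FileItem/FileName": "dropper.exe", "FileItem/FilePath": "C:\\Windows\\Temp\\dropper.exe",
     "FileItem/Md5sum": hashlib.md5(b"other").hexdigest()},  # matches name AND path
    {"FileItem/FileName": "dropper.exe", "FileItem/FilePath": "C:\\Tools\\dropper.exe",
     "FileItem/Md5sum": hashlib.md5(b"third").hexdigest()},  # name only: no match
]
```

Running `scan(IOC_XML, FILE_RECORDS)` returns the second and third records; swapping a Context `document` to `UserItem` makes `load_rule` raise, which is the check to run before uploading a file to the product.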
Users with the Senior security officer role can import, delete, download IOC files to their computer, enable or disable the search of indicators of compromise using IOC files, as well as configure the schedule for searching indicators of compromise on computers with the Endpoint Agent component.
Users with the Security officer and Security auditor roles can view the list of IOC files and information about the selected file, and export IOC files to their computer.
Viewing the table of IOC files
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
The table of IOC files contains information about IOC files used for scanning on computers with the Endpoint Agent component installed; you can find the table in the Custom rules section, IOC subsection of the application web interface window.
The table of IOC files contains the following information:
- Importance – Importance level that will be assigned to an alert generated using this IOC file.
The importance level can have one of the following values:
- Low importance.
- Medium importance.
- High importance.
- Type—Type of IOC file depending on the application operating mode and the server to which the IOC file was uploaded:
- Local—IOC files uploaded to an SCN server. These IOC files are used to search for indicators of compromise on hosts with the Endpoint Agent component connected to the SCN server.
- Global—IOC files uploaded to the PCN server. These IOC files are used to search for indicators of compromise on hosts with the Endpoint Agent component connected to the PCN server and all SCN servers connected to the PCN server.
- Name—Name of the IOC file.
- Servers are names of servers with the PCN or SCN role to which the rule applies.
This column is displayed if you are using the distributed solution and multitenancy mode.
- Autoscan—The IOC file is used when automatically scanning hosts with the Endpoint Agent component.
Host scanning using this IOC file can have one of the following statuses:
- Enabled
- Disabled
Viewing information about an IOC file
To view IOC file details:
- In the window of the application web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Select the IOC file for which you want to view information.
This opens a window containing information about the IOC file.
The window contains the following information:
- Clicking the Find alerts link opens the Alerts section with the filter condition populated with the name of your selected IOC file.
- Clicking the Find events link opens the Threat Hunting section with the search condition populated with indicators of compromise of your selected IOC file.
- Clicking the Download link opens the IOC file download window.
- Autoscan—The IOC file is used when automatically scanning hosts with the Endpoint Agent component.
- Name—Name of the IOC file.
- Importance—Importance level that must be assigned to an alert generated using this IOC file.
The importance level can have one of the following values:
- Low importance.
- Medium importance.
- High importance.
- Apply to—Displays the name of the tenant and the names of servers associated with events scanned based on this IOC file (in distributed solution and multitenancy mode).
- XML—Displays the IOC file contents in XML format.
Uploading an IOC file
IOC files having UserItem properties for domain users are not supported.
To upload an IOC file:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Click Import.
This opens the file selection window on your local computer.
- Select the file that you want to upload and click Open.
- Specify the following parameters:
- Autoscan—The IOC file is used when automatically scanning hosts with the Endpoint Agent component:
- Enabled
- Disabled
- Name—Name of the IOC file.
- Importance—Importance level that must be assigned to an alert generated using this IOC file:
- Low.
- Medium.
- High.
- Apply to—Name of the tenant and names of the servers which you want to scan using this IOC file (in distributed solution and multitenancy mode).
- Click Save.
The IOC file will be uploaded in XML format.
Downloading an IOC file to a computer
You can download a previously uploaded IOC file to a computer.
To download an IOC file:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Select the IOC file that you want to download.
This opens a window containing information about the IOC file.
- Depending on your browser settings, click the Download link to save the file to the default folder or specify a folder in which to save the file.
The IOC file is saved to your computer in the browser's downloads folder.
Enabling and disabling the automatic use of an IOC file when scanning hosts
You can enable or disable the automatic use of an IOC file for searching for indicators of compromise on hosts with the Endpoint Agent component.
To enable or disable the automatic use of an IOC file for searching for indicators of compromise on hosts with the Endpoint Agent component:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- In the row containing the IOC file whose use you want to enable or disable, in the State column, set the toggle switch to one of the following positions:
- Enabled
- Disabled
Automatic use of an IOC file for searching for indicators of compromise on hosts with the Endpoint Agent component is enabled or disabled.
Users with the Security auditor and Security officer roles cannot enable or disable automatic application of an IOC file.
Deleting an IOC file
To delete an IOC file:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Select the IOC file that you want to delete.
This opens a window containing information about the IOC file.
- Click Delete.
The IOC file will be deleted.
Users with the Security auditor and Security officer roles cannot delete IOC files.
Searching for alerts in IOC scan results
To find and view scan results for the selected IOC file:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Select the IOC file for which you want to view scan results.
This opens a window containing information about the IOC file.
- Go to the alert database by clicking Find alerts.
The alert table is opened in a new browser tab.
You can also view scan results for all IOC files by filtering alerts by technology name.
Searching for events using an IOC file
To view events found using an IOC file:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Select the IOC file to use for searching for events in the event database.
This opens a window containing information about the IOC file.
- Go to the event database by clicking Find events.
The event table is opened in a new browser tab.
Filtering and searching IOC files
To filter or search for IOC files by required criteria:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the table of IOC files.
- Depending on the filtering criterion, do the following:
The table of IOC files will display only IOC files that match the filter criteria you have set.
You can use multiple filters at the same time.
Clearing an IOC file filter
To clear the IOC file filter for one or more filtering criteria:
- In the window of the program web interface, select the Custom rules section, IOC subsection.
This opens the IOC file table.
- Click the icon to the right of the header of the IOC file table column for which you want to clear the filtering conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table of IOC files will display only IOC files that match the remaining filter criteria.
Configuring an IOC scan schedule
You can configure the schedule for searching for indicators of compromise using IOC files on hosts with the Endpoint Agent component.
Users with Security auditor and Security officer roles cannot configure the schedule for searching for indicators of compromise using IOC files.
To configure the schedule for searching for indicators of compromise using IOC files on hosts with the Endpoint Agent component:
- In the window of the application web interface, select the Settings section, Endpoint Agents subsection, IOC scanning schedule group of settings.
- In the Start time drop-down lists, select the start time of the indicator of compromise search. The time is specified in the time zone of the Central Node server on which you are performing the configuration.
If the Endpoint Agent gets the new scan schedule later than the time specified in the IOC scanning schedule, the next scan is initiated the next day at the specified time.
- In the Maximum scan duration drop-down list, select a time limit for completing the indicator of compromise search.
- Click Apply.
The new schedule for searching for indicators of compromise using IOC files on hosts with the Endpoint Agent component becomes active immediately after changes are saved. Results of the indicator of compromise search are displayed in the table of alerts.
Managing the search for indicators of compromise using IOC files is limited to the functionality provided by the web interface of Kaspersky Anti Targeted Attack Platform. No alternative ways of managing the search for indicators of compromise are provided.
If you are using Kaspersky Endpoint Security for Windows in the role of the Endpoint Agent component, make sure that the IOC files comply with the requirements. You must also take into account that when adding the RegistryItem data type to the IOC search scope, the application analyzes only certain registry keys.
For more details on the requirements for IOC files and the scanned registry keys, refer to the Online Help for Kaspersky Endpoint Security for Windows:
Managing user-defined Intrusion Detection rules
To detect intrusions in network traffic, you can use Intrusion Detection rules and additional Intrusion Detection methods that use built-in algorithms. When indicators of attacks are detected in traffic, Kaspersky Anti Targeted Attack Platform registers Intrusion Detection technology events.
A valid KATA or KATA + NDR license key is required to manage user-defined Intrusion Detection rules.
An Intrusion Detection rule describes a traffic anomaly that may signify an attack in the network. Rules contain conditions that the Intrusion Detection system uses to analyze traffic.
Intrusion Detection rules are applied if the Rule-based Intrusion Detection method is enabled. You can enable or disable the method.
You can use the following types of rule sets:
- System rule sets. These rule sets are supplied by Kaspersky and are designed to detect indicators of the most common attacks or unwanted network activity. System rule sets are available immediately after installing the application. You can update system rule sets by installing updates.
- User-defined rule sets. These are the rule sets that you upload yourself. The files you upload must contain data structures that define Intrusion Detection rules. Files that you want to upload must all be in the same directory, and they must have the .rules extension. The names of the custom rule sets match the names of the files from which the rule sets were uploaded.
User-defined Intrusion Detection rule sets are displayed in the Custom rules → Intrusion detection section.
The application supports up to 50,000 rules in total across all uploaded rule sets. You can upload up to 100 rule sets.
Rules loaded from user-defined rule sets may contain traffic analysis conditions that cause the application to register too many rule triggering events. In that case, you must keep in mind that registering too many events can impact the performance of the Intrusion Detection system.
Intrusion Detection rule sets can be enabled or disabled. Rules from an enabled rule set are applied when analyzing traffic if the Rule-based Intrusion Detection method is enabled. If a rule set is disabled, the rules in that rule set are not applied.
When a rule set is uploaded, the application checks the rules it contains. If any errors are found in the rules, the application blocks such rules and they are not applied. If errors are found in all rules of a rule set or the rule set does not contain any rules, the application disables such a rule set.
When conditions specified in a rule from an enabled set are detected in traffic, the application registers a rule triggering event. System event types are used for registration, which have the following codes:
- 4000003000 for an event involving a rule from the system rule set being triggered
- 4000003001 for an event involving a rule from a user-defined rule set being triggered
User-defined rule sets can contain rules obtained from other intrusion detection and prevention systems. When processing such rules, the application does not perform the specified actions that apply to network packets (for example, the drop and reject actions). When an intrusion detection rule triggers, Kaspersky Anti Targeted Attack Platform only registers an event.
The values of Kaspersky Anti Targeted Attack Platform event scores correspond to the priority values in the intrusion detection rules (see the table below).
Correspondence between rule priorities and event scores

| Priority values in intrusion detection rules | Kaspersky Anti Targeted Attack Platform event scores |
|---|---|
| 4 or more | 2.5 |
| 3 | 4.5 |
| 2 | 6.5 |
| 1 | 9 |
You can configure the settings for registering Intrusion Detection events under Settings → Event types.
You can view Intrusion Detection events in the table of registered events.
Users with the Senior security officer role can upload, enable, and disable user-defined Intrusion Detection rule sets. Users with the Security auditor role can view user-defined detection rule sets. Users with the Security officer role do not have access to user-defined intrusion detection rules.
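The upload and scoring behaviour described above (blocked rules, a set disabled when it has no usable rule, packet actions such as drop and reject turned into events only, priority mapped to event score), as an added example that is not Kaspersky code. It assumes Snort/Suricata-style signature syntax for rules taken from other IDS/IPS products and a default priority of 3 when a rule gives none; the sample rule set is constructed.

```python
# Added example (not Kaspersky code): validation and scoring of an uploaded
# .rules file, modelled on the behaviour described above. Snort/Suricata-style
# signatures are assumed, as is a default priority of 3 when none is given.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SYSTEM_RULE_EVENT = 4000003000   # rule from the system rule set triggered
USER_RULE_EVENT = 4000003001     # rule from a user-defined rule set triggered
FORBIDDEN_NAME_CHARS = set('\\/:*?,"<>|')
# Actions seen in IDS/IPS rule syntax; drop/reject are accepted but never executed.
KNOWN_ACTIONS = {"alert", "log", "pass", "drop", "reject"}
RULE_RE = re.compile(  # action proto src sport dir dst dport (options)
    r"^(?P<action>\w+)\s+\w+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s+\((?P<opts>.*)\)\s*$")

def priority_to_score(priority: int) -> float:
    """Event score for a rule priority (correspondence table above)."""
    return 2.5 if priority >= 4 else {3: 4.5, 2: 6.5, 1: 9.0}[priority]

@dataclass
class Rule:
    sid: int
    msg: str
    action: str
    priority: int

@dataclass
class RuleSet:
    name: str
    rules: List[Rule] = field(default_factory=list)
    blocked: List[Tuple[int, str]] = field(default_factory=list)  # (line, reason)
    enabled: bool = True

    @property
    def status(self) -> str:
        if not self.enabled:
            return "Disabled"
        return "OK" if not self.blocked else "Errors in some rules"

def parse_options(opts: str) -> dict:
    """Split 'key:value; key;' option text (values containing ';' are not handled)."""
    out = {}
    for item in filter(None, (i.strip() for i in opts.split(";"))):
        key, _, value = item.partition(":")
        out[key.strip()] = value.strip().strip('"')
    return out

def parse_rule(line: str) -> Tuple[Optional[Rule], Optional[str]]:
    """Return (Rule, None) for a usable rule or (None, reason) for a blocked one."""
    m = RULE_RE.match(line)
    if not m:
        return None, "malformed rule header"
    if m.group("action") not in KNOWN_ACTIONS:
        return None, f"unknown action '{m.group('action')}'"
    opts = parse_options(m.group("opts"))
    if not opts.get("sid", "").isdigit():
        return None, "missing or invalid sid"
    prio = opts.get("priority", "3")
    if not prio.isdigit() or int(prio) < 1:
        return None, f"invalid priority '{prio}'"
    return Rule(int(opts["sid"]), opts.get("msg", ""), m.group("action"), int(prio)), None

def load_rule_set(file_name: str, text: str) -> RuleSet:
    """Validate one uploaded file; the resulting set is named after the file."""
    if not file_name.endswith(".rules") or FORBIDDEN_NAME_CHARS & set(file_name):
        raise ValueError(f"file name not accepted: {file_name!r}")
    rs = RuleSet(name=file_name)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule, err = parse_rule(line)
        if rule:
            rs.rules.append(rule)
        else:
            rs.blocked.append((n, err))
    if not rs.rules:  # every rule erroneous, or no rules at all: set is disabled
        rs.enabled = False
    return rs

def register_event(rule_set: RuleSet, rule: Rule, user_defined: bool = True) -> Optional[dict]:
    """Event registered when `rule` matches traffic; packet actions are never applied."""
    if not rule_set.enabled:
        return None
    return {"type": USER_RULE_EVENT if user_defined else SYSTEM_RULE_EVENT,
            "sid": rule.sid, "msg": rule.msg, "score": priority_to_score(rule.priority),
            "packet_action_executed": False}  # drop/reject only produce an event

# Constructed sample rule set (not from any real feed).
SAMPLE_RULES = """\
# two usable rules, one relying on the default priority, two that must be blocked
alert tcp any any -> $HOME_NET 445 (msg:"SMB probe"; sid:1000001; rev:1; priority:2;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH guessing"; sid:1000002; priority:1;)
alert udp any any -> any 53 (msg:"no priority given"; sid:1000003;)
this is not a rule
alert tcp any any -> any 80 (msg:"missing sid"; priority:3;)
"""
```

Calling `load_rule_set("sample.rules", SAMPLE_RULES)` yields three usable rules, two blocked lines and the status "Errors in some rules"; a file with no usable rule comes back disabled.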
Intrusion Detection rules
Additional Intrusion Detection methods
To detect intrusions, you can use the following additional methods:
- Detection of signs of falsified addresses in ARP packets (ARP spoofing).
If ARP spoofing detection is enabled, Kaspersky Anti Targeted Attack Platform checks the addresses specified in ARP packets and detects indicators of low-level man-in-the-middle (MITM) attacks. This type of attack in networks that use the ARP protocol is indicated by fake ARP messages being found in the traffic.
When indicators of ARP spoofing are detected, the application registers Intrusion Detection technology events. System event types are used for registration, which have the following codes:
- 4000004001 for an event involving the detection of multiple ARP responses that are not associated with ARP requests
- 4000004002 for an event involving the detection of multiple ARP requests from the same MAC address to different recipients
- TCP Protocol Anomaly Detection.
If TCP Protocol Anomaly Detection is enabled, Kaspersky Anti Targeted Attack Platform scans TCP segments of the data stream in supported application layer protocols.
When Kaspersky Anti Targeted Attack Platform detects packets containing overlapping TCP segments with different content, it registers an Intrusion Detection technology event. Events are registered with system event type code 4000002701.
- IP Protocol Anomaly Detection.
If IP protocol anomaly detection is enabled, Kaspersky Anti Targeted Attack Platform scans fragmented IP packets.
When IP packet assembly errors are detected, the application registers Intrusion Detection technology events. System event types are used for registration, which have the following codes:
- 4000005100 for an event involving the detection of a data conflict during IP packet assembly (IP fragment overlapped)
- 4000005101 for an event involving the detection of an IP packet exceeding the maximum allowed size (IP fragment overrun)
- 4000005102 for an event involving the detection of an IP packet with the initial fragment smaller than expected (IP fragment too small)
- 4000005103 for an event involving the detection of mis-association of fragments of an IP packet (mis-associated fragments)
- Brute-force Attack and Scan Detection.
When Brute-force Attack and Scan Detection is enabled, Kaspersky Anti Targeted Attack Platform examines network activity statistics to detect indicators of brute force attacks, denial of service attacks, scanning, network service spoofing, and other anomalies.
This method uses built-in rules. When the rules are triggered, the application registers an Intrusion Detection technology event. Events are registered with system event type code 4000003002.
You can enable or disable methods. Additional Intrusion Detection methods can be applied regardless of whether Intrusion Detection rules exist or are enabled. Additional detection methods use built-in algorithms.
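The two ARP spoofing indicators listed above, as an added detection example (not Kaspersky's implementation): it counts replies that answer no recent request and requests from one MAC to many different targets, and reports them with the documented event type codes. The thresholds, the one-second request/reply matching window, the packet representation and the trace are assumptions constructed for the example.

```python
# Added example (not Kaspersky code): a minimal detector for the two ARP
# spoofing indicators described above. Thresholds, the matching window and
# the packet representation are assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

UNSOLICITED_REPLIES_EVENT = 4000004001  # multiple ARP replies not associated with requests
REQUEST_FANOUT_EVENT = 4000004002       # multiple ARP requests from one MAC to different targets

@dataclass(frozen=True)
class ArpPacket:
    ts: float          # capture time in seconds
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def detect_arp_anomalies(packets: List[ArpPacket], unsolicited_threshold: int = 3,
                         fanout_threshold: int = 10, window: float = 1.0) -> List[Dict]:
    """Return one event per MAC address that crosses a threshold."""
    pending = []                    # open requests: (ts, asker MAC, asked-for IP)
    unsolicited = Counter()         # sender MAC -> replies without a matching request
    fanout = defaultdict(set)       # sender MAC -> distinct IPs it asked for
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.op == "request":
            pending.append((p.ts, p.sender_mac, p.target_ip))
            fanout[p.sender_mac].add(p.target_ip)
        elif p.op == "reply":
            pending = [r for r in pending if p.ts - r[0] <= window]   # expire old requests
            # A reply is associated with a request when it goes back to that
            # request's asker and carries the IP that was asked for.
            match = next((r for r in pending
                          if r[1] == p.target_mac and r[2] == p.sender_ip), None)
            if match:
                pending.remove(match)
            else:
                unsolicited[p.sender_mac] += 1
    events = [{"type": UNSOLICITED_REPLIES_EVENT, "mac": mac, "count": n}
              for mac, n in unsolicited.items() if n >= unsolicited_threshold]
    events += [{"type": REQUEST_FANOUT_EVENT, "mac": mac, "count": len(ips)}
               for mac, ips in fanout.items() if len(ips) >= fanout_threshold]
    return events

def sample_trace() -> List[ArpPacket]:
    """Constructed trace: one normal exchange, then unsolicited replies, then a request sweep."""
    gw, host = "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01"
    trace = [ArpPacket(0.00, "request", host, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
             ArpPacket(0.01, "reply", gw, "10.0.0.1", host, "10.0.0.5")]
    trace += [ArpPacket(1.0 + i, "reply", "bb:bb:bb:bb:bb:bb", "10.0.0.1",
                        "ff:ff:ff:ff:ff:ff", "10.0.0.1") for i in range(4)]
    trace += [ArpPacket(10.0 + i / 100, "request", "cc:cc:cc:cc:cc:cc", "10.0.0.9",
                        "00:00:00:00:00:00", f"10.0.0.{20 + i}") for i in range(12)]
    return trace
```

On the constructed trace the normal request/reply pair produces nothing, while the other two senders each produce one event.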
Enabling and disabling sets of Intrusion Detection rules
Intrusion Detection rule sets can be Enabled or Disabled. If a rule set is disabled, none of the rules in that rule set are used for intrusion detection.
When you enable or disable selected rule sets, the Intrusion Detection system is restarted on all computers that have application components (Central Node and Sensor) installed. A restart is necessary to apply the changes.
Only users with the Senior security officer role can change the status of Intrusion Detection rule sets.
To change the status of Intrusion Detection rule sets:
- In the window of the application web interface, select the Custom rules section, Intrusion detection subsection.
- Select the check boxes next to the rule sets whose status you want to change.
- Right-click to open the context menu.
- In the context menu, select one of the following commands:
- Enable if you want to enable all disabled sets of rules from among the selected rule sets.
- Disable if you want to disable all enabled sets of rules from among the selected rule sets.
- Change the statuses of selected rule sets if you want to invert the statuses of all selected rule sets. This option allows you to quickly enable and disable selected rule sets with different statuses on all computers with installed application components: to apply the changes, you only need one restart of the Intrusion Detection system on these computers.
- In the confirmation window, click OK.
The statuses of the intrusion detection rule sets are changed.
Loading and replacing user-defined sets of Intrusion Detection rules
You can upload Intrusion Detection rule sets from files into the application. To be uploaded to the application, files with Intrusion Detection rule descriptions must be located in the same folder and have the .rules extension. File names may not contain the following characters: \ / : * ? , " < > |
Intrusion Detection rules uploaded from a file are saved in the application as a user-defined rule set. The name of the rule set is the same as the name of the file from which the rule set was uploaded.
When rule sets are uploaded from files, current user-defined rule sets are deleted from the table and replaced with new rule sets.
Only users with the Senior security officer role can upload user-defined Intrusion Detection rule sets.
To upload and replace user-defined Intrusion Detection rule sets:
- In the window of the application web interface, select the Custom rules section, Intrusion detection subsection.
- In the toolbar, click the Replace all user-defined rules button.
- In the confirmation window, click OK.
This opens the file upload window.
- Select the folder that contains the files that you need and click the button to upload files from this folder.
The rule set table displays new user-defined rule sets. All rule sets without errors are enabled.
- Check the uploaded rule sets for errors.
Information about the detected errors is displayed in the Rules column. The OK status is displayed if there are no errors. If the rule set contains errors, you can view detailed information about them by clicking Details.
- If necessary, enable or disable the rule sets (including the rule sets that have the Errors in some rules status).
User-defined Intrusion Detection rule sets are uploaded.
Removing user-defined sets of Intrusion Detection rules
You can delete all user-defined Intrusion Detection rule sets that were uploaded into the application from files. Selecting which user-defined rule sets to delete is not possible. If you want to use only some of the current rule sets in the application, you can copy the files with these sets to a separate folder and replace all user-defined rule sets with rule sets from this folder.
Only users with the Senior security officer role can delete user-defined Intrusion Detection rule sets.
To delete user-defined Intrusion Detection rule sets:
- In the window of the application web interface, select the Custom rules section, Intrusion detection subsection.
- In the toolbar, click the Delete all user-defined rules button.
- In the confirmation window, click OK.
This opens a window for selecting the folder with Intrusion Detection rule files.
All user-defined Intrusion Detection rule sets are deleted from the table.
Managing user-defined YARA rules
You can use YARA rules as YARA module databases to scan files and objects received at the Central Node and to scan hosts with the Endpoint Agent component.
In distributed solution and multitenancy mode, custom YARA rules can have one of the following types:
- Global—Created on the PCN server. These rules are used to scan files and objects received at the PCN server and all SCN servers connected to that PCN server. Scanned files and objects belong to the tenant which the user is managing in the application web interface.
- Local—Created on the SCN server. These rules are used to scan files and objects received at the SCN server. Scanned files and objects belong to the tenant which the user is managing in the application web interface.
When managing the application web interface, users with the Senior security officer role can import a YARA rule file into Kaspersky Anti Targeted Attack Platform using the application web interface.
Users with the Security auditor and Security officer roles can only view YARA rules.
Viewing the YARA rule table
The table of user-defined YARA rules contains information about YARA rules that are used to scan files and objects and to create alerts; the table is displayed in the Custom rules section, YARA subsection of the application web interface window.
The table contains the following information:
- Created is the rule creation time.
- Importance—Alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this alert may have on computer or corporate LAN security based on Kaspersky experience.
By default, alerts generated as a result of scanning by uploaded YARA rules are assigned a high importance.
- Type is the type of the rule depending on the operating mode of the application and the role of the server which generated the rule:
- Global—Created on the PCN server. These rules are used to scan files and objects received at the PCN server and all SCN servers connected to that PCN server. Scanned files and objects belong to the tenant which the user is managing in the application web interface.
- Local—Created on the SCN server. These rules are used to scan files and objects received at the SCN server. Scanned files and objects belong to the tenant which the user is managing in the application web interface.
- Name is the name of the rule.
- File name is the name of the file from which the rule was imported.
- Created by is the name of the user whose account was used to import the rule.
- Servers is the name of the server with the PCN or SCN role to which the rule applies.
This column is displayed if you are using the distributed solution and multitenancy mode.
- Traffic scanning is the usage status of the rule when stream scanning files and objects arriving at the Central Node:
- Enabled – the rule is being used.
- Disabled – the rule is not being used.
Configuring YARA rule table display
You can show or hide columns and change the order of columns in the table.
To configure the table display:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- In the heading part of the table, click the table customization icon.
This opens the Customize table window.
- If you want to show a column in the table, select the check box next to the name of the parameter that you want displayed in the table.
If you want to hide a parameter in the table, clear the check box.
At least one check box must be selected.
- If you want to change the order of columns in the table, move the mouse cursor to the row with the relevant parameter, click the icon that appears, and move the row to its new place.
- If you want to restore default table display settings, click Default.
- Click Apply.
The table display is configured.
Importing YARA rules
To import YARA rules:
- In the window of the program web interface, select the Custom rules section, YARA subsection.
- Click Upload.
This opens the file selection window.
- Select the YARA rule file that you want to upload and click Open.
This closes the file selection window and opens the Import YARA rules window.
The maximum allowed size of an uploaded file is 20 MB.
A report is displayed in the lower part of the window. The report contains the following information:
- The number of rules that can be successfully imported.
- The number of rules that will not be imported (if any).
For each rule that cannot be imported, its name is listed.
- Select the Traffic scanning check box if you want to use imported rules for streaming scans of objects and data received at the Central Node.
- If necessary, enter any additional information in the Description field.
The Importance field cannot be edited. By default, alerts generated by uploaded YARA rules are assigned a high level of importance.
- Under Apply to, select check boxes corresponding to servers on which you want to apply the rules.
This field is displayed only when you are using the distributed solution and multitenancy mode.
- Click Save.
Imported rules are displayed in the table of YARA rules.
Viewing YARA rule details
To view YARA rule details:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- Select the rule for which you want to view information.
This opens a window containing information about the rule.
The window contains the following information:
- Click the Alerts link to display the alert table in a new browser tab. The alerts are filtered by the Targeted Attack Analyzer technology and the name of the TAA (IOA) rule that you are working on.
- The Start YARA scan link opens the task creation window.
- The Download link lets you download a file with YARA rules.
- Rule name is the name of the rule specified in the file.
- Traffic scanning is the usage status of the rule when stream scanning files and objects arriving at the Central Node.
- Type is the type of the rule depending on the role of the server which generated it:
- Global—Created on the PCN server. These rules are used to scan files and objects received at the PCN server and all SCN servers connected to that PCN server. Scanned files and objects belong to the tenant which the user is managing in the application web interface.
- Local—Created on the SCN server. These rules are used to scan files and objects received at the SCN server. Scanned files and objects belong to the tenant which the user is managing in the application web interface.
- Importance is the importance level assigned to the alert created as a result of scanning by this rule.
By default, alerts generated as a result of scanning by uploaded YARA rules are assigned a high importance.
- Description is any additional information about the rule that you specified.
- Apply to is the name of the servers with the Central Node component on which the rule is applied.
Filtering and searching YARA rules
To filter or search for YARA rules by required criteria:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- Depending on the filtering criterion, do the following:
The table displays only rules that match the specified criteria.
You can use multiple filters at the same time.
Clearing a YARA rule filter
To clear the YARA rule filter for one or more filtering criteria:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- Click the icon to the right of the column heading of the rule table for which you want to clear filtering criteria.
If you want to clear multiple filter conditions, take steps to clear each filter condition individually.
The selected filters are cleared.
The table displays only rules that match the remaining filter criteria.
Enabling and disabling YARA rules
Users with the Senior security officer role can enable or disable one or several rules, as well as all rules at once.
When working in distributed solution and multitenancy mode, you can enable or disable only those YARA rules that were created on the current server. This means that in the web interface of the PCN, you can enable or disable only the rules that were created on the PCN server, and in the web interface of an SCN, only the rules that were created on that SCN server.
If YARA rules with identical names are enabled on the PCN and SCN servers, the PCN rule takes precedence over the SCN rule when scanning files and objects.
To enable or disable a YARA rule for stream scanning files and objects arriving at the Central Node:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- In the row with the relevant rule, select or clear the check box in the Traffic scanning column.
The rule is enabled or disabled for stream scanning files and objects arriving at the Central Node.
To enable or disable all or multiple YARA rules for stream scanning files and objects arriving at the Central Node:
- In the window of the program web interface, select the Custom rules section, YARA subsection.
- Select the check boxes on the left of the rules whose use you want to enable or disable.
You can select all rules by selecting the check box in the column header row.
A control panel appears in the lower part of the window.
- Click Enable or Disable to enable or disable all rules.
Selected rules are enabled or disabled for stream scanning files and objects arriving at the Central Node.
Deleting YARA rules
To delete a YARA rule:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- Select the rule that you want to delete.
This opens a window containing information about the rule.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The rule is deleted.
To delete all or multiple YARA rules:
- In the window of the application web interface, select the Custom rules section, YARA subsection.
This opens the YARA rule table.
- Select the check boxes on the left of the rules that you want to delete.
You can select all rules by selecting the check box in the column header row.
A control panel appears in the lower part of the window.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The selected rules will be deleted.
Users with the Security auditor and Security officer roles cannot delete YARA rules.
Managing objects in Storage and quarantine
Storage is used for storing files that must be sent for scanning as well as files obtained as a result of running tasks: Get file, Restore file from quarantine, Get forensics, Get NTFS metafiles, Get registry key, Get process memory dump.
Storage is located on the Central Node server.
You can manage objects in Storage as follows: delete, download, upload, and send objects to be scanned, and filter lists of objects.
Kaspersky Anti Targeted Attack Platform displays the objects in Storage as a table of objects.
If you are using the distributed solution and multitenancy mode, Storage is located on PCN and SCN servers. The web interface of the PCN server displays information about Storage of all connected SCNs for those tenants to which the user has access.
Users with the Senior security officer role can place copies of objects into Storage using tasks or by uploading the object to Storage using the Kaspersky Anti Targeted Attack Platform web interface on the PCN or SCN server that is used for managing tenants to which the user has access.
Users with the Security officer role can only work with files received as part of tasks that the same user created on the PCN or SCN server which is used to manage tenants to which the user has access.
If you consider a file threatening, you can quarantine it on the computer with the Endpoint Agent component. Metadata of the quarantined file are displayed in the Storage section, Quarantine subsection of the Kaspersky Anti Targeted Attack Platform web interface.
Quarantine on a Kaspersky Anti Targeted Attack Platform server is an area of Storage on the server side of the Kaspersky Anti Targeted Attack Platform solution that holds metadata of objects quarantined on Endpoint Agent computers. This metadata is displayed in the Storage section, Quarantine subsection of the web interface of Kaspersky Anti Targeted Attack Platform.
You can manage quarantined objects: restore objects from quarantine and upload copies of objects quarantined on Endpoint Agent computers to Storage of Kaspersky Anti Targeted Attack Platform.
Kaspersky Anti Targeted Attack Platform displays the information about quarantined objects as a table.
The maximum capacity of Storage is determined when configuring the sizing of the application. As soon as this threshold value is exceeded, the application starts to remove the oldest copies of objects from Storage. When the amount of occupied space is again below the threshold value, the application stops removing copies of objects from Storage.
The maximum size of an object that can be placed in Storage is 1 GB.
The actual size of the object can be greater than the apparent size of the object due to the metadata required to restore the object from quarantine. When an object is quarantined, its actual size is considered. Encrypted files may be sent in decrypted form (depending on encryption settings); compressed files are sent as-is.
Viewing the table of objects that were placed in Storage
The table of objects placed in Storage is in the Storage section, Files subsection of the application web interface window.
The table of objects placed in Storage contains the following information:
- Type is the method by which the object was placed in Storage.
The following methods are possible:
- The object was placed in Storage in one of the following ways:
- The Get file task was run.
- A copy was received of an object that was quarantined on hosts with the Endpoint Agent component (in the Storage section, Quarantine subsection, Get file from quarantine action was selected in the menu for the link with the directory of the object).
- The object was placed in Storage in one of the following ways:
- The Get forensics task was run.
- The Get process memory dump task was run.
- The Get registry key task was run.
- The Get NTFS metafiles task was run.
— The object was manually downloaded by the user in the Storage section, Files subsection.
- Object—Information about the object. For example, the file name or file path.
- Scan results—Object scan result.
The scan result is displayed as one of the following values:
- Not detected—As a result of a scan, the application did not detect signs of a targeted attack, probably infected objects, or suspicious activity.
- Error—Object scan ended with an error.
- In process—Object scan has not yet completed.
- Not scanned—Object was not sent to be scanned.
- Detected—As a result of a scan, the application detected signs of a targeted attack, a probably infected object, or suspicious activity.
- Servers is the name of the server with the PCN or SCN role. The host from which the object was received is connected to this server.
This column is displayed if you are using the distributed solution and multitenancy mode.
- Source—IP address or name of the host from which the object was received, or the name of the user account that uploaded the object.
- Time stored—Date and time when the object was placed in Storage.
- Actions—Actions that can be performed with the object. The following actions are available:
— delete an object from Storage.
— send the object in Storage for scanning by the Anti-Malware Engine, YARA, and Sandbox technologies.
— download the object from Storage to your computer.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Filter by this value.
- Exclude from filter.
- Download.
- Send file for scanning.
- Find events:
- File path.
- MD5.
- SHA256.
- Find alerts:
- File path.
- MD5.
- SHA256.
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Filter by this value.
- Exclude from filter.
- Find events.
- Find alerts.
- Copy value to clipboard.
Viewing information about an object manually placed in Storage using the web interface
To view information about an object manually placed in Storage:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- In the table, select the object with the icon for which you want to view information.
This opens the object details window.
The window contains the following information:
- File name—Name of the file.
- Size—Size of the file.
- MD5—MD5 hash of a file.
- SHA256—SHA256 hash of a file.
- Time uploaded—Time of upload for objects that were manually uploaded by a user.
- User name—Name of the user account that manually uploaded the object to Storage.
- Scan results—Result of object scan by the application.
The Find on Kaspersky TIP button allows you to look up the file on the Kaspersky Threat Intelligence Portal.
Click Create prevention rule to prevent the file from running.
You can click Download to download the file to your computer's hard drive.
Clicking the link with the file name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Clicking the link with MD5 opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
Clicking the link with SHA256 opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
Viewing information about an object placed in Storage by a get file task
To view information about an object placed in Storage by a Get file or Get file from quarantine task:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- In the table, select the object with the icon for which you want to view information.
This opens the object details window.
The window contains the following information:
- Recommendations group. The following recommendations can be displayed:
- Object—File name or path.
- Size—Size of the file.
- MD5—MD5 hash of a file.
- SHA256—SHA256 hash of a file.
- Time stored—Time when the object was placed in Storage.
- Tenant—Name of the tenant to which the Central Node, PCN, or SCN server belongs.
- Server—Name of the Central Node, PCN, or SCN server. The host from which the object was received is connected to this server.
- Host—Name of the host from which the object was received.
- Scan results—Result of object scan by the application.
Clicking Sandbox detection displays detailed information about the results of the file behavior analysis.
The Find on Kaspersky TIP button allows you to look up the file on the Kaspersky Threat Intelligence Portal.
Click Create prevention rule to prevent the file from running.
You can click Download to download the file to your computer's hard drive.
Clicking the link with the file name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Clicking the link with MD5 opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
Clicking the link with SHA256 opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
Viewing information about an object placed in Storage by a get data task
To view information about an object placed in Storage by a Get forensics, Get process memory dump, Get registry key, or Get NTFS metafiles task:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- In the table, select the object with the icon for which you want to view information.
This opens the object details window.
The window contains the following information:
- Object is the file name or path.
- Size—Size of the file.
- MD5—MD5 hash of a file.
- SHA256—SHA256 hash of a file.
- Time stored—Time when the object was placed in Storage.
- Host—Name of the host from which the object was received.
You can click Download to download the file to your computer's hard drive.
Clicking the link with the file name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Clicking the link with MD5 opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
Clicking the link with SHA256 opens a list in which you can select one of the following actions:
- Find on Kaspersky TIP.
- Find on virustotal.com.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
Downloading objects from Storage
If you consider an object in Storage to be safe, you can download it to a local computer.
Downloading infected objects could pose a threat to the security of your local computer.
To download an object from Storage:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- In the right part of the line with the name of the object that you want to download, click the download icon.
The object will be saved to your local computer in the browser's downloads folder. The file is downloaded as a ZIP archive protected with the password "infected".
Uploading objects to Storage
If you need to scan a specific object, you can upload this object to Storage and send it to be scanned.
To upload an object to Storage:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- In the upper-right corner of the window, click Upload.
This opens the file selection window.
- Select the object that you want to upload to Storage.
- If you want to upload a file with the .Lnk extension to Storage:
- In the File name field, enter *.Lnk and press Enter.
- Select the object.
- Click Open.
The object is uploaded to Storage and displayed in the table of objects.
Users with the Security auditor role cannot upload objects to Storage.
Sending objects in Storage for scanning
You can scan Storage objects with the Central Node component using the Anti-Malware Engine and YARA technologies, and with the Sandbox component.
It is recommended to send objects from Storage to be scanned in the following cases:
- Scanning of objects when placed in Storage had been disabled.
- Application databases have been updated.
- An object was manually uploaded to Storage.
To send an object from Storage for scanning:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- Click the object that you want to scan.
This opens the object details window.
- Click Scan.
The object scan will start.
After the object scan is complete, its status will be displayed in the object table.
You can also send an object in Storage for scanning by clicking in the right part of the object information row in the table of objects placed in Storage.
Users with the Security auditor role cannot scan objects in Storage.
Deleting objects from Storage
To delete an object from Storage:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- Click the object that you want to delete.
This opens the object details window.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The object will be deleted from Storage.
You can also delete an object in Storage by clicking in the right part of the object information row in the table of objects placed in Storage.
To delete all or multiple objects from Storage:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- Select check boxes next to objects that you want to delete from Storage.
You can select all objects by selecting the check box in the row containing the headers of columns.
- In the pane that appears in the lower part of the window, click Delete.
This opens the action confirmation window.
- Click Yes.
The selected objects are removed from Storage.
Users with the Security auditor role cannot delete objects in Storage.
Filtering objects in Storage by object type
To filter objects in Storage by type:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- Click the Type link to open the object filtering menu.
- Select one or more check boxes:
- Uploaded by a Get file task if you want the table to display objects that were placed in Storage by Get file and Restore file from quarantine tasks.
- Uploaded through the web interface if you want the table to display objects uploaded by the user using the Kaspersky Anti Targeted Attack Platform web interface.
- Uploaded by a get data task if you want the table to display objects placed in Storage by Get forensics, Get NTFS metafiles, Get registry key, Get process memory dump tasks.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering objects in Storage by object description
To filter objects in Storage by object description:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- Click the Object link to open the object filtering menu.
- In the drop-down list, select one of the following options:
- File path.
- MD5.
- SHA256.
- In the drop-down list, select one of the following object filtering operators:
- Contain
- Not contain
- Equal to
- Not equal to
- Matches
- Not matches
- In the entry field, specify one or several characters of the object description.
- To add a filter condition using a different criterion, click the icon and specify the filter condition.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering objects in Storage based on scan results
To filter objects in Storage by scan results for these objects:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- Click the Scan results link to open the object filtering menu.
- Select one or more check boxes:
- Not detected.
- Error.
- In process.
- Not scanned.
- Detected.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering objects in Storage based on the name of Central Node, PCN, or SCN server
To filter objects in Storage by the name of Central Node, PCN, or SCN server:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- Click the Servers link to open the object filtering menu.
- Select one or more check boxes next to the servers by which you want to filter objects in Storage.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering objects in Storage by object source
To filter objects in Storage by the source from which they were received:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- Click the Source link to open the object filtering menu.
- In the drop-down list, select one of the following object filtering operators:
- Contain
- Not contain
- In the entry field, specify one or several characters of the IP address, host name or name of the user account that manually uploaded the object.
- To add a filter condition using a different criterion, click the icon and specify the filter condition.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering objects based on the time they were placed in Storage
To filter objects by the time when they were placed in Storage:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- Click the Time stored link to open the object filtering menu.
- Select one of the following object display periods:
- All if you want the table to display all objects that were placed in Storage.
- Last hour if you want the table to display objects that were placed in Storage during the last hour.
- Last day if you want the table to display objects that were placed in Storage during the last day.
- Custom range if you want the table to display objects that were placed in Storage during the period you specify.
- If you have selected the Custom range object display period:
- In the calendar that opens, specify the start and end dates of the object display period.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Clearing a Storage objects filter
To clear the Storage objects filter for one or more filtering criteria:
- In the application web interface window, select the Storage section, Files subsection.
This opens the object table.
- Click the icon to the right of the header of the Storage objects table column for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The objects table will display only objects matching the filter criteria you have set.
Viewing the table of objects quarantined on computers with the Kaspersky Endpoint Agent component
The table of objects quarantined on computers with the Endpoint Agent component can be found in the Storage section, Quarantine subsection of the application web interface.
The Kaspersky Anti Targeted Attack Platform server stores metadata of objects quarantined on computers with the Endpoint Agent component. The objects themselves are kept in special storage on each computer where the threatening object was detected.
The table of objects quarantined on computers with the Endpoint Agent component contains the following information:
- Object—Information about the object. For example, the file name or file path.
- Source—IP address or host name of the computers with the Endpoint Agent component where the object is quarantined.
- Time stored—Date and time when the object was quarantined.
- State—State of the object.
The right part of the object information row contains buttons:
- You can click the icon to delete the metadata of the object on the Kaspersky Anti Targeted Attack Platform server.
- You can click the icon to restore the object from quarantine on a computer with the Endpoint Agent component.
- You can click the icon to copy the object from quarantine on a computer with the Endpoint Agent component to the Kaspersky Anti Targeted Attack Platform server.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Filter by this value.
- Exclude from filter.
- Download.
- Send file for scanning.
- Find events:
- File path.
- MD5.
- SHA256.
- Find alerts:
- File path.
- MD5.
- SHA256.
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Filter by this value.
- Exclude from filter.
- Find events.
- Find alerts.
- Copy value to clipboard.
Viewing information about a quarantined object
To view information about an object quarantined on a computer with the Endpoint Agent component:
- In the application web interface window, select the Storage section, Quarantine subsection.
This opens the object table.
- In the table, select the object whose information you want to view.
This opens the object details window.
The window contains the following information:
- Recommendations group. The Task recommendation can be displayed, which is a link that opens the Tasks section; this is the task that has quarantined the object.
- Type is the type of the quarantined object.
The following types of objects are available:
— file.
— process memory dump.
- Object—File name or path.
- State is the state of the file (whether the file can be restored from quarantine).
- Source is the name of the computer with the Endpoint Agent component on which the object is quarantined.
- Recording time is the date and time when the object was quarantined.
- Actions—Actions that can be performed with the file.
The following actions are available:
— delete the file from quarantine.
— obtain a copy of the file on the Kaspersky Anti Targeted Attack Platform server.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Restoring an object from Quarantine
To restore the object from quarantine on a computer with the Endpoint Agent component:
- In the application web interface window, select the Storage section, Quarantine subsection.
This opens the object table.
- In the table, select the object that you want to restore from quarantine on the computer with the Endpoint Agent component.
This opens the object details window.
- Click Restore in the lower part of the window.
This opens the Tasks section and the Restore file from quarantine task.
- In the Description field, enter the task description.
- Click Add.
The file is restored from quarantine.
You can also run the task to restore the file from quarantine by clicking in the right part of the row with object information of the table of objects quarantined on computers with the Endpoint Agent component.
In distributed solution and multitenancy mode, a file that is quarantined on an SCN server cannot be restored on the PCN server. You can restore the file on the SCN server on which the quarantine file task was created.
Users with the Security auditor role cannot restore objects from quarantine.
Obtaining a copy of a quarantined object on a Kaspersky Anti Targeted Attack Platform server
The object that you want to download a copy of must not exceed 100 MB. If the object exceeds 100 MB, the task finishes with an error.
To copy an object quarantined on a computer with the Kaspersky Endpoint Agent component to a Kaspersky Anti Targeted Attack Platform server:
- In the application web interface window, select the Storage section, Quarantine subsection.
This opens the object table.
- In the table, select the quarantined object whose copy you want to obtain.
This opens the object details window.
- Click Get file in the lower part of the window.
This creates a task for getting a copy of an object that was quarantined on a computer with the Endpoint Agent component. If the task completes successfully, the copy of the object is uploaded to the Kaspersky Anti Targeted Attack Platform server. The object is displayed in the Storage section, Files subsection of the application web interface in the table of objects placed in Storage.
Information about the created task is displayed in the Tasks section of the web interface.
You can also copy an object from quarantine on a computer with the Endpoint Agent component to the Kaspersky Anti Targeted Attack Platform server by clicking in the right part of the object information row in the table of objects quarantined on computers with the Endpoint Agent component.
Users with the Security auditor role cannot get copies of objects from quarantine.
Removing information about the quarantined object from the table
To delete the information of an object quarantined on a computer with the Kaspersky Endpoint Agent component from the Kaspersky Anti Targeted Attack Platform table:
- In the application web interface window, select the Storage section, Quarantine subsection.
This opens the object table.
- Click the object for which you want to delete information from the table.
This opens the object details window.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The information about the object quarantined on the computer with the Endpoint Agent component is deleted from the table.
You can also delete the information of an object quarantined on a computer with the Endpoint Agent component from the table by clicking in the right part of the object information row in the table of quarantined objects.
Users with the Security auditor role cannot delete information about a quarantined object from the table.
Filtering information about quarantined objects by object type
To filter quarantined object details by object type:
- In the application web interface window, select the Storage section, Quarantine subsection.
This opens the object table.
- Click the Type link to open the object filtering menu.
- Select one or more check boxes:
- File if you want the table to display metadata of quarantined objects.
- Process memory dump if you want the table to display metadata of quarantined dumps.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering information about quarantined objects by object description
To filter quarantined object details by object description:
- In the application web interface window, select the Storage section, Quarantine subsection.
This opens the object table.
- Click the Object link to open the object filtering menu.
- In the drop-down list, select one of the following object filtering operators:
- Contain
- Not contain
- In the entry field, specify one or several characters of the object description.
- To add a filter condition using a different criterion, click the icon and specify the filter condition.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering information about quarantined objects by host name
To filter quarantined object details by the name of the host where they were quarantined:
- In the application web interface window, select the Storage section, Quarantine subsection.
This opens the object table.
- Click the Source link to open the object filtering menu.
- In the drop-down list, select one of the following object filtering operators:
- Contain
- Not contain
- In the entry field, specify one or several characters of the host name.
- To add a filter condition using a different criterion, click the icon and specify the filter condition.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering information about quarantined objects by time
To filter quarantined object details by the time when the objects were quarantined:
- In the application web interface window, select the Storage section, Quarantine subsection.
This opens the object table.
- Click the Time stored link to open the object filtering menu.
- Select one of the following object display periods:
- All if you want the table to display all objects.
- Last hour if you want the table to display objects that were quarantined during the last hour.
- Last day if you want the table to display objects that were quarantined during the last day.
- Custom range if you want the table to display objects that were quarantined during the period you specify.
- If you have selected the Custom range object display period:
- In the calendar that opens, specify the start and end dates of the object display period.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Resetting the filter for information about quarantined objects
To clear the filter for one or more filtering criteria:
- In the application web interface window, select the Storage section, Quarantine subsection.
This opens the object table.
- Click the icon to the right of the header of the column of the quarantined objects table for which you want to reset the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The objects table will display only objects matching the filter criteria you have set.
Managing reports
Users with the Senior security officer role can use Kaspersky Anti Targeted Attack Platform to manage reports about application alerts: create report templates, create reports based on a template, view, and delete reports and report templates.
Users with the Security auditor role can view reports and report templates and create reports from templates.
The following types of reports are available:
- General reports. Templates for these reports are available in the Reports section, Templates subsection. You can manage the generated reports in the Reports section, Generated reports subsection.
You can manage report templates and reports in all modes of the application in accordance with your license. Reports are generated based on a selection of alerts for a specified period. If you are using distributed solution and multitenancy mode, the selection can also be based on the tenant and this tenant's servers.
- NDR functionality reports. Available in the Reports section, Reports (NDR) subsection.
You can manage report templates and reports if you add a KATA + NDR license key. Reports are generated based on a selection of alerts for the specified period in accordance with the data of the node on which the report is generated.
Managing common reports
When managing the application web interface, users with the Senior security officer role can manage KATA reports about application alerts: create report templates, create reports based on a template, view, and delete reports and report templates.
Users with the Security auditor role can view KATA reports and report templates and create reports from templates.
To create a KATA report:
Viewing the table of templates and reports
Templates and reports are displayed in the Reports section of the application web interface window.
The Generated reports subsection contains a report table. The table contains the following information:
- Time created—Date and time of report creation.
- Report name—Name of the report created based on the template.
- Period—Period for which the report was generated.
- Servers is the name of the server with the PCN or SCN role to which the report applies.
This column is displayed if you are using the distributed solution and multitenancy mode.
- Created by—Name of the user that created the report.
- State—Report state (whether the file can be downloaded).
The Templates subsection displays the table of templates. The table contains the following information:
- Time created—Date and time when the template was created.
- Time updated—Date and time of last modification of the template.
- Report name—Name of the template.
- Created by—Name of the user that created the template.
Creating a template
When creating a report template, you specify everything that you want to display in the report: the report name, its description, and whether it includes a table, chart, or image. You can also select the data that you want to display in the report and define the position of report elements.
When creating a report in the Reports section, Generated reports subsection of the interface, you can only select the template for creating the report and the data display period.
A new report template is created for each data selection.
To create a template:
- In the application web interface window, select the Reports section, Templates tab.
This opens the table of templates.
- Click Add.
This opens the template creation window. This window contains the body of the report and the report builder in a floating window. You can move the report builder over the workspace of the web interface window.
- In the Template name field in the upper-right corner of the window, type the name that you want to assign to reports that are created from this template. For example, Alerts by technology.
This name is displayed in the table in the Reports section, Generated reports subsection for all reports created from this template.
- In place of the Report title text, type the report name that will be displayed in a report after the report is created. If you do not want to add a report name, you can delete the Report title text and leave this report section blank.
You can format text using the buttons in the Text section of the report builder.
- In place of the Report description text, type the report description that will be displayed in a report after the report is created. If you do not want to add a report description, you can delete the Report description text and leave this report section blank.
You can format text using the buttons in the Text section of the report builder.
- Using the report builder, add one or more report elements:
- Table.
- Pie chart.
- Image.
- If you chose to add an image, the Image window opens. Do the following:
- Click Upload.
- Upload the image. For example, you can upload your company logo.
- In the list on the right of the upload button, select the alignment of the image on the report page: Left, Right or Center.
- Click Apply.
- If you chose to add a pie chart, the Pie chart of alert attributes window opens. Do the following:
- In the Name field, type the name of the pie chart. For example, Top 5 alerts by technology. You can also leave the field blank.
- In the Data source list, select the alert property for which you want to create a pie chart. For example, Technologies.
- In the Number of slices field, specify the maximum number of sectors of the pie chart.
When a report is created, the application selects the most frequently encountered data. For example, if you specified 5 sectors and want to create a pie chart by technology, the application displays a chart for the 5 technologies that generated the greatest number of alerts. Technologies that generated fewer alerts are not included in the chart.
- Click Apply.
- If you chose to add a table, the Alerts table window opens. Do the following:
- In the Available columns field, double-click to select the alert properties that you want to add to the report table.
The selected properties are moved to the Selected columns field. You can drag the names of columns between the Available columns and Selected columns fields, and change the order of columns in the report table.
For example, if you move the Technologies, Detected, and Time created properties to the Selected columns field, the table of the created report displays technologies that generated alerts, a list of detected objects, and the time when the alerts were generated.
- If you want to filter alerts by the State property, select the check boxes next to the processing statuses of alerts whose data you want to display in the report.
- If you want to filter alerts by the Technologies property, select the check boxes next to the names of application modules and components whose data you want to display in the report.
- If you want to filter alerts by the Importance property, select the check boxes next to the importance levels of alerts whose data you want to display in the report.
- If you want to filter alerts by the VIP status, select VIP in the list. Only alerts with the VIP status are displayed in the report.
- Click Apply.
- Click the Save button in the upper-right corner of the window.
A new template will be created.
Users with the Security auditor and Security officer roles cannot create report templates.
Creating a report based on a template
To create a report based on a template:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Click Add.
This opens the New report window.
- Do the following:
- In the Template drop-down list, select one of the templates for creating a report.
- Under Period, select one of the following options:
- Last hour if you want the report to contain information about application operation during the last hour.
- Last day if you want the report to contain information about application operation during the last day.
- Last 7 days if you want the report to contain information about application operation during the last week.
- Last 30 days, if you want the report to contain information about system operation during the last month.
- Custom, if you want the report to contain information about system operation during the period you specify.
- If you have selected the Custom display period for information about application operation:
- In the calendar that opens, specify the start and end dates of the period for which the report will be generated.
- Click Apply.
- If you are using distributed solution and multitenancy mode, in the Servers settings group, select the check boxes next to the tenants and servers whose data you want to include in the report.
- Click Create.
The created report is displayed in the table of reports. You can download the report for viewing on your computer.
Users with the Security officer role cannot create report templates.
Viewing a report
To view a report:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Select the report that you want to view.
The report opens in a new tab in your browser.
Downloading a report to a local computer
To download a report to your computer:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- In the line containing the report that you want to download, click the download icon.
The report is saved in HTML format to your local computer in the browser's downloads folder.
To view a report, you can use any application that lets you view HTML files (for example, a browser).
Editing a template
To edit a template:
- In the application web interface window, select the Reports section, Templates tab.
This opens the table of templates.
- Select the template that you want to edit.
This opens the template editing window.
- You can edit the following settings:
- Template name is the report name that is displayed in the table in the Reports section, Generated reports subsection when creating all reports based on this template.
- Report title is the report name that is displayed in the report after the report is created.
You can format text using the buttons in the Text section in the template builder.
- Report description is the report description that is displayed in a report after the report is created.
You can format text using the buttons in the Text section in the template builder.
- Image. You can upload or delete an image.
- Pie chart. You can change the following pie chart settings:
- Name.
- Data source.
- Number of slices.
Click Apply.
- Table. You can change the following table settings:
- Selected columns. You can drag the names of columns between the Available columns and Selected columns fields, and change the order of columns in the report table.
- State.
- Technologies.
- Importance.
- VIP status.
- Select one of the following methods to save the template:
- If you want to apply changes to the current template, click the Save button.
The template is modified.
- If you want to create a new template, enter a name for the template and click Save as.
The name of the new template must not be the same as the name of an already existing template.
The new template will be saved.
Users with the Security auditor and Security officer roles cannot edit templates.
Filtering templates by name
To filter templates by name:
- In the application web interface window, select the Reports section, Templates tab.
This opens the table of templates.
- Click the Report name link to open the template filtering menu.
- In the drop-down list, select one of the following template filtering operators:
- Contain
- Not contain
- Enter one or several characters of the template name.
- If you want to add a filtering criterion to the filter, click the button under the list of filtering operators and repeat the sequence for specifying filtering criteria.
- Click Apply.
The table of templates will display only templates that match the filter criteria you have set.
Filtering templates based on the name of the user that created the template
To filter templates by the name of the user that created the template:
- In the application web interface window, select the Reports section, Templates tab.
This opens the table of templates.
- Click the Created by link to open the menu for filtering templates.
- In the drop-down list, select one of the following template filtering operators:
- Contain
- Not contain
- Enter one or several characters of the user name.
- If you want to add a filtering criterion to the filter, click the button under the list of filtering operators and repeat the sequence for specifying filtering criteria.
- Click Apply.
The table of templates will display only templates that match the filter criteria you have set.
Filtering templates by creation time
To filter report templates by creation time:
- In the application web interface window, select the Reports section, Templates tab.
This opens the table of templates.
- Click the Time created link to open the menu for filtering templates.
- Select one of the following template display periods:
- All if you want the application to display all created templates in the table.
- Last hour if you want the application to display the templates that were created during the last hour in the table.
- Last day if you want the application to display the templates that were created during the last day in the table.
- Custom range if you want the application to display templates that were created during the period you specify in the table.
- If you have selected the Custom range template display period:
- This opens the calendar; in the calendar, specify the start and end dates of the template display period.
- Click Apply.
The table of templates will display only templates that match the filter criteria you have set.
Clearing a template filter
To clear the template filter for one or more filtering criteria:
- In the application web interface window, select the Reports section, Templates tab.
This opens the table of templates.
- Click the clear-filter button to the right of the header of the template table column for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table of templates will display only templates that match the filter criteria that remain set, if any.
Deleting a template
To delete a template:
- In the application web interface window, select the Reports section, Templates tab.
- This opens the table of templates. Select the check box in the line containing the template that you want to delete.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The template that you selected will be deleted.
Users with the Security auditor and Security officer roles cannot delete templates.
Filtering reports by creation time
To filter reports by creation time:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Click the Time created link to open the report filtering menu.
- Select one of the following report display periods:
- All if you want the application to display all created reports in the table.
- Last hour if you want the application to display the reports that were created during the last hour in the table.
- Last day if you want the application to display the reports that were created during the last day in the table.
- Custom range if you want the application to display reports that were created during the period you specify in the table.
- If you have selected the Custom range report display period:
- In the calendar that opens, specify the start and end dates of the report display period.
- Click Apply.
The table of reports will display only reports that match the filter criteria you have set.
Filtering reports by name
To filter reports by name:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Click the Report name link to open the report filtering menu.
- In the drop-down list, select one of the following report filtering operators:
- Contain
- Not contain
- In the text box, enter one or more characters of the report name.
- If you want to add a filtering criterion to the filter, click the button under the list of filtering operators and repeat the sequence for specifying filtering criteria.
- Click Apply.
The table of reports will display only reports that match the filter criteria you have set.
Filtering reports by the name of the server with the Central Node component
To filter reports by the name of the server with the Central Node component:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Click the Servers link to open the report filtering menu.
- Select the check boxes opposite those servers by which you want to filter reports.
- Click Apply.
The table of reports will display only reports that match the filter criteria you have set.
Filtering reports based on the name of the user that created the report
To filter reports by the name of the user that created the report:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Click the Created by link to open the report filtering menu.
- In the drop-down list, select one of the following report filtering operators:
- Contain
- Not contain
- Enter one or several characters of the user name.
- If you want to add a filtering criterion to the filter, click the button under the list of filtering operators and repeat the sequence for specifying filtering criteria.
- Click Apply.
The table of reports will display only reports that match the filter criteria you have set.
Clearing a report filter
To clear the report filter for one or more filtering criteria:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Click the clear-filter button to the right of the header of the reports table column for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table of reports will display only reports that match the filter criteria that remain set, if any.
Deleting a report
To delete an application operation report:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Select the check box in the line containing the report that you want to delete.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The selected report will be deleted.
Users with the Security auditor and Security officer roles cannot delete reports.
Managing NDR reports
You can use Kaspersky Anti Targeted Attack Platform to get reports with various information saved by the application. Kaspersky Anti Targeted Attack Platform generates reports as PDF files. The application can send report files to email addresses.
You can view information about generated reports and export them to files in the Reports section, Reports (NDR) subsection, Generated reports tab.
The following types of NDR report templates are possible:
- System templates, created automatically during application installation. In the table of report templates, system templates are marked with an icon. You cannot delete system templates.
Kaspersky Anti Targeted Attack Platform supports the following system report templates:
- Inventory report.
Contains information about devices and system commands, as well as protocols used and detected risks on devices.
- System security report.
Contains information about the security status of devices, registered events, detected risks, and interactions with devices on external networks.
- Executive summary.
Contains brief information about devices and the security status of the system.
- Full report.
Contains complete information about devices and the security status of the system.
- Custom templates, created manually by duplicating templates. You can duplicate system or custom templates. Only users with the Senior security officer role can duplicate report templates.
Information in reports is presented as separate information blocks. Each Kaspersky Anti Targeted Attack Platform report includes a fixed set of information blocks, which are arranged in a fixed order. Information blocks used in reports and their descriptions are listed in the table below.
Using information blocks in reports
Name of the information block | Inventory report | System security report | Executive summary | Full report
---|---|---|---|---
Viewing the table of NDR report templates
You can view the table of report templates in the web interface of the application, in the Reports section, Reports (NDR) subsection, on the Report templates tab.
Report template settings are displayed in the following columns of the table:
- Name.
Report template name. System report templates are marked with an icon next to their names.
- Schedule.
Information about the schedule used by Kaspersky Anti Targeted Attack Platform to automatically generate a report based on the template. Schedule information is displayed if a user with the Senior security officer role configured a schedule in the report template. If the schedule is not configured, the column displays Disabled.
- Type/user.
Name of the user who last modified the report template. System is displayed for system templates that have default settings.
- Last report.
Time when the last report was generated based on the report template.
- Destinations.
Icon indicating whether email report recipients are configured: one icon means that report recipients are defined, the other that report recipients are not defined.
Viewing NDR report template details
To view report template information:
In the Reports section, Reports (NDR) subsection, on the Report templates tab, select the relevant template.
The details area is displayed in the right part of the web interface window. The details area displays all specified details.
Details of the report template include the following fields:
- Name is the name of the report template.
- Type/user is the name of the user that last modified the report template. System is displayed for system templates that have default settings.
- Period is the time period covered by the report that Kaspersky Anti Targeted Attack Platform generates based on the template.
- Modified is the time when the most recent change to the template was made.
- Last report is the time when the last report was generated based on the template.
- Next start (local time) is the time when the next report generation based on the template will start. This setting is displayed if a schedule is configured for the report template.
- Schedule displays information about the schedule used by Kaspersky Anti Targeted Attack Platform to automatically generate a report based on the template. This setting is displayed if a schedule is configured for the report template.
- Recipient addresses are email addresses to which Kaspersky Anti Targeted Attack Platform sends the generated reports. This setting is displayed if recipient addresses are configured for the report template.
Viewing the table of NDR reports
You can view the table of reports in the web interface of the application, in the Reports section, Reports (NDR) subsection, on the Generated reports tab.
Report settings are displayed in the following columns of the table:
- ID.
Unique ID of the report.
- Report name.
Name of the generated report.
- Template name.
Name of the template used to generate the report.
- Start.
Date and time when the report generation started.
- Status.
Status of the report. A report can have one of the following statuses:
- Pending. The report is queued for generation. A report can have the Pending status when multiple reports are generated at the same time.
- In progress. The report is being generated.
- Error. An error occurred while generating the report.
- Done. The report is successfully generated.
- Canceling. Report generation is being canceled.
- Canceled. Report generation has been canceled.
- User.
Name of the user that initiated the generation of the report or configured the schedule for running the report based on a template.
- Run type.
Report generation type: manual or scheduled.
- Completed.
Date and time when the report generation ended.
Manually generating an NDR report based on a template
You can manually start generating a report based on a template.
To start report generation:
- Select the Reports section, then the Reports (NDR) subsection.
- On the Report templates tab, select one or more templates that you want to use to generate reports.
When multiple templates are selected, the application generates reports based on these templates simultaneously. You can select up to 10 templates.
- In the toolbar above the table of report templates, click Get reports.
Kaspersky Anti Targeted Attack Platform starts generating the report.
You will be taken to the Generated reports tab, which displays the status of the reports being generated. After the reports are generated, Kaspersky Anti Targeted Attack Platform sends report files in PDF format to the email addresses specified in the report template. If an email address is not defined in the report template, you can individually export generated reports to files manually on the Generated reports tab. The maximum size of a report file is 10 MB.
If necessary, you can cancel the generation of the report.
Duplicating an NDR report template
You can create custom templates by duplicating existing report templates. You can duplicate system templates or custom templates. When duplicating a template, you cannot choose which information blocks to include in the report or rearrange them.
The maximum number of templates in the application is 5000.
To duplicate a report template:
- Select the Reports section, then the Reports (NDR) subsection.
- On the Report templates tab, select the relevant template.
The details area is displayed in the right part of the web interface window.
- Click Create new template.
- In the Name field, edit the name of the report template.
You can use Latin and Cyrillic letters, numerals, the space character, as well as -, –, _ characters.
The name of the report template must satisfy the following requirements:
- Does not reuse the name of another report template (case-insensitive).
- Contains up to 100 characters.
Names of reports generated from the updated template will reflect the new name of the template.
- In the Data period drop-down list, select the time period for which you want to get system information in the report.
You can generate reports with information received by the application within the last 24 hours, 7 days, 30 days, the last year, or a manually configured time frame.
- If you need to generate reports on a schedule, turn on the Generate report by schedule toggle switch and set up a schedule:
- In the Frequency drop-down list, select how often you want to generate the report: Hourly, Daily, Weekly, or Monthly.
- Depending on the selected option, specify the values for the settings to refine the report generation start time.
- If necessary, use the Recipient addresses field to enter the email address to which you want to send the generated reports. If you need to specify additional recipients of the report, click Add recipient address and enter the email address.
The maximum number of report recipients is 20.
- Click Save.
The new template is added to the table of report templates.
Editing an NDR report template
To edit the settings of a report template:
- Select the Reports section, then the Reports (NDR) subsection.
- On the Report templates tab, select the relevant template.
The details area is displayed in the right part of the web interface window.
- Click Edit.
- In the Name field, edit the name of the report template.
You can use Latin and Cyrillic letters, numerals, the space character, as well as -, –, _ characters.
The name of the report template must satisfy the following requirements:
- Does not reuse the name of another report template (case-insensitive).
- Contains up to 100 characters.
Names of reports generated from the updated template will reflect the new name of the template.
- In the Data period drop-down list, select the time period for which you want to get system information in the report.
You can generate reports with information received by the application within the last 24 hours, 7 days, 30 days, the last year, or a manually configured time frame.
- If you need to generate reports on a schedule, turn on the Generate report by schedule toggle switch and set up a schedule:
- In the Frequency drop-down list, select how often you want to generate the report: Hourly, Daily, Weekly, or Monthly.
- Depending on the selected option, specify the values for the settings to refine the report generation start time.
- If necessary, use the Recipient addresses field to enter the email address to which you want to send the generated reports. If you need to specify additional recipients of the report, click Add recipient address and enter the email address.
The maximum number of report recipients is 20.
- Click Save.
The changes are displayed in the corresponding columns of the table of report templates.
Exporting an NDR report to a file
You can export the generated report to a PDF file.
To export a report to a file:
- In the Reports section, select the Reports (NDR) subsection.
- On the Generated reports tab, select the relevant report.
The reports are filtered by the IDs of the reports that were started last in the current Server connection session. To display all generated reports, reset the filter settings by clicking Default filter. If necessary, you can configure filtering by a time period of your choice.
The details area is displayed in the right part of the web interface window.
- Click Export.
The browser saves the report file. By default, the report file name has the <report name>_<date and time when the report was generated> format. Depending on your browser's settings, a window may be displayed on your screen in which you can specify the path and name of the downloaded file.
Deleting an NDR report template
Only custom report templates can be deleted.
To delete a report template:
- Select the Reports section, then the Reports (NDR) subsection.
- On the Report templates tab, select one or more report templates that you want to delete.
- Click Delete.
System templates cannot be deleted. In the table of report templates, system templates are marked with an icon.
- In the displayed prompt window, confirm the deletion of report templates.
Deleting an NDR report
To delete a report:
- Select the Reports section, then the Reports (NDR) subsection.
- On the Generated reports tab, select one or more reports that you want to delete.
The reports in the table of reports are filtered by the IDs of the reports that were started last in the current Server connection session. To display all generated reports, reset the filter settings by clicking Default filter. If necessary, you can configure filtering by a time period of your choice.
The details area is displayed in the right part of the web interface window.
- Click Delete.
- In the displayed prompt window, confirm the deletion of the report.
Canceling NDR report generation
You can cancel report generation only for a report with the In progress status.
To cancel report generation:
- Select the Reports section, then the Reports (NDR) subsection.
- On the Generated reports tab, select the report with the In progress status that you want to cancel.
The details area is displayed in the right part of the web interface window.
- Click Cancel.
- In the displayed prompt window, confirm the cancellation of report generation.
After this request is completed, the report status changes to Canceled.
Managing the settings for storing report files
You can change the maximum total size limit for stored report files.
To edit report file storage settings:
- Log in to the web interface with the application administrator account.
- Select the Sensor servers section.
- Select the card of the local host (IP address 0.0.0.0).
The details area is displayed in the right part of the web interface window.
- Click Edit.
In the details area, tabs are displayed, on which you can manage the settings of the server.
- On the General tab, under Reports, use the Max volume setting to set a size limit for the stored report files.
You can select the unit of measure for the size limit: MB or GB.
When editing the value, you also need to take into account that the sum total of all size limits may not exceed the specified maximum storage capacity for the node.
- If necessary, use the Storage time (days) setting to limit the storage duration of report files, and specify the duration in days.
- Click Save.
Managing rules for assigning the VIP status to alerts
Users with the Senior security officer role can create, delete, modify, import and export a list of rules for assigning the VIP status to alerts.
You can create the following types of rules:
- IP. The VIP status will be assigned to new alerts associated with this IP address of the computer.
- Host name. The VIP status will be assigned to new alerts associated with this host name.
- Email address. The VIP status will be assigned to new alerts associated with this email address.
Users with the Security auditor role can view and export a list of rules for assigning the VIP status to alerts.
Users with the Security officer role cannot view the list of rules for assigning VIP status to alerts.
Viewing the table of VIP status assignment rules
The table of rules for assigning the VIP status is located in the Settings section, VIP status subsection of the web interface of the application.
The table contains the following information:
- Criterion—Criterion for adding an entry to the list of rules.
- Value—Value of the criterion.
- Description—Additional information specified when creating the rule.
Creating a VIP status assignment rule
To add a rule for assigning the VIP status to alerts:
- In the main window of the application web interface, select the Settings tab, VIP status section.
- In the upper-right corner of the application web interface window, click Add.
This opens the window for adding a rule.
- In the Criterion drop-down list, select one of the following rule types:
- IP, if you want to add a rule for a computer IP address.
- Host, if you want to add a rule for a host name.
- Email address, if you want to add a rule for an email address.
- Enter the necessary value in the Value field.
For example, if under Criterion, you selected Email address, enter the email address that you want to add in the Value field.
- In the Description field, enter additional information if necessary.
- Click Add.
The rule is added. The VIP status will be assigned to new alerts associated with the added IP address, host name, or email address.
Users with the Security auditor role cannot create VIP status assignment rules.
Users with the Security officer role cannot view the list of rules for assigning VIP status to alerts.
Deleting a VIP status assignment rule
To delete a rule for assigning the VIP status to alerts:
- In the main window of the application web interface, select the Settings tab, VIP status section.
- Select the check box to the left of each rule that you want to remove from the list.
- If you want to delete all rules, select the check box above the list.
- In the upper-right corner of the application web interface window, click Delete.
The action confirmation window is displayed.
- Click Yes.
The selected rules will be deleted.
Users with the Security auditor role cannot delete VIP status assignment rules.
Users with the Security officer role cannot view the list of rules for assigning VIP status to alerts.
Modifying a VIP status assignment rule
To modify a rule for assigning the VIP status to alerts:
- In the main window of the application web interface, select the Settings tab, VIP status section.
- Select the rule that you want to modify.
This opens the rule editing window.
- Make the necessary changes to the Criterion, Value and Description fields.
- Click Save.
The rule is modified.
Users with the Security auditor role cannot modify VIP status assignment rules.
Users with the Security officer role cannot view the list of rules for assigning VIP status to alerts.
Importing a list of VIP status assignment rules
To import a list of rules for assigning VIP status to alerts:
- In the main window of the application web interface, select the Settings tab, VIP status section.
- Click Import.
You will be prompted for confirmation of the list import.
The imported list of rules for assigning the VIP status to alerts will replace the current list of VIP status alert assignment rules.
- Click Yes.
This opens the file selection window.
- Select a JSON file containing the list of rules that you want to import and click Open.
This closes the file selection window.
The list is imported.
Filtering and searching by type of VIP status assignment rule
To filter or search for VIP status assignment rules by rule type:
- In the main window of the application web interface, select the Settings tab, VIP status section.
- Click the Criterion link to open the filter configuration window.
- Select one or several check boxes next to the types of rules:
- IP.
- Host.
- Email address.
- Click Apply.
The filter configuration window closes.
The table will display only the rules that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching by value of VIP status assignment rule
To filter or search for VIP status assignment rules by rule value:
- In the main window of the application web interface, select the Settings tab, VIP status section.
- Click the Value link to open the filter configuration window.
- Enter one or several characters of the rule value.
- Click Apply.
The filter configuration window closes.
The table will display only the rules that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching by description of VIP status assignment rule
To filter or search for VIP status assignment rules by description:
- In the main window of the application web interface, select the Settings tab, VIP status section.
- Click the Description link to open the filter configuration window.
- Enter one or several characters of the description.
- Click Apply.
The filter configuration window closes.
The table will display only the rules that match the filter criteria you have set.
You can use multiple filters at the same time.
Clearing a VIP status assignment rule filter
To clear the VIP status assignment rule filter for one or more filtering criteria:
- In the main window of the application web interface, select the Settings tab, VIP status section.
- Click the icon to the right of the header of the table column for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table will display only the rules that match the filter criteria you have set.
Managing allow rules for NDR events
Kaspersky Anti Targeted Attack Platform can monitor network interactions between devices. Allow rules are used to define which network interactions are authorized. Any network interaction that matches an active allow rule is treated as allowed. When an allowed interaction is detected, the application does not log NDR events and does not generate alerts for it.
You can view, create, copy, modify, delete, enable or disable allow rules.
Viewing the table of allow rules
To view the table of allow rules:
- Select the Settings section in the application web interface window.
- Go to the Allow rules tab.
The table of allow rules is displayed.
The table contains the following information:
- Rule ID is the unique ID of the rule.
- Status (shown as an icon) is the current status of the rule (Enabled or Disabled).
- Rule type: for rules that disable event registration, the EVT type is specified.
- Protocols/Commands defines a set of protocols.
- Side 1 is the device name / address information of one of the sides of the network interaction. You can enable or disable the display of addresses and ports in address information using the following settings: MAC address, IP address, and Port number. If additional address spaces have been added to the application, you can enable or disable the display of address space names using the following settings:
- AS for MAC addresses: Address spaces containing the MAC addresses in the rule. This setting can contain the names of only those address spaces that have address space rules with Data Link (L2) selected as the OSI layer.
- AS for IP addresses: Address spaces containing the IP addresses in the rule. This setting can contain the names of only those address spaces that have address space rules with Network (L3) selected as the OSI layer.
- Side 2 is the device name / address information of the other side of the network interaction. The display of address information can be configured the same way as in the Side 1 column.
- Comment lets you provide additional information about the rule.
- Created is the date and time when the rule was created.
- Changed is the date and time when the rule was last modified.
- Monitoring point is the name of the monitoring point to be specified in events (for rules of the EVT type).
- Event type is the ID and title of the event type.
- Origin provides information about the origin of the rule.
- SID of the system IDS rule is the ID of the system IDS rule. If an ID was not specified when creating the allow rule, All rules is displayed.
Creating an allow rule with blank settings or settings from a template
To create an allow rule with blank settings or settings from a template:
- Select the Settings section in the application web interface window.
- Go to the Allow rules tab.
- Click Add rule.
- If you want to use settings from a template, in the details area click Use template, select the necessary template in the opened window and click Apply.
- In the details area, click EVT.
- In the Protocol field, specify the protocol for interaction between devices.
Selecting the Protocol field opens the window with the table of supported protocols displayed as a protocol stack tree. You can control the display of tree nodes using the + and - buttons next to the names of protocols that encompass protocols of the next tiers.
If necessary, use the search bar above the table to find the protocols that you need.
To specify the protocol:
- In the table of protocols, select the protocol that you want to specify for the rule. To select a protocol, click the button in the left column of the table of protocols.
- Click OK.
If you select a protocol that the application can detect by the contents of network packets, the corresponding warning is displayed under the Protocol field.
- If necessary, enter additional information about the rule in the Comment field.
- Under Side 1 and Side 2, specify the editable address information for the sides of network interaction. Depending on the selected protocol (or set of protocols), the address information may contain the MAC address, IP address, and/or port number. If additional address spaces have been added to the application, you can specify the names of the address spaces for the addresses.
To automatically fill in the address information for the side of the network interaction, you can select devices known to the application. To do so:
- Open the device selection window by clicking Specify device addresses.
- In the device selection window, select check boxes next to the devices that you want to use.
The device selection window contains a table in which you can configure the layout and order of columns, and also filter, search, and sort similarly to the devices table in the Assets section.
- Click OK in the device selection window.
- In the Event type field, specify the event type whose numerical code is indicated in events.
Selecting the Event type field opens a window containing a list of event types that may be specified in allow rules. If necessary, use the search bar above the list to find the event type that you need. To specify the event type, select it in the list and click Apply.
- In the Monitoring point field, specify the name of the monitoring point that is indicated in events.
Selecting the Monitoring point field opens a window containing a list of all monitoring points on all nodes that have application components installed. If necessary, use the search bar above the list to find the name of the monitoring point that you need. To specify the monitoring point name, select it in the list and click Apply.
- If you do not want the application to use the selected system IDS rule to scan network connections that match the conditions of this allow rule, specify the ID of this rule in the SID of the system IDS rule field. You can view the SID of the system IDS rule in the details of the IDS alert.
If a SID is not specified, the application disables scanning by all system IDS rules for network interactions that match the conditions of this allow rule.
- In the details area, click Save.
The rule is added to the table of allow rules.
Creating an allow rule from a registered event
To create an allow rule from a registered event:
- In the Network traffic events section in the table of events, select the event on which you want to base the allow rule for events that you are creating.
- In the details area, click Create allow rule.
This opens the Allow rules section in the browser window. In the right part of the web interface window, the details area is displayed in rule settings editing mode. The settings of the new rule are initialized with values from the saved event details.
- If necessary, edit the settings of the new rule. To do this, follow steps 4–12 of the procedure for creating a rule with initially blank settings. If you do not need to edit the settings of the new rule, save the rule by clicking Save.
An allow rule is created based on the registered event.
Copying an allow rule
To create an allow rule from an existing one:
- Select the Settings section in the application web interface window.
- Go to the Allow rules tab.
- Select the rule that you want to base the new rule on.
- Right-click to open the context menu.
- In the context menu, select Copy rule.
In the right part of the web interface window, the details area is displayed in rule settings editing mode. The settings of the new rule are initialized with the settings of the rule you selected.
- Edit the settings as needed. To do this, follow steps 4–12 described in the procedure for creating a rule.
The allow rule is copied.
Editing the settings of an allow rule
You can edit the settings of an enabled allow rule. Disabled rules are not editable.
To edit the settings of an allow rule:
- Select the Settings section in the application web interface window.
- Go to the Allow rules tab.
- Select the rule whose settings you want to edit.
The details area is displayed in the right part of the web interface window.
- Click Edit.
- Edit the settings as needed. To do this, follow steps 4–12 described in the procedure for creating a rule.
- Click Save.
The rule settings are modified.
Enabling or disabling allow rules
Allow rules can have the Enabled or Disabled status. By default, rules are enabled after creation.
To change the status of allow rules:
- Select the Settings section in the application web interface window.
- Go to the Allow rules tab.
- In the table of rules, select the rules whose status you want to change.
- Enable or disable the rules by clicking Enable or Disable. Each of these buttons is displayed only if the selected rules include rules to which the corresponding operation can be applied.
The status of the selected rules is changed.
Deleting allow rules
You can selectively delete one or more allow rules.
To delete allow rules:
- Select the Settings section in the application web interface window.
- Go to the Allow rules tab.
- In the rule table, select the allow rules that you want to delete.
- Click Delete.
This opens a confirmation prompt window. Depending on the state of the selected rules, the prompt offers the following options:
- If all of the selected rules are enabled, the application prompts you to delete the selected rules, disable them instead, or cancel the operation. This check is skipped when all rules matching the current filter and search conditions are selected and more than 1000 rules are selected.
- If the selected rules include disabled rules, or if all rules matching the current filter and search conditions are selected and more than 1000 rules are selected, the application prompts you to delete the selected rules or cancel the operation.
- In the prompt window, confirm deletion of the rules.
The selected rules will be deleted.
Managing the list of scan exclusions
Users with the Senior security officer role can create, import and export the list of scan exclusions, that is, the list of data that Kaspersky Anti Targeted Attack Platform treats as safe and does not display in the alerts table. You can create scan exclusion rules for the following data:
- MD5.
- Format.
- URL mask.
- Email recipient.
- Email sender.
- Source IP or subnet.
- Destination IP or subnet.
- User Agent.
Users with the Security auditor and Security officer roles can view the list of scan exclusion rules as well as export it.
Viewing the table of data excluded from the scan
To view the table with data excluded from the scan:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Go to the Scan tab.
This opens the table with a list of data that Kaspersky Anti Targeted Attack Platform will treat as safe and will not create alerts for. You can filter the rules by clicking links in column headers.
The table contains the following information:
- Criterion—Criterion for adding an entry to the list of allowed objects.
- Value—Value of the criterion.
Adding a scan exclusion rule
To add to scan exclusions:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Go to the Scan tab.
- In the upper-right corner of the application web interface window, click Add.
This opens the New rule window.
- In the Criterion drop-down list, select one of the following criteria for adding a rule to the list of scan exclusions:
- MD5.
- Format.
- URL mask.
- Email recipient.
- Email sender.
- Source IP or subnet.
- Destination IP or subnet.
- User Agent.
- If you selected Format, select the file format that you want to add from the Value drop-down list.
For example, you can select the MSOfficeDoc format.
- If you selected MD5, URL mask, Email recipient, Email sender, Source IP or subnet, Destination IP or subnet, or User Agent, in the Value field, enter the value of the relevant criterion that you want to add to the list of scan exclusions:
- If you selected MD5, enter the MD5 hash of the file in the Value field.
- If you selected URL mask, enter the URL mask in the Value field.
You can use the following special characters in the mask:
* – any sequence of characters (including an empty one).
Example: If you enter *abc* as the mask, the application considers as safe any URL that contains the sequence abc, for example, www.example.com/download_virusabc.
? – any single character.
Example: If you enter example_123?.com as the mask, the application considers as safe any URL that contains the given character sequence with any single character in place of ?, for example, example_1234.com.
If the * or ? characters are part of the full URL that you want to add to the list of scan exclusions, escape them with the \ character: a \ makes the single *, ?, or \ character that follows it a literal character rather than a mask character.
Example: You need to add the following URL as a trusted address:
www.example.com/download_virus/virus.dll?virus_name=
You do not want the application to treat ? as a special mask character, so you put a \ character before it. The URL added to the list of scan exclusions looks as follows:
www.example.com/download_virus/virus.dll\?virus_name=
- If you selected Email recipient or Email sender, enter the email address in the Value field.
- If you selected User Agent, enter the User agent header of HTTP requests containing browser information in the Value field.
- If you selected Source IP or subnet or Destination IP or subnet, enter the address or subnet (for example, 255.255.255.0) in the Value field.
In the URL mask, Email recipient, and Email sender fields, you can enter domain names containing Cyrillic characters. In this case, the address is converted to Punycode and processed in accordance with application settings.
- Click Add.
The rule is added to the scan exclusion list.
Users with the Security auditor and Security officer roles cannot add a scan exclusion rule.
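The URL mask syntax described above, as an added worked example (this is not code from the Kaspersky documentation or product): a small Python matcher that translates a mask into a regular expression, honouring `*`, `?` and `\`-escaping, and converts a non-ASCII (for example Cyrillic) host name to Punycode before matching, as the page says the product does. The page does not state whether a mask has to cover the whole URL or may occur anywhere in it; because it says a matching URL "contains" the sequence, the example uses substring matching. It also assumes case-sensitive comparison and that a `\` not followed by `*`, `?` or `\` is kept as a literal backslash. All masks and URLs in the block are constructed.

```python
import re

# All masks and URLs in this file are constructed for the example.
META = "*?\\"


def mask_to_regex(mask: str) -> str:
    """Translate a scan-exclusion URL mask into a regular expression.

    '*'  matches any sequence of characters (including none),
    '?'  matches exactly one character,
    '\\' escapes one following '*', '?' or '\\' so it is matched literally.
    Every other character is matched literally.
    """
    parts = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == "\\" and i + 1 < len(mask) and mask[i + 1] in META:
            parts.append(re.escape(mask[i + 1]))  # escaped metacharacter
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # assumption: a lone '\' stays literal
        i += 1
    return "".join(parts)


def normalize_url(url: str) -> str:
    """Convert a non-ASCII host name to Punycode (IDNA) with Python's built-in
    codec; scheme, port and path are left untouched. The page says the product
    converts Cyrillic domain names this way before processing them."""
    scheme, sep, rest = url.partition("://")
    if not sep:  # no scheme present
        scheme, rest = "", url
    host, slash, path = rest.partition("/")
    hostname, colon, port = host.partition(":")
    if any(ord(c) > 127 for c in hostname):
        hostname = hostname.encode("idna").decode("ascii")
    return f"{scheme}{sep}{hostname}{colon}{port}{slash}{path}"


def is_excluded(url: str, masks) -> bool:
    """True if url matches at least one exclusion mask.

    Assumption: a mask may match anywhere in the URL ("contains", as the page
    puts it) and the comparison is case-sensitive."""
    target = normalize_url(url)
    return any(re.search(mask_to_regex(normalize_url(m)), target) for m in masks)


if __name__ == "__main__":
    masks = [
        "*abc*",
        "example_123?.com",
        r"www.example.com/download_virus/virus.dll\?virus_name=",
    ]
    for u in (
        "www.example.com/download_virusabc",
        "example_1234.com",
        "www.example.com/download_virus/virus.dll?virus_name=",
        "www.example.com/download_virus/virus.dllXvirus_name=",
    ):
        print(f"{u!r:60} excluded={is_excluded(u, masks)}")
```

The last URL shows why the escape matters: with the unescaped mask `www.example.com/download_virus/virus.dll?virus_name=`, the `?` would also accept `virus.dllXvirus_name=`, so the exclusion would be wider than intended. Exclusions are allow-list entries, so a broad mask such as `*abc*` should be reviewed before it is added.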
Deleting a scan exclusion rule
To remove one or multiple rules from scan exclusions:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Go to the Scan tab.
- Select the check box to the left of each rule that you want to remove from the list of scan exclusions.
If you want to delete all rules, select the check box above the list.
- In the lower part of the window, click Delete.
The action confirmation window is displayed.
- Click Yes.
The selected rules are removed from the list of scan exclusions.
Users with the Security auditor and Security officer roles cannot remove entries from the list of scan exclusions.
Editing a rule added to scan exclusions
To edit a rule in the scan exclusion list:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Go to the Scan tab.
- Select the rule that you want to modify.
This opens the Edit rule window.
- Make the necessary changes to the Criterion and Value fields.
- Click Save.
The rule is modified.
Users with the Security auditor and Security officer roles cannot edit rules in the list of scan exclusions.
Exporting the list of data excluded from the scan
To export the scan exclusion list:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Go to the Scan tab.
- In the upper-right corner of the application web interface window, click Export.
The JSON file containing the exported list of scan exclusions is saved in the browser's downloads folder on your computer.
Filtering rules in the scan exclusion list by criterion
To filter scan exclusion list entries by rule type:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Go to the Scan tab.
- Click the Criterion link to open the filter configuration window.
- Select one or more check boxes next to criteria by which you want to filter the rules:
- MD5.
- Format.
- URL mask.
- Email recipient.
- Email sender.
- Source IP or subnet.
- Destination IP or subnet.
- User Agent.
- Click Apply.
The filter configuration window closes.
The list of scan exclusions displays only those rules that match your criteria.
You can use multiple filters at the same time.
Searching for rules in the scan exclusion list by value
To search rules in the scan exclusion list by value:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Go to the Scan tab.
- Click the Value link to open the filter configuration window.
- Enter value characters.
- Click Apply.
The list of scan exclusions displays only those rules that match your criteria.
You can use multiple filters at the same time.
Resetting the rule filter in the scan exclusion list
To clear an exclusion list record filter by one or more filtering criteria:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Go to the Scan tab.
- Click the icon to the right of the header of the column in the table of scan exclusion list entries for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The list of scan exclusions displays only those rules that match your criteria.
Managing Intrusion Detection rule exclusions
Users with the Senior security officer role can add Kaspersky Intrusion Detection rules to scan exclusions. Kaspersky Anti Targeted Attack Platform does not create alerts when scanning by excluded Intrusion Detection rules.
You can add to exclusions only Intrusion Detection rules made by Kaspersky. If you do not want to apply a user-defined Intrusion Detection rule when scanning, you can disable this rule or delete it.
If you want to configure a singular exclusion, for example, for a specific source address, you can:
- Open the alert details of the IDS alert for which you want to create a singular exception.
- Copy the IDS alert data in Suricata format and save it in any way that you find convenient.
- Add the Kaspersky Intrusion Detection rule that generated the alert to exclusions from scanning.
- Add a new rule based on the properties of the excluded Kaspersky rule to the list of user-defined Intrusion Detection rules in one of the following ways:
- If the system already has user-defined Intrusion Detection rules, export a file with the rules and add a new rule to this file with conditions that narrow down the rule using the Suricata syntax. An example of creating user-defined Intrusion Detection rules is shown below.
- If no user-defined Intrusion Detection rules exist in the system yet, create a text file and add to it a rule with qualifying conditions using the Suricata syntax. An example of creating user-defined Intrusion Detection rules is shown below.
- Import a file with the added rule.
We do not recommend using the above method of creating singular exclusions on a regular basis, because a large number of user-defined Intrusion Detection rules can get out of control and reduce the level of protection of the corporate LAN. We strongly recommend monitoring the results of the created exclusions. We also strongly recommend testing the user-defined rules in a test environment before importing them. User-defined Intrusion Detection rules may cause performance issues, in which case stable operation of Kaspersky Anti Targeted Attack Platform is not guaranteed.
Users with the Security auditor role can view the list of Intrusion Detection rules added to exclusions, and view the properties of a selected rule.
Users with the Security officer role cannot view the list of Intrusion Detection rules added to exclusions.
Examples of creating user-defined Intrusion Detection rules based on the properties of an excluded Kaspersky rule
If you do not want one or more source and/or destination addresses to trigger the IDS alert, you can negate those addresses in the rule header with the ! (NOT) operator.
Example: For an IDS alert with data:
You can create the following user-defined Intrusion Detection rules with singular exclusions:
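As an added example (not part of the Kaspersky documentation, and not a reproduction of the page's own example, whose rule text is not present here): a Python helper that takes a rule in Suricata format, such as the one copied from the IDS alert details, and produces a user-defined copy whose source and/or destination address field excludes specific addresses with Suricata's `!` operator, while giving the copy its own SID and `rev:1`. The sample rule, its SID, message and content are constructed for the example. The check that user-defined SIDs fall in the 1000000 to 1999999 range follows the common Snort/Suricata convention for local rules; it is not a requirement stated on the page.

```python
import re

# Constructed input for this example: an IDS rule as it would be copied from
# alert details in Suricata format. SID, msg and content are hypothetical.
SAMPLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"Example suspicious User-Agent"; flow:established,to_server; '
    'http.user_agent; content:"evil-agent"; classtype:trojan-activity; '
    'sid:2000001; rev:3;)'
)

HEADER_KEYS = ("action", "proto", "src", "sport", "dir", "dst", "dport")


def _split_header(header: str) -> list:
    """Split a rule header on whitespace, keeping [...] address/port groups
    (which may themselves contain spaces) together as single tokens."""
    tokens, buf, depth = [], [], 0
    for ch in header:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch.isspace() and depth == 0:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_rule(rule: str) -> dict:
    """Parse 'action proto src sport dir dst dport (options)' into a dict."""
    head, paren, opts = rule.strip().partition("(")
    if not paren or not opts.endswith(")"):
        raise ValueError("rule must end with an options block in parentheses")
    tokens = _split_header(head)
    if len(tokens) != len(HEADER_KEYS) or tokens[4] not in ("->", "<>"):
        raise ValueError(f"unexpected rule header: {head!r}")
    parsed = dict(zip(HEADER_KEYS, tokens))
    parsed["opts"] = opts[:-1].strip()
    return parsed


def negate_addresses(field: str, excluded) -> str:
    """Narrow an address field so that `excluded` addresses no longer match,
    using Suricata's '!' operator. 'any' becomes a bare negation (everything
    except the excluded addresses); other fields are wrapped in a group."""
    excluded = list(excluded)
    if field == "any":
        if len(excluded) == 1:
            return f"!{excluded[0]}"
        return "![" + ", ".join(excluded) + "]"
    inner = field[1:-1] if field.startswith("[") and field.endswith("]") else field
    return "[" + ", ".join([inner] + [f"!{a}" for a in excluded]) + "]"


def set_option(opts: str, name: str, value: str) -> str:
    """Replace (or append) a 'name:value;' keyword in the options block."""
    pattern = re.compile(rf"(?<![\w.]){name}:[^;]*;")
    if pattern.search(opts):
        return pattern.sub(f"{name}:{value};", opts, count=1)
    return f"{opts} {name}:{value};"


def narrow_rule(rule: str, new_sid: int, exclude_src=(), exclude_dst=()) -> str:
    """Build a user-defined copy of `rule` that skips the given source and/or
    destination addresses and carries its own SID and rev:1."""
    # Assumption: local rules use the conventional 1000000-1999999 SID range so
    # they never collide with vendor rule IDs (a convention, not a product rule).
    if not 1_000_000 <= new_sid <= 1_999_999:
        raise ValueError("user-defined SIDs should be in the 1000000-1999999 range")
    r = parse_rule(rule)
    if exclude_src:
        r["src"] = negate_addresses(r["src"], exclude_src)
    if exclude_dst:
        r["dst"] = negate_addresses(r["dst"], exclude_dst)
    opts = set_option(r["opts"], "sid", str(new_sid))
    opts = set_option(opts, "rev", "1")
    header = " ".join(r[k] for k in HEADER_KEYS)
    return f"{header} ({opts})"


if __name__ == "__main__":
    # Exclude one trusted host as the source of the sample rule.
    print(narrow_rule(SAMPLE_RULE, 1_000_001, exclude_src=["10.0.0.5"]))
```

The original Kaspersky rule is still added to exclusions as step 3 of the procedure describes; the narrowed copy is what you import as a user-defined rule, so the same detection keeps firing for every address except the ones you negated. Import it into a test environment first, as the page advises.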
Viewing the table of Intrusion Detection rules added to exclusions
To view the table of Intrusion Detection rules added to exclusions:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Go to the IDS tab.
The table of excluded IDS rules is displayed. You can filter the rules by clicking links in column headers.
The table contains the following information:
- Time created—Date and time when the Intrusion Detection rule was added to exclusions.
- Rule name—Name of the Intrusion Detection rule.
- Rule ID—ID of the Intrusion Detection rule (SID or signature ID) in Suricata format.
- Description—Description of the Intrusion Detection rule.
- Created by—Name of the user whose account was used to add the Intrusion Detection rule to exclusions.
Adding an Intrusion Detection rule to exclusions
You can exclude Kaspersky Intrusion Detection rules with medium or high importance alerts from event scanning.
You can add to exclusions only Intrusion Detection rules made by Kaspersky. If you do not want to apply a user-defined Intrusion Detection rule when scanning events, you can disable this rule or delete it.
To add an Intrusion Detection rule to exclusions:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the link in the Technologies column to open the filter configuration window.
- In the drop-down list on the left, select Contain.
- In the drop-down list on the right, select the (IDS) Intrusion Detection System technology.
- Click Apply.
- If you want to filter detections, click the icon to expand the list of filtering parameters and select the required filter.
- Select an alert for which the Detected column displays the name of the relevant Intrusion Detection rule.
This opens a window containing information about the alert.
- In the right part of the window, in the Recommendations section, Qualifying subsection, click Add to exclusions.
This opens the Add IDS rule to exclusions window.
- In the Description field, enter a description for the Intrusion Detection rule.
- Click Add.
The Intrusion Detection rule is added to exclusions and is displayed in the exclusion list in the Settings section, Exclusions subsection on the IDS tab in the application web interface. This rule is no longer used for creating alerts.
Users with the Security auditor role cannot add Intrusion Detection rules to exclusions.
Users with the Security officer role do not have access to the list of Intrusion Detection rules added to exclusions.
Editing the description of an Intrusion Detection rule added to exclusions
To edit the description of an excluded Intrusion Detection rule, in the Alerts section:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the link in the Technologies column to open the filter configuration window.
- In the drop-down list on the left, select Contain.
- In the drop-down list on the right, select the (IDS) Intrusion Detection System technology.
- Click Apply.
- If you want to filter detections, click the icon to expand the list of filtering parameters and select the required filter.
- Select an alert for which the Detected column displays the name of the relevant Intrusion Detection rule.
This opens a window containing information about the alert.
- In the right part of the window, in the Recommendations section, Qualifying subsection, click Edit IDS exclusion.
This opens the Edit IDS exclusion window.
- In the Description field, edit the description of the rule.
- Click Save.
The description of the excluded Intrusion Detection rule is modified. This rule is no longer used for creating alerts.
Users with the Security auditor role cannot edit Intrusion Detection rule descriptions.
Users with the Security officer role do not have access to the list of Intrusion Detection rules added to exclusions.
Removing Intrusion Detection rules from exclusions
You can remove from exclusions a single Intrusion Detection rule, multiple rules, or all rules at the same time.
To remove an Intrusion Detection rule from exclusions:
- In the application web interface window, select the Settings → Exclusions section and go to the IDS tab.
The list of excluded Intrusion Detection rules is displayed.
- Select the rule that you want to remove from exclusions.
This opens a window containing information about the rule.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The rule is removed from exclusions. This rule is again used for creating alerts.
To remove all or multiple IDS rules from exclusions:
- In the application web interface window, select the Settings → Exclusions section and go to the IDS tab.
The list of excluded Intrusion Detection rules is displayed.
- Select check boxes next to rules that you want to remove from exclusions.
You can select all rules by selecting the check box in the row containing the headers of columns.
- In the pane that appears in the lower part of the window, click Delete.
This opens the action confirmation window.
- Click Yes.
The selected rules are removed from exclusions. These rules are used for creating alerts.
Users with the Security auditor role cannot remove Intrusion Detection rules from exclusions.
Users with the Security officer role do not have access to the list of Intrusion Detection rules added to exclusions.
Managing TAA exclusions
TAA (IOA) rules created by Kaspersky experts contain indicators of suspicious behavior of an object in the corporate IT infrastructure. Kaspersky Anti Targeted Attack Platform scans the events database of the application and creates alerts for events that match behaviors described by TAA (IOA) rules. If you do not want the application to create alerts for events generated as part of host activity that is normal for your organization, you can add a TAA (IOA) rule to exclusions.
A TAA (IOA) rule added to exclusions can work in one of the following modes:
- The rule is always excluded.
In this case, Kaspersky Anti Targeted Attack Platform does not mark events as matching the TAA (IOA) rule and does not create alerts based on that rule.
- The rule is supplemented by a condition.
In this case, the TAA (IOA) rule is supplemented by conditions in the form of a search query. Kaspersky Anti Targeted Attack Platform does not mark events that match specified conditions as matching the TAA (IOA) rules. For events that match the TAA (IOA) rule, but do not satisfy the conditions of the applied exclusion, the application marks the events and creates alerts.
If you are using the distributed solution and multitenancy mode, TAA exclusions can have the following types:
- Local—Created on the SCN server. These exclusions apply only to hosts that are connected to this SCN server. Exclusions belong to the tenant which the user is managing in the application web interface.
- Global—Created on the PCN server. Exclusions apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Exclusions belong to the tenant which the user is managing in the application web interface.
Users with the Senior security officer role can create, edit, and delete exclusions for tenants to whose data they have access.
Users with the Security auditor and Security officer roles can only view the list of TAA exclusions and the properties of a selected exclusion.
For each TAA (IOA) rule, you can create only one local or global exclusion.
If one TAA (IOA) rule has exclusions created both on an SCN server and the PCN server, Kaspersky Anti Targeted Attack Platform processes events in accordance with exclusion settings on the PCN server.
Viewing the table of TAA (IOA) rules added to exclusions
To view the table of TAA (IOA) rules added to exclusions:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Click the TAA tab.
The table of excluded TAA (IOA) rules is displayed. You can filter the rules by clicking links in column headers.
The table contains the following information:
- Importance (shown as an icon) is the importance of the alert generated as a result of scanning by this TAA (IOA) rule.
The importance level can have one of the following values:
- Low.
- Medium.
- High.
- Type is the type of the rule depending on the role of the server which generated it:
- Local—Created on the SCN server. These exclusions apply only to hosts that are connected to this SCN server. Exclusions belong to the tenant which the user is managing in the application web interface.
- Global—Created on the PCN server. Exclusions apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Exclusions belong to the tenant which the user is managing in the application web interface.
- Confidence – level of confidence depending on the likelihood of false alarms caused by the rule:
- High.
- Medium.
- Low.
The higher the confidence level, the lower the likelihood of false alarms.
- Exclude rule is the operating mode of the rule that is added to exclusions.
- Always means the rule is always excluded. In this case, Kaspersky Anti Targeted Attack Platform does not mark events as matching the TAA (IOA) rule and does not create alerts based on that rule.
- Based on conditions means the rule is excluded if a condition is added. In this case, the TAA (IOA) rule is supplemented by conditions in the form of a search query. Kaspersky Anti Targeted Attack Platform does not mark events that match specified conditions as matching the TAA (IOA) rules. For events that match the TAA (IOA) rule, but do not satisfy the conditions of the applied exclusion, the program marks the events and creates alerts.
- Name is the name of the rule.
Adding a TAA (IOA) rule to exclusions
You can add to exclusions only TAA (IOA) rules made by Kaspersky. If you do not want to apply a user-defined TAA (IOA) rule for scanning events, you can disable that rule or delete it.
To add a TAA (IOA) rule to exclusions from the Alerts section:
- Select the Alerts section in the window of the application web interface.
This opens the table of alerts.
- Click the link in the Technologies column to open the filter configuration window.
- In the drop-down list on the left, select Contain.
- In the drop-down list on the right, select the (TAA) Targeted Attack Analyzer technology.
- Click Apply.
The table displays alerts generated by the TAA technology based on TAA (IOA) rules.
- Select an alert for which the Detected column displays the name of the relevant rule.
This opens a window containing information about the alert.
- Under Scan results, click the link with the name of the rule to open the rule information window.
- To the right of the TAA exclusions setting name, click Add to exclusions.
This opens a window that allows you to add the TAA (IOA) rule to exclusions.
- In the Exclude rule field, select the exclusion operating mode:
- Always if you do not want the application to create alerts for events that match the selected TAA (IOA) rule.
- Based on conditions if you want the application to suppress alerts only for events that match the specified conditions. Alerts are still created for events that match the TAA (IOA) rule but do not satisfy the exclusion conditions.
If you selected Based on conditions:
- Click Configure additional conditions to open the event search form.
- If you are using the distributed solution and multitenancy mode and want to enable the display of events for all tenants, turn on the Search in all tenants toggle switch.
- Perform an event search in builder mode.
A table is displayed of events that match the TAA (IOA) rule given the specified exclusion criteria.
If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.
- Click the name of the server for which you want to view events.
The host table of the selected server is displayed. Event grouping levels are displayed above the table.
If necessary, you can change event search conditions.
- Click Add exclusion.
- If you are using the distributed solution and multitenancy mode, in the Apply to servers* field, select check boxes for tenants and servers to which the rule must be applied.
- Click Add.
The TAA (IOA) rule is added to exclusions and is displayed in the exclusion list in the Settings section, Exclusions subsection on the TAA tab in the application web interface. This rule is no longer used for creating alerts.
To add a TAA (IOA) rule to exclusions from the Threat Hunting section:
- Select the Threat Hunting section in the application web interface window.
This opens the event search form.
- Define the search conditions and click the Search button. For example, you can select event search criteria in the TAA properties group in builder mode.
The table of events that satisfy the search criteria is displayed.
- Select an event.
- To the right of the IOA tags setting, click the name of the rule.
This opens a window containing information about the rule.
- To the right of the TAA exclusions setting name, click Add to exclusions.
This opens a window that allows you to add the TAA (IOA) rule to exclusions.
- In the Exclude rule field, select the exclusion operating mode:
- Always if you do not want the application to create alerts for events that match the selected TAA (IOA) rule.
- Based on conditions if you want the application to suppress alerts only for events that match the specified conditions. Alerts are still created for events that match the TAA (IOA) rule but do not satisfy the exclusion conditions.
If you selected Based on conditions:
- Click Configure additional conditions to open the event search form.
- If you are using the distributed solution and multitenancy mode and want to enable the display of events for all tenants, turn on the Search in all tenants toggle switch.
- Perform an event search in builder mode.
A table is displayed of events that match the TAA (IOA) rule given the specified exclusion criteria.
If you are using the distributed solution and multitenancy mode, found events are grouped in tiers: Server – Tenant names – Server names.
- Click the name of the server for which you want to view events.
The host table of the selected server is displayed. Event grouping levels are displayed above the table.
If necessary, you can change event search conditions.
- Click Add exclusion.
- Click Add.
The TAA (IOA) rule is added to exclusions and is displayed in the exclusion list in the Settings section, Exclusions subsection on the TAA tab in the application web interface. This rule is no longer applied when scanning events.
When creating a search query to be saved as an exclusion criterion, avoid using the following fields:
- IOAId.
- IOATag.
- IOATechnique.
- IOATactics.
- IOAImportance.
- IOAConfidence.
These fields are only displayed after Kaspersky Anti Targeted Attack Platform marks events as matching TAA (IOA) rules.
Users with the Security auditor and Security officer roles cannot add TAA (IOA) rules to exclusions.
Viewing a TAA (IOA) rule added to exclusions
To view a TAA (IOA) rule added to exclusions:
- In the application web interface window, select the Settings section, Exclusions subsection and go to the TAA tab.
The table of excluded TAA (IOA) rules is displayed.
- Select the rule that you want to view.
This opens a window containing information about the rule.
The window contains the following information:
- TAA (IOA) rule: click this link to open a window containing a description of the MITRE technique corresponding to this rule, recommendations on responding to the event, and information about the likelihood of false alarms.
- ID is the ID that the application assigns to each rule.
- Name is the name of the rule that you specified when you added the rule.
- Importance is an estimate of the probable impact of the event on the security of computers or the corporate LAN as assessed by Kaspersky experts.
- Confidence is the level of confidence depending on the probability of false positives as estimated by Kaspersky experts.
- Exclude rule is the operating mode of the rule that is added to exclusions.
- Always means the rule is always excluded. In this case, Kaspersky Anti Targeted Attack Platform does not mark events as matching the TAA (IOA) rule and does not create alerts based on that rule.
- Based on conditions means the rule is excluded if a condition is added. In this case, the TAA (IOA) rule is supplemented by conditions in the form of a search query. Kaspersky Anti Targeted Attack Platform does not mark events that match specified conditions as matching the TAA (IOA) rules. For events that match the TAA (IOA) rule, but do not satisfy the conditions of the applied exclusion, the program marks the events and creates alerts.
- Configure additional conditions: click this link to open the event search form with search conditions.
The field is displayed if, when adding the TAA (IOA) rule to exclusions, you have selected the Based on conditions mode, and configured some search criteria.
- The search criteria are configured in the <IOA ID> AND NOT <search criteria> format. Search criteria are displayed if, when adding the TAA (IOA) rule to exclusions, you have selected the Based on conditions mode, and configured some search criteria.
- Apply to servers* are hosts to which the exclusion applies.
This field is displayed in distributed solution and multitenancy mode.
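The following is an added example, not code from Kaspersky Anti Targeted Attack Platform (its exclusion evaluator is internal and not public). It models only the documented semantics of a TAA (IOA) exclusion: an "Always" exclusion suppresses every event matching the rule, and a "Based on conditions" exclusion is applied as <IOA ID> AND NOT <search criteria>, so an event is suppressed only when it matches the rule and satisfies every exclusion criterion. It also checks for the caveat above: criteria written on IOAId, IOATag and the other post-marking fields can never match, because those fields do not exist when the exclusion is evaluated. The rule ID, the rule logic, the criteria model (field equals value) and the sample events are all constructed for this example.

```python
"""Model of how a TAA (IOA) exclusion decides whether an event produces an alert.

Added example, not product code. Reproduces only the documented semantics:
"Always" suppresses every event matching the rule; "Based on conditions" is
applied as <IOA ID> AND NOT <search criteria>. Rule ID, rule logic, criteria
model and events are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Predicate = Callable[[Event], bool]

# Fields the platform attaches to an event only after marking it as matching
# a TAA (IOA) rule. When an exclusion is evaluated they do not exist yet, so a
# criterion written on them can never match.
POST_MARKING_FIELDS = frozenset({"IOAId", "IOATag", "IOATechnique",
                                 "IOATactics", "IOAImportance", "IOAConfidence"})

# Hypothetical rule (invented for the example): encoded PowerShell command line.
RULES: Dict[str, Predicate] = {
    "IOA-EXAMPLE-0001": lambda e: (
        e.get("Process", "").lower() == "powershell.exe"
        and "-enc" in e.get("CommandLine", "").lower()
    ),
}


@dataclass
class Exclusion:
    rule_id: str
    mode: str                                   # "Always" or "Based on conditions"
    # Search criteria modelled as field -> required value. The platform stores
    # them as a search query; the query language itself is out of scope here.
    criteria: Dict[str, str] = field(default_factory=dict)

    def unusable_fields(self) -> List[str]:
        """Criteria fields that only exist after marking (they never match)."""
        return sorted(f for f in self.criteria if f in POST_MARKING_FIELDS)

    def suppresses(self, event: Event) -> bool:
        """True if this exclusion stops `event` from being marked and alerted."""
        if self.mode == "Always":
            return True
        if self.mode == "Based on conditions":
            # <IOA ID> AND NOT <criteria>: suppressed only when every criterion
            # holds. A field missing from the event never satisfies a criterion.
            return bool(self.criteria) and all(
                event.get(f) == v for f, v in self.criteria.items()
            )
        raise ValueError(f"unknown exclusion mode: {self.mode!r}")


def process_events(events: List[Event],
                   exclusions: Dict[str, Exclusion]) -> List[Tuple[int, str]]:
    """Return (event index, rule ID) for every alert that would be created.

    `exclusions` is keyed by rule ID, which also models the documented limit
    of one exclusion per TAA (IOA) rule.
    """
    alerts: List[Tuple[int, str]] = []
    for idx, event in enumerate(events):
        for rule_id, matches in RULES.items():
            if not matches(event):
                continue
            exc = exclusions.get(rule_id)
            if exc is not None and exc.suppresses(event):
                continue                 # event is not marked, no alert is created
            alerts.append((idx, rule_id))
    return alerts


# Constructed sample telemetry (not real product events).
SAMPLE_EVENTS: List[Event] = [
    {"Host": "ws-042", "Process": "powershell.exe",
     "CommandLine": "powershell.exe -enc ZQBjAGgAbwA="},
    {"Host": "build-01", "Process": "powershell.exe",
     "CommandLine": "powershell.exe -enc ZQBjAGgAbwA="},
    {"Host": "ws-042", "Process": "cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    build_only = Exclusion("IOA-EXAMPLE-0001", "Based on conditions",
                           {"Host": "build-01"})
    print(process_events(SAMPLE_EVENTS, {build_only.rule_id: build_only}))
```

With the "Based on conditions" exclusion keyed on Host = build-01, only the workstation event alerts; an exclusion whose criterion is IOATag is reported by unusable_fields() and suppresses nothing, which is the practical consequence of the field list above.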
Removing a TAA (IOA) rule from exclusions
You can remove from exclusions a single TAA (IOA) rule, multiple rules, or all rules at the same time.
To remove a TAA (IOA) rule from exclusions:
- In the application web interface window, select the Settings section, Exclusions subsection and go to the TAA tab.
The table of excluded TAA (IOA) rules is displayed.
- Select the rule that you want to remove from exclusions.
This opens a window containing information about the rule.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The rule is removed from exclusions. The rule is applied when creating alerts or scanning events.
To remove all or multiple TAA (IOA) rules from exclusions:
- In the application web interface window, select the Settings section, Exclusions subsection and go to the TAA tab.
The table of excluded TAA (IOA) rules is displayed.
- Select check boxes next to rules that you want to remove from exclusions.
You can select all rules by selecting the check box in the row containing the headers of columns.
- In the pane that appears in the lower part of the window, click Delete.
This opens the action confirmation window.
- Click Yes.
The selected rules are removed from exclusions. The rules are applied when creating alerts or scanning events.
Users with the Security auditor and Security officer roles cannot remove TAA (IOA) rules from exclusions.
Managing ICAP exclusions
Users with the Senior security officer role can create an ICAP exclusion list, that is, a list of data that Kaspersky Anti Targeted Attack Platform must not scan. You can create ICAP exclusion rules for the following data:
- Format.
- User Agent.
- MD5.
- URL mask.
- Source IP or subnet.
Users with the Security auditor and Security officer roles can view the list of ICAP exclusion rules.
In distributed solution mode, ICAP exclusions created on an SCN apply to all Sensor components connected to that SCN. ICAP exclusions created on a PCN apply to the SCN installed on the same device as the PCN and to all Sensor components connected to that SCN.
Viewing the ICAP exclusion table
To view the ICAP exclusion table:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Open the ICAP tab.
The table of data that Kaspersky Anti Targeted Attack Platform must not scan is displayed. You can filter the rules by clicking links in column headers.
The table columns contain the following information:
- Value—Value of the criterion.
- Criterion—Criterion by which the rule excludes data from scanning (Format, User Agent, MD5, URL mask, or Source IP or subnet).
- State is the state of the rule.
Adding a rule to ICAP exclusions
ICAP exclusion rules are processed if a rule for the data has not been previously added to the scan exclusion rules.
To add rule to ICAP exclusions:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Open the ICAP tab.
- In the upper-right corner of the application web interface window, click Add.
This opens the New rule window.
- Move the State toggle switch to the position you need.
By default, the toggle switch is in the Enabled position.
- In the Criterion drop-down list, select one of the following criteria for adding a rule to the list of ICAP exclusions:
- Format.
- User Agent.
- MD5.
- URL mask.
- Source IP or subnet.
- Depending on the selected criterion, in the Value field, specify the following information:
- If you selected Format, select the file format that you want to add from the drop-down list.
When you add an ICAP exclusion rule by format, web page content of the corresponding format is loaded without scanning, and the display of web pages is not disrupted.
- If you selected User Agent, enter the User agent header of HTTP requests containing browser information.
- If you selected MD5, enter the MD5 hash of the file.
- If you selected URL mask, enter the URL mask.
You can use the following special characters in the mask:
* – any sequence of characters.
? – any single character.
If the * or ? characters are part of the full URL that you want to add to the list of scan exclusions, use the \ character when entering the URL to escape a single *, ?, or \ character that follows it.
In the URL mask field, you can enter domain names containing Cyrillic characters. In this case, the address is converted to Punycode and processed in accordance with application settings.
- If you selected Source IP or subnet, enter an address or subnet (for example, 255.255.255.0).
- Click Add.
The rule is added to the ICAP exclusion list.
Users with the Security auditor and Security officer roles cannot add an ICAP exclusion rule.
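The URL mask syntax above (* and ? wildcards, backslash escaping, Cyrillic domains converted to Punycode) is easy to get wrong when writing exclusions, so here is an added example that lets you check which URLs a mask covers before creating the rule. It is not code from Kaspersky Anti Targeted Attack Platform, whose matcher is not public; it assumes matching is exact over the whole URL and case-sensitive, converts only the host part to Punycode, and does not apply full IDNA nameprep (case folding of non-ASCII labels). The masks and URLs used are constructed.

```python
"""Matching URLs against an ICAP exclusion "URL mask".

Added example, not product code. Implements the documented mask syntax:
'*' = any sequence of characters, '?' = any single character, backslash
escapes a following '*', '?' or backslash. Non-ASCII host labels are
converted to Punycode (xn--) before matching. Assumptions: whole-URL,
case-sensitive match; only the host is IDNA-converted; no nameprep.
"""
import re


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate a URL mask into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == "\\" and i + 1 < len(mask) and mask[i + 1] in "*?\\":
            parts.append(re.escape(mask[i + 1]))   # escaped literal *, ? or \
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def punycode_host(url: str) -> str:
    """Return `url` with non-ASCII host labels converted to xn-- form.

    Works on masks too: ASCII labels (including ones containing * or ?) are
    left untouched, so wildcards in the host survive the conversion.
    """
    scheme, sep, rest = url.partition("://")
    if not sep:                         # no scheme: whole string is host[/path]
        scheme, rest = "", url
    host, slash, path = rest.partition("/")
    labels = [
        lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
        for lab in host.split(".")
    ]
    return scheme + sep + ".".join(labels) + slash + path


def url_matches_mask(url: str, mask: str) -> bool:
    """Decide whether `url` is covered by the exclusion `mask`."""
    return mask_to_regex(punycode_host(mask)).match(punycode_host(url)) is not None


if __name__ == "__main__":
    for url in ("http://updates.example.com/patch.exe",
                "http://example.com/patch.exe",
                "http://пример.рф/index.html"):
        print(url, "->", url_matches_mask(url, "http://*.example.com/*"))
```

Two points the example makes concrete: a mask beginning http://*.example.com/ does not cover the bare domain http://example.com/, and a literal ? in a path or query must be written as \? or it silently becomes a single-character wildcard.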
Removing rules from ICAP exclusions
To remove one or more rules from ICAP exclusions:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Open the ICAP tab.
- Select the check box to the left of each rule that you want to remove from the list of ICAP exclusions.
If you want to delete all rules, select the check box above the list.
- In the lower part of the window, click Delete.
This opens a confirmation window; click Yes to confirm the deletion of the rules.
The selected rules are removed from the list of ICAP exclusions. Data that was previously listed in the ICAP exclusion rules are now scanned by Kaspersky Anti Targeted Attack Platform.
Users with the Security auditor and Security officer roles cannot remove entries from the list of ICAP exclusions.
Editing or disabling a rule in the ICAP exclusion list
To edit a rule in the ICAP exclusion list:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Open the ICAP tab.
- Select the rule that you want to modify.
This opens the Edit rule window.
- Make the necessary changes to the State, Criterion, and Value fields.
- Click Save.
The rule is modified.
To disable a rule in the ICAP exclusion list:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Open the ICAP tab.
- To the right of the rule that you want to disable in the ICAP exclusion list, in the State column, move the toggle switch to the Disabled position.
This opens a confirmation window; click Yes to confirm disabling the rule.
The rule is disabled.
Users with the Security auditor and Security officer roles cannot edit or disable rules in the list of ICAP exclusions.
Filtering rules in the ICAP exclusion list by criterion
To filter rules in the ICAP exclusion list by criterion:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Open the ICAP tab.
- Click the Criterion link to open the filter configuration window.
- Select one or more check boxes next to criteria by which you want to filter the rules:
- Format.
- User Agent.
- MD5.
- URL mask.
- Source IP or subnet.
- Click Apply.
The filter configuration window closes.
The list of ICAP exclusions displays only rules that match the specified filtering conditions. You can filter by the Value and State columns at the same time.
Filtering rules in the ICAP exclusion list by value
To filter rules in the ICAP exclusion list by value:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Open the ICAP tab.
- Click the Value link to open the filter configuration window.
- Enter a value.
- Click Apply.
The list of ICAP exclusions displays only rules that match the specified search conditions. You can filter by the Criterion and State columns at the same time.
Filtering rules in the ICAP exclusion list by state
To filter rules in the ICAP exclusion list by state:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Open the ICAP tab.
- Click the State link to open the filter configuration window.
- Select the check box next to one of the values:
- Enabled
- Disabled
- Click Apply.
The list of ICAP exclusions displays only rules that match the specified search conditions. You can filter by the Criterion and Value columns at the same time.
Clearing rule filter conditions in the ICAP exclusion list
To clear the filter conditions for rules in the ICAP exclusion list:
- In the main window of the application web interface, select the Settings section, Exclusions subsection.
- Open the ICAP tab.
- Click the icon to the right of the header of the Value, Criterion, or State column for which you want to reset the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filter conditions are cleared. The list of ICAP exclusions displays only rules that match the remaining filter conditions.
Managing mirrored traffic from SPAN ports
Users with the Senior security officer role can download dumps of mirrored traffic from SPAN ports in PCAP format from servers with the Sensor component and investigate them to detect suspicious activity.
If you are using the distributed solution and multitenancy mode, follow the steps on the PCN or SCN server to which the server with the Sensor component is connected.
To download mirrored traffic from SPAN ports:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Sensor component.
This opens a window with information about the component.
- Click Download traffic.
The download options window is displayed.
In the Internal storage section, the Oldest packet field displays the date and time of the first saved dump in the internal storage. In the Used / maximum field, the first number indicates the occupied space in the internal storage, and the second number indicates the total size of the internal storage. The External storage section displays the storage status: Connected or Not connected.
- Do the following:
- In the Period of traffic to download, set the bounds for the period for which you want to download traffic dumps.
If recorded traffic does not exist for your selected period, when you click Download traffic, Kaspersky Anti Targeted Attack Platform suggests selecting the period from the first recorded network traffic dump to the last. If no recorded dumps exist at all, a warning is displayed indicating the lack of data for the specified period.
- In the Download volume limit field, you can specify the maximum amount of traffic to be downloaded.
If the amount of downloaded traffic exceeds the specified limit, the newest traffic is dropped.
- If necessary, enable filtering under Filtering by monitoring points and specify the monitoring points from which you want to get traffic.
- If necessary, enable filtering in the Filtering using BPF section and enter a filtering expression using the Berkeley Packet Filter (BPF) technology. The BPF filtering expression is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
Example of a filter expression:
tcp port 102 or tcp port 502
- If necessary, enable filtering in the Filtering using regular expressions section and enter an expression for filtering based on payload data in traffic.
Example of a filtering expression:
^test.+xABxCD
- Click Download traffic.
Dumps of mirrored traffic from SPAN ports are downloaded in PCAP format.
Recommendations for sequential traffic download requests
We recommend taking into account the time it takes to process the previous traffic download request when sending a new one.
If the next traffic download request arrives before the previous one has completed, dump file download may fail without any error messages.
The request processing time depends on various factors: the search range, the volume of traffic to be downloaded, and the speed of the connection between the Sensor, the server and the client computer.
The volume of traffic to be downloaded depends on the client's requirements; small volumes can be downloaded in a matter of seconds. If the user attempts to download all available traffic, a download speed limit of 50 MB/s (megabytes per second, about 400 Mbps) is applied. This limitation protects the system from overload caused by downloading a large volume of traffic. At 50 MB/s, downloading 1 GB of traffic takes about 20 seconds, and 1 TB takes about 5.5 hours.
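Because a second download request sent before the first completes can fail silently, it is often cheaper to download one wider dump and narrow it locally. The following is an added example (not part of Kaspersky Anti Targeted Attack Platform) that applies the same two kinds of filter the download dialog offers, a port filter of the "tcp port 102 or tcp port 502" shape and a regular expression over the TCP payload, to a PCAP file that has already been downloaded. It only implements that port-list subset of BPF, not a general BPF evaluator, and parses Ethernet/IPv4/TCP frames from a little-endian, microsecond-resolution pcap only; the payload pattern and the four-frame capture below are constructed for the example.

```python
"""Offline post-filter for a PCAP dump downloaded from a Sensor.

Added example, not product code. Narrows an already-downloaded dump by TCP
port list (the "tcp port A or tcp port B" shape of BPF filter) and by a
regular expression over the raw TCP payload. Handles little-endian,
microsecond pcap with Ethernet/IPv4/TCP frames only. The sample capture is
constructed in memory.
"""
import re
import struct
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1      # big-endian / nanosecond magics are not handled


def read_pcap(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (timestamp_sec, frame) for each record of a little-endian pcap."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def tcp_fields(frame: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (src_port, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                    # IPv4 protocol: 6 = TCP
        return None
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    total_len = struct.unpack_from("!H", frame, 16)[0]
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    return sport, dport, frame[tcp + doff:14 + total_len]


def filter_dump(data: bytes, ports: List[int],
                payload_regex: Optional[bytes] = None) -> List[Tuple[int, int, int, bytes]]:
    """Keep TCP segments with either port in `ports` (like 'tcp port 102 or
    tcp port 502') and, if given, a payload matching `payload_regex`."""
    pat = re.compile(payload_regex, re.DOTALL) if payload_regex else None
    kept = []
    for ts, frame in read_pcap(data):
        fields = tcp_fields(frame)
        if fields is None:
            continue
        sport, dport, payload = fields
        if sport not in ports and dport not in ports:
            continue
        if pat is not None and not pat.search(payload):
            continue
        kept.append((ts, sport, dport, payload))
    return kept


# ---- constructed sample capture (not real traffic) -------------------------
def _frame(sport: int, dport: int, payload: bytes) -> bytes:
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    frames = [
        _frame(50001, 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # Modbus/TCP
        _frame(50002, 443, b"\x16\x03\x01"),                                      # dropped by port
        _frame(50003, 102, b"test-frame-\xab\xcd"),                               # port 102, regex hit
        _frame(50004, 102, b"TPKT"),                                              # port 102, regex miss
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(fr), len(fr)) + fr
    return out


if __name__ == "__main__":
    for ts, sport, dport, payload in filter_dump(build_sample_pcap(), [102, 502], rb"^test.+\xab\xcd"):
        print(ts, sport, dport, payload)
```

On a real download, replace build_sample_pcap() with the file contents (open("dump.pcap", "rb").read()); the port list and regex correspond directly to the Filtering using BPF and Filtering using regular expressions fields of the dialog, so the same criteria can be reproduced locally without a second request.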
Creating a list of passwords for archives
The application does not scan password-protected archives. You can create a list of the most frequently encountered passwords for archives that are used when exchanging files within your organization. If you do so, the application will try passwords from the list when scanning an archive. If one of the passwords matches, the archive is unlocked and scanned.
The list of passwords set in application settings is also transmitted to the server with the Sandbox component.
To create a list of archive passwords:
- In the window of the application web interface, select the Settings section, Passwords for archives subsection.
- In the Passwords for archives field, enter the passwords that the application will use for password-protected archives.
Enter each password on a new line. You can enter up to 50 passwords.
- Click Apply.
The list of passwords for archives is created. When scanning password-protected PDF files and Microsoft Word, Excel, and PowerPoint files, the application also uses the passwords from the defined list.
Users with the Security auditor role can view the list of passwords for archives, but cannot edit it.
Managing Central Node or Sensor server information
Users with the Security auditor role can view information about servers with the Central Node and Sensor components.
Information about servers with the Central Node or Sensor components is displayed in the Sensor servers of the application web interface window.
This section displays cards of components (on the left) and cards of network interfaces detected on these components (to the right of each component).
Above the card of the Sensor component is the card of the Central Node component to which the Sensor is connected.
If the Central Node component is deployed with Embedded Sensor, the name of that Sensor component is displayed in the card as Embedded Sensor.
The network interface card displays the following information:
- Network interface name
- MAC address of the network interface
- IP address of the network interface
- Network interface bandwidth
If a monitoring point has been added to the network interface, the following information about the monitoring point is displayed in the card of the network interface:
- Monitoring point name.
- Technology mode is the state of the technology inheritance functionality. It can be Enabled or Disabled.
You can view details of the Central Node and Sensor components and the network interfaces discovered on these components.
To view component or network interface details:
Click its card.
The Settings tab for the Central Node and Sensor components displays the following information:
- Status is the current status of the component indicated by an icon and text description.
- Node type indicates the application component: Server (Central Node component) or Sensor (Sensor component).
- Disk space currently used by the application is the disk space occupied by application files. Includes installed files and files created by the application in the course of its operation.
- Maximum disk space that can be used by the application is the disk space that can be occupied by application files. Includes installed files and the sum total of all space limits configured in data storage rules. This value may not exceed the amount of available disk space.
- Occupied on disk is the disk space used by all files. Includes application files, operating system files, and files of other applications. The space is calculated on the disk that contains the /var directory in the file system of the component.
- Free disk space is the disk space that is not used by files. The space is calculated on the disk that contains the /var directory in the file system of the component.
- Total disk space is the total volume of disk space on the drive that contains the /var directory in the file system of the component.
- BPF filtering indicates whether filtering using the Berkeley Packet Filter (BPF) technology based on address parameters in network packets is enabled or disabled.
- External storage for traffic dump files indicates the connection status of the external storage. The following statuses may be displayed: Connected, Not connected.
- Retention rules indicate current and maximum values of size, number of items, and storage duration of application data.
For the Sensor component, in addition to the Settings tab, the External storage, Other, ICAP integration, POP3 integration, and SMTP integration tabs are also displayed.
- The External storage tab displays information about the configuration of the external storage for mirrored SPAN traffic.
- On the Other tab, the following information is displayed:
- Maximum size of scanned file is the current limit on the size of files that can be scanned by the component.
- Dump HTTP body indicates whether HTTP body content dumping is enabled or disabled.
- The ICAP Integration tab displays the settings of integration with a proxy server via ICAP.
- The POP3 Integration tab displays the POP3 mail server integration settings.
- The SMTP Integration tab displays the SMTP mail server integration settings.
For a network interface that does not have a monitoring point added, the following information is displayed in the details area:
- Network interface is the name of the network interface in the operating system.
- Connection is an icon indicating whether a network cable is connected to the Ethernet port of the network interface (connected or disconnected). The icon blinks when the Ethernet port indication mode is enabled.
- MAC address is the MAC address of the network interface.
- IP address is the IP address of the network interface. If multiple IP addresses are found on the network interface, a maximum of 16 IP addresses are displayed in the details area.
If a monitoring point has been added to the network interface, the following information is displayed in the card of the network interface:
- Status is the current status of the monitoring point indicated by an icon and a text description:
- OK. The monitoring point is available.
- Switchover. The operating mode of the monitoring point is being changed.
- Error. An error was detected when switching over the operating mode of the monitoring point.
- Connection is an icon indicating whether a network cable is connected to the Ethernet port of the network interface (connected or disconnected). The icon blinks when the Ethernet port indication mode is enabled.
- Network interface is the name of the network interface in the operating system.
- Mode is the current mode of the monitoring point:
- Enabled.
- Disabled.
- On the Settings tab:
- Inheritance of technologies indicates whether inheritance of technologies is enabled or disabled for the server.
- MAC address is the MAC address of the network interface.
- IP address is the IP address of the network interface.
Viewing server settings
Users with the Security auditor role can view Central Node server and PCN settings in distributed solution and multitenancy mode.
The server settings are located in the Settings section of the web interface window. In this section, you can view the following information:
- Users—List of user accounts of application web interface users.
- General settings—General settings of the server.
- Database update—Database update.
- Monitoring—Maximum allowed hard drive space usage for Central Node and Sensor servers.
- SNMP—SNMP connection settings.
- Authentication policies—Password policy settings.
- Certificates—Status of server certificates and computers with the Endpoint Agent component.
- Date and time—Server date and time settings.
- Endpoint Agents—Program functionality available when integrating with the Endpoint Agent component.
- IOC scanning schedule—Settings for the IOC scan schedule.
- Send files to Sandbox automatically—Automatically send files to be scanned by the Sandbox component.
- Activity indicators—Activity indicators of the Endpoint Agent component.
- Remove inactive hosts automatically—Automatic removal of inactive hosts from the Endpoint Agents table.
- Send files from hosts for analysis to Sandbox manually—Manual sending of files to be scanned by the Sandbox component.
- Use TAA (IOA) rules for chains of events—Use TAA (IOA) rules to scan chains of events. This functionality is disabled by default.
- ICAP traffic scanning—Settings of integration with a proxy server via ICAP.
- Connection servers—Servers that act as integration servers for the Endpoint Agent component.
- Connectors—Connector settings.
- Secrets—Settings of secrets.
- Event types—Settings of event types.
- Risk types—Settings of risk types.
- KSN/KPSN and MDR—Settings for participation in Kaspersky Security Network and Kaspersky Private Security Network.
- KPSN reputation database—Settings for using the KPSN reputation database.
- SIEM system—Settings for integration with a SIEM system.
- Notifications—Notification settings.
- VIP status—List of rules for assigning the VIP status to alerts.
- Exclusions—List of allowed objects and lists of exclusions from TAA and IDS rules.
- Network settings—Settings for the network interface parameters.
- Allow rules—Rules for controlling the interactions of devices on the network.
- Passwords for archives—List of passwords for archives.
- License—State of the license key.
Viewing the table of servers with the Sandbox component
Users with the Security auditor role can view the table of servers with the Sandbox component.
The table of servers with the Sandbox component is located in the Sandbox servers section, on the Servers tab of the application web interface window.
The Certificate fingerprint field displays the fingerprint of the TLS certificate of the Central Node server.
The Server list table contains the following information:
- IP and name—IP address or fully qualified domain name of the server with the Sandbox component.
- Certificate fingerprint—Certificate fingerprint of the server with the Sandbox component.
- Authorization—Status of the request to connect to the Sandbox component.
- Status—Status of the connection to the Sandbox component.
Users with the Security officer role cannot view the table of servers with the Sandbox component.
Viewing the settings of the set of operating systems used for scanning objects in Sandbox
Users with the Security auditor role can view the settings of a set of operating systems used as the basis for creating tasks for scanning objects by the Sandbox component. The Sandbox server must have virtual machines installed that match the selected set.
Information about the settings of the set of operating systems for scanning objects in Sandbox is located in the Sandbox servers section, on the Settings tab of the application web interface window.
Sets of operating systems on which the Sandbox component can scan objects are displayed under OS set.
Operating systems that are part of the selected set are displayed under Set composition.
Viewing the table of external systems
Users with the Security auditor role can view the table of external systems.
The table of external systems is in the External systems section of the application web interface window.
The Certificate fingerprint field displays the fingerprint of the TLS certificate of the Central Node server.
The Server list table contains the following information:
- Sensor—IP address or domain name of the external system server.
- Type—Type of external system (mail sensor or other system).
- Name—Name of the integrated external system that is not a mail sensor.
A dash is displayed in this column for a mail sensor.
- ID—ID of the external system.
- Certificate fingerprint—Fingerprint of the TLS certificate of the server with the external system used to establish an encrypted connection with the Central Node server.
The certificate fingerprint of the server with the Central Node component is displayed in the upper part of the window in the Certificate fingerprint field.
- State—State of the integration request.
Users with the Senior security officer and Security officer roles cannot view the table of external systems.