Kaspersky Anti Targeted Attack Platform
7.0
English

Contents

Filtering objects on the network interactions map

This section provides instructions on filtering objects on the network interactions map to limit the number of nodes and links displayed.

In this section:

Comprehensive filtering of nodes and links

Filtering of nodes

Filtering links

Resetting filtering criteria
Page top
[Topic 181405]

Comprehensive filtering of nodes and links

This section contains instructions on comprehensive filtering of nodes and links.

In this section

Filtering using a period on the timeline

Filtering by registered events
Page top
[Topic 283733]

Filtering using a period on the timeline

To filter nodes and links, you can select a time period on the timeline. The timeline is displayed in the lower part of the network interactions map window.

The timeline contains the following elements:

  • The starting date and time of the timeline.
  • Periods when events with scores of 4.0 and higher were recorded. These periods are displayed as red bars in the lower part of the scale. Periods are not displayed if the configured length of the timeline is more than seven days.
  • Filtering period. This period is displayed as a yellow bar with dragging handles at both ends.
  • Graph of traffic volume processed by the application. The graph is not displayed if the configured length of the timeline is more than seven days.
  • The end of the timeline. Depending on the filtering period, the end of the timeline is displayed as a date and time (if a date and time is specified) or as a Now link.

The following types of filtering periods are possible:

  • Period with reference to the current moment. The right end of such a period coincides with the right end of the timeline corresponding to the current moment.
  • Period without reference to the current moment. A period of this type can be placed anywhere in the timeline.

To configure filtering of objects by period with reference to the current moment:

  1. Click the Now button to the right of the timeline. This button is not displayed if the period is already defined with reference to the current moment.
  2. If you want to specify a different length of the period, do one of the following:
    • Drag the left end of the yellow period bar to the required position (the maximum length of period is 7 days).
    • Open the settings window by clicking the button above the yellow period bar, select the Anchor to boundary check box, then select a duration (Hour, Day, 7 days) and click OK.

The network interactions map displays only those nodes and connections for which interactions were detected from the beginning of the specified period to the current moment.

To configure filtering by period without reference to the current moment:

  1. If the period you want to set is out of bounds of the timeline, change the start and/or end date and time of the timeline:
    1. To change the start date and time of the timeline, click the link in the left part of the timeline to open a window and in that window, select one of the following options:
      • Day.
      • 7 days.
      • 30 days.
      • Set the date. For this option, specify a date and time in the displayed field.
    2. To change the end date and time of the timeline, click the link in the right part of the timeline to open a window and in that window, select one of the following options:
      • Now.
      • Specify a date. For this option, specify a date and time in the displayed field.
  2. Set the period you want. To do so, do one of the following:
    • Drag the period on the timeline to where you want it to be.
    • Move one or both edges of the yellow period bar on the timeline to where you want the period to be (the maximum length of a period is 7 days).
    • Open the settings window by clicking the button above the yellow period bar, then select a duration (Hour, Day, 7 days) and click OK.
  3. If the period is automatically anchored to the current moment (when you move the period to the extreme right position, the Now button to the right of the timeline is no longer displayed) and you don't want this, disable the automatic anchoring. To do so, open the settings window by clicking the button above the yellow period bar, clear the Anchor to boundary check box and click OK.
Page top
[Topic 283735]

Filtering by registered events

On the network interactions map, you can display nodes and links whose information is stored in events associated with the selected nodes.

You can use the filtering functionality if no more than 200 nodes are selected on the network interactions map. You can select nodes either individually or as part of collapsed groups that include the required devices. When you select a collapsed group, all devices in child groups at all nesting levels also end up in the selection.

You can use the following ways of filtering by events:

  • Initial filtering by events. Use this method to filter objects by events associated only with the selected nodes.
  • Additional filtering by events. Use this method when the initial filtering by events already has been performed (for example, when going to the network interactions map from the table of events) and you need to supplement the filter with events associated with additional selected nodes from among the network interactions displayed on the network interactions map.

To display nodes and links based on initial event filtering:

  1. On the network interactions map, select one or more nodes and/or collapsed groups.

    To select multiple nodes and/or groups, do one of the following:

    • Press and hold the SHIFT key, then use the mouse to select a rectangular area with the objects that you want to select.
    • Press and hold the CTRL key and click every object that you want to select.
  2. In the toolbar above the network interactions map, open the Event filter drop-down list.
  3. In the drop-down list, select Filter.

The network interaction map displays only nodes and links whose information is contained in events associated with the selected nodes. In the toolbar above the network interactions map, a list is displayed with event IDs (the IDs are listed in the chronological order of detection of the associated events).

To add nodes and links to the displayed objects using additional filtering by events:

  1. Make sure the initial filtering by events already has been performed. To do so, look for the list of event IDs in the toolbar above the network interactions map.
  2. From among the displayed nodes on the network interactions map, select nodes whose associated events you want to add to the filter.

    The details area is displayed in the right part of the web interface window.

  3. In the toolbar above the network interactions map, open the Event filter drop-down list.
  4. In the drop-down list, select Add to filter.

The network interaction map additionally displays nodes and links whose information is contained in the events associated with the selected nodes. IDs of detected events are added to the list of IDs in the toolbar.

Page top
[Topic 283736][Topic 283737]

Filtering nodes by device status

To filter nodes by device status:

  1. In the toolbar above the network interactions map, open the Device statuses drop-down list.

    A list is displayed with status names for devices known to the application (Unauthorized, Authorized, Archived), as well as the Unknown device status for devices that application does not recognize.

  2. In the drop-down list, select check boxes for statuses that you want to use as a filtering condition for nodes displayed on the network interactions map.
  3. Click OK.

The network interactions map displays only those nodes that represent devices with selected statuses.

Page top
[Topic 283738]

Filtering nodes by device security state

To filter nodes by device security state:

  1. In the toolbar above the network interactions map, open the Device states drop-down list.

    A list is displayed containing the security state names of the devices (OK, Warning, Critical).

  2. In the drop-down list, select check boxes for security states that you want to use as a filtering condition for nodes displayed on the network interactions map.
  3. Click OK.

The network interactions map displays only those nodes that represent devices with selected security states.

Page top
[Topic 283739]

Filtering nodes by device category

To filter nodes by device category:

  1. In the toolbar above the network interactions map, open the Device categories drop-down list.

    A list is displayed containing the names of categories of devices known to the application as well as special categories for unknown devices.

  2. In the drop-down list, select check boxes for categories that you want to use as a filtering condition for nodes displayed on the network interactions map.
  3. Click OK.

The network interactions map displays only those nodes that represent devices of the selected categories.

Page top
[Topic 283740]

Showing and hiding nodes linked to filtered nodes

After filtering the nodes, the network interactions map displays only those nodes that satisfy the specified filtering conditions. However, for a node to be displayed on the network interactions map, this node must have a link to another displayed node. If, given the specified filtering conditions, not all nodes are displayed with which the node has interactions, such a node is also not displayed on the network interactions map. Filtering is applied in the same way to nodes rolled up into the common node of unknown devices: if not all nodes that have interactions with an unknown devices node, this node is excluded from the list of nodes of the common node of unknown devices.

If necessary, you can show the network interactions of all nodes associated with the filtered nodes. All nodes that have been interacted with will be displayed together with the filtered nodes (regardless of the current filtering conditions).

To show or hide nodes associated with filtered nodes:

Use the Linked devices toggle switch in the toolbar above the network interactions map.

Page top
[Topic 283741]

Filtering links

This section contains instructions on how to filter links.

In this section

Filtering links by severity score

Filtering links by communication protocol

Filtering links by OSI model layer
Page top
[Topic 283742]

Filtering links by criticality score

To filter links on the network interactions map by their severity scores:

  1. In the toolbar above the network interactions map, open the Scores of links drop-down list.

    A list of event severity levels and ranges is displayed: Low (0.0–3.9), Medium (4.0–7.9), High (8.0–10.0); as well as the No events item, which lets you filter links that have no registered events.

  2. In the drop-down list, select the check boxes for the severity levels by which you want to filter.
  3. Click OK.

The network interaction map displays only links that have associated events with selected severity levels.

Page top
[Topic 283743]

Filtering links by communication protocol

To filter links on the network interactions map by protocol:

  1. In the toolbar above the network interactions map, open the Protocols drop-down list.

    This opens a window with a table of protocols displayed as a protocol stack tree. You can control the display of tree nodes using the + and - buttons next to the names of protocols that encompass protocols of the next tiers.

    The table columns contain the following information:

    • Protocol is the name of the protocol in the protocol stack tree.
    • EtherType is the number of the next-layer protocol encapsulated by the Ethernet protocol (if the protocol has a specified number). Displayed in decimal format.
    • IP number is the number of the next-layer protocol encapsulated by the IP protocol (if the protocol has a specified number). Specified only for protocols that are part of the IP protocol structure. Displayed in decimal format.
  2. If necessary, use the search bar above the table to find the protocols that you need.
  3. In the list of protocols, select check boxes for protocols that you want to use in search conditions.

    If you select or clear the check box for a protocol that contains nested protocols, check boxes are also automatically selected or cleared for all nested protocols.

  4. Click OK.

Only links that used the selected protocols are displayed on the network interactions map.

Page top
[Topic 283744]

Filtering links by OSI model layer

You can filter links by interaction layers that correspond to the layers of the Open Systems Interconnection (OSI) network protocol stack.

To filter link on the network interactions map by OSI model layers:

  1. In the toolbar above the network interactions map, open the OSI model layers drop-down list.

    A list of OSI model layer names is displayed:

    • Data Link. This layer includes connections that used MAC addresses to communicate with devices.
    • Network. This layer includes connections that used IP addresses to communicate with devices.
  2. In the drop-down list, select check boxes for OSI model layers that you want to use as a filtering condition for links displayed on the network interactions map.
  3. Click OK.

Only links that belong to the selected OSI model layer are displayed on the network interactions map.

Page top
[Topic 283745]

Resetting filtering criteria

You can reset specified node and link filtering criteria to their default condition.

To reset specified filtering criteria on the network interactions map:

In the toolbar above the network interactions map, click Default filter (the button is displayed if non-default filtering criteria are specified).

The network interactions map displays all nodes and links for which interactions were detected during the specified period.

Page top
[Topic 283746]