Kaspersky Anti Targeted Attack Platform

Managing technologies

Kaspersky Anti Targeted Attack Platform uses various technologies to analyze network traffic. You can enable or disable the technologies individually. For the Device Activity Detection (AM) technology, you can select the mode: learning mode or monitoring mode.

We recommend enabling learning mode for a predetermined period so that the application automatically switches the technology to monitoring mode at the right time. Monitoring mode is the normal mode of the technology (as opposed to learning mode, in which the application only accumulates data for future use). When setting up learning mode, you can configure the time when you want the technology to switch to monitoring mode.

You can specify the same technology settings for all components and monitoring points, or you can specify special settings for some components and/or monitoring points. Technology settings can be automatically inherited from parent objects to child objects. If technology inheritance is enabled for a component or monitoring point, the technology settings specified for the parent object (Central Node or Sensor) are applied to that object. If technology inheritance is disabled, you can configure special settings for technologies on that component or monitoring point.

By default, all technologies are enabled after application installation. Learning mode is enabled by default for technologies that support modes.

In this section

Enabling or disabling technologies

Configuring Device Activity Detection mode

Managing technology inheritance


Enabling or disabling technologies

You can enable or disable technologies for Central Node and Sensor components and for monitoring points. However, enabling and disabling technologies for Sensor components and monitoring points is available only if technology inheritance is disabled on these objects.

Some technologies include methods that can be enabled or disabled individually. If a technology or method is disabled, the application does not monitor device interactions using the technology or method. However, you can still manage application settings related to disabled technologies or methods (for example, add or edit rules).

The following technologies and methods support enabling and disabling:

  • Asset Management, hereinafter also "AM":
    • Device Activity Detection.
    • Device Information Detection.
    • Network Session Detection.
  • Intrusion Detection, hereinafter also "IDS":
    • Rule-based Intrusion Detection.
    • ARP Spoofing Detection.
    • IP Protocol Anomaly Detection.
    • TCP Protocol Anomaly Detection.
    • Brute-force Attack and Scan Detection.

To change the state of technologies and methods:

  1. Select the Sensor servers section in the window of the application web interface.
  2. Click the card of the relevant component or monitoring point.

    This opens a window with information about the component or monitoring point.

  3. If you want to change the state of technologies and methods for a Sensor component or a monitoring point, set the Inherit Server technologies toggle switch to Disabled.
  4. Use the toggle switches in the left part of the window to enable or disable technologies and/or methods. You can enable or disable all technologies and methods simultaneously by clicking Enable all or Disable all.
  5. After enabling or disabling a technology or method, wait until the changes are applied. The switch does not become available again until the transition to the other state is completed.

The state of the technologies and methods is changed.

See also

Configuring Device Activity Detection mode


Configuring Device Activity Detection mode

You can configure the learning mode or enable the monitoring mode for the Device Activity Detection (AM) technology.

To change and configure the mode of the technology:

  1. Select the Sensor servers section in the window of the application web interface.
  2. Click the card of the relevant component or monitoring point.

    This opens a window with information about the component or monitoring point.

  3. If you want to configure the mode of the technology for a Sensor component or a monitoring point, set the Inherit Server technologies toggle switch to Disabled.
  4. In the drop-down list to the right of the technology name, select a mode (Learning or Monitoring).
  5. After selecting the mode, wait for the changes to be applied. Before the mode is applied, the Changing status is displayed in the drop-down list.
  6. If you want to specify the date and time when the technology must switch from learning mode to monitoring mode, click the Set until link and select a date and time. If a date and time have been configured before, they are displayed next to the name of the mode.

The mode of the technology is configured.

See also

Enabling or disabling technologies


Managing technology inheritance

You can enable technology inheritance if you want technology settings configured for the parent object to be automatically applied to a Sensor component or monitoring point. This means the Sensor component gets the technology settings of the Central Node component, and the monitoring point gets the settings of the component on which the monitoring point was added (Central Node or Sensor).

If necessary, you can disable technology inheritance for the Sensor component or the monitoring point. You may need to do this to specify special technology settings.

To enable or disable technology inheritance for a Sensor component or monitoring point:

  1. Select the Sensor servers section in the window of the application web interface.
  2. Click the card of the relevant component or monitoring point.

    This opens a window with information about the component or monitoring point.

  3. Set the Inherit Server technologies toggle switch as necessary.

Technology inheritance for a Sensor component or monitoring point is enabled or disabled.
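
The inheritance rules described above can be checked offline against an inventory of components and monitoring points. The following Python code is an added example, not Kaspersky code or a product API; it resolves which object's settings actually apply to each component or monitoring point and reports disabled technologies and Device Activity Detection left in learning mode with no switch time. The Obj model, its field names and the sample topology are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Obj:
    """Central Node, Sensor or monitoring point (hypothetical model)."""
    name: str
    parent: Optional["Obj"] = None      # None for the Central Node
    inherit: bool = True                # "Inherit Server technologies" toggle
    disabled: set = field(default_factory=set)  # technologies/methods switched off
    am_mode: str = "Learning"           # Device Activity Detection mode (default)
    switch_at: Optional[str] = None     # "Set until" date and time, if any

def source_of(obj):
    """Return the object whose technology settings actually apply to obj."""
    # Inherited settings come from the parent; if the parent inherits too,
    # the settings it passes down are themselves its parent's.
    while obj.parent is not None and obj.inherit:
        obj = obj.parent
    return obj

def audit(objects):
    """List (object, finding) pairs for reduced detection coverage."""
    findings = []
    for obj in objects:
        src = source_of(obj)
        for tech in sorted(src.disabled):
            findings.append((obj.name, f"{tech} disabled (set on {src.name})"))
        am_on = "Device Activity Detection" not in src.disabled
        if am_on and src.am_mode == "Learning" and src.switch_at is None:
            findings.append((obj.name, "Device Activity Detection in learning "
                             f"mode with no switch time (set on {src.name})"))
    return findings

# Constructed sample topology, not taken from a real deployment.
central = Obj("Central Node", am_mode="Monitoring")
sensor1 = Obj("Sensor-1", parent=central)
mp1 = Obj("MP-1", parent=sensor1)
sensor2 = Obj("Sensor-2", parent=central, inherit=False,
              disabled={"ARP Spoofing Detection"})
mp2 = Obj("MP-2", parent=sensor2)
mp3 = Obj("MP-3", parent=sensor2, inherit=False, am_mode="Monitoring")
TOPOLOGY = [central, sensor1, mp1, sensor2, mp2, mp3]

if __name__ == "__main__":
    for name, finding in audit(TOPOLOGY):
        print(f"{name}: {finding}")
```

In the sample, MP-2 inherits from Sensor-2, so the method disabled on Sensor-2 and its open-ended learning mode are reported for both objects, while MP-3 with inheritance disabled is judged on its own settings.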

See also

Enabling or disabling technologies

Configuring Device Activity Detection mode
