Kaspersky Anti Targeted Attack Platform

Contents

[Topic 209940]

Viewing the table of devices

To manage devices, the application generates a table of devices. The application considers all devices in the table to be known devices.

To view the table of devices:

  1. Select the Assets section in the application web interface window.
  2. Go to the Devices tab.

    The table of devices is displayed.

The table displays the following information:

  • Name is the name that represents the device in the application.
  • Device ID is the ID of the device assigned in Kaspersky Anti Targeted Attack Platform.
  • Status is the device status that determines whether the device is allowed to be active on the corporate LAN. A device can have one of the following statuses:
    • Authorized. This status is assigned to a device that is allowed to be active on the network.
    • Unauthorized. This status is assigned to a device that is not allowed to be active on the network.
    • Archived. This status is assigned to a device if it is no longer in use or must not be used on the network, or if the device has not been active for a long time (30 days or more) and information about this device has not been updated.
  • Address information lists MAC and/or IP addresses of the device. If a device has multiple network interfaces, each network interface can have a different MAC and/or IP address.
  • Category is the name of the category that characterizes the functional purpose of the device. Kaspersky Anti Targeted Attack Platform recognizes the following device categories:
    • Server for a computer on which server software is deployed.
    • Network device for a piece of network equipment (for example, a router, a switch).
    • Workstation for a stationary personal computer or operator workstation.
    • Mobile device for a portable electronic device with computing functionality.
    • Laptop for a portable personal computer.
    • Printer for a printing device.
    • UPS for an uninterruptible power supply connected to a computer network.
    • Network camera for a device that performs video surveillance and transmits digital imaging data.
    • Gateway for a device that connects networks by converting various interfaces (for example, Serial Ethernet) in networks with a heterogeneous data transmission medium and different protocols.
    • Storage system for a device that stores information inside memory systems.
    • Firewall for a device that acts as a firewall to scan and block unwanted traffic.
    • Switch for a device that physically connects hosts of the local network.
    • Virtual switch for a device that logically combines physical switches or software switches for virtualization systems.
    • Router for a device that forwards network packets between segments of a computer network.
    • Virtual router for a device that logically combines physical routers or routers that use multiple independent routing and forwarding tables.
    • Wi-Fi for an access point that provides wireless connection of devices from Wi-Fi networks.
    • Historian server for a server with archived data.
    • Other for a device that does not belong to any of the above categories.
  • Group is the name of the group in which the device is placed in the device group tree (contains the name of the group itself and the names of all its parent groups).
  • Security state is the security state of the device, which is determined by the existence of events related to the device. A device can have one of the following security states:
    • Critical. The device has associated events that have an 8.0–10.0 severity score.
    • Warning. The device has associated events that have a 4.0–7.9 severity score.
    • . The device has associated events that have a 0.0–3.9 severity score, or the device has no associated events.
  • Importance is the importance of the device. Importance is assigned to the device in accordance with its category. A device can have one of the following importance ratings:
    • High. Assigned to devices of the Server category.
    • Medium. Assigned to devices of the following categories: Network device, Workstation, Gateway, Storage system, Firewall, Switch, Virtual switch, Router, Virtual router, Wi-Fi, Historian server.
    • Low. Assigned to devices of the following categories: Mobile device, Laptop, Printer, UPS, Network camera, or Other.
  • Last seen is the date and time of the last recorded activity of the device.
  • Risks lists the categories of risks detected for the device. By default, the device table displays information only for current risks. To display information for all risks, you can select the Show remediated and accepted risks check box when configuring the device table.
  • Last modified is the date and time when the device information was last modified.
  • Created is the date and time when the device was added to the table of devices.
  • OS is the name of the operating system installed on the device.
  • Hardware vendor is the name of the vendor of the hardware of the device. In the details area, this parameter is called Vendor and is displayed on the General tab under Hardware.
  • Hardware Model is the name of the device model. In the details area, this parameter is called Model and is displayed on the General tab under Hardware.
  • Hardware version is the version number of the device hardware. In the details area, this parameter is called Version and is displayed on the General tab under Hardware.
  • Software vendor is the vendor name of the device software. In the details area, this parameter is called Vendor and is displayed on the General tab under Software.
  • Software name is the name of the device software. In the details area, this parameter is called Name and is displayed on the General tab under Software.
  • Software version is the version number of the device software. In the details area, this parameter is called Version and is displayed on the General tab under Software.
  • Network name is the name that represents the device on the network.
  • Labels lists labels assigned to the device.
  • EPP application is the short name of the EPP application installed on the device (if this application has communicated with Kaspersky Anti Targeted Attack Platform).
  • EPP connection is the status of the connection of the Endpoint Agent component installed on the device to the integration server. The following statuses are possible:
    • Active. Less than 24 hours have passed since the application last connected to the integration server.
    • Inactive. Over 24 hours have passed since the application last connected to the integration server.
    • N/A. The connection status is unknown.
  • Last connection to EPP is the date of the last connection of the Endpoint Agent component to the integration server.
[Topic 175616]

Viewing device information

To view device information:

  1. Select the Assets section in the application web interface window.
  2. Go to the Devices tab.
  3. Select the device for which you want to view information.

This opens a window containing information about the device.

This window can contain the following information:

  • Device information:
    • Security status is the security status of the device, which is determined by the existence of events related to the device. A device can have one of the following security states:
      • Critical. The device has associated events that have an 8.0–10.0 severity score.
      • Warning. The device has associated events that have a 4.0–7.9 severity score.
      • . The device has associated events that have a 0.0–3.9 severity score, or the device has no associated events.
    • Importance is the importance of the device to the organization. Importance is assigned to the device in accordance with its category. A device can have one of the following importance ratings:
      • High. Assigned to devices of the Server category.
      • Medium. Assigned to devices of the following categories: Network device, Workstation, Gateway, Storage system, Firewall, Switch, Virtual switch, Router, Virtual router, Wi-Fi, Historian server.
      • Low. Assigned to devices of the following categories: Mobile device, Laptop, Printer, UPS, Network camera, or Other.
    • Status is the device status that determines whether the device is allowed to be active on the corporate LAN. A device can have one of the following statuses:
      • Authorized. This status is assigned to a device that is allowed to be active on the network.
      • Unauthorized. This status is assigned to a device that is not allowed to be active on the network.
      • Archived. This status is assigned to a device if it is no longer in use or must not be used on the network, or if the device has not been active for a long time (30 days or more) and information about this device has not been updated.
    • Category is the name of the category that characterizes the functional purpose of the device.
    • Network name is the name that represents the device on the network.
    • Group is the name of the group in which the device is placed in the device group tree (contains the name of the group itself and the names of all its parent groups).
  • The Main tab:
    • Created is the date and time when the device was added to the table of devices.
    • Last modified is the date and time when the device information was last modified.
    • Last seen is the date and time of the last recorded activity of the device.
    • Address information lists MAC and/or IP addresses of the device. If a device has multiple network interfaces, each network interface can have a different MAC and/or IP address.
    • Hardware contains information about the hardware characteristics of the device.
    • Software contains information about the software of the device.
    • Endpoint Agent contains information about the Endpoint Agent component. This section is displayed if the Endpoint Agent component is installed on the device.
    • EPP application contains information about the application that is being used in the role of an Endpoint Agent component.
    • Router is the attribute that marks the device as a routing device.

      If the application cannot determine the routing device attribute automatically, you must set the attribute manually. This attribute allows the application to use additional algorithms for detecting devices that interact with each other through a router.

    • Public key is a public key for authenticating the device before establishing an SSH connection and scanning the device as part of security audit tasks.
    • Additional information contains additional information about the device specified by the user of the application (for example, description of the physical location of the device).
    • Custom fields is a set of non-standard information about the device, specified by the user of the application (for example, categories and protection classes of the device). Up to 16 custom fields can be specified for a device.
    • Dynamic fields is a set of extended device information that is detected in traffic using the Device Information Detection method. A field is displayed if the application has detected extended information.
  • Addresses tab:
    • DHCP server is the DHCP server attribute.

      This field displays Yes if the device has the DHCP server attribute.

    • DHCP relay is the DHCP relay attribute.

      This field displays Yes if the device has the DHCP relay attribute.

    • Network interface <number> contains information about the network interface of the device.
  • The Topology settings tab contains information about the last active polling of the device, as well as information about the links of the device with other nodes.
  • The Equipment tab contains information about BIOS programs and CPUs of the device, the amount of free RAM and free local disk space, and USB devices and optical drives being used. Information is displayed if it was obtained using the hardware monitoring functionality.
  • The Configurations tab contains information about obtained device configurations. Information is displayed if it was obtained by configuration monitoring tasks.
[Topic 175743]

Automatically adding and updating devices

The application can automatically add devices to the table and update device information. To enable automatic adding and updating of devices in Kaspersky Anti Targeted Attack Platform, you must enable and configure the Device Activity Detection (AM) technology. If the technology is enabled, the application adds and updates device information using data obtained from network traffic and the integration with the Endpoint Agent component.

When adding a device, the application sets a default device name using the following template: Device <internal device counter value>. This internal counter value in the device name may not match the device ID that is displayed in the Device ID column.

The application can automatically update vendor information of network equipment based on the MAC addresses of devices. To identify vendors by MAC addresses, the application looks up the MAC addresses of devices in the ranges of addresses registered in the open database of the Institute of Electrical and Electronics Engineers (IEEE). If the vendor of the network equipment is identified by its MAC address, the application keeps the name from the IEEE database.

After installing the application, a copy of the IEEE database is used, which contains information about MAC addresses and vendors at the time when the current version of the application was released. You can keep your local copy of the IEEE database up to date by installing updates.
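The vendor lookup described above can be reproduced offline against a local copy of the registry. The following is an added example, not Kaspersky's code: it assumes the local copy uses the CSV layout of the files IEEE publishes (oui.csv, mam.csv, oui36.csv, with the columns Registry, Assignment, Organization Name, Organization Address), and the registry rows and MAC addresses in it are constructed for the example, not real assignments. It goes beyond the text in two ways: it picks the most specific block when a MA-S or MA-M block sits inside a larger MA-L block, and it refuses to attribute locally administered addresses, which are outside the IEEE registry by design.

```python
"""Vendor lookup for device MAC addresses against a local copy of the IEEE registry.

Added example, not Kaspersky's code. Assumes the IEEE CSV layout
(Registry, Assignment, Organization Name, Organization Address).
The registry rows below are constructed; they are not real assignments.
"""
import csv
import io
import re
from typing import Dict, Optional

# Constructed registry rows in the IEEE CSV layout. MA-L assigns a 24-bit
# prefix (6 hex digits), MA-M a 28-bit prefix (7) and MA-S a 36-bit prefix (9);
# MA-M/MA-S blocks live inside a larger block, so the longest match must win.
SAMPLE_REGISTRY_CSV = """Registry,Assignment,Organization Name,Organization Address
MA-L,001122,"Example Registration Authority","1 Example Way Anytown US"
MA-M,0011224,"Example Medium Block, Ltd.","2 Example Road Othertown US"
MA-S,0011223AB,"Example Small Block GmbH","3 Beispielstrasse Beispielstadt DE"
"""


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or bare hex."""
    hex_digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hex_digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return hex_digits


def is_locally_administered(mac_hex: str) -> bool:
    """Bit 1 of the first octet set: locally assigned (e.g. randomized) address."""
    return bool(int(mac_hex[:2], 16) & 0x02)


def load_registry(csv_text: str) -> Dict[str, str]:
    """Map each assignment prefix (upper-case hex, no separators) to the organization."""
    registry: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        prefix = re.sub(r"[^0-9A-Fa-f]", "", row["Assignment"]).upper()
        if len(prefix) not in (6, 7, 9):
            raise ValueError(f"unexpected assignment length: {row['Assignment']!r}")
        registry[prefix] = row["Organization Name"].strip()
    return registry


def lookup_vendor(mac: str, registry: Dict[str, str]) -> Optional[str]:
    """Return the registered organization, or None if the address cannot be attributed."""
    mac_hex = normalize_mac(mac)
    if is_locally_administered(mac_hex):
        # Locally administered addresses are outside the IEEE registry by design,
        # so no vendor can be derived from them.
        return None
    for length in (9, 7, 6):  # most specific block (MA-S, then MA-M, then MA-L) first
        organization = registry.get(mac_hex[:length])
        if organization is not None:
            return organization
    return None


REGISTRY = load_registry(SAMPLE_REGISTRY_CSV)

if __name__ == "__main__":
    for sample in ("00:11:22:3A:B0:01", "00-11-22-40-00-01", "0011.2299.0001",
                   "02:11:22:3A:B0:01", "A8:BB:CC:00:00:01"):
        print(f"{sample:<20} -> {lookup_vendor(sample, REGISTRY)}")
```

Two practical consequences follow from the code: a device using a randomized (locally administered) address, as many mobile devices do, legitimately shows no vendor, and the vendor name is an inventory hint derived from the address, not evidence of what the device is.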

[Topic 175623]

Manually adding devices

This section provides instructions on manually adding devices. You can manually add a new device to the table of devices. You must specify the MAC and/or IP address of the device that you want to add.

The MAC and IP addresses of the added device must be unique within the address space to which these addresses belong. If extra address spaces are added to the application, you can add devices with the same address to different address spaces.

Only users with the Senior security officer role can manually add devices.

After adding a device, you can add process monitoring settings for the device.

In this section:

Adding a device while managing the table of devices

Adding a device while managing the topology map

Adding a device based on an unknown device node on the network interactions map

Adding a device based on an unmanaged switch on the topology map

[Topic 175678]

Adding a device while managing the table of devices

To add a device while managing the table of devices:

  1. Select the Assets section in the application web interface window.
  2. In the table of devices on the Devices tab, select the device for which you want to view information.

    This opens a window containing information about the device.

  3. Click Add device.
  4. On the Settings tab, in the details area, specify your values in the device information fields.
  5. On the Address information tab, in the details area:
    1. In the DHCP server drop-down list, select Yes if the device is a DHCP server.
    2. In the DHCP relay drop-down list, select Yes if the device is a DHCP relay.

      In learning mode, for devices that are DHCP servers and DHCP relays, these attributes are assigned automatically. You can disable automatic update of attributes (see step 6 of these instructions).

      In monitoring mode, only users with the Senior security officer role can edit attributes.

    3. In the Address space drop-down list, select the address space to which you want the device to belong.
    4. In the MAC address field, enter the MAC address of the device.
    5. In the IP address drop-down list, select the IP address assignment type (static or dynamic), and enter the IP address of the device.

      You can specify multiple IP addresses for the same network interface of a device. To create a list of IP addresses, do one of the following:

      • If you want to add an IP address, click Add IP address.
      • If you want to delete an IP address, click the trashcan icon to the right of the field with the IP address.

      If the device has multiple network interfaces, create a list of the network interfaces:

      • If you want to add a network interface, click Add interface below the settings of the last network interface.
      • If you want to delete a network interface, click the X icon to the right of the name of the network interface (if the device has two or more network interfaces).
      • If you want to enter a different name for the network interface, click the pencil icon to the right of the current name, and enter the new name in the displayed field.
  6. On the Settings and Address information tabs, in the details area, enable or disable automatic modification of certain elements of device information. To do so, click the closed padlock or open padlock icon.

    If you disable automatic updating of a device's IP address, automatic updating of the IP address type (static or dynamic) and address space information is also disabled.

  7. On the Custom fields tab in the details area, create a list of custom fields, if necessary.
  8. Click Save.

    This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with a red dot icon.

A new device appears in the table of devices with the Authorized status.

[Topic 283636]

Adding a device while managing the topology map

You can add a new device to the table of devices while managing the topology map.

To add a new device to the table of devices while managing the topology map:

  1. Select the Network map section in the application web interface window.
  2. Go to the Topology map tab.
  3. Click Add device.
  4. On the Settings tab, in the details area, specify your values in the device information fields.
  5. On the Address information tab, in the details area:
    1. In the DHCP server drop-down list, select Yes if the device is a DHCP server.
    2. In the DHCP relay drop-down list, select Yes if the device is a DHCP relay.

      In learning mode, for devices that are DHCP servers and DHCP relays, these attributes are assigned automatically. You can disable automatic update of attributes (see step 6 of these instructions).

      In monitoring mode, only users with the Senior security officer role can edit attributes.

    3. In the Address space drop-down list, select the address space to which you want the device to belong.
    4. In the MAC address field, enter the MAC address of the device.
    5. In the IP address drop-down list, select the IP address assignment type (static or dynamic), and enter the IP address of the device.

      You can specify multiple IP addresses for the same network interface of a device. To create a list of IP addresses, do one of the following:

      • If you want to add an IP address, click Add IP address.
      • If you want to delete an IP address, click the trashcan icon to the right of the field with the IP address.

      If the device has multiple network interfaces, create a list of the network interfaces:

      • If you want to add a network interface, click Add interface below the settings of the last network interface.
      • If you want to delete a network interface, click the X icon to the right of the name of the network interface (if the device has two or more network interfaces).
      • If you want to enter a different name for the network interface, click the pencil icon to the right of the current name, and enter the new name in the displayed field.
  6. On the Settings and Address information tabs, in the details area, enable or disable automatic modification of certain elements of device information. To do so, click the closed padlock or open padlock icon.

    If you disable automatic updating of a device's IP address, automatic updating of the IP address type (static or dynamic) and address space information is also disabled.

  7. On the Custom fields tab in the details area, create a list of custom fields, if necessary.
  8. Click Save.

    This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with a red dot icon.

A new device appears in the table of devices with the Authorized status.

[Topic 283640]

Adding a device based on an unknown device node on the network interactions map

While managing the network interactions map, you can add a new device to the table of devices based on the node that represents the device that the application does not recognize.

To add an unrecognized device node to the table of devices:

  1. Select the Network map section in the application web interface window.
  2. On the Network interactions map tab, select the node representing the device that the application does not recognize.

    The details area is displayed in the right part of the web interface window.

  3. Click Add to the devices table.
  4. On the Settings tab, in the details area, specify your values in the device information fields.
  5. On the Address information tab, in the details area:
    1. In the DHCP server drop-down list, select Yes if the device is a DHCP server.
    2. In the DHCP relay drop-down list, select Yes if the device is a DHCP relay.

      In learning mode, for devices that are DHCP servers and DHCP relays, these attributes are assigned automatically. You can disable automatic update of attributes (see step 6 of these instructions).

      In monitoring mode, only users with the Senior security officer role can edit attributes.

    3. In the Address space drop-down list, select the address space to which you want the device to belong.
    4. The IP address and MAC address fields are filled in automatically; we do not recommend changing these settings.

      You can specify multiple IP addresses for the same network interface of a device. To create a list of IP addresses, do one of the following:

      • If you want to add an IP address, click Add IP address.
      • If you want to delete an IP address, click the trashcan icon to the right of the field with the IP address.

      If the device has multiple network interfaces, create a list of the network interfaces:

      • If you want to add a network interface, click Add interface below the settings of the last network interface.
      • If you want to delete a network interface, click the X icon to the right of the name of the network interface (if the device has two or more network interfaces).
      • If you want to enter a different name for the network interface, click the pencil icon to the right of the current name, and enter the new name in the displayed field.
  6. On the Settings and Address information tabs, in the details area, enable or disable automatic modification of certain elements of device information. To do so, click the closed padlock or open padlock icon.

    If you disable automatic updating of a device's IP address, automatic updating of the IP address type (static or dynamic) and address space information is also disabled.

  7. On the Custom fields tab in the details area, create a list of custom fields, if necessary.
  8. Click Save.

    This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with a red dot icon.

A new device appears in the table of devices with the Authorized status. The node on the network interactions map that previously represented a device that the application did not recognize now represents a device that is known to the application.

[Topic 283645]

Adding a device based on an unmanaged switch on the topology map

While managing the topology map, you can add a new device to the table of devices based on the node that represents an unmanaged switch.

To add an unmanaged switch node to the table of devices:

  1. Select the Network map section in the application web interface window.
  2. On the Network interactions map tab, select the node representing the unmanaged switch.

    The details area is displayed in the right part of the web interface window.

  3. Click Add to the devices table.
  4. On the Settings tab, in the details area, specify your values in the device information fields.
  5. On the Address information tab, in the details area:
    1. In the DHCP server drop-down list, select Yes if the device is a DHCP server.
    2. In the DHCP relay drop-down list, select Yes if the device is a DHCP relay.

      In learning mode, for devices that are DHCP servers and DHCP relays, these attributes are assigned automatically. You can disable automatic update of attributes (see step 6 of these instructions).

      In monitoring mode, only users with the Senior security officer role can edit attributes.

    3. In the Address space drop-down list, select the address space to which you want the device to belong.
    4. In the MAC address field, enter the MAC address of the device.
    5. In the IP address drop-down list, select the IP address assignment type (static or dynamic), and enter the IP address of the device.

      You can specify multiple IP addresses for the same network interface of a device. To create a list of IP addresses, do one of the following:

      • If you want to add an IP address, click Add IP address.
      • If you want to delete an IP address, click the trashcan icon to the right of the field with the IP address.

      If the device has multiple network interfaces, create a list of the network interfaces:

      • If you want to add a network interface, click Add interface below the settings of the last network interface.
      • If you want to delete a network interface, click the X icon to the right of the name of the network interface (if the device has two or more network interfaces).
      • If you want to enter a different name for the network interface, click the pencil icon to the right of the current name, and enter the new name in the displayed field.
  6. On the Settings and Address information tabs, in the details area, enable or disable automatic modification of certain elements of device information. To do so, click the closed padlock or open padlock icon.

    If you disable automatic updating of a device's IP address, automatic updating of the IP address type (static or dynamic) and address space information is also disabled.

  7. On the Custom fields tab in the details area, create a list of custom fields, if necessary.
  8. Click Save.

    This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with a red dot icon.

A new device appears in the table of devices with the Authorized status. The node on the topology map that previously represented an unmanaged switch now represents a device that is known to the application.

[Topic 283646]

Automatically assigning device status

When monitoring device activity, the application can automatically assign a status to discovered devices based on the obtained MAC and/or IP addresses of such devices. Status is assigned depending on the current asset management mode.

In learning mode, the application assigns the Authorized status to all devices (both new and previously added to the table), except for those devices that have had the Unauthorized status assigned previously.

In monitoring mode, the assigned status depends on whether the device that has exhibited activity is a device that the application knows or does not recognize. In this mode, status is assigned according to the following rules:

  • If the device is new (it was absent from the device table at the time of discovery), this device is assigned the Unauthorized status.
  • If the device is present in the table of devices with the Authorized or Unauthorized status, its status does not change.
  • If a device is present in the table of devices with the Archived status, the device is assigned the Unauthorized status.

By default, if a device with the Authorized status has been inactive for more than 30 days and device information has not changed during this period, such a device is automatically assigned the Archived status. You can disable the automatic assignment of the Archived status when you change the device status manually (for example, to prevent the Authorized status from changing to Unauthorized for a device that rarely connects to the network).
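The status rules above (learning mode, the three monitoring-mode rules, and the default archiving rule) can be written down as a small model and run over an inventory export to check which status a device would be given. The following is an added example, not Kaspersky's code; the device records, the dates and the `auto_archive` flag that stands in for "archiving disabled on a manual status change" are assumptions made for the example.

```python
"""Model of the automatic status rules for devices in the table of devices.

Added example (not Kaspersky's code): the learning-mode and monitoring-mode
rules and the default 30-day archiving rule from the text, as plain functions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

AUTHORIZED = "Authorized"
UNAUTHORIZED = "Unauthorized"
ARCHIVED = "Archived"

# Default inactivity threshold after which an Authorized device is archived.
ARCHIVE_AFTER = timedelta(days=30)

# Fixed "current time" so the constructed examples below are reproducible.
NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)


@dataclass
class Device:
    name: str
    status: Optional[str]        # None: the device is not in the table yet
    last_seen: datetime          # last recorded activity
    last_modified: datetime      # last change to the device information
    auto_archive: bool = True    # False if archiving was disabled on a manual status change (assumed flag)


def status_on_activity(current: Optional[str], mode: str) -> str:
    """Status assigned when a device shows activity, depending on the asset management mode."""
    if mode == "learning":
        # Every device becomes Authorized, except those already marked Unauthorized.
        return UNAUTHORIZED if current == UNAUTHORIZED else AUTHORIZED
    if mode == "monitoring":
        if current is None:          # new device: absent from the table at discovery
            return UNAUTHORIZED
        if current == ARCHIVED:      # archived device that shows activity again
            return UNAUTHORIZED
        return current               # Authorized / Unauthorized are left unchanged
    raise ValueError(f"unknown asset management mode: {mode!r}")


def should_archive(device: Device, now: datetime = NOW) -> bool:
    """Default rule: Authorized, inactive for more than 30 days, no information changes since."""
    if not device.auto_archive or device.status != AUTHORIZED:
        return False
    if now - device.last_seen <= ARCHIVE_AFTER:
        return False
    # A change to the device information during the inactivity period cancels archiving.
    return device.last_modified <= device.last_seen


def make_device(name: str, status: Optional[str], seen_days_ago: int,
                modified_days_ago: int, auto_archive: bool = True) -> Device:
    """Helper for constructing sample devices relative to NOW."""
    return Device(name, status, NOW - timedelta(days=seen_days_ago),
                  NOW - timedelta(days=modified_days_ago), auto_archive)


def archive_decisions() -> Dict[str, bool]:
    """Apply the archiving rule to a few constructed devices (inputs are made up)."""
    samples = [
        make_device("dormant-server", AUTHORIZED, seen_days_ago=45, modified_days_ago=45),
        make_device("recently-edited", AUTHORIZED, seen_days_ago=45, modified_days_ago=3),
        make_device("rare-but-pinned", AUTHORIZED, seen_days_ago=90, modified_days_ago=90,
                    auto_archive=False),
        make_device("active-host", AUTHORIZED, seen_days_ago=2, modified_days_ago=2),
        make_device("already-blocked", UNAUTHORIZED, seen_days_ago=60, modified_days_ago=60),
    ]
    return {d.name: should_archive(d) for d in samples}


if __name__ == "__main__":
    for current in (None, AUTHORIZED, UNAUTHORIZED, ARCHIVED):
        print(f"{str(current):>12}: learning -> {status_on_activity(current, 'learning'):<12}"
              f" monitoring -> {status_on_activity(current, 'monitoring')}")
    for name, archive in archive_decisions().items():
        print(f"{name:>16}: {'archive' if archive else 'keep'}")
```

The `rare-but-pinned` record shows the case the text warns about: without the manual override, a rarely connecting device would be archived after 30 days and then, on its next activity in monitoring mode, become Unauthorized, which matters where a Cisco Switch connector restricts network access for Unauthorized devices.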

When using connectors of the Cisco Switch type, network access of devices may be automatically restricted after these devices get the Unauthorized status. You need to take into account the specified settings of connectors of this type to prevent blocking necessary devices because of a status change.

[Topic 175710]

Automatically grouping devices based on a criterion

This section contains instructions on how to automatically group devices based on a criterion. You can automatically group devices in the device group tree based on one of the following criteria:

  • IP addresses belonging to subnets that are known to the application
  • Device categories
  • Device vendors

Only users with the Senior security officer role can automatically group devices.

In this section

Automatically grouping devices based on a criterion, starting from the root of the group tree

Automatically grouping devices in a selected device group

[Topic 212946]

Automatically grouping devices based on a criterion, starting from the root of the group tree

To automatically group devices based on a criterion, starting from the root of the group tree:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. In the Network map section, on the Network interactions map tab, click one of the following buttons for selecting a grouping criterion in the toolbar in the left part of the network interactions map display area:
    • The network structure icon, to group devices by subnet.
    • The device types icon, to group devices by category.
    • The brand label icon, to group devices by vendor.

    This opens a prompt window in which you can select a grouping option.

  3. To group devices by category and vendor based on address spaces, in the prompt window, select the Take into account the address spaces check box.
  4. Click one of the following buttons, depending on what you want to do:
    • To group devices by subnets, click Group.
    • To group devices by category and vendor based on address spaces in all groups of the device group tree, click With child groups.
    • To group devices by category and vendor based on address spaces only at the top level of the device group tree hierarchy, click Selected only.

The application identifies devices that match the selected grouping criterion, creates groups for these devices, and arranges the devices into these groups.

[Topic 283658]

Automatically grouping devices in a selected device group

To automatically group devices in a selected device group:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. In the Network map section, on the Network interactions map tab, select the group in which you want to automatically group devices.
  3. Right-click to open the context menu.
  4. In the context menu, select one of the following commands:
    • Group by subnet.
    • Group by category.
    • Group by vendor.

    This opens a prompt window in which you can select a grouping option.

  5. To group devices by category and vendor based on address spaces, in the prompt window, select the Take into account the address spaces check box.
  6. In the prompt window, click one of the following buttons, depending on what you want to do:
    • To group devices by subnets, click Group.
    • If you want to group devices by category or vendor in all child groups of the selected group, click With child groups.
    • If you want to group devices by category or vendor only in the selected group, click Selected only.

The application identifies devices that match the selected grouping criterion, creates groups for these devices and arranges devices into these groups (devices in other groups are not affected).


[Topic 283661]

Manually arranging devices into groups

This section contains instructions on how to manually manage the placement of devices in the group tree. Only users with the Senior security officer role can arrange devices in the group tree.

In this section:

Adding a device to a group

Adding multiple devices to a group

Removing a device from a group

Removing multiple devices from groups

See also

Moving servers with components and groups to other groups on the network interactions map

[Topic 189342]

Adding a device to a group

To add an individual device to a group when managing the table:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the device in the Assets section on the Devices tab or in the Network map section.

    In the Network map section, you can select the device to add to a group on the network interactions map as well as the topology map.

    The details area is displayed in the right part of the web interface window.

  3. Click Edit.
  4. In the details area, go to the Settings tab.
  5. Click the folder-tree icon in the right part of the Group field.

    The Select group in tree window appears.

  6. In the device group tree, select the relevant group.

    If the relevant group is not in the tree, you can add it in the currently displayed Select group in tree window.

  7. Click Select.

    The path to the selected group appears in the Group field.

  8. Click Save in the details area.

    This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with a red dot icon.

[Topic 283664]

Adding multiple devices to a group

You can add multiple devices to a group while managing the table of devices.

Also, when managing the network interactions map, you can add multiple known devices to a group directly on the network interactions map. You can select component servers either individually or as part of collapsed groups that include the required devices. When you select a collapsed group, all devices in child groups at all nesting levels also end up in the selection.

To add multiple devices to a group when managing the table:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Assets section.
  3. On the Devices tab, select the devices that you want to add to a group.
  4. Right-click to open the context menu.
  5. In the context menu, select Group management → Move to group.

    The Select group in tree window appears.

  6. In the device group tree, select the relevant group.

    If the relevant group is not in the tree, you can add it in the currently displayed Select group in tree window.

  7. Click Select.

    The path to the selected group appears in the Group column.

To add multiple devices to a group when managing the network interactions map:

  1. Use the web interface to connect to the Central Node with the Security officer or Senior security officer role.
  2. In the Network map section, on the Network interactions map tab, select the relevant component servers and/or collapsed groups.

    To select multiple component servers and/or groups, do one of the following:

    • Press and hold the SHIFT key, then use the mouse to select a rectangular area with the objects that you want to select.
    • Press and hold the CTRL key and click every object that you want to select.
  3. Right-click to open the context menu.
  4. In the context menu, select Move to group.

    The Select group in tree window appears.

  5. In the device group tree, select the relevant group.

    If the relevant group is not in the tree, you can add it in the currently displayed Select group in tree window.

  6. Click Select.

    The selected component servers are displayed inside the selected group.

[Topic 283666]

Removing a device from a group

To remove an individual device from a group when managing the table:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the device in the Assets section on the Devices tab or in the Network map section.

    In the Network map section, you can select devices to remove from a group on the network interactions map as well as the topology map.

    The details area is displayed in the right part of the web interface window.

  3. Click Edit.
  4. In the details area, go to the Settings tab.
  5. In the Group field, clear the path to the group by clicking the X (clear) icon in the field (the icon is displayed only if a group is defined).
  6. Click Save.

    This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with a red dot icon.

After saving the changes for the device, its Group value is cleared and the device is assigned to the root level of the group tree.

[Topic 283671]

Removing multiple devices from groups

You can remove multiple devices from groups while managing the table of devices. Devices selected for removal from groups can belong to the same group or to different groups.

Also, when managing the network interactions map, you can remove multiple known devices from groups directly on the network interactions map. You can select component servers either individually or as part of collapsed groups that include the required devices. When you select a collapsed group, all devices in child groups at all nesting levels also end up in the selection.

To remove multiple devices from groups when managing the table:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Assets section.
  3. On the Devices tab, select the devices that you want to remove from groups.
  4. Right-click to open the context menu.
  5. In the context menu, select Group management → Remove from groups.

    This opens a confirmation prompt window.

  6. In the prompt window, confirm the removal of devices from groups.

For all selected devices, the Group value is cleared and these devices are assigned to the root level of the group tree.

To remove multiple devices from groups when managing the network interactions map:

  1. Use the web interface to connect to the Central Node with the Security officer or Senior security officer role.
  2. In the Network map section, on the Network interactions map tab, select the component servers in expanded groups and/or collapsed groups.

    To select multiple component servers and/or groups, do one of the following:

    • Press and hold the SHIFT key, then use the mouse to select a rectangular area with the objects that you want to select.
    • Press and hold the CTRL key and click every object that you want to select.
  3. Right-click to open the context menu.
  4. In the context menu, select Remove from group.

    This opens a confirmation prompt window.

  5. In the prompt window, confirm the removal of devices from groups.

For all selected devices, the Group value is cleared and these devices are displayed outside of groups.

[Topic 283679]

Moving servers with components and groups to other groups on the network interactions map

You can rearrange component servers and groups in the device group tree by dragging and dropping objects on the network interactions map. The location of moved component servers and groups in the device group tree changes in the same way as when you add devices to a group or remove devices from groups.

Only users with the Senior security officer role can move component servers and groups to other groups.

To move component servers and/or groups to other groups:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. In the Network map section, on the Network interactions map tab, select the relevant component servers and/or collapsed groups.

    To select multiple component servers and/or groups, do one of the following:

    • Press and hold the SHIFT key, then use the mouse to select a rectangular area with the objects that you want to select.
    • Press and hold the CTRL key and click every object that you want to select.
  3. Point to one of the selected objects (a group or a component server).
  4. Press and hold the CTRL key and drag the selected objects to the group you want (or to any space outside the groups if you want to move the selected objects to the top hierarchy level of the group tree).

    A window with a confirmation prompt opens.

  5. In the prompt window, confirm the movement of the selected objects.
[Topic 190837]

Device group tree

The purpose of the device group tree is to arrange devices in accordance with their function, location, or any other arbitrary attribute. Devices can be arranged into groups manually or automatically (by their IP addresses belonging to subnets, by category, or by vendor).

If a device is not included in any of the groups, such a device belongs to the top level of the group tree. Devices automatically added to the table are not included in any group by default.

You can see which groups devices belong to when viewing the device table. Paths to groups are indicated in the Group column. Device groups are also displayed on the network interactions map, however, devices belonging to these groups may not be displayed if they do not satisfy the filtering criteria for objects on the network interactions map.

[Topic 188132]

Manually editing the device group tree

You can edit the device group tree when managing the device table, the network interactions map, and the topology map. Tree creation functions are available in the Create group tree or Select group in tree window.

Only users with the Senior security officer role can create the device group tree.

To use the device group tree editing functionality:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. In the Assets section on the Devices tab or in the Network map section, do one of the following:
    • Open the Create group tree window by clicking Configure groups.

      The Configure groups button in the Assets section is available in the Group management drop-down list in the toolbar.

      The Configure groups button in the Network map section is only available on the Network interactions map tab.

    • Open the Select group in tree window while adding devices to groups. You can also open this window when filtering the table of devices by the Group column.

Any changes made to the device group tree in the Create group tree or Select group in tree window are applied immediately.

This section provides instructions on using the features for generating a device group tree.

In this section:

Adding a group

Renaming a group

Deleting groups

Moving a group

Searching for groups

Updating the tree

[Topic 188372]

Adding a group

To add a group to the device group tree:

  1. In the Create group tree or Select group in tree window, add a new group in one of the following ways:
    • If the tree is empty and you want to add the first group, click Add or press either INSERT or ENTER.
    • If you want to add a group at the same hierarchy level as an existing group, select that group and press ENTER.
    • If you want to add a child group to an existing group, select this group and click Add or press INSERT.
  2. Enter a name for the group in the text box.

    You can use letters, numbers, the space character, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } ' , . - _ /.

    The group name must satisfy the following requirements:

    • Begins and ends with any character other than a space.
    • Contains up to 255 characters.
    • Is not the same as the name of another group under the same parent group (case-insensitive).
  3. Click the green check mark icon to the right of the text box.
[Topic 283681]

Renaming a group

To rename a group in the device group tree:

  1. In the Create group tree or Select group in tree window, select the group that you want to rename.
  2. Click Rename or press F2.
  3. Enter the new name for the group in the text box.

    You can use letters, numbers, the space character, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } ' , . - _ /.

    The group name must satisfy the following requirements:

    • Begins and ends with any character other than a space.
    • Contains up to 255 characters.
    • Is not the same as the name of another group under the same parent group (case-insensitive).
  4. Click the green check mark icon to the right of the text box.

The new group name is displayed in device information for devices that are added to this group or to its child groups.

[Topic 283682]

Deleting groups

Deleting a group does not delete devices added to the group. Devices from a deleted group are moved to the same hierarchy level in the device tree as the deleted group.

To delete a group from the device group tree:

  1. In the Create group tree or Select group in tree window, select the group that you want to delete.
  2. Click the trashcan icon.

    This opens a prompt window in which you can select a deletion option.

  3. In the prompt window, click one of the following buttons, depending on what you want to do:
    • If you want to delete only the selected group and keep its child groups, click Selected only.
    • If you want to delete the selected group together with all of its child groups, click With child groups.

    This opens a confirmation prompt window.

  4. In the prompt window, click OK.
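The rules spread over Adding a group, Renaming a group and Deleting groups are easier to reason about as code. The following Python is an added example, not application code: it models the naming constraints (allowed characters, 1 to 255 characters, no leading or trailing space, case-insensitive uniqueness among siblings), the root level for devices in no group, and the two deletion options. Assumptions beyond the page: devices are keyed by their Device ID; when With child groups is used, devices of the deleted descendants also move to the deleted group's parent (the page states this only for the deleted group itself); the path shown in the Group column joins names with "/" (the page does not name the separator); name collisions produced by promoting child groups are not re-checked.

```python
import re

MAX_NAME_LEN = 255
# Letters and digits in any script, the space, and the special characters the
# page allows in group names: ! @ # № $ % ^ & ( ) [ ] { } ' , . - _ /
_NAME_RE = re.compile(r"^(?:[^\W_]|[ !@#№$%^&()\[\]{}',.\-_/])+$")


class Group:
    def __init__(self, name, parent):
        self.name = name
        self.parent = parent      # None only for the root level
        self.children = []
        self.devices = set()      # Device IDs placed directly in this group


class GroupTree:
    """The root pseudo-group holds devices that belong to no group."""

    def __init__(self):
        self.root = Group("", None)
        self.location = {}        # Device ID -> Group (root when ungrouped)

    @staticmethod
    def check_name(name, parent, renaming=None):
        """Apply the page's naming rules; raise ValueError if one is violated."""
        if not 1 <= len(name) <= MAX_NAME_LEN:
            raise ValueError("name must be 1 to 255 characters")
        if name[0] == " " or name[-1] == " ":
            raise ValueError("name must not begin or end with a space")
        if not _NAME_RE.match(name):
            raise ValueError("name contains a character that is not allowed")
        for sibling in parent.children:
            if sibling is not renaming and sibling.name.casefold() == name.casefold():
                raise ValueError("a group with this name exists under the same parent")

    def add(self, name, parent=None):
        parent = parent or self.root
        self.check_name(name, parent)
        group = Group(name, parent)
        parent.children.append(group)
        return group

    def rename(self, group, new_name):
        self.check_name(new_name, group.parent, renaming=group)
        group.name = new_name

    def place(self, device_id, group=None):
        """Add a device to a group; group=None removes it from groups (root level)."""
        target = group or self.root
        old = self.location.get(device_id)
        if old is not None:
            old.devices.discard(device_id)
        target.devices.add(device_id)
        self.location[device_id] = target

    def delete(self, group, with_children=False):
        """Delete a group. Devices are never deleted: they (and, for
        'Selected only', the child groups) move to the deleted group's parent."""
        parent = group.parent
        parent.children.remove(group)
        if with_children:
            stack = [group]
            while stack:
                current = stack.pop()
                for device_id in list(current.devices):
                    self.place(device_id, parent)   # assumption for descendants' devices
                stack.extend(current.children)
        else:
            for child in group.children:
                child.parent = parent                # promoted one level up
                parent.children.append(child)
            for device_id in list(group.devices):
                self.place(device_id, parent)

    def path(self, device_id):
        """The Group column value: '' for the root level, else 'Parent/Child'."""
        parts = []
        group = self.location.get(device_id, self.root)
        while group.parent is not None:
            parts.append(group.name)
            group = group.parent
        return "/".join(reversed(parts))
```

One caveat the model makes visible: because "/" is an allowed character in group names, a path string such as "Plant A/PLCs" is not guaranteed to identify a unique group; anything that parses the Group column (for example a filter built from an export) should treat it as display text, not as a key.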
[Topic 283684]

Moving a group

To move a group in the device group tree:

  1. In the Create group tree or Select group in tree window, select the group that you want to move.
  2. Use the arrow icons or the corresponding shortcuts (ALT+↓, ALT+↑, ALT+←, ALT+→) to move the group relative to other elements of the tree. If an operation cannot be performed, the icon of that operation is not available.
[Topic 283686]

Searching for groups

You can find relevant groups in the device group tree by using the Search groups field in the Create group tree or Select group in tree window. The device group tree displays groups that match the search conditions. For child groups, their parent groups are also displayed.

[Topic 283687]

Updating the tree

The makeup of the device group tree may be modified on the Central Node while you are managing the tree (for example, by another user who has connected to the Central Node).

You can manually update the tree by clicking the refresh icon (two circular arrows) in the Create group tree or Select group in tree window.

[Topic 283688]

Adding and removing device labels

This section provides instructions on how to add or remove device labels. The labels you add to devices can be arbitrary.

A device label contains a text description that allows you to quickly find or filter devices in the table. You can save any text descriptions that you find convenient as labels. A device can have up to 16 labels. Each device can have its own set of labels.

Lists of device labels are displayed in the devices table in the Labels column. Labels in a cell are sorted alphabetically.

Only users with the Senior security officer role can add or remove device labels.

In this section

Adding labels to an individual device

Adding labels to multiple devices

Removing labels from an individual device

Clearing the lists of labels for multiple devices

[Topic 188133]

Adding labels to an individual device

To add a label to one device:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the device in the Assets section on the Devices tab or in the Network map section.

    In the Network map section, you can select a device for adding a label on the network interactions map as well as the topology map.

    The details area is displayed in the right part of the web interface window.

  3. Click Edit.

    In the details area, go to the Settings tab.

  4. In the Labels field, enter the text descriptions that you want to use as labels. Separate labels with a newline (press ENTER) or a semicolon (;).

    You can use uppercase and lowercase letters, numbers, the space character, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } ' , . - _.

    The label name must satisfy the following requirements:

    • Begins and ends with any character other than a space.
    • Is unique in the list of that device's labels (case-insensitive).
    • Contains 1 to 255 characters.
  5. If necessary, click Copy labels to copy the list of labels. The link is displayed if the list of labels is not empty.
  6. Click Save.

    This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with a red dot icon.

[Topic 283690]

Adding labels to multiple devices

You can add labels to multiple devices while managing the table of devices.

Also when managing the network interactions map and the topology map, you can add labels to devices known to the application, represented by nodes on the maps. You can select nodes either individually or as part of collapsed groups that include the required devices. When you select a collapsed group, all devices in child groups at all nesting levels also end up in the selection.

To add labels to multiple devices while managing the table:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Assets section.
  3. On the Devices tab, select the devices to which you want to add labels.
  4. Right-click one of the selected devices to open the context menu.
  5. In the context menu, select Add labels.

    This opens the Add labels window.

  6. In the Labels field, enter the text descriptions that you want to use as labels. Separate labels with a newline (press ENTER) or a semicolon (;).

    You can use uppercase and lowercase letters, numbers, the space character, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } ' , . - _.

    The label name must satisfy the following requirements:

    • Begins and ends with any character other than a space.
    • Is unique in the list of that device's labels (case-insensitive).
    • Contains 1 to 255 characters.
  7. If necessary, click Copy labels to copy the list of labels. The link is displayed if the list of labels is not empty.
  8. If you want to clear the current lists of labels for selected devices and provide only new labels for these devices, select the Delete existing check box.

    If the Delete existing check box is cleared, the current list of labels remains on each device and the new labels are appended to it on all selected devices. For some of the selected devices, this may cause the total number of labels to exceed the limit of 16 labels per device. The application checks the limit before adding the new labels.

  9. Click OK.

    The button is not available if the names of entered labels do not meet the requirements, or if the list of labels is empty while the Delete existing check box is cleared.

To add labels to multiple devices while managing the maps:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Network map section.
  3. On the Network interactions map or Topology map tab, select the relevant nodes of known devices and/or collapsed groups.

    To select multiple nodes and/or groups, do one of the following:

    • Press and hold the SHIFT key, then use the mouse to select a rectangular area with the objects that you want to select.
    • Press and hold the CTRL key and click every object that you want to select.
  4. Right-click one of the selected objects to open the context menu.
  5. In the context menu, select Add labels.

    This opens the Add labels window.

  6. In the Labels field, enter the text descriptions that you want to use as labels. Separate labels with a newline (press ENTER) or a semicolon (;).

    You can use uppercase and lowercase letters, numbers, the space character, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } ' , . - _.

    The label name must satisfy the following requirements:

    • Begins and ends with any character other than a space.
    • Is unique in the list of that device's labels (case-insensitive).
    • Contains 1 to 255 characters.
  7. If necessary, click Copy labels to copy the list of labels. The link is displayed if the list of labels is not empty.
  8. If you want to clear the current lists of labels for selected devices and provide only new labels for these devices, select the Delete existing check box.

    If the Delete existing check box is cleared, the current list of labels remains on each device and the new labels are appended to it on all selected devices. For some of the selected devices, this may cause the total number of labels to exceed the limit of 16 labels per device. The application checks the limit before adding the new labels.

  9. Click OK.

    The button is not available if the names of entered labels do not meet the requirements, or if the list of labels is empty while the Delete existing check box is cleared.
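The label rules repeated in the three procedures above (one device, multiple devices from the table, multiple devices from the maps) can be checked before a long list is pasted into the Labels field, which matters because the application rejects the whole operation when any selected device would end up with more than 16 labels. The following Python is an added example, not application code: it parses the field as the page describes (newline or semicolon separated), validates each label, and computes the resulting list per device for both states of the Delete existing check box. Assumptions beyond the page: whitespace around each fragment is trimmed; duplicates inside the pasted list are dropped rather than rejected; the alphabetical order of the Labels column is case-insensitive.

```python
import re

MAX_LABELS = 16
MAX_LABEL_LEN = 255
# Letters and digits in any script, the space, and the special characters the
# page allows in labels: ! @ # № $ % ^ & ( ) [ ] { } ' , . - _   (no slash)
_LABEL_RE = re.compile(r"^(?:[^\W_]|[ !@#№$%^&()\[\]{}',.\-_])+$")


def parse_labels(text):
    """Split the Labels field on newlines and semicolons, validate every label,
    and drop case-insensitive duplicates (the first spelling wins)."""
    labels, seen = [], set()
    for fragment in re.split(r"[\n;]", text):
        label = fragment.strip()           # assumption: surrounding whitespace is trimmed
        if not label:
            continue                       # empty fragment, e.g. a trailing ';'
        if len(label) > MAX_LABEL_LEN or not _LABEL_RE.match(label):
            raise ValueError(f"invalid label: {fragment!r}")
        key = label.casefold()
        if key in seen:
            continue
        seen.add(key)
        labels.append(label)
    return labels


def plan_bulk_labels(devices, text, delete_existing=False):
    """Compute the label list each device would have after an 'Add labels'
    operation. `devices` maps Device ID -> current labels. With Delete existing
    cleared, new labels are appended to the current list; with it selected, the
    current list is replaced. The limit is checked for every device before any
    result is returned, mirroring the page's 'checks the limit before adding'."""
    new = parse_labels(text)
    if not new and not delete_existing:
        raise ValueError("label list is empty and Delete existing is cleared")
    result = {}
    for device_id, current in devices.items():
        if delete_existing:
            merged = list(new)
        else:
            merged = list(current)
            have = {label.casefold() for label in current}
            for label in new:
                if label.casefold() not in have:   # already present: not duplicated
                    merged.append(label)
                    have.add(label.casefold())
        if len(merged) > MAX_LABELS:
            raise ValueError(
                f"{device_id}: {len(merged)} labels would exceed the limit of {MAX_LABELS}")
        result[device_id] = sorted(merged, key=str.casefold)  # Labels column order
    return result
```

Running plan_bulk_labels over an export of the current Labels column before pasting the same text into the Add labels window tells you which device would block the operation, instead of discovering it after the OK button is pressed.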

[Topic 283691]

Removing labels from an individual device

To remove a label from one device:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the device in the Assets section on the Devices tab or in the Network map section.

    In the Network map section, you can select a device for removing a label on the network interactions map as well as the topology map.

    The details area is displayed in the right part of the web interface window.

  3. Click Edit.

    In the details area, go to the Settings tab.

  4. In the Labels field, delete the labels that you no longer need:
    • Click the X (clear) icon next to a label name to remove that individual label.
    • Click the X (clear) icon on the right side of the Labels field to delete all labels.
  5. Click Save.

    This button is unavailable if the device settings do not contain all the required information or if some of the specified settings are invalid. Tabs with settings that require a correct value are marked with a red dot icon.

[Topic 283693]

Clearing the lists of labels for multiple devices

You can clear the lists of labels for multiple devices while managing the table of devices.

Also when managing the network interactions map and the topology map, you can clear the lists of labels for devices known to the application, represented by nodes on the maps. You can select nodes either individually or as part of collapsed groups that include the required devices. When you select a collapsed group, all devices in child groups at all nesting levels also end up in the selection.

To clear the lists of labels for multiple devices while managing the table:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Assets section.
  3. On the Devices tab, select the devices for which you want to clear the lists of labels.
  4. Right-click one of the selected devices to open the context menu.
  5. In the context menu, select Add labels.

    This opens the Add labels window.

  6. Select the Delete existing check box.
  7. Click OK.

To clear the lists of labels for multiple devices while managing the maps:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Network map section.
  3. On the Network interactions map or Topology map tab, select the relevant nodes of known devices and/or collapsed groups.

    To select multiple nodes and/or groups, do one of the following:

    • Press and hold the SHIFT key, then use the mouse to select a rectangular area with the objects that you want to select.
    • Press and hold the CTRL key and click every object that you want to select.
  4. Right-click one of the selected objects to open the context menu.
  5. In the context menu, select Add labels.

    This opens the Add labels window.

  6. Select the Delete existing check box.
  7. Click OK.
[Topic 283694]

Group response

To create a task for a group of devices:

  1. Select the Assets section in the application web interface window.
  2. Go to the Devices tab.
  3. Select the devices for which you want to create a common task.

    If too many devices are listed, you can apply filters to display devices that you need. For example, you can find devices with certain labels or devices that belong to certain groups.

  4. In the Response menu, select a task type.

    This opens the task creation window.

  5. Specify the task settings, which depend on the task type.
  6. Click Save.

The task is created.

See also

Viewing the table of devices

Viewing device information

Automatically adding and updating devices

Manually adding devices

Automatically assigning device status

Automatically grouping devices based on a criterion

Manually arranging devices into groups

Moving servers with components and groups to other groups on the network interactions map

Device group tree

Manually editing the device group tree

Adding and removing device labels

Monitoring device users

Monitoring file execution on devices

Active device polling jobs

[Topic 294072]

Monitoring users on devices

Kaspersky Anti Targeted Attack Platform can monitor user accounts on devices known to the application. When monitoring users, the application automatically gets information about user accounts registered in the operating systems of the devices. Based on this information, the application generates user tables.

The application monitors all user accounts on devices except certain local system accounts that can be used only by operating system services. For example, the application does not monitor the LocalSystem and NetworkService accounts on Windows devices.

To use the user monitoring functionality, Asset Management methods must be enabled to detect device activity and device information. These methods must be enabled on all servers with application components from which information is received.

User monitoring is based on information received from the following types of sources:

  1. Telemetry (Endpoint Agent)

    Information about devices and the processes running on these devices is received when the Endpoint Agent component is integrated with the NDR functionality.

  2. External source

    Information is received from systems that use the Kaspersky Anti Targeted Attack Platform API NDR and send information about users to Kaspersky Anti Targeted Attack Platform.

Sources are listed in order of decreasing priority. The application processes user information according to the priority of its source: information from a higher-priority source may override information received from other sources. The application also automatically removes a user from the tables if information about that user was obtained from an External source and the user is missing from new information received from that source.
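The priority and removal rules in the previous paragraph decide whose view of an account wins when both sources report it, and when an account silently disappears from the table. The following Python models those rules; it is an added example, not application code. Assumptions the page does not state: a user is identified by (device, SID); a stored record is replaced only when the incoming source has the same or higher priority than the source that produced it; a batch from an External source is a complete snapshot for the devices it mentions, so External-sourced users on those devices that are absent from the batch are removed. The device names and SIDs are constructed sample values.

```python
from dataclasses import dataclass

# Sources in order of decreasing priority, as listed on the page (lower = higher).
PRIORITY = {"Telemetry": 0, "External source": 1}


@dataclass
class UserRecord:
    device: str
    sid: str
    user_name: str
    origin: str = ""          # filled in by merge_batch
    data_received: str = ""   # filled in by merge_batch


def merge_batch(table, origin, batch, received_at):
    """Apply one batch of user records coming from a single source to `table`
    (a dict keyed by (device, SID)). Returns the keys that were removed."""
    rank = PRIORITY[origin]
    seen = set()
    for rec in batch:
        rec.origin, rec.data_received = origin, received_at
        key = (rec.device, rec.sid)
        seen.add(key)
        stored = table.get(key)
        # A lower-priority source never overwrites a higher-priority record.
        if stored is None or rank <= PRIORITY[stored.origin]:
            table[key] = rec
    removed = []
    if origin == "External source":
        covered = {rec.device for rec in batch}   # assumption: snapshot per device
        for key, stored in list(table.items()):
            if (stored.origin == "External source"
                    and stored.device in covered and key not in seen):
                removed.append(key)
                del table[key]
    return removed


def demo():
    """Constructed sequence: telemetry first, then two External source snapshots."""
    table = {}
    merge_batch(table, "Telemetry",
                [UserRecord("ws-01", "S-1-5-21-1000", "alice")], "2024-01-01")
    merge_batch(table, "External source",
                [UserRecord("ws-01", "S-1-5-21-1000", "alice-stale"),
                 UserRecord("ws-01", "S-1-5-21-1001", "bob")], "2024-01-02")
    removed = merge_batch(table, "External source",
                          [UserRecord("ws-01", "S-1-5-21-1002", "carol")], "2024-01-03")
    return table, removed
```

The consequence for an investigation: an account that was only ever reported by an External source vanishes from the Users tab as soon as that system stops listing it, so the Asset Management events with type code 4000005600 are the only trace of it; an account seen by Endpoint Agent telemetry keeps its telemetry data even if the external system reports something different.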

You can view information about users in the Assets section on the Users tab.

When viewing the table of users, you can configure, filter, search, and sort users, as well as navigate to related items. The table of all users can contain up to 200,000 users.

The application displays the following information about device users in the table and in the details area of the selected user:

  • User ID is the user ID assigned in Kaspersky Anti Targeted Attack Platform.
  • User name is the name of the user account without the domain name or host name of the device.
  • Full name is the name of the user account with the domain name or host name of the device.
  • Groups lists names of user groups of which the user is a member.
  • Device is the name and address of the device.
  • Origin is the source of information about the user.
  • SID is the user's security ID.
  • Account status is the status corresponding to the received value for enabling or disabling the account.
  • Lock is the status corresponding to the received value of the account blocking setting.
  • Change password at next logon is an attribute that reflects whether the user must change the password at next logon.
  • Block password change by user is an attribute that reflects whether the user is prohibited from changing the user's own password.
  • Password validity period is the status corresponding to the received value of the setting that enables or disables the validity period limit for the user's password.
  • Data received is the date and time when the information about the user account was last received.
  • Description is the description specified for the user account.

When monitoring users, the application registers events using the Asset Management technology. Events are registered with system event type code 4000005600. Events are registered when user accounts are automatically added, modified, or deleted on devices.

You can edit the available settings of event types.

[Topic 269820]

Monitoring file execution on devices

Kaspersky Anti Targeted Attack Platform can monitor file execution on devices known to the application. File execution is monitored based on information received from EPP applications. Based on this information, the application generates a table of executable files.

To automatically get information about file execution from EPP applications, the following conditions must be satisfied:

  • Endpoint Agent must be installed on the devices.
  • Asset Management methods must be enabled to detect device activity and device information.

For the table of executable files, the following restrictions on the number of items and storage durations apply:

  • The total number of executable files may not exceed 100,000.

    If the maximum number of executable files is reached, the application automatically removes 10% of the oldest entries.

  • The maximum storage duration of an executable file before information about its execution is received again is 90 days.

    If new information about file execution is not received before the maximum storage duration expires, the application automatically removes the entry of this file.

If necessary, users with the Administrator role can delete executable files manually.
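The two retention rules above (a hard cap with a 10% purge of the oldest entries, and a 90-day expiry that is reset whenever execution information for the file arrives again) can be modelled in a few lines. The following is an added example, not code from Kaspersky Anti Targeted Attack Platform; it assumes an entry is identified by the device and the file's SHA256 hash, and uses a small cap so the purge is visible.

```python
"""Retention model for the table of executable files (added example, not the product's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_ENTRIES = 100_000          # the total number of executable files may not exceed this
PURGE_FRACTION = 0.10          # when the cap is reached, the oldest 10% of entries are removed
MAX_AGE = timedelta(days=90)   # an entry expires if no new execution information arrives in time


@dataclass
class ExecutableEntry:
    file_id: int
    device: str
    sha256: str
    data_received: datetime    # date and time the information about the file was last received


class ExecutableTable:
    def __init__(self, max_entries=MAX_ENTRIES, purge_fraction=PURGE_FRACTION, max_age=MAX_AGE):
        self.max_entries = max_entries
        self.purge_fraction = purge_fraction
        self.max_age = max_age
        # Assumption: an entry is keyed by (device, sha256); the page does not state the key.
        self._entries: dict[tuple[str, str], ExecutableEntry] = {}
        self._next_id = 1

    def record_execution(self, device: str, sha256: str, received_at: datetime) -> ExecutableEntry:
        """Register new execution information; refreshes an existing entry instead of duplicating it."""
        key = (device, sha256)
        entry = self._entries.get(key)
        if entry is not None:
            entry.data_received = received_at   # the 90-day clock restarts for this file
            return entry
        self.expire_stale(received_at)
        if len(self._entries) >= self.max_entries:
            self._purge_oldest()
        entry = ExecutableEntry(self._next_id, device, sha256, received_at)
        self._next_id += 1
        self._entries[key] = entry
        return entry

    def expire_stale(self, now: datetime) -> int:
        """Remove entries whose information is older than max_age; returns how many were removed."""
        cutoff = now - self.max_age
        stale = [k for k, e in self._entries.items() if e.data_received < cutoff]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def _purge_oldest(self) -> None:
        """Drop the oldest purge_fraction of entries (at least one) to make room."""
        count = max(1, int(len(self._entries) * self.purge_fraction))
        oldest = sorted(self._entries.values(), key=lambda e: e.data_received)[:count]
        for e in oldest:
            del self._entries[(e.device, e.sha256)]

    def has(self, device: str, sha256: str) -> bool:
        return (device, sha256) in self._entries

    def __len__(self) -> int:
        return len(self._entries)
```

For investigations this matters in practice: a file that executed once and was never seen again leaves the table after 90 days, so the executable files tab is an inventory of recent activity, not a permanent execution history.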

To view the table of executable files:

  1. Select the Assets section in the application web interface window.
  2. Go to the Executable files tab.

The table of executable files is displayed.

When viewing the table of executable files, you can configure, filter, search, and sort the files, as well as navigate to related items.

The table displays the following information:

  • File ID is the file ID assigned in Kaspersky Anti Targeted Attack Platform.
  • Device is the name and address of the device.
  • Name is the name and version of the application, or the file name.
  • Data received is the date and time when the information about the file was last received.
  • Product is the name of the software product saved in the operating system of the device.
  • Product version is the version of the software product saved in the operating system of the device.
  • Vendor is the name of the vendor of the application.
  • Path is the full path to the file.
  • File size is the amount of disk space occupied by the file.
  • MD5 hash is the checksum of the file calculated using the MD5 hashing algorithm.
  • SHA256 hash is the checksum of the file calculated using the SHA256 hashing algorithm.
  • Signature is the result of verifying the digital signature of the file: Valid (if the digital signature was verified successfully) or Invalid (for example, if the certificate has expired).
  • Created is the date and time when the file was created.
  • Changed is the date and time the file was last modified.
  • Origin is the source of information about the file.
  • Attributes is the list of file attributes.
  • Description is the description set for the file.
[Topic 272858]

Active device polling jobs

Active polling jobs let you perform a security audit of monitored devices by obtaining accurate and complete information about the devices and their configurations directly from the devices themselves. Active polling is performed using connectors. To actively poll devices, you need to add one or more Active poll connectors to the application.

Connectors provide different active polling methods. Each active polling method specifies the protocol to use, as well as the commands and functions of that protocol. The built-in Active poll connector type contains a set of methods that support active polling over application-layer protocols as well as general-purpose protocols. Kaspersky Anti Targeted Attack Platform supports the following methods for active polling of devices:

  • Polling via ARP (only for computers with the kernel version 4.3 or later)
  • Polling via SMB
  • Polling via SNMP
  • Polling via SSH
  • Polling via WinRM HTTP
  • Polling via WinRM HTTPS
  • Polling via WMI

The methods let you get different sets of device information. You can select the information that you need and the methods to be used when configuring active polling.

Some methods use secrets to connect to devices. Device connections are made using credentials from secrets added to the application.

Using appropriate methods, the application can automatically update the following device information based on active polling results:

  • Name that represents the device in the application
  • Name that represents the device on the network (network name)
  • Vendor name of the device hardware
  • Model name of the device
  • Version number of the device hardware
  • Vendor name of the device software
  • Name of the device software
  • Version number of the device software
  • Address information for network interfaces of the device
  • Name of the operating system installed on the device (only for devices running Windows and Linux operating systems)

For a list of operating systems supported by the application for actively polling devices, see the Appendix.

The application does not update data for which the automatic update function was disabled using the Autoupdate toggle button when the device was added or when device information was edited. The application also evaluates the accuracy of received device information and in some cases may not update previously received information.

Some active polling methods support detecting risks and modifying the topology map with the obtained device information.

You can manually run security audit jobs or configure a schedule to automatically run each job. Only users with the Senior security officer role can run active polling jobs.

When using the active polling functionality, you must keep in mind the following special considerations and limitations:

  • The functionality becomes available after adding a license key.
  • Application modules of connectors that are used for active polling of devices need network access to the devices in order to send requests to them and receive data from them. If the application modules are running on the host with installed application components, that computer must have a network interface connected to the network of the devices to be polled. Network interfaces of monitoring points cannot be used for this purpose if they receive mirrored corporate LAN traffic (for example, from SPAN ports of network switches).
  • Unexpected problems may arise when actively polling devices if these devices misinterpret the commands of the active poll. The problems may be caused by misconfiguration or a highly specialized configuration of devices. Problems can also arise due to hidden errors in the network configuration that do not manifest during normal communication between devices. Therefore, active polling of a device involves the risk of the following potential consequences:
    • The device powering off
    • Connectivity being lost with the device
    • Complete or partial device malfunction
    • Slower-than-normal operation
    • Other potential faults of the network and equipment

In this section

  • Adding an active polling job
  • Editing an active polling job
  • Viewing the table of active polling jobs
  • Starting and stopping active polling jobs
  • Viewing general information about the active polling job runs
  • Viewing a report on the active polling job execution
  • Deleting active polling jobs

[Topic 236044]

Adding an active polling job

For devices known to the application, you can add active polling jobs.

Only users with the Senior security officer role can add active polling jobs. Adding active polling jobs is available after adding a license key.

The active polling job is configured using the Wizard. The wizard lets you configure the job step by step. After completing the configuration, you can wait until the scanning begins on schedule or start the job manually.

When adding an active polling job, you can invoke the Configuration Wizard in the following ways:

  • Adding a job with blank settings. To do this:
    1. Select the Assets section.
    2. On the Active polling tab, click Add job.

    The settings of the configuration wizard do not have default values.

  • Adding a job for selected devices. To do this:
    1. Select the Assets section.
    2. On the Devices tab, select the devices for which you want to add an active polling job. You can select no more than 100 devices.
    3. In the toolbar above the devices table, open the Create job drop-down list and select Active polling.

    By default, a list of devices made up of the selected devices is created in the settings of the configuration wizard.

To configure the job in the window of the configuration wizard:

  1. Read the active polling considerations in the warning window, and confirm that you accept the risks associated with using the active polling module.
  2. In the Select devices section of the Wizard, create a list of devices for which you want to perform active polling. Select up to 100 devices.

    You can create a list of devices using the Add to job and Delete from job buttons. When you click Add to job, the application opens a window with the device selection table. You can filter and sort the table to display the devices that you need.

  3. In the Select parameters section of the wizard, select the check boxes for the specific device information that you want to update using active polling. You can also enable risk detection (the Risks check box) and discovery of topology settings for devices (the Topology settings check box).
  4. In the Select methods section of the wizard, do the following:
    1. Select an active polling module.
    2. Select the check boxes for the specific methods that you want to use for getting device information, risk detection, and/or reading topology settings.

      Methods that can be used are grouped by the connectors that provide the ability to actively poll devices. The list contains only methods that support getting the selected information. If a connector cannot be used to actively poll the selected devices, the available methods are not displayed for this connector (for example, if the connector is disabled, or if the address space selected for the connector does not contain the addresses of the selected devices).

    3. Configure the methods for each connector as needed. For example, for Polling via SSH, specify a port and a credentials secret.

      If a secret with the required credentials has not been added to the application, you can open a new tab in the browser without closing the Configuration Wizard window, connect to the Server and add the secret, and then use the button in the Configuration Wizard window to refresh the list of secrets.

      We do not recommend using one and the same secret for active polling of different devices on the network, because this negatively affects the level of information security.

      Methods that require configuring settings are highlighted in red. To update the settings, click the settings button to the right of the desired method.

  5. In the Job configuration section of the wizard, configure the rest of the job settings:
    1. Enter a name and description for the job.

      You can use letters, numerals, spaces, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } / \ : ; , . - _. The name of the job must begin and end with any valid character other than a space.

      The job name must contain no more than 256 characters. The job description must contain no more than 4,096 characters.

    2. To run the job according to a schedule, enable the Run job according to schedule option and configure the schedule settings:
      • In the Frequency drop-down list, select how often to run the job: Hourly, Daily, Weekly, or Monthly.
      • Depending on the selected option, specify the values for the settings to define the precise job start time.

      The application runs the job according to the schedule, provided that the previous run of this job has completed. If, by the time a scheduled run is due to start, the previous run still has the Running status, the application skips the scheduled run.

  6. Click Create job or Create and run to close the wizard.

The specified settings are displayed in the job details.

[Topic 236152]

Editing an active polling job

Only users with the Senior security officer role can edit active polling jobs.

To edit an active polling job:

  1. Select the Assets section.
  2. On the Active polling tab, select the job for which you want to change the settings.
  3. Click Edit.

    The Configuration Wizard starts. The settings of the selected job are specified as default values in the settings of the configuration wizard.

  4. In the Job configuration section of the wizard, configure the rest of the job settings:
    1. Enter a name and description for the job.

      You can use letters, numerals, spaces, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } / \ : ; , . - _. The name of the job must begin and end with any valid character other than a space.

      The job name must contain no more than 256 characters. The job description must contain no more than 4,096 characters.

    2. To run the job according to a schedule, enable the Run job according to schedule option and configure the schedule settings:
      • In the Frequency drop-down list, select how often to run the job: Hourly, Daily, Weekly, or Monthly.
      • Depending on the selected option, specify the values for the settings to define the precise job start time.

      The application runs the job according to the schedule, provided that the previous run of this job has completed. If, by the time a scheduled run is due to start, the previous run still has the Running status, the application skips the scheduled run.

  5. Click Edit job to close the wizard.

The specified settings are displayed in the job details.

[Topic 278732]

Viewing the table of active polling jobs

The table of active polling jobs is displayed in the Assets section on the Active polling tab.

Job settings are displayed in the following columns of the table:

  • Job ID.

    Job ID assigned in Kaspersky Anti Targeted Attack Platform.

  • Name.

    Name that represents the job in the application.

  • Description.

    Job description.

  • Created.

    Date and time when the job was added to the application.

  • Changed.

    Date and time of the last modification in the application.

  • Devices selected.

    Number of devices selected for the job.

  • Schedule.

    Information about the schedule that the application uses to run the job.

  • Status of last run.

    The resulting status of all device scans when the job was last run.

  • Last run.

    Date and time when the job was last run.

  • Next run.

    Date and time of the next scheduled run of the job.

When viewing the table of active polling jobs, you can use the configuration, filter, search, and sorting functions.


[Topic 272950]

Starting and stopping active polling jobs

You can manually start and stop active polling jobs. When you start or stop a job, the application starts or stops all scans on the devices that are selected for that job.

Whether you can start or stop a job depends on the status of its last run. For example, a job cannot be started if the status of its last run is Running.

Only users with the Senior security officer role can manually start and stop active polling jobs.

To start an active polling job:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Assets section.
  3. On the Active polling tab, select the job you want to start.

    The details area is displayed in the right part of the web interface window.

  4. Click Start. The button is disabled if the job cannot be started.

    Kaspersky Anti Targeted Attack Platform starts the job. You can view information about the device scans in progress on the Runs tab in the job details.

To stop an active polling job:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Assets section.
  3. On the Active polling tab, select the job you want to stop.

    The details area is displayed in the right part of the web interface window.

  4. Click Stop. The button is disabled if the job cannot be stopped.


[Topic 272948]

Viewing general information about the active polling job runs

You can view general information on the runs of active polling jobs in the jobs table. The table displays information about the most recent runs not including the information about device scans. To view general information on all job runs, including information about the device scans, select the job and in the details area, open the Runs tab.

General information about active polling job runs includes the following:

  • The status of the job or device scan.

    The following statuses are possible:

    • Pending – a command to start the scan has not been sent yet.
    • In progress – the job is starting, or the scan is in progress.
    • Canceling – the start of the job or scanning is being stopped.
    • Canceled – the start of the job or scanning is stopped.
    • Completed – the scan completed successfully or all scans within the job run completed successfully.
    • Error – an error occurred during a scan or errors occurred in all scans within the job run.
    • Partially successful – the job completed with a partially successful result: some scans have the Completed status while some scans have a status of Canceled or Error.
  • Start date and time.
  • End date and time.
  • Run time.
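The page states how three of the job-level statuses follow from the statuses of the individual device scans (all Completed, all Error, or a mix with at least one Completed). The function below, an added example rather than the product's own logic, encodes those stated rules; the handling of runs that still contain Pending, In progress or Canceling scans, and of runs with no Completed scans that are not all Error, is an assumption and is marked as such.

```python
"""Deriving the run status of an active polling job from its device scan statuses (added example)."""
from collections import Counter

PENDING = "Pending"
IN_PROGRESS = "In progress"
CANCELING = "Canceling"
CANCELED = "Canceled"
COMPLETED = "Completed"
ERROR = "Error"
PARTIALLY_SUCCESSFUL = "Partially successful"

FINAL = {CANCELED, COMPLETED, ERROR}


def job_run_status(scan_statuses: list[str]) -> str:
    """Return the job run status implied by the per-device scan statuses."""
    if not scan_statuses:
        raise ValueError("a job run has at least one device scan")
    counts = Counter(scan_statuses)
    total = len(scan_statuses)
    # Assumption: while any scan is unfinished, the run itself is unfinished.
    if counts[CANCELING]:
        return CANCELING
    if counts[PENDING] or counts[IN_PROGRESS]:
        return IN_PROGRESS
    # Stated rules: all scans Completed -> Completed; errors in all scans -> Error;
    # some Completed with some Canceled or Error -> Partially successful.
    if counts[COMPLETED] == total:
        return COMPLETED
    if counts[ERROR] == total:
        return ERROR
    if counts[COMPLETED]:
        return PARTIALLY_SUCCESSFUL
    # Assumption: no Completed scans and not all Error means the run was stopped.
    return CANCELED
```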


[Topic 272955]

Viewing a report on the active polling job execution

You can view reports containing the device scan results when viewing the details of an active polling job run. The application generates reports for the jobs completed with the following statuses: Completed, Partially successful, Canceled, and Error.

In the report, the following details are displayed:

  • Name of the device that was scanned.
  • Device settings update status.
  • List of device settings grouped by their update status.
  • List of methods grouped by their execution status. If an error occurs when a method is being employed, the application displays its reason.

To view a report on the active polling job execution:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Assets section.
  3. On the Active polling tab, select the job for which you want to view the run report.

    The details area is displayed in the right part of the web interface window.

  4. In the details area, go to the Runs tab and select the desired job run.

    The details area displays detailed information about the selected job run, including the report on the device scans.

[Topic 272957]

Deleting active polling jobs

You can delete active polling jobs. However, you cannot delete the jobs with a last run status of Running or Pending.

Only users with the Senior security officer role can delete active polling jobs.

To delete active polling jobs:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Assets section.
  3. On the Active polling tab, select the jobs you want to delete.
  4. Click Delete.

    This opens a confirmation prompt window.

  5. In the prompt window, confirm deletion of the jobs.

    You can delete only the jobs whose last run status is not Running or Pending. If there are jobs with a status of Running or Pending among the selected jobs, the corresponding message is displayed. To delete such jobs, you must first stop the jobs.

[Topic 272985]