Kaspersky Anti Targeted Attack Platform

Active device polling jobs

Active polling jobs let you conduct a security audit of monitored devices by obtaining accurate and complete information about the devices and their configurations directly from the devices themselves. Active polling is performed using connectors. To actively poll devices, you need to add one or more Active poll connectors to the application.

Connectors provide different active polling methods. Each active polling method defines the protocol used and the commands and functions of that protocol. The built-in Active poll connector type contains a set of methods that support active polling over application-layer protocols as well as general-purpose protocols. Kaspersky Anti Targeted Attack Platform supports the following methods for active polling of devices:

  • Polling via ARP (only for computers with the kernel version 4.3 or later)
  • Polling via SMB
  • Polling via SNMP
  • Polling via SSH
  • Polling via WinRM HTTP
  • Polling via WinRM HTTPS
  • Polling via WMI

The methods let you get different sets of device information. You can select the information that you need and the methods to be used when configuring active polling.

Some methods use secrets to connect to devices. Device connections are made using credentials from secrets added to the application.

Using appropriate methods, the application can automatically update the following device information based on active polling results:

  • Name that represents the device in the application
  • Name that represents the device on the network (network name)
  • Vendor name of the device hardware
  • Model name of the device
  • Version number of the device hardware
  • Vendor name of the device software
  • Name of the device software
  • Version number of the device software
  • Address information for network interfaces of the device
  • Name of the operating system installed on the device (only for devices running Windows and Linux operating systems)

For a list of operating systems supported by the application for actively polling devices, see the Appendix.

The application does not update data for which the automatic update function was disabled using the Autoupdate toggle button when the device was added or when device information was edited. The application also evaluates the accuracy of received device information and in some cases may not update previously received information.

Some active polling methods support detecting risks and modifying the topology map with the obtained device information.

You can manually run security audit jobs or configure a schedule to automatically run each job. Only users with the Senior security officer role can run active polling jobs.

When using the active polling functionality, you must keep in mind the following special considerations and limitations:

  • The functionality becomes available after adding a license key.
  • Application modules of connectors that are used for active polling of devices need network access to the devices to send requests to and receive data from the devices. If the application modules are running on the host with installed application components, to ensure network access to devices, this computer must have a network interface with a connection to the network of the devices to be polled. Network interfaces of monitoring points cannot be used for this purpose if these network interfaces receive mirrored corporate LAN traffic (for example, from SPAN ports of network switches).
  • Unexpected problems may arise when actively polling devices if these devices misinterpret the commands of the active poll. The problems may be caused by misconfiguration or highly specialized configuration of devices. Problems can also arise due to hidden errors in the network configuration that do not manifest during normal communication of devices. Therefore, active polling of a device involves the risk of the following potential consequences:
    • The device powering off
    • Connectivity being lost with the device
    • Complete or partial device malfunction
    • Slower-than-normal operation
    • Other potential faults of the network and equipment


Adding an active polling job

For devices known to the application, you can add active polling jobs.

Only users with the Senior security officer role can add active polling jobs. Adding active polling jobs is available after adding a license key.

The active polling job is configured using the Wizard. The wizard lets you configure the job step by step. After completing the configuration, you can wait until the scanning begins on schedule or start the job manually.

When adding an active polling job, you can invoke the Configuration Wizard in the following ways:

  • Adding a job with blank settings. To do this:
    1. Select the Assets section.
    2. On the Active polling tab, click Add job.

    The settings of the configuration wizard do not have default values.

  • Adding a job for selected devices. To do this:
    1. Select the Assets section.
    2. On the Devices tab, select the devices for which you want to add an active polling job. You can select no more than 100 devices.
    3. In the toolbar above the devices table, open the Create job drop-down list and select Active polling.

    By default, a list of devices made up of the selected devices is created in the settings of the configuration wizard.

To configure the job in the window of the configuration wizard:

  1. Read the active polling considerations in the warning window, and confirm that you accept the risks associated with using the active polling module.
  2. In the Select devices section of the Wizard, create a list of devices for which you want to perform active polling. Select up to 100 devices.

    You can create a list of devices using the Add to job and Delete from job buttons. To add a device, the application opens a window with the device selection table. You can filter and sort the table to display the devices that you need.

  3. In the Select parameters section of the wizard, select the check boxes for the specific device information that you want to update using active polling. You can also enable risk detection (the Risks check box) and discovery of topology settings for devices (the Topology settings check box).
  4. In the Select methods section of the wizard, do the following:
    1. Select an active polling module.
    2. Select the check boxes for the specific methods that you want to use for getting device information, risk detection, and/or reading topology settings.

      Methods that can be used are grouped by connectors that provide the ability of actively polling devices. The list contains only methods that support getting the selected information. If a connector cannot be used to actively poll the selected devices, the available methods are not displayed for this connector (for example, if the connector is disabled or an address space that does not contain the addresses of the selected devices is selected for the connector).

    3. Configure the methods for each connector as needed. For example, for Polling via SSH, specify a port and a credentials secret.

      If a secret with the required credentials has not been added to the application, you can open a new tab in the browser without closing the Configuration Wizard window, connect to the Server and add the secret, and then use the button in the Configuration Wizard window to refresh the list of secrets.

      We do not recommend using the same secret for active polling of devices on the network because this negatively affects the level of information security.

      Methods that require configuring settings are highlighted in red. To update the settings, click the button (Setting regulator icon) to the right of the desired method.

  5. In the Job configuration section of the wizard, configure the rest of the job settings:
    1. Enter a name and description for the job.

      You can use letters, numerals, spaces, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } / \ : ; , . - _. The name of the job must begin and end with any valid character other than a space.

      The job name must contain no more than 256 characters. The job description must contain no more than 4,096 characters.

    2. To run the job according to a schedule, enable the Run job according to schedule option and configure the schedule settings:
      • In the Frequency drop-down list, select how often to run the job: Hourly, Daily, Weekly, or Monthly.
      • Depending on the selected option, specify the values for the settings to define the precise job start time.

      The application runs the job according to the schedule, provided that the previous run of this job has completed. If the previous run of a job still has the Running status when its next scheduled run is due, the application skips the scheduled run.

  6. Click Create job or Create and run to close the wizard.

The specified settings are displayed in the job details.
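
The limits given in the wizard steps above (name character set and length, description length, 100 devices per job) and the recommendation against reusing one secret can be checked against a planned set of jobs before they are entered in the wizard. The following is an added example, not Kaspersky code: the dictionary layout, function names, and sample job, device and secret names are hypothetical, and reading "letters" and "numerals" as Unicode letters and decimal digits is an assumption.

```python
import unicodedata
from collections import defaultdict

# Limits and character list as stated in the wizard steps above.
ALLOWED_SPECIALS = set("!@#№$%^&()[]{}/\\:;,.-_")
MAX_NAME, MAX_DESCRIPTION, MAX_DEVICES = 256, 4096, 100

def _char_ok(ch):
    # Assumption: "letters" and "numerals" mean Unicode letters and decimal digits.
    cat = unicodedata.category(ch)
    return ch == " " or ch in ALLOWED_SPECIALS or cat.startswith("L") or cat == "Nd"

def check_job(job):
    """Return the problems found in one planned job (hypothetical dict layout)."""
    problems = []
    name, desc = job["name"], job.get("description", "")
    if not name:  # an empty name cannot begin and end with a valid character
        problems.append("name is empty")
    if len(name) > MAX_NAME:
        problems.append(f"name has {len(name)} characters, limit is {MAX_NAME}")
    if name != name.strip(" "):
        problems.append("name begins or ends with a space")
    # The character list is applied to the name only in this sketch.
    bad = sorted({ch for ch in name if not _char_ok(ch)})
    if bad:
        problems.append("name has disallowed characters: " + " ".join(map(repr, bad)))
    if len(desc) > MAX_DESCRIPTION:
        problems.append(f"description has {len(desc)} characters, limit is {MAX_DESCRIPTION}")
    devices = set(job["devices"])
    if len(devices) > MAX_DEVICES:
        problems.append(f"{len(devices)} devices selected, limit is {MAX_DEVICES}")
    return problems

def shared_secrets(jobs):
    """Return secrets referenced by more than one (job, method) pair."""
    uses = defaultdict(set)
    for job in jobs:
        for method, secret in job.get("methods", {}).items():
            uses[secret].add((job["name"], method))
    return {s: sorted(u) for s, u in uses.items() if len(u) > 1}

# Constructed sample plan; job, device and secret names are made up.
SAMPLE_JOBS = [
    {"name": "Weekly SSH audit (plant A)", "devices": ["srv-01", "srv-02"],
     "methods": {"Polling via SSH": "ssh-audit", "Polling via SNMP": "snmp-ro"}},
    {"name": " Windows hosts*", "devices": [f"ws-{i:03d}" for i in range(101)],
     "methods": {"Polling via WinRM HTTPS": "win-admin", "Polling via SSH": "ssh-audit"}},
]

if __name__ == "__main__":
    for job in SAMPLE_JOBS:
        print(repr(job["name"]), check_job(job))
    print(shared_secrets(SAMPLE_JOBS))
```

Treating any secret that appears under more than one job or method as shared is one reading of the recommendation; a stricter review would also count how many devices each secret is used against.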


Editing an active polling job

Only users with the Senior security officer role can edit active polling jobs.

To edit an active polling job:

  1. Select the Assets section.
  2. On the Active polling tab, select the job for which you want to change the settings.
  3. Click Edit.

    The Configuration Wizard starts. The settings of the selected job are specified as default values in the settings of the configuration wizard.

  4. In the Job configuration section of the wizard, configure the rest of the job settings:
    1. Enter a name and description for the job.

      You can use letters, numerals, spaces, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } / \ : ; , . - _. The name of the job must begin and end with any valid character other than a space.

      The job name must contain no more than 256 characters. The job description must contain no more than 4,096 characters.

    2. To run the job according to a schedule, enable the Run job according to schedule option and configure the schedule settings:
      • In the Frequency drop-down list, select how often to run the job: Hourly, Daily, Weekly, or Monthly.
      • Depending on the selected option, specify the values for the settings to define the precise job start time.

      The application runs the job according to the schedule, provided that the previous run of this job has completed. If the previous run of a job still has the Running status when its next scheduled run is due, the application skips the scheduled run.

  5. Click Edit job to close the wizard.

The specified settings are displayed in the job details.


Viewing the table of active polling jobs

The table of active polling jobs is displayed in the Assets section on the Active polling tab.

Job settings are displayed in the following columns of the table:

  • Job ID.

    Job ID assigned in Kaspersky Anti Targeted Attack Platform.

  • Name.

    Name that represents the job in the application.

  • Description.

    Job description.

  • Created.

    Date and time when the job was added to the application.

  • Changed.

    Date and time of the last modification in the application.

  • Devices selected.

    Number of devices selected for the job.

  • Schedule.

    Information about the schedule that the application uses to run the job.

  • Status of last run.

    The resulting status of all device scans when the job was last run.

  • Last run.

    Date and time when the job was last run.

  • Next run.

    Date and time of the next scheduled run of the job.

When viewing the table of active polling jobs, you can use the configuration, filter, search, and sorting functions.


Starting and stopping active polling jobs

You can manually start and stop active polling jobs. When you start or stop a job, the application starts or stops all scans on the devices that are selected for that job.

You can stop or run the job depending on the status of the last job run. For example, a job cannot be started if the status of its last run is Running.

Only users with the Senior security officer role can manually start and stop active polling jobs.

To start an active polling job:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Assets section.
  3. On the Active polling tab, select the job you want to start.

    The details area is displayed in the right part of the web interface window.

  4. Click Start. The button is disabled if the job cannot be started.

    Kaspersky Anti Targeted Attack Platform starts the job. You can view information about the device scans in progress on the Runs tab in the job details.

To stop an active polling job:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Assets section.
  3. On the Active polling tab, select the job you want to stop.

    The details area is displayed in the right part of the web interface window.

  4. Click Stop. The button is disabled if the job cannot be stopped.


Viewing general information about the active polling job runs

You can view general information on the runs of active polling jobs in the jobs table. The table displays information about the most recent runs, not including information about device scans. To view general information on all job runs, including information about the device scans, select the job and open the Runs tab in the details area.

General information about active polling job runs includes the following:

  • The status of the job or device scan.

    The following statuses are possible:

    • Pending – a command to start the scan has not been sent yet.
    • In progress – the job is starting, or the scan is in progress.
    • Canceling – the start of the job or scanning is being stopped.
    • Canceled – the start of the job or scanning is stopped.
    • Completed – the scan completed successfully or all scans within the job run completed successfully.
    • Error – an error occurred during a scan or errors occurred in all scans within the job run.
    • Partially successful – the job completed with a partially successful result: some scans have the Completed status while some scans have a status of Canceled or Error.
  • Start date and time.
  • End date and time.
  • Run time.


Viewing a report on the active polling job execution

You can view reports containing the device scan results when viewing the details of an active polling job run. The application generates reports for the jobs completed with the following statuses: Completed, Partially successful, Canceled, and Error.

In the report, the following details are displayed:

  • Name of the device that was scanned.
  • Device settings update status.
  • List of device settings grouped by their update status.
  • List of methods grouped by their execution status. If an error occurs when a method is being employed, the application displays its reason.

To view a report on the active polling job execution:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Assets section.
  3. On the Active polling tab, select the job for which you want to view the run report.

    The details area is displayed in the right part of the web interface window.

  4. In the details area, go to the Runs tab and select the desired job run.

    The details area is displayed in the right part of the web interface window. The details area displays detailed information about the selected job run.


Deleting active polling jobs

You can delete active polling jobs. However, you cannot delete the jobs with a last run status of Running or Pending.

Only users with the Senior security officer role can delete active polling jobs.

To delete active polling jobs:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Assets section.
  3. On the Active polling tab, select the jobs you want to delete.
  4. Click Delete.

    This opens a confirmation prompt window.

  5. In the prompt window, confirm deletion of the jobs.

    You can delete only the jobs whose last run status is not Running or Pending. If there are jobs with a status of Running or Pending among the selected jobs, the corresponding message is displayed. To delete such jobs, you must first stop the jobs.
