Managing NDR reports

You can use Kaspersky Anti Targeted Attack Platform to get reports with various information saved by the application. Kaspersky Anti Targeted Attack Platform generates reports as PDF files. The application can send report files to email addresses.

You can view information about generated reports and export them to files in the Reports section, Reports (NDR) subsection, Generated reports tab.

The following types of NDR report templates are possible:

• System templates, created automatically during application installation. In the table of report templates, system templates are displayed with the icon. You cannot delete system templates.

  Kaspersky Anti Targeted Attack Platform supports the following system report templates:

  • Inventory report.

    Contains information about devices and system commands, as well as protocols used and detected risks on devices.

  • System security report.

    Contains information about the security status of devices, registered events, detected risks, and interactions with devices on external networks.

  • Executive summary.

    Contains brief information about devices and the security status of the system.

  • Full report.

    Contains complete information about devices and the security status of the system.

• Custom templates, created manually by duplicating templates. You can duplicate system or custom templates. Only users with the Senior security officer role can duplicate report templates.

Information in reports is presented as separate information blocks. Each Kaspersky Anti Targeted Attack Platform report includes a fixed set of information blocks, which are arranged in a fixed order. Information blocks used in reports and their descriptions are listed in the table below.

Using information blocks in reports

Name of the information block	Inventory report	System security report	Executive summary	Full report
Device categories How many devices are in which categories
Device vendors Most frequently specified device vendors
Device operating systems How many devices use certain operating systems
Devices with the greatest number of risks. Devices with the greatest number of risks, taking into account the risk severity levels
Situational awareness Notifications about detected system security threats in order of importance
New devices in the network Number of new devices detected by Kaspersky Anti Targeted Attack Platform
Protocols with the most traffic Most frequently used protocols by traffic volume
Devices with the most connections to other nodes Devices with the most connections to other devices, taking into account the traffic volume of the connections
Network traffic volume Amount of network traffic during the given period.
Common protocols Discovered common protocols with the greatest traffic volume
Device security status How many devices are in which security state
Distribution of devices by status How many devices have which statuses
Statistics on events How many events have which severity level
Distribution of events by detection technologies How many events were logged by which technology
Devices with the most events Devices most frequently occurring in events
Most critical events Events with the highest severity scores
Most frequently triggered malicious activity detection rules Malicious activity detection rules that were triggered most frequently on the devices
Devices with signs of access to public resources Devices with the most interactions with devices on subnets of the Public type
Connections via remote control protocols Devices with the most interactions over protocols used by remote control software
Active risks How many risks have which severity level

Viewing the table of NDR report templates

You can view the table of report templates in the web interface of the application, in the Reports section, Reports (NDR) subsection, on the Report templates tab.

Report template settings are displayed in the following columns of the table:

• Name.

  Report template name. The icon is displayed next to the names of system report templates.

• Schedule.

  Information about the schedule used by Kaspersky Anti Targeted Attack Platform to automatically generate a report based on the template. Schedule information is displayed if a user with the Senior security officer role configured a schedule in the report template. If the schedule is not configured, the column displays Disabled.

• Type/use.

  Name of the user who last modified the report template. System is displayed for system templates that have default settings.

• Last report.

  Time when the last report was generated based on the report template.

• Destinations.

  Icon signifying that email report recipients are configured. The following icons have the following meanings:

  •  – report recipients are defined.
  •  – report recipients are not defined.

Viewing NDR report template details

To view report template information:

In the Reports section, Reports (NDR) subsection, on the Report templates tab, select the relevant template.

The details area is displayed in the right part of the web interface window. The details area displays all specified details.

Details of the report template include the following fields:

• Name is the name of the report template.
• Type/user is the name of the user that last modified the report template. System is displayed for system templates that have default settings.
• Period is the time period covered by the report that Kaspersky Anti Targeted Attack Platform generates based on the template.
• Modified is the time when the most recent change to the template was made.
• Last report is the time when the last report was generated based on the template.
• Next start (local time) is the time when the next report generation based on the template will start. This setting is displayed if a schedule is configured for the report template.
• Schedule displays information about the schedule used by Kaspersky Anti Targeted Attack Platform to automatically generate a report based on the template. This setting is displayed if a schedule is configured for the report template.

Recipient addresses are email addresses to which Kaspersky Anti Targeted Attack Platform sends the generated reports. This setting is displayed if recipient addresses are configured for the report template.

Viewing the table of NDR reports

You can view the table of reports in the web interface of the application, in the Reports section, Reports (NDR) subsection, on the Generated reports tab.

Report settings are displayed in the following columns of the table:

• ID.

  Unique ID of the report.

• Report name.

  Name of the generated report.

• Template name.

  Name of the template used to generate the report.

• Start.

  Date and time when the report generation started.

• Status.

  Status of the report. A report can have one of the following statuses:

  Pending. The report is queued for generation. A report can have the Pending status when multiple reports are generated at the same time.

  In progress. The report is being generated.

  Error. An error occurred while generating the report.

  Done. The report is successfully generated.

  Canceling. Report generation is being canceled.

  Canceled. Report generation has been canceled.

• User.

  Name of the user that initiated the generation of the report or configured the schedule for running the report based on a template.

• Run type.

  Report generation type: manual or scheduled.

• Completed.

  Date and time when the report generation ended.

Manually generating an NDR report based on a template

You can manually start generating a report based on a template.

To start report generation:

1. Select the Reports section, then the Reports (NDR) subsection.
2. On the Report templates tab, select one or more templates that you want to use to generate reports.

   When multiple templates are selected, the application generates reports based on these templates simultaneously. You can select up to 10 templates.

3. In the toolbar above the table of report templates, click Get reports.

   Kaspersky Anti Targeted Attack Platform starts generating the report.

You will be taken to the Generated reports tab, which displays the status of the reports being generated. After the reports are generated, Kaspersky Anti Targeted Attack Platform sends report files in PDF format to the email addresses specified in the report template. If an email address is not defined in the report template, you can individually export generated reports to files manually on the Generated reports tab. The maximum size of a report file is 10 MB.

If necessary, you can cancel the generation of the report.

Duplicating an NDR report template

You can create custom templates by duplicating existing report templates. You can duplicate system templates or custom templates. When duplicating a template, you cannot choose which information blocks to include in the report or rearrange them.

The maximum number of templates in the application is 5000.

To duplicate a report template:

1. Select the Reports section, then the Reports (NDR) subsection.
2. On the Report templates tab, select the relevant template.

   The details area is displayed in the right part of the web interface window.

3. Click Create new template.
4. In the Name field, edit the name of the report template.

   You can use Latin and Cyrillic letters, numerals, the space character, as well as -, –, _ characters.

   The name of the report template must satisfy the following requirements:

   • Does not reuse the name of another report template (case-insensitive).
   • Contains up to 100 characters.

   Names of reports generated from the updated template will reflect the new name of the template.

5. In the Data period drop-down list, select the time period for which you want to get system information in the report.

   You can generate reports with information received by the application within the last 24 hours, 7 days, 30 days, the last year, or a manually configured time frame.

6. If you need to generate reports on a schedule, turn on the Generate report by schedule toggle switch and set up a schedule:
   1. In the Frequency drop-down list, select how often you want to generate the report: Hourly, Daily, Weekly, or Monthly.
   2. Depending on the selected option, specify the values for the settings to refine the report generation start time.
7. If necessary, use the Recipient addresses field to enter the email address to which you want to send the generated reports. If you need to specify additional recipients of the report, click Add recipient address and enter the email address.

   The maximum number of report recipients is 20.

8. Click Save.

The new report is added to the table of report templates.

Editing an NDR report template

To edit the settings of a report template:

1. Select the Reports section, then the Reports (NDR) subsection.
2. On the Report templates tab, select the relevant template.

   The details area is displayed in the right part of the web interface window.

3. Click Edit.
4. In the Name field, edit the name of the report template.

   You can use Latin and Cyrillic letters, numerals, the space character, as well as -, –, _ characters.

   The name of the report template must satisfy the following requirements:

   • Does not reuse the name of another report template (case-insensitive).
   • Contains up to 100 characters.

   Names of reports generated from the updated template will reflect the new name of the template.

5. In the Data period drop-down list, select the time period for which you want to get system information in the report.

   You can generate reports with information received by the application within the last 24 hours, 7 days, 30 days, the last year, or a manually configured time frame.

6. If you need to generate reports on a schedule, turn on the Generate report by schedule toggle switch and set up a schedule:
   1. In the Frequency drop-down list, select how often you want to generate the report: Hourly, Daily, Weekly, or Monthly.
   2. Depending on the selected option, specify the values for the settings to refine the report generation start time.
7. If necessary, use the Recipient addresses field to enter the email address to which you want to send the generated reports. If you need to specify additional recipients of the report, click Add recipient address and enter the email address.

   The maximum number of report recipients is 20.

8. Click Save.

The changes are displayed in the corresponding columns of the table of report templates.

Exporting an NDR report to a file

You can export the generated report to a PDF file.

To export a report to a file:

1. In the Reports section, select the Reports (NDR) subsection.
2. On the Generated reports tab, select the relevant report.

   The reports are filtered by the IDs of the reports that were started last in the current Server connection session. To display all generated reports, reset the filter settings by clicking Default filter. If necessary, you can configure filtering by a time period of your choice.

   The details area is displayed in the right part of the web interface window.

3. Click Export.

The browser save the report file. By default, the report file has a name in the <report name>_<date and time when the report was generated> format. Depending on your browser's settings, a window may be displayed on your screen in which you can specify the path and name of the downloaded file.

Deleting an NDR report template

Only custom report templates can be deleted.

To delete a report template:

1. Select the Reports section, then the Reports (NDR) subsection.
2. On the Report templates tab, select one or more report templates that you want to delete.
3. Click Delete.

   System templates cannot be deleted. In the table of report templates, system templates are displayed with the icon.

4. In the displayed prompt window, confirm the deletion of report templates.

Deleting an NDR report

To delete a report:

1. Select the Reports section, then the Reports (NDR) subsection.
2. On the Generated reports tab, select one or more reports that you want to delete.

   The reports in the table of reports are filtered by the IDs of the reports that were started last in the current Server connection session. To display all generated reports, reset the filter settings by clicking Default filter. If necessary, you can configure filtering by a time period of your choice.

   The details area is displayed in the right part of the web interface window.

3. Click Delete.
4. In the displayed prompt window, confirm the deletion of the report.

Canceling NDR report generation

You can cancel report generation only for a report with the In progress status.

To cancel report generation:

1. Select the Reports section, then the Reports (NDR) subsection.
2. On the Generated reports tab, select the report with the In progress status that you want to cancel.

   The details area is displayed in the right part of the web interface window.

3. Click Cancel.
4. In the displayed prompt window, confirm the cancellation of the report.

After this request is completed, the report status changes to Canceled.

Managing the settings for storing report files

You can change the maximum total size limit for stored report files.

To edit report file storage settings:

1. Log in to the web interface with the application administrator account.
2. Select the Sensor servers section.
3. Select the card of the local host (IP address 0.0.0.0).

   The details area is displayed in the right part of the web interface window.

4. Click Edit.

   In the details area, tabs are displayed, on which you can manage the settings of the server.

5. On the General tab, under Reports, use the Max volume setting to set a size limit for the stored report files.

   You can select the unit of measure for the size limit: MB or GB.

   When editing the value, you also need to take into account that the sum total of all size limits may not exceed the specified maximum storage capacity for the node.

6. If necessary, use the Storage time (days) setting to limit the storage duration of report files, and specify the duration in days.
7. Click Save.