Contents
- For administrators: Getting started with the application web interface
- Kaspersky Anti Targeted Attack Platform Interface
- Monitoring the performance of the application
- About widgets and layouts
- Selecting a tenant and a server to manage in the Dashboard section
- Adding a widget to the current layout
- Moving a widget in the current layout
- Changing the display of information in NDR widgets
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the data display period in widgets
- Monitoring the receipt and processing of incoming data
- Monitoring the queues for data processing by application modules and components
- Monitoring the processing of data by the Sandbox component
- Viewing the working condition of modules and components of the application
- Managing Central Node or Sensor server information
- Managing Central Node, PCN, or SCN servers using the application web interface
- Changing the server name
- Configuring the date and time on the server
- Generating or uploading a TLS certificate of the server
- Downloading the TLS certificate of the server
- Assigning a server DNS name
- Configuring DNS settings
- Configuring settings of the network interface
- Configuring the default network route
- Configuring proxy server connection settings
- Configuring the mail server connection
- Managing traffic saving settings
- Managing the settings for saving traffic dump files
- Selecting operating systems to use when scanning objects in Sandbox
- Password policies
- Managing the Sensor component
- Connecting the Sensor component to the Central Node
- Managing the certificate of the Sensor component
- Logging in to the web interface of the Sensor component
- Changing the server name
- Managing monitoring points
- Configuring the maximum size of a scanned file
- Configuring HTTP packet body dumping
- Configuring integration with a mail server via SMTP
- Configuring integration with a proxy server via ICAP
- Configuring recording of mirrored traffic from SPAN ports
- Configuring integration with a mail server via POP3
- Managing the cluster
- Notifications about the maximum allowed CPU and RAM load for the Central Node and Sensor servers
- Configuring the SNMP protocol connection
- Managing Endpoint Agent host information
- Selecting a tenant to manage in the Endpoint Agents section
- Viewing the table of hosts with the Endpoint Agent component on a standalone Central Node server
- Viewing information about a host
- Filtering and searching hosts with the Endpoint Agent component by host name
- Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
- Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
- Filtering and searching hosts with the Endpoint Agent component by computer IP address
- Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
- Filtering and searching hosts with the Endpoint Agent component by component version
- Filtering and searching hosts with the Endpoint Agent component by their activity
- Quickly creating a filter for hosts with the Endpoint Agent component
- Resetting the filter for hosts with the Endpoint Agent component
- Configuring activity indicators of the Endpoint Agent component
- Removing hosts with the Endpoint Agent component
- Automatic removal of inactive hosts
- Supported interpreters and processes
- Configuring integration with the Sandbox component
- Manually sending files from Endpoint Agent hosts to be scanned by Sandbox
- Configuring integration with external systems
- Configuring integration with Kaspersky Managed Detection and Response
- Configuring integration with an SIEM system
- Renewing the certificate for connecting to the Central Node using the API
- Managing connectors
- Managed and unmanaged connectors
- Sending events, application messages, and audit records to third-party systems
- Automatic network access control for devices via Cisco Switch connectors
- Adding a connector
- Viewing the table of connectors
- Enabling or disabling a connector
- Editing connector settings
- Creating a new communication data package for a connector
- Deleting a connector
- Adding and deleting connector types
- Managing account credentials secrets for remote connections
- Updating application databases
- Creating a list of passwords for archives
- Configuring integration with ArtX TLSproxy
For administrators: Getting started with the application web interface
The intended audience of this section is personnel who install and administer Kaspersky Anti Targeted Attack Platform and manage PCN and SCN servers and tenants in distributed solution and multitenancy mode.
Kaspersky Anti Targeted Attack Platform Interface
The application is managed through the web interface. The sections of the application web interface that are available depend on the role of the user: Administrator or one of the security officer roles (Senior security officer, Security officer, Security auditor).
The window of the application web interface contains the following:
- Sections in the left part and in the lower part of the application web interface window.
- Tabs in the upper part of the application web interface window for certain sections of the application.
- The workspace in the lower part of the application web interface window.
Sections of the application web interface window
The application web interface for the Administrator role contains the following sections:
- Dashboard. Contains Kaspersky Anti Targeted Attack Platform Monitoring data.
- Operating mode. Contains information about PCN and SCN servers and about tenants in distributed solution and multitenancy mode.
- Assets. Contains information about connected computers with the Kaspersky Endpoint Agent component and their settings.
- Logs: User activity, Application messages, Audit. Contains information about the application performance and audit records for user activity in the web interface.
- Settings. Contains the settings of the server with the Central Node component.
- Sensor servers. Contains information about connected Sensor components and their settings.
- Sandbox servers. Contains information about the connection of the Central Node component to Sandbox components.
- External systems. Contains information about application integration with mail sensors.
- Server configuration. Contains information about the sizing parameters of the application.
Workspace of the application web interface window
The workspace displays the information you choose to view in the sections and on the tabs of the application web interface window. It also contains control elements that you can use to configure how the information is displayed.
Users with the Security auditor role can also view these sections of the application web interface.
Monitoring the performance of the application
You can monitor application operation using the widgets in the Dashboard section of the application web interface window. You can add, delete, and move widgets, configure the display scale of widgets, and select the data display period.
About widgets and layouts
You can use widgets to monitor application operation.
A layout is the appearance of the workspace of the application web interface window in the Dashboard section. You can add, delete, and move widgets in the layout.
The following widgets are available in the application:
- Administration:
- Sandbox processing time. Displays how long it took on average for objects to be scanned by Sandbox.
- Processed. Displays the processing state for traffic coming from Sensors and Endpoint Agents to the Central Node.
- Queues. Displays information on the number and volume of objects waiting to be scanned by application modules and components.
If you are using the distributed solution and multitenancy mode, the section displays information about the tenant and server that you chose.
- NDR:
- Custom widget. Widget with arbitrary static content. For example, you can use custom widgets to logically separate groups of widgets in the Dashboard section.
- Traffic. Rate of incoming traffic. The widget can display information for all monitoring points of all nodes with installed application components, for monitoring points of a selected node, or for an individual monitoring point.
- CPU usage. CPU load on the selected node that has an application component installed.
- RAM usage. Amount of physical RAM being used on the selected node that has an application component installed.
- NDR health. Information about the current state of application performance. This widget can display the following values:
- OK—No messages regarding performance issues, or all performance issues have been resolved.
- Non-critical malfunction—Non-critical malfunctions reported. This value is displayed until the performance problem is resolved.
- Operation disrupted—Disruptions of the application reported. This value is displayed until the performance problem is resolved.
- Maintenance mode—The application is running in maintenance mode.
- Storage—Information about the drive in the local file system on the selected node with the application component installed. In this widget, you can select the following information to be displayed:
- Disk usage—Percentage of time taken to process data read/write operations.
- Occupied on disk—Filled disk space.
- Read from disk—Rate of reading data from the disk.
- Write to disk—Rate of writing data to the disk.
- Traffic processing latency. The current latency while processing traffic, counting from the moment it arrives at the monitoring point of the node. The maximum latency from among all enabled monitoring points is displayed. The widget can display information for all monitoring points of all nodes with installed application components, for monitoring points of a selected node.
- Status of protection functions. General information about the current state of protection functions in the application. This widget can display the following values:
- All are enabled—All technologies and methods intended for continuous use are enabled, and all created monitoring points are enabled.
- Not all are enabled—Some protection functions are disabled or are enabled in learning mode, or not all monitoring points are enabled.
- Uptime. Uptime of Kaspersky Anti Targeted Attack Platform. In this widget, you can select the following information to be displayed:
- Effective uptime—Duration of normal operation of the application (without malfunctions) since the most recent launch up to the current moment.
- Total uptime—Time from the first launch of the application up to the current moment. Includes periods of normal operation of the application and periods of malfunctioning.
- Since first start of application—The total time elapsed from the first launch of the application up to the current moment. Includes periods of normal operation, periods of malfunctioning, and periods of inoperability.
Widgets employ various means of drawing attention, depending on the incoming information. For example, widgets with information about the application and hardware resources can automatically change color if the information requires attention (in particular, when the load on a hardware resource is close to critical).
Widgets display only basic information that changes dynamically. If you need to view detailed information, you can navigate from the Dashboard section to other sections of the application web interface. You can navigate the web interface by clicking widgets.
For correct information to be displayed in NDR widgets, you must configure the synchronization of date and time between Central Node and Sensor components.
Selecting a tenant and a server to manage in the Dashboard section
If you are using the distributed solution and multitenancy mode, before using the Dashboard section, you must select the tenant and server whose data you want to view. Widgets of the NDR functionality will display information for the current node or for the node that is selected in widget settings.
To select a tenant and server for which you want to display data in widgets of the Dashboard section:
- In the upper right part of the application web interface window, click the arrow next to the server name.
- In the drop-down list, select the tenant and server from the list.
Data for the selected server is displayed. If you want to select a different tenant and server, repeat the steps to select a tenant and server.
Adding a widget to the current layout
To add a widget to the current layout:
- Select the Dashboard section in the application web interface window.
- Click the button in the upper part of the window.
- In the drop-down list, select Customize.
- Click Widgets.
- In the Manage widgets window that opens:
- If you want to add the Sandbox processing time widget, turn on the toggle switch next to the name of this widget.
- If you want to add a different widget, click the icon next to the name of that widget.
- Close the Manage widgets window and click Apply.
The selected widget is added to the current layout.
Moving a widget in the current layout
To move a widget in the current layout:
- Select the Dashboard section in the application web interface window.
- Click the button in the upper part of the window.
- In the drop-down list, select Customize.
- Select the widget that you want to move within the layout.
- Click and hold the upper part of the widget to drag and drop the widget to a different place in the layout.
- Click Apply.
The current layout is saved.
Changing the display of information in NDR widgets
After an NDR widget is added, it displays information in accordance with the default settings. If necessary, you can edit the display settings.
To edit NDR widget display settings:
- Select the Dashboard section in the application web interface window.
- Click the button in the upper part of the window.
- In the drop-down list, select Customize.
- Click the button in the upper-right corner of the NDR widget that you want to configure.
This opens the display settings window.
- Manage the display settings of the NDR widget.
Depending on the selected NDR widget, the window may contain the following settings:
- Change name – if the Change name check box is selected, you can define any name for the widget (different from the default name) in the Widget name field. The Change name setting is absent from custom widgets.
- Widget name – field for entering a widget name different from the default name.
- Edit description – if the Edit description check box is selected, you can provide any description for the widget (different from the default description) in the Widget description field. The Edit description setting is absent from custom widgets.
- Widget description – field for entering a widget description different from the default description.
- Refresh period – the time in seconds after which the displayed information is updated.
- Display – defines the type of displayed data (for widgets that let you select which data to display).
- Data source – the host with installed application components whose information the widget displays. If Entire application is selected, the widget displays data from all nodes.
- Change color based on status – if this check box is selected, the background color of the widget automatically changes depending on the severity of the incoming data. Critical (maximum) importance level is represented by a red background. If this check box is cleared, background color is disabled.
- Defined background – defines the color of the background on the custom widget. You can choose a background color that corresponds to one of the severity levels (Info, Warning, or Critical) or select Neutral to disable background coloring.
- Click Apply.
Removing a widget from the current layout
To remove a widget from the current layout:
- Select the Dashboard section in the application web interface window.
- Click the button in the upper part of the window.
- In the drop-down list, select Customize.
- Click the icon in the upper right corner of the widget that you want to remove from the layout.
The widget is removed from the workspace of the application web interface window.
- Click Apply.
The widget is removed from the current layout.
Saving a layout to PDF
NDR widgets in the layout are not saved to PDF.
To save a layout to PDF:
- Select the Dashboard section in the application web interface window.
- Click the button in the upper part of the window.
- In the drop-down list, select Save as PDF.
This opens the Saving as PDF window.
- In the lower part of the window, in the Layout drop-down list, select the page orientation.
- Click Download.
The layout in PDF format is saved to the hard drive of your computer in the downloads folder of the browser.
- Click Close.
Configuring the data display period in widgets
You can configure the display of data in widgets for the following periods:
- Day.
- Week.
- Month.
For NDR widgets, you can use the following periods:
- 1h
- 12h
- 24h
- 7d
You can configure a data display period for each individual NDR widget.
Changing the display of information in widgets
To configure the display of data in widgets for a day (from 00:00 a.m. to 11:59 p.m.):
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the application web interface window, in the drop-down list of data display periods, select Day.
- In the calendar to the right of the Day period name, select the date for which you want to display data in the widget.
All widgets on the Dashboard page display data for the period you selected.
To configure the display of data on widgets for a week (Monday through Sunday):
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the application web interface window, in the drop-down list of data display periods, select Week.
- In the calendar to the right of the Week period name, select the week for which you want to display data in the widget.
All widgets on the Dashboard page display data for the period you selected.
To configure the display of data in widgets for a month (calendar month):
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the application web interface window, in the drop-down list of data display periods, select Month.
- In the calendar to the right of the Month period name, select the month for which you want to display data in the widget.
All widgets on the Dashboard page display data for the period you selected.
Changing the display of information in widgets
To configure the display of information in an NDR widget:
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the NDR widget that you want to configure, click the button that stands for the time interval that you need.
The NDR widget displays information for the selected period.
Monitoring the receipt and processing of incoming data
In the Processed widget, you can assess the processing status of data coming from Sensors and Endpoint Agents to the Central Node, and track data processing errors.
To select the component (Sensor or Endpoint Agent) for which you want to assess incoming data, use the drop-down list to the right of the Processed widget name.
You can select the type of data display in the drop-down list to the right of the component name (Sensor or Endpoint Agent):
- Current load—The last 5 minutes.
- Selected period. In this case, you can also configure the period for which data is displayed in widgets.
The left part of each widget displays the legend for colors used in the widget itself.
If the Current load data display type is selected, the average data processing rate over the past 5 minutes is displayed to the right of the key.
Example: The Processed widget that has (SPAN) or (ICAP) Sensor type and Current load data display type selected displays the data processing rate for SPAN and ICAP traffic coming from the Sensor to the Central Node at a certain time. The following information is displayed:
If the Selected period data display type is selected, to the right of the legend, you can see the average rate of incoming traffic to the Central Node and the number of objects processed during the selected period.
Example: The Processed widget with an (SPAN) or (ICAP) Sensor, Selected period data display type, and Month data display period selected displays the rate of SPAN and ICAP traffic coming to the Central Node server, as well as the number of files and URLs extracted from mail traffic during the selected month. The following information is displayed:
The Processed widget with (LOAD) Endpoint Agents Sensor type, Selected period data display type, and Month data display period selected displays the number of events coming from Endpoint Agent hosts to the Central Node server during the selected month. When you move the mouse cursor over a widget, you see a pop-up window that displays the number of events for a specific time period.
Monitoring the queues for data processing by application modules and components
You can use the Queues widget to assess the status of data processing by the YARA and AM Engine application modules and the Sandbox component, and to monitor the amount of unprocessed data. Data transfer in the queue is measured in messages.
You can select the type of data display in the drop-down list to the right of the Queues widget name:
- Current load—The last 5 minutes.
- Selected period. In this case, you can also configure the period of data display on widgets.
The left part of the widget displays the legend for colors used in the widget.
The Queues widget displays the following data:
- Number of messages and Data volume processed by application modules and components:
- YARA—blue.
- Sandbox—violet.
- AM Engine—green.
- Unprocessed – amount of unprocessed data indicated by vertical red lines.
When you hover the mouse cursor over a widget, you see a pop-up window that displays the status of data processing by the YARA and AM Engine application modules and the Sandbox component, as well as the amount of unprocessed data during a specific time period.
Monitoring the processing of data by the Sandbox component
The Sandbox processing time widget displays the average time elapsed from the moment data is sent to one or multiple Sandbox component servers (including the time spent in the queue before getting sent) to the moment when the Sandbox processing results are displayed in the web interface of Kaspersky Anti Targeted Attack Platform for the selected period.
Example: If Month is configured as the period of data display in widgets, the Sandbox processing time widget displays orange-colored bars for each day of the month. When you move the mouse cursor over each column, you will see a pop-up window that displays the average time that elapses from the moment data is sent to one or several servers with the Sandbox component until the results from data processing by the Sandbox component are displayed in the web interface of Kaspersky Anti Targeted Attack Platform during the selected day.
You can increase the rate at which data is processed by the Sandbox component and the throughput of the Sandbox component by increasing the number of servers with the Sandbox component and by distributing the data to be processed among those servers.
Viewing the working condition of modules and components of the application
If modules or components of the application encounter errors that the administrator is advised to look at, a yellow warning box is displayed in the upper part of the Dashboard section of the application web interface.
Users with the Administrator or Security auditor role can gain access to information about the working condition of the Central Node, PCN, or SCN server that the user is currently managing.
Users with the Senior security officer, Security officer, or Security auditor role can gain access to the following information about the working condition:
- If you are using a standalone Central Node server, the user can access information about the working condition of the Central Node server which the user is currently managing.
- If you are using the distributed solution and multitenancy mode, and the user is managing an SCN server, the user can gain access to information about the working condition of that SCN server for tenants to whose data the user has access.
- If you are using the distributed solution and multitenancy mode, and the user is managing the PCN server, the user can gain access to information about the working condition of the PCN server and all SCN servers connected to that server, for tenants to whose data the user has access.
For details about the working condition of application modules and components, click View details to open the System health window.
In the System health window, one of the following icons is displayed depending on the working condition of the application modules and components:
- An icon indicating that the modules and components of the application are working normally.
- An icon with the number of problems if problems are found that the administrator is recommended to pay attention to. In this case, detailed problem information is displayed in the right part of the System health window.
The System health window contains the following sections:
- Component health contains information on the operational status of application modules and components, quarantine, and database update on all servers where the application is running.
Example:
If the databases of one or more application components have not been updated in 24 hours, a warning icon is displayed next to the name of the server on which the application modules and components are installed.
To resolve the problem, make sure that update servers are accessible. If you are using a proxy server to connect to update servers, make sure the proxy server has no errors pertaining to the connection to Kaspersky Anti Targeted Attack Platform servers.
- Processed—Status of receiving and processing incoming data. The status is generated based on the following criteria:
- State of receiving data from servers with the Sensor component, from the server or virtual machine with the mail sensor, from hosts with the Endpoint Agent component.
- Information about exceeding the maximum allowed time that objects wait in the queue to be scanned by application modules and components.
- Connection with servers—Status of the connection between the PCN server and connected SCN servers (displayed if you are using the distributed solution and multitenancy mode).
If problems are detected with the performance of application modules or components and you cannot resolve those problems on your own, please contact Kaspersky Technical Support.
Managing Central Node or Sensor server information
Information about servers with the Central Node or Sensor components is displayed in the Sensor servers section of the application web interface window.
This section displays cards of components (on the left) and cards of network interfaces detected on these components (to the right of each component).
Above the card of the Sensor component is the card of the Central Node component to which the Sensor is connected. If the Central Node component is deployed with a built-in Sensor component, the name of that Sensor component is displayed in the card as Embedded Sensor.
You can view component cards and network interface cards.
Viewing information about Central Node or Sensor servers
To view information about a Central Node or Sensor component:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant component.
This opens a window with information about the component.
The Settings tab for the Central Node and Sensor components displays the following information:
- Status is the current status of the component indicated by an icon and text description.
- Node type indicates the application component: Server (Central Node component) or Sensor (Sensor component).
- Disk space currently used by the application is the disk space occupied by application files. Includes installed files and files created by the application in the course of its operation.
- Maximum disk space that can be used by the application is the disk space that can be occupied by application files. Includes installed files and the sum total of all space limits configured in data storage rules. This value may not exceed the amount of available disk space.
- Occupied on disk is the disk space used by all files. Includes application files, operating system files, and files of other applications. The space is calculated on the disk that contains the /var directory in the file system of the component.
- Free disk space is the disk space that is not used by files. The space is calculated on the disk that contains the /var directory in the file system of the component.
- Total disk space is the total volume of disk space on the drive that contains the /var directory in the file system of the component.
- BPF filtering indicates whether filtering using the Berkeley Packet Filter (BPF) technology based on address parameters in network packets is enabled or disabled.
- External storage for traffic dump files indicates the connection status of the external storage. The following statuses may be displayed: Connected, Not connected.
- Retention rules indicate current and maximum values of size, number of items, and storage duration of application data.
For the Sensor component, in addition to the Settings tab, the External storage, Other, ICAP integration, POP3 integration, and SMTP integration tabs are also displayed.
- The External storage tab displays information about the configuration of the external storage for mirrored SPAN traffic.
- On the Other tab, the following information is displayed:
- Maximum size of scanned file is the current limit on the size of files that can be scanned by the component.
- Dump HTTP body indicates whether HTTP body content dumping is enabled or disabled.
- The ICAP Integration tab displays the settings of integration with a proxy server via ICAP.
- The POP3 Integration tab displays the POP3 mail server integration settings.
- The SMTP Integration tab displays the SMTP mail server integration settings.
Viewing network interface information
The network interface card in the Sensor servers section of the application web interface displays the following information:
- Network interface name
- MAC address of the network interface
- IP address of the network interface
- Network interface bandwidth
- Blink. This link lets you identify the Ethernet port associated with a network interface
If a monitoring point has been added to the network interface, the following information about the monitoring point is displayed in the card of the network interface:
- Monitoring point name.
- Technology mode is the state of the technology inheritance functionality. It can be Enabled or Disabled.
You can view network interface details.
To view network interface details:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant network interface.
This opens a window with information about the network interface.
The network interface card displays the following information:
- Network interface is the name of the network interface in the operating system.
- Connection is the icon indicating whether a network cable is connected to the Ethernet port of the network interface: one icon means the network cable is connected, the other means the network cable is disconnected. The icon blinks when the Ethernet port indication mode is enabled.
- MAC address is the MAC address of the network interface.
- IP address is the IP address of the network interface.
If multiple IP addresses are found on the network interface, a maximum of 16 IP addresses are displayed in the details area.
If a monitoring point has been added to the network interface, the following information is displayed in the card of the network interface:
- Status is the current status of the monitoring point, indicated by an icon and a text description:
- OK. The monitoring point is available.
- Switchover. The operating mode of the monitoring point is being changed.
- Error. An error was detected when switching over the operating mode of the monitoring point.
- Connection is an icon indicating whether a network cable is connected to the Ethernet port of the network interface (one icon for a connected cable, another for a disconnected cable).
The icon blinks when the Ethernet port indication mode is enabled.
- Network interface is the name of the network interface in the operating system.
- Mode is the current mode of the monitoring point:
- Enabled.
- Disabled.
- On the Settings tab:
- The Inheritance of technologies indicates whether inheritance of technologies is enabled or disabled for the server.
- MAC address is the MAC address of the network interface.
- IP address is the IP address of the network interface.
Identifying the Ethernet port associated with a network interface
The server on which application components are installed can have multiple Ethernet ports for connecting to the local network. You can use the application to enable blink mode for a network interface and find out which Ethernet port is associated with this interface. In blink mode, the LED next to the Ethernet port blinks for 15 seconds.
If the network interface does not support LED indication (for example, if the Ethernet port is not equipped with a LED, or the network interface is a logical bonded interface), an error is displayed when attempting to enable blinking mode.
To identify the Ethernet port associated with a network interface:
- Select the Sensor servers section in the window of the application web interface.
- In the card of the relevant network interface, click the Blink button.
If the network interface supports LED indication, the network cable connection icon starts blinking in the card of the network interface. At the same time, the LED next to the Ethernet port starts blinking on the corresponding network adapter of the computer.
When a network interface is in blinking mode, you cannot turn on blinking mode for any other network interface on the same server.
Managing Central Node, PCN, or SCN servers using the application web interface
You can use the application web interface to perform the following actions with the server on which the Central Node component is installed:
- Configure the date and time on the server.
- Power off and restart the server.
- Generate or upload a server certificate that you can prepare on your own.
- Configure the network settings of the server.
- Monitor the disk space usage on the server.
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
Changing the server name
To rename the Central Node server:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Central Node component.
This opens a window with information about the component.
- Click Edit.
- Go to the General tab.
- In the Server name field, enter a new name.
The name must be unique (may not be the same as the name of another component) and may contain up to 100 characters. You can use letters of the English alphabet, numerals, a space, and the special characters: _ and - (for example, Server_1). The name must begin and end with any valid character other than a space.
- Click Save.
The server is renamed.
Configuring the date and time on the server
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure the date and time on the server:
- In the window of the application web interface, select the Settings section, Date and time subsection.
- In the Time zone drop-down list, select the time zone of the physical location of the Central Node server.
- Under NTP servers, specify the value of the Maximum packet transmission time setting, which limits the maximum possible time it takes to deliver a packet from the Central Node server to the NTP server.
The default setting is 5 seconds.
- In the NTP servers section:
- If you want to add a new NTP server, click Add, enter the IP address or domain name of the NTP server in the field that opens, and click the confirmation button to the right of the field.
- If you want to edit the IP address or domain name of an NTP server, click the edit button in the line containing the server.
- If you want to delete an NTP server, click the delete button in the line containing the server.
- Click Apply.
The date and time of the server will be configured.
Generating or uploading a TLS certificate of the server
If you are already using a server TLS certificate, generating or uploading a new certificate causes the currently used certificate to be removed and replaced with the new certificate.
You must enter the data of the new certificate everywhere the old certificate was used.
If you replace the TLS certificate, you will need to:
- Reauthorize mail sensors (KSMG, KLMS) on Central Node
- Reconfigure the connection of Central Node, PCN, and SCN to Sandbox
- Reconfigure traffic forwarding from Endpoint Agent to Sensor and trusted connection with Endpoint Agent
Make sure to delete all Endpoint Agent host isolation rules. Connection with isolated hosts will be lost and you will not be able to manage them
You can generate a new certificate in the web interface of the Central Node server or upload a certificate that you have created independently.
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To generate a TLS certificate for a Central Node server:
- Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
- In the window of the application web interface, select the Settings section, Certificates subsection.
- In the Server certificate section, click Generate and export.
This opens the action confirmation window.
- Click Yes.
Kaspersky Anti Targeted Attack Platform generates a new TLS certificate. The page is automatically refreshed.
Communication with the mail sensors, the Sandbox component, and the Kaspersky Endpoint Agent application is interrupted until reauthorization.
You can choose to prepare the TLS certificate on your own and upload it using the Kaspersky Anti Targeted Attack Platform web interface.
The TLS certificate file prepared for upload must satisfy the following requirements:
- The file must contain the certificate itself and a private encryption key for the connection.
- The file must be in PEM format.
The application does not support other formats of certificates.
If you have prepared a certificate in a different format, you must convert it to the PEM format.
- The private key length must be 2048 bits or longer.
For more details on preparing TLS certificates for import, please refer to the OpenSSL documentation.
Upload the TLS certificate in the web interface of the PCN or SCN server to which you want to upload the certificate.
To upload an independently prepared TLS certificate using the Kaspersky Anti Targeted Attack Platform web interface:
- Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
- In the window of the application web interface, select the Settings section, Certificates subsection.
- In the Server certificate section, click Upload.
This opens the file selection window.
- Select the TLS certificate file to upload and click the Open button.
This closes the file selection window.
The TLS certificate is added to the Kaspersky Anti Targeted Attack Platform.
Communication with the mail sensors, the Sandbox component, and the Kaspersky Endpoint Agent application is interrupted until reauthorization.
Downloading the TLS certificate of the server
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To download the TLS certificate of the server:
- In the window of the application web interface, select the Settings section, Certificates subsection.
- In the Server certificate section, click Download.
The server certificate file will be saved in the downloads folder of the browser.
Assigning a server DNS name
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To assign the server name to be used by DNS servers:
- In the window of the program web interface, select the Settings section, Network settings subsection.
- Enter the full domain name of the server into the Server name (FQDN) field.
Specify the server name in FQDN format (for example, host.domain.com or host.domain.subdomain.com).
- Click Apply.
The server name will be assigned.
Configuring DNS settings
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure DNS:
- In the window of the program web interface, select the Settings section, Network settings subsection.
- In the DNS settings group, enter the IP addresses of the DNS servers in the DNS servers field.
- Click Apply.
The DNS settings will be configured.
Configuring settings of the network interface
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure the network interface:
- In the window of the program web interface, select the Settings section, Network settings subsection.
- Select the network interface whose settings you want to configure.
This opens the Edit network interface window.
- In the State settings group, select one of the following options:
- Disabled
- Enabled, using DHCP server if you want the settings received from the DHCP server to be used for the network interface.
- Enabled, manual configuration if you want the manually configured network interface to be used.
- If you selected Enabled, manual configuration, specify values for the following parameters:
- In the IP field, specify the IP address of the network interface.
- In the Subnet mask field, specify the subnet mask of the network interface.
- In the Gateway text box, enter the IP address of the gateway.
- Click Save.
The settings of the network interface will be configured.
Configuring the default network route
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure the default network route:
- In the window of the program web interface, select the Settings section, Network settings subsection.
- In the Network route settings group, in the Network interface drop-down list, select the network interface for which you want to configure the network route.
- In the Gateway text box, enter the IP address of the gateway.
- Click Apply.
The default network route will be configured.
Configuring proxy server connection settings
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure the proxy server connection:
- In the window of the application web interface, select the Settings section, Network settings subsection.
- In the Proxy server settings group, set the toggle switch to Enabled.
- In the Host field, specify the URL of the proxy server.
- In the Port field, specify the port for connecting to the proxy server.
- In the User name field, specify the user name for authentication on the proxy server.
- In the Password field, specify the password for authentication on the proxy server.
- If you do not want to use a proxy server when connecting to local addresses, select the Bypass proxy server for local addresses check box.
- Click Apply.
The proxy server connection settings will be configured.
Configuring the mail server connection
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
The application can send notifications about alerts and system performance. To do so, you must configure the settings of the server used for sending notifications.
To configure the server for sending notifications:
- In the main window of the application web interface, select the Settings section, Notifications subsection.
- Go to the Mail server configuration tab.
- In the Host field, specify the IP address of the mail server.
- In the Port field, specify the port for connecting to the mail server.
- In the Email from field, specify the email address from which the notifications will be sent.
- If you want to enable authentication on the mail server, select the Use SMTP authentication of message recipients check box.
- In the User name field, specify the user name for authentication on the server used for sending notifications.
- In the Password field, specify the password for authentication on the server used for sending notifications.
- If you want to use TLS encryption when sending notifications, select the Use TLS encryption check box.
- If you want to validate the certificate of the mail server, select the Validate TLS encryption check box.
The Certificate fingerprint field displays the fingerprint of the mail server certificate.
If the Validate TLS encryption check box is not selected, the application accepts any certificate presented by the mail server: the connection is encrypted, but the identity of the mail server is not verified.
- Click Apply.
The settings of the server used for sending notifications will be configured.
Managing traffic saving settings
The application can save traffic received at the time when an event was registered. Traffic is saved in the database of the Central Node server when registering events for which traffic saving is enabled. The application can also directly save traffic in the server database upon a traffic download request, using temporary traffic dump files.
The application stores traffic data in blocks. If a block of traffic is associated with multiple events (for events recorded within a short period of time), such a block of traffic is not duplicated in the database.
To manage the settings for saving traffic in the server database:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Central Node component.
This opens a window with information about the component.
- Click Edit.
- Go to the General tab.
- Under Traffic for events, specify the maximum volume of traffic to be saved in the Max volume field.
You can select the unit of measure for the size limit: MB or GB.
When editing the value, you also need to take into account that the sum total of all size limits may not exceed the specified maximum storage capacity for the server.
- Click Save.
Traffic saving settings are modified.
Managing the settings for saving traffic dump files
The application saves traffic received through monitoring points as traffic dump files. The application uses these files for analysis of incoming traffic. You can also use these files to perform the following actions in the application:
- Downloading traffic when managing the network interactions map
- Downloading network session traffic
- Downloading traffic for events (traffic dump files allow you to load traffic for events, even if traffic saving is disabled for the relevant event type)
Traffic dump files are saved in internal storage on servers with the Sensor component. If you use the Central Node component with built-in Sensor, traffic dump files are saved in the internal storage of the Central Node server.
The application stores traffic dump files on a temporary basis. As traffic arrives, the application automatically deletes the oldest traffic dump files from storages if the total size of files approaches the limit set for the storage. You can configure the settings for storing traffic in the internal storage.
To configure the saving of traffic dump files to the internal storage:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Central Node component.
This opens a window with information about the component.
- Click Edit.
- Go to the General tab.
- If necessary, in the Filtering stored traffic section, enable filtering and enter a filtering expression using the Berkeley Packet Filter (BPF) technology based on the address settings of the network packets.
Filtering can reduce the size of stored traffic by discarding network packets that do not match the filter. However, if you rely on filtering, consider that filtered traffic may not provide all data that the application needs for high-quality traffic analysis. You need to configure filtering in such a way that all network packets that the application needs to analyze traffic are saved in the traffic dump files.
- Under Traffic dump files, use the Max volume setting to set the size limit for stored traffic dump files.
You can select the unit of measure for the space limit: MB or GB.
When editing the value, you also need to take into account the amount of received traffic, the rate at which it is received, and the fact that the sum total of all size limits may not exceed the specified maximum storage capacity for the node.
- Click Save.
Traffic dump saving in internal storage is configured.
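The two filters below are an added illustration of the kind of expression the Filtering stored traffic step accepts; they are not taken from the Kaspersky documentation, and the addresses are made up. Each one names only the traffic to discard and keeps everything else:

```text
not (host 10.20.0.15 and host 10.20.0.16)
not (src net 10.30.0.0/16 and dst net 10.30.0.0/16)
```

The first discards only the replication stream between two known backup hosts; the second discards only traffic that both originates and terminates inside a storage network. Write the filter as `not (...)` around a narrowly scoped exclusion. An inclusive filter such as `host 10.20.0.15` keeps only that host's packets and silently drops everything the analyzers need from the rest of the network, and because the filter is applied before packets reach the traffic dump files, what it drops cannot be recovered later.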
Selecting operating systems to use when scanning objects in Sandbox
You can select a set of operating systems that will be used to generate tasks for scanning objects using the Sandbox component. On the Sandbox server, you must install virtual machines with operating systems that match the configured set.
To select the set of operating systems:
- Select the Sandbox servers section in the window of the application web interface.
- Go to the Settings tab.
- Under OS set, select one of the following options:
- Windows 7, Windows 10.
- CentOS 7.8, Windows 7, Windows 10.
- Astra Linux 1.7, Windows 7, Windows 10.
- Custom.
- If you selected Custom, under Set composition, select the check boxes next to the operating systems that you want to include in the set.
Custom operating systems are displayed in the list if virtual machines with these operating systems are installed on the Sandbox server. Preset operating systems are always displayed in the list, but if virtual machines running these operating systems are not deployed, the Unknown status is displayed next to the name of the operating system.
Kaspersky Anti Targeted Attack Platform will create tasks for scanning objects in Sandbox in accordance with the selected set.
If the set of operating systems installed on the Sandbox server does not match the set selected on the Central Node server, objects are not sent to be scanned by that Sandbox server. If multiple Sandbox servers are connected to the Central Node server, the application sends objects to those Sandbox servers whose installed operating systems match the set selected on Central Node.
You can change the set of operating systems in the course of using the application. In this case, you need to make sure that the configuration of the Sandbox server satisfies hardware requirements.
In distributed solution and multitenancy mode, the settings of the operating system set configured on the PCN server are not applied to SCN servers connected to that PCN server. You can select the set of operating systems for each PCN and SCN server individually.
Password policies
You can configure password policies for users of Kaspersky Anti Targeted Attack Platform: enforce password change after the first successful authentication in the application web interface and/or regularly.
These policies apply to all Kaspersky Anti Targeted Attack Platform users with the KATA user account account type regardless of the assigned role.
Enforced password change after the first successful authentication
If this functionality is enabled, passwords are changed in accordance with the following scenario:
- The administrator creates a user account.
- The user authenticates in the Kaspersky Anti Targeted Attack Platform web interface.
- The next time this user logs in to the web interface, the application prompts the user to change the account password. The old password becomes invalid.
The first login of the user to the main web interface of the application is counted as the first authentication. No password change prompt is displayed if the user comes back and logs in to the web interface for sizing management or the administrator menu of the application. Neither is a password change prompt displayed if the user account is used for connecting the SCN to the PCN.
Regular password change
If regular password change is enabled, the application prompts the user to change the password after the period set by the administrator expires. The countdown starts from the moment when the account password is changed and is tracked individually for each user.
Distributed solution and multitenancy mode
In distributed solution and multitenancy mode, password policy settings specified on the PCN are applied to the SCNs.
Enforced password change after the first successful authentication
For details on this feature, see the Password policies section.
To enable enforced password change after the first successful authentication:
- Select the Settings section in the application web interface window.
- Go to the Authentication policies tab.
- In the Change password after first authentication section, set the Request password change toggle switch to Enabled.
- Click Apply.
Enforced password change after the first authentication is enabled.
Enforced regular password change
For details on this feature, see the Password policies section.
To enable and configure enforced regular password change:
- Select the Settings section in the application web interface window.
- Go to the Authentication policies tab.
- In the Change password regularly section, set the Request password change toggle switch to Enabled.
- In the Change password after field, enter the number of days after which you want to change the password.
- Click Apply.
Enforced password change after the specified period is enabled and configured.
Page topManaging the Sensor component
The Sensor component receives data from network traffic and mail traffic.
You can install the Sensor and Central Node components on the same server or on separate servers. The Sensor component installed on a standalone server must be connected to the server with the Central Node component. If you are using the distributed solution and multitenancy mode, follow the steps to connect the Sensor component on the PCN or SCN server to which you want to connect the component.
Centralized management of Sensor components with the PCN in distributed solution and multitenancy mode is not supported. The Sensor component can be configured only from the specific Central Node server to which the component is connected.
Connecting the Sensor component to the Central Node
When the Sensor component is added, a configuration package is generated on the Central Node, containing the certificate and configuration data for the Sensor component. The added component is connected using the web interface of the Sensor component. The web interface of the component lets you upload a configuration package and connect the component in the following ways:
- Using a communication data package.
In this case, the configuration package is saved as a file in which the certificate is password-protected. This file is called a communication data package. The communication data package must be uploaded to the web interface of the Sensor component. After uploading the communication data package, the Sensor component automatically connects to the Central Node on which the communication data package was created.
- Automatically over the network.
In this case, the configuration package is sent over the network to the specified IP address of the server with the Sensor component. The Sensor processes the configuration package, generates a certificate signing request (CSR) based on it, and sends this request to the Central Node component. After receiving the CSR, the fingerprint of the CSR is displayed in the web interface of Kaspersky Anti Targeted Attack Platform as a sequence of characters. The same fingerprint is displayed at the same time in the web interface of the Sensor component. You must make sure that the fingerprints are identical before confirming the connection.
If the connection between the Central Node and Sensor components is established outside of a trusted medium, to protect the connection from traffic interception, you need to use external cryptographic information protection facilities that support encryption algorithms approved in your country. If the components are connected by a trusted medium, for example, a patch cord within a server rack that precludes third-party access, using external cryptographic information protection facilities is not necessary.
Adding and connecting the Sensor component automatically over the network
To connect the Sensor component automatically over the network:
- Select the Sensor servers section in the window of the application web interface.
- Click Add sensor.
This opens the Adding a new sensor window.
- Go to the Automatically over the network tab.
- In the Sensor name field, enter a name for the Sensor component that you want to connect.
After the connection to the Central Node is established, the title of the browser tab with the web interface page of the component displays the name that you configure at this step.
- In the Server address field, enter the IP address of the Central Node server to which you want to connect the Sensor component.
- In the Sensor IP address field, enter the IP address of the server with the Sensor component that you want to connect to the Central Node component.
The application establishes a connection with the server on which the Sensor component is installed, and a prompt is displayed in the web interface of the application asking you to confirm the fingerprint of the received certificate signing request.
- In a browser on any computer that allows access to the Sensor server, in the address bar of the browser, enter: https://<IP address of the Sensor server>:9443.
The web interface of the Sensor component is displayed in the browser. The web interface displays a message with information about the fingerprint of the certificate signing request that was sent to the Central Node component.
- Make sure that the character sequences representing the fingerprint of the certificate request are identical in the web interfaces of the Sensor and Central Node components.
- In the application web interface, click the button to confirm the received fingerprint of the certificate signing request.
The Sensor component is connected to the Central Node component, after which connection information is displayed in the web interfaces of the Sensor and Central Node components.
Connecting the Sensor component using a communication data package
To connect the Sensor component using a communication data package:
- Select the Sensor servers section in the window of the application web interface.
- Click Add sensor.
This opens the Adding a new sensor window.
- In the Sensor name field, enter a name for the Sensor component that you want to connect.
After the connection to the Central Node is established, the title of the browser tab with the web interface page of the component displays the name that you configure at this step.
- In the Server address field, enter the IP address of the Central Node server to which you want to connect the Sensor component.
- In the Sensor IP address field, enter the IP address of the server with the Sensor component that you want to connect to the Central Node component.
- In the Encryption of certificate in communication data package section, set the certificate protection password that you want to use.
The password must satisfy the following requirements:
- Contains 8 to 256 ASCII characters.
- Contains one or more uppercase letters of the Latin alphabet.
- Contains one or more lowercase letters of the Latin alphabet.
- Contains one or more numerals.
- Does not contain four or more identical characters in a row.
- Click Create communication data package. Your browser saves the downloaded file. Depending on your browser's settings, a window may be displayed on your screen in which you can specify the path and name of the downloaded file.
- In a browser on any computer that allows access to the Sensor server, in the address bar of the browser, enter: https://<IP address of the Sensor component>:9443.
- On the sensor web interface page, click Select file.
This opens the standard browser window for selecting a file.
- Specify the path to the communication data package.
- Click the open file button.
- After the file finishes uploading, enter the password for the certificate that you set at step 6 of these instructions.
The Sensor component is connected to the Central Node component, after which connection information is displayed in the web interfaces of the Sensor and Central Node components.
Managing the certificate of the Sensor component
This section describes how to manage the TLS certificate of the Sensor component.
The certificate can be managed in the application administrator menu.
Generating a TLS certificate for the Sensor server in the administrator menu of the Sensor server
To create a TLS certificate for the server with the Sensor component, do the following in the administrator menu of the Sensor server:
- In the main window of the administrator menu, select Program settings.
- Press ENTER.
This opens the next window of the administrator menu.
- Select Manage server certificate.
- Press ENTER.
This opens the Certificate management window.
- In the lower part of the window, select New.
- Press ENTER.
This opens a window containing information about the new certificate.
- Click Continue.
This opens the action confirmation window.
- Click Generate.
Creation of the certificate starts.
- After creation of the certificate is completed, press ENTER.
This opens a window containing information about the installed certificate.
- Click Continue.
This opens the action confirmation window.
- Click Ok.
The certificate will be created. The data of previously installed certificates will be overwritten.
Uploading your own TLS certificate in the administrator menu of the Sensor server
You can prepare your own TLS certificate and upload it to the Sensor server using SCP. For more details on the methods for uploading files via the SCP protocol, see the documentation for the operating system installed on the computer from which you want to upload the TLS certificate.
The TLS certificate file prepared for upload to the server must satisfy the following requirements:
- The file must contain the certificate itself and a private encryption key for the connection.
- The file must be in PEM format.
- The file name must be kata.pem.
- The private key length must be 2048 bits or longer.
For more details on preparing TLS certificates for import, please refer to the OpenSSL documentation.
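The following shell script is an added example, not part of the Kaspersky documentation or product. It shows how a PEM bundle that satisfies the requirements above (and the same requirements in "Generating or uploading a TLS certificate of the server" for Central Node, PCN, and SCN) can be assembled and checked before it is uploaded. It assumes OpenSSL is in PATH, that the key is RSA and unencrypted, and uses the server name katacn.example.internal and the output directory purely as illustrative values; the self-signed step stands in for the certificate your CA would issue from the CSR.

```shell
#!/bin/sh
# Added example, not Kaspersky code: build and verify a kata.pem bundle that
# meets the documented upload requirements (PEM format, certificate plus
# private key in one file, key length of 2048 bits or more).
# Assumptions: openssl is in PATH; the key is RSA and unencrypted (the upload
# procedures have no passphrase prompt); names and paths are illustrative.

# make_kata_pem DIR FQDN [BITS]
# Creates an RSA key, a CSR (for submission to your CA) and, for the purpose
# of this example only, a self-signed certificate; then writes DIR/kata.pem.
make_kata_pem() {
  dir=$1; fqdn=$2; bits=${3:-2048}
  mkdir -p "$dir" || return 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$bits" \
    -out "$dir/kata.key" 2>/dev/null || return 1
  openssl req -new -key "$dir/kata.key" -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" -out "$dir/kata.csr" 2>/dev/null || return 1
  # Self-signed stand-in for the CA-issued certificate
  openssl req -x509 -new -key "$dir/kata.key" -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" -days 365 -out "$dir/kata.crt" 2>/dev/null || return 1
  # Order used here: certificate first, then the private key
  cat "$dir/kata.crt" "$dir/kata.key" > "$dir/kata.pem" || return 1
  chmod 600 "$dir/kata.key" "$dir/kata.pem"
}

# check_kata_pem FILE
# Exit status 0 if FILE holds a parsable PEM certificate and an unencrypted
# PEM private key of at least 2048 bits, and the two belong together.
check_kata_pem() {
  f=$1
  [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
  work=$(mktemp -d) || return 1
  # Split the bundle into its PEM blocks. An ENCRYPTED PRIVATE KEY block is
  # deliberately not matched, so a passphrase-protected key fails the check.
  awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$f" > "$work/cert.pem"
  awk '/-----BEGIN (RSA |EC )?PRIVATE KEY-----/,/-----END (RSA |EC )?PRIVATE KEY-----/' \
    "$f" > "$work/key.pem"
  rc=0
  if ! openssl x509 -in "$work/cert.pem" -noout 2>/dev/null; then
    echo "no parsable PEM certificate in $f" >&2; rc=1
  elif ! openssl pkey -in "$work/key.pem" -noout 2>/dev/null; then
    echo "no parsable unencrypted PEM private key in $f" >&2; rc=1
  else
    # OpenSSL prints e.g. "Private-Key: (2048 bit, 2 primes)" for RSA keys
    bits=$(openssl pkey -in "$work/key.pem" -noout -text 2>/dev/null \
      | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    # The certificate's public key must be the one derived from the private key
    cert_pub=$(openssl x509 -in "$work/cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$work/key.pem" -pubout 2>/dev/null)
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
      echo "private key is ${bits:-unknown} bits, need 2048 or more" >&2; rc=1
    elif [ "$cert_pub" != "$key_pub" ]; then
      echo "certificate does not match the private key" >&2; rc=1
    fi
  fi
  rm -rf "$work"
  return $rc
}

# Usage: sh kata-pem.sh --demo
if [ "${1:-}" = "--demo" ]; then
  make_kata_pem ./kata-cert katacn.example.internal 2048 \
    && check_kata_pem ./kata-cert/kata.pem && echo "kata.pem passes all checks"
fi
```

For a CA-issued certificate, submit kata.csr to your CA, concatenate the returned certificate and kata.key in the same order, and run check_kata_pem on the result before copying the file to the server; a bundle that fails the key-length or key-match check will be rejected or will break the TLS listeners that depend on it, and after the replacement you still have to reauthorize the components listed at the top of this section.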
To upload your own TLS certificate to the Sensor server using SCP, do the following in your computer's SCP interface (Linux is used in the example):
- Run the following command:
scp kata.pem admin@<IP address of the server with the Sensor component>:
- At the password prompt, enter the administrator password for managing the administrator menu of the Sensor server that was set during installation.
The TLS certificate is uploaded to the server with the Sensor.
To apply the uploaded TLS certificate on the Sensor server, do the following in the administrator menu of the Sensor server:
- In the main window of the administrator menu, select Program settings.
- Press ENTER.
This opens the next window of the administrator menu.
- Select Manage server certificate.
- Press ENTER.
This opens the Certificate management window.
- In the lower part of the window, select Install from file.
- Press ENTER.
The certificate will be applied. The data of previously installed certificates will be overwritten.
Downloading the TLS certificate of the Sensor server to your computer
You can download a TLS certificate from the Sensor server to any computer that can connect to the Sensor server over the SCP protocol. For more details on the methods for transferring files via the SCP protocol, see the documentation for the operating system installed on the computer to which you want to download the TLS certificate.
To download the TLS certificate from the server with the Sensor component over the SCP protocol, do the following in your computer's interface used for working over the SCP protocol (using the Linux operating system as an example):
- Run the following command:
scp admin@<IP address of the server with the Sensor component>:ssl/kata.crt .
- At the password prompt, enter the administrator password for working in the administrator menu of the server with the Sensor component that was set during installation.
The TLS certificate is downloaded from the server with the Sensor component to the current directory.
Logging in to the web interface of the Sensor component
The Sensor web interface is located on the server hosting the Sensor component.
The Sensor web interface is protected against CSRF attacks and works only if the user's browser provides the Referer header of an HTTP POST request. Make sure that the browser that you are using to work with the Sensor web interface does not modify the Referer header of an HTTP POST request. If the connection with the web interface is established through a proxy server of your organization, check the settings and make sure that the proxy server does not modify the Referer header of an HTTP POST request.
To get started with the web interface of the Sensor application:
In a browser on any computer that allows access to the Sensor server, in the address bar of the browser, enter: https://<IP address of the server with the Sensor component>:9443.
The web interface of the Sensor component is displayed in the browser. The name of the browser tab with the web interface page contains the name of the Sensor component that was specified when the component was connected to the Central Node.
In the web interface of the Sensor component, you can do the following:
- Upload a communication data package to connect the component to the Central Node component.
- View the fingerprint of the certificate signing request to compare it with the fingerprint in the web interface of Kaspersky Anti Targeted Attack Platform, when the component is connected to the Central Node automatically over the network.
- View the status of the connection of the component to the Central Node.
Changing the server name
To rename the Central Node server:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Sensor component.
This opens a window with information about the component.
- Click Edit.
- Go to the General tab.
- In the Sensor name field, enter a new name.
The name must be unique (may not be the same as the name of another component) and may contain up to 100 characters. You can use letters of the English alphabet, numerals, a space, and the special characters: _ and - (for example, Server_1). The name must begin and end with any valid character other than a space.
- Click Save.
The server is renamed.
Managing monitoring points
Kaspersky Anti Targeted Attack Platform uses monitoring points to receive and process mirrored SPAN traffic. Monitoring points can be added and removed for the Central Node and Sensor components. Each monitoring point must be associated with a network interface that receives a copy of traffic from a certain network segment. To add monitoring points, you can use network interfaces that satisfy the following conditions:
- Network interface type: Ethernet.
- MAC address: not 00:00:00:00:00:00.
- The network interface is designated for receiving a copy of network traffic and is not used for other purposes (for example, for connecting servers with installed application components).
Monitoring points can be enabled or disabled. You can disable a monitoring point to temporarily stop monitoring a network segment from which a copy of the traffic is received on the network interface. When you need to resume monitoring, you can re-enable the monitoring point.
After disabling or removing a monitoring point, the application may log events involving this monitoring point for some time. This is due to a possible lag in processing incoming traffic when the Central Node component is under high load.
Monitoring point details are displayed in the card of the network interface to which this monitoring point is linked. If necessary, you can rename the monitoring point.
Adding a monitoring point
To receive and process traffic from the network on a network interface of a node, you need to add a monitoring point to that network interface.
To add a monitoring point to a network interface:
- Select the Sensor servers section in the window of the application web interface.
- In the card of the relevant network interface, click the Add monitoring point link.
This opens the window for adding a monitoring point.
- In the Monitoring point name field, enter a name for the monitoring point.
You can use uppercase and lowercase letters of the Latin alphabet, numbers, and the _ and - characters. The name of the monitoring point must satisfy the following requirements:
- Is unique (not assigned to any other monitoring point).
- Contains 1 to 100 characters.
- Click Add monitoring point.
The monitoring point is added.
Renaming a monitoring point
You can rename the monitoring point associated with a network interface.
The new name of the monitoring point is reflected in the events logged after the renaming. Previously logged events keep the old name of the monitoring point.
To rename a monitoring point:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant network interface.
This opens a window with information about the network interface.
- Click Edit.
- In the Monitoring point name field, enter a new name.
You can use uppercase and lowercase letters of the Latin alphabet, numbers, and the _ and - characters. The name of the monitoring point must satisfy the following requirements:
- Is unique (not assigned to any other monitoring point).
- Contains 1 to 100 characters.
- Click Save.
The monitoring point is renamed.
Enabling monitoring points
If a monitoring point is disabled, the application does not receive or process traffic arriving at its network interface. If you want to resume receiving and processing traffic, you must enable the monitoring point.
You can enable monitoring points individually or all at once, for one component or for all components.
Only users with the Administrator role can enable monitoring points.
To enable monitoring points:
- Select the Sensor servers section in the window of the application web interface.
- Do one of the following:
- If you want to enable an individual monitoring point, in the card of the relevant component, click the Enable button. The button is available if the monitoring point is disabled.
- If you want to enable all monitoring points, in the card of the relevant component, click the Enable all button. The button is available if the component has network interfaces with disabled monitoring points.
- If you want to enable all monitoring points for all components, click the Enable on all nodes link in the toolbar.
- Wait for the changes to be applied.
The selected monitoring points are enabled.
Disabling monitoring points
You can disable a monitoring point if you want to temporarily stop receiving and processing traffic on the network interface of that monitoring point.
You can disable monitoring points individually or all at the same time, for all components.
To disable monitoring points:
- Select the Sensor servers section in the window of the application web interface.
- Do one of the following:
- If you want to disable an individual monitoring point, in the card of the relevant component, click the Disable button. The button is available if the monitoring point is enabled.
- If you want to disable all monitoring points, in the card of the relevant component, click the Disable all button. The button is available if the component has network interfaces with enabled monitoring points.
- If you want to disable all monitoring points for all components, click the Disable on all nodes link in the toolbar.
- Wait for the changes to be applied.
The selected monitoring points are disabled.
Deleting a monitoring point
You can delete the monitoring point associated with a network interface. Deleting a monitoring point may be necessary if the network interface will no longer be used to receive traffic.
If you need to temporarily stop receiving traffic on the network interface of the monitoring point (for example, during maintenance and commissioning), you can disable the monitoring point without deleting it.
Traffic received from the monitoring point before it was deleted is not deleted from the database. Also, information about this monitoring point is kept in the table of logged events.
To delete a monitoring point:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant network interface.
This opens a window with information about the network interface.
- Click Delete.
A window with a confirmation prompt opens. If the monitoring point is enabled, the application prompts you to disable the monitoring point.
- In the prompt window, confirm the deletion of the monitoring point.
The monitoring point is deleted.
Configuring the maximum size of a scanned file
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure the maximum size of a scanned file:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Sensor component.
This opens a window with information about the component.
- Click Edit.
- Go to the Other tab.
- Set the Set size limit toggle switch to Enabled.
- In the Unit of measure field, select a unit of measure.
- In the Space field, enter the maximum allowed size of a file.
- Click Save.
The maximum size of a scanned file will be configured.
If you want to set the maximum size of a scanned file to a value greater than 100 MB:
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was specified during installation of the component.
The application component administrator menu is displayed.
- Select the Technical Support Mode.
- Press ENTER.
This opens the Technical Support Mode confirmation window.
- Confirm that you want to manage the application in Technical Support Mode. To do so, select Yes and press ENTER.
- To view the current scanned file size limit, run the following command:
docker exec $(docker ps -q -f name=nta_core) grep body-limit /var/opt/kaspersky/kics4net/ids/client/templates/suricata.yaml.templ | grep -v '#'
The current limit is displayed in the request-body-limit and response-body-limit fields, in bytes.
- To change the current limit, run the following command:
docker exec $(docker ps -q -f name=nta_core) sed -i 's/<previous value in bytes>/<new value in bytes>/' /var/opt/kaspersky/kics4net/ids/client/templates/suricata.yaml.templ
- Complete steps 1–8 of the instructions above.
You can set the maximum size for a scanned file over 100 MB.
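The sed command above replaces a bare number wherever it occurs on a line, so any other setting that happens to hold the same value changes too. As an added example (not from the Kaspersky documentation), the POSIX shell functions below edit a local copy of the template by key, touching only the uncommented request-body-limit and response-body-limit lines; the template excerpt and its values are constructed, and on the Sensor the file is reached through the docker exec wrapper shown on this page.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky documentation: change the Suricata
# body-limit values in a copy of suricata.yaml.templ by key rather than by
# replacing a bare number. The template excerpt below is constructed; the real
# file lives inside the nta_core container on the Sensor.

# write_sample_template FILE: constructed excerpt of the template (values in bytes).
write_sample_template() {
    cat > "$1" <<'EOF'
app-layer:
  protocols:
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          # request-body-limit: 1048576   (commented default, must not change)
          request-body-limit: 104857600
          response-body-limit: 104857600
          inspect-window: 104857600
EOF
}

# mb_to_bytes MB: prints the value in bytes, the unit the template uses.
mb_to_bytes() { echo $(( $1 * 1024 * 1024 )); }

# get_body_limits FILE: prints "request=<n> response=<n>" from uncommented lines.
get_body_limits() {
    req=$(sed -n 's/^[[:space:]]*request-body-limit:[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1)
    resp=$(sed -n 's/^[[:space:]]*response-body-limit:[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "request=$req response=$resp"
}

# set_body_limits FILE BYTES: rewrites both keys in place, keeps FILE.bak,
# returns 1 if BYTES is not a positive integer or a key is missing.
set_body_limits() {
    f=$1; bytes=$2
    case $bytes in ''|*[!0-9]*) echo "bytes must be a positive integer" >&2; return 1;; esac
    grep -q '^[[:space:]]*request-body-limit:' "$f" && grep -q '^[[:space:]]*response-body-limit:' "$f" \
        || { echo "body-limit keys not found in $f" >&2; return 1; }
    cp "$f" "$f.bak"
    # Anchored on the key, so a commented default or another key holding the
    # same number is left untouched; indentation and key name are kept.
    sed -i.tmp -E "s/^([[:space:]]*)(request|response)-body-limit:[[:space:]]*[0-9]+/\1\2-body-limit: $bytes/" "$f" \
        && rm -f "$f.tmp"
}

# Usage: write_sample_template ./suricata.yaml.templ
#        set_body_limits ./suricata.yaml.templ "$(mb_to_bytes 200)" && get_body_limits ./suricata.yaml.templ
```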
Configuring HTTP packet body dumping
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure HTTP packet body dumping:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Sensor component.
This opens a window with information about the component.
- Click Edit.
- Go to the Other tab.
- In the Dump HTTP body section:
- If you want to enable HTTP packet body dumping, set the Enable http-body toggle switch to Enabled.
By default, the toggle switch is in the Disabled position.
- If you want to disable HTTP packet body dumping, set the Enable http-body toggle switch to Disabled.
- Click Save.
HTTP packet body dumping is enabled or disabled.
Configuring integration with a mail server via SMTP
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure integration with a mail server over SMTP:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Sensor component.
This opens a window with information about the component.
- Click Edit.
- Go to the SMTP integration tab.
- If you want to enable integration with a mail server via SMTP, set the Enable SMTP integration toggle switch to Enabled.
- In the Destination domains field, specify the name of the mail domain or subdomain. The application will scan email messages sent to mailboxes of the specified domains.
To disable a domain or subdomain, specify it in the !domain.tld form. If you leave the mail domain name blank, the application will receive messages sent to any email address.
- In the Clients field, specify the IP addresses of hosts and/or masks of subnets (in CIDR notation) with which the application is allowed to interact over the SMTP protocol.
To disable a host or subnet, specify the address in the !host form. If you leave this field blank, the application will receive the following messages:
- From any email addresses if you specified email domains in the Destination domains field.
- From a mail server in the same subnet as the Sensor server component if no domain is indicated in the Destination domains field.
- If you want to set the maximum allowed size of incoming messages, set the Set message size toggle switch to Enabled.
- In the Unit of measure field, select a unit of measure.
- In the Space field, enter the maximum allowed size of a file.
- If you want to configure TLS encryption of SMTP connections to the mail server, under Client TLS security level, select one of the following options:
- No TLS encryption.
The application will not employ TLS encryption of connections with a mail server.
- Allow TLS encryption for incoming messages.
The application will support TLS encryption of the connection, but encryption will not be mandatory.
- Require TLS encryption for incoming messages.
The application will receive messages only over encrypted channels.
- Click the Download TLS certificate button to save the TLS certificate of the server with the Sensor component on the computer in the browser's downloads folder.
This certificate is required for authentication on the mail server.
- In the Requesting client TLS certificate settings group, select one of the following options:
- Do not request.
The application will not verify the TLS certificate of the mail server.
- Request.
The application will request a TLS certificate from the mail server, if one is available.
- Require.
The application will receive messages only from those mail servers that have a TLS certificate.
- Click Save.
Integration with a mail server via SMTP will be configured. The application will scan email messages received over the SMTP protocol according to the defined settings.
If you have deployed the Central Node and Sensor components as a cluster, you can configure high availability integration with the mail server.
To configure high availability integration with the mail server:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the mail server settings.
Integration with the mail server will be configured based on the domain name. The mail server will communicate with a random server in the cluster. If this server fails, the mail server will communicate with another healthy server in the cluster.
For version 7.0 of the application in a cluster configuration, when integrated with a mail server, an error may occur when sending an email message: "451 4.3.0 Error: queue file write error".
To resolve the error:
- Enter the management console of any cluster server over SSH or using a terminal.
- When the system prompts you, enter the administrator user name and the password that was specified during installation of the component.
The application component administrator menu is displayed.
- In the application administrator menu, select Technical Support Mode.
- Press ENTER.
This opens the Technical Support Mode confirmation window.
- Confirm that you want to manage the application in Technical Support Mode. To do so, select Yes and press ENTER.
- Run the following command:
for addr in <IP addresses of cluster servers (separated by spaces)>; do nc -zv $addr 10025; done
The list of servers is displayed on the console.
- In the web interface of the application, at step 7 of the instructions above, specify the IP address of the server for which the localhost [127.0.0.1] 10025 (?) open string is displayed on the console.
The error is resolved.
If you do not get a localhost [127.0.0.1] 10025 (?) open string for any of the cluster servers, please contact Technical Support.
When installing the Central Node component of version 7.0.3 on the server, Kaspersky Anti Targeted Attack Platform may refuse email messages received via SMTP. The sender may get a "Connection refused" error.
To remove the limitation:
- Log in to the management console of the relevant Central Node server over SSH or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was specified during installation of the component.
The application component administrator menu is displayed.
- In the application administrator menu, select Technical Support Mode.
- Press ENTER.
This opens the Technical Support Mode confirmation window.
- Confirm that you want to manage the application in Technical Support Mode. To do so, select Yes and press ENTER.
- Run the following command:
sudo -i
- Run the following commands:
docker exec $(docker ps -q -f name=preprocessor_span) supervisorctl restart preprocessor
docker exec $(docker ps -q -f name=preprocessor_smtp) supervisorctl restart preprocessor
The limitation is removed.
Configuring integration with a proxy server via ICAP
Integration with a proxy server over ICAP with feedback allows you to prevent malicious objects from entering the corporate LAN and prevent users of the host from visiting malicious or phishing websites. Kaspersky Anti Targeted Attack Platform acts as an ICAP server, and your proxy server acts as an ICAP client. The proxy server sends ICAP requests to the ICAP server. The ICAP server runs a scan and returns the result to the proxy server. If any threats are detected, a notification HTML page is displayed to the user on the host.
Enabling and disabling integration with a proxy server via ICAP
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
When a standalone proxy server is used, Kaspersky Anti Targeted Attack Platform does not provide encryption of ICAP traffic or authentication of ICAP clients by default. The application administrator must take steps to ensure a secure network connection between your proxy server and Kaspersky Anti Targeted Attack Platform by using traffic tunneling or iptables.
To enable or disable integration with a proxy server via ICAP on a server with the Central Node and Sensor components installed:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Sensor component.
This opens a window with information about the component.
- Click Edit.
- Go to the ICAP integration with proxy server tab.
- Do the following:
- If you want to enable integration with a proxy server via ICAP, move the Enable ICAP integration toggle switch to Enabled.
- If you want to disable integration with a proxy server via ICAP, move the Enable ICAP integration toggle switch to Disabled.
Integration with a proxy server via ICAP is enabled.
To enable or disable integration with a proxy server via ICAP on an individual server with the Sensor component:
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press ENTER.
- Go to the Program settings → Configure ICAP integration section.
To select a row, you can use the ↑, ↓, and ENTER keys. The selected row is highlighted in red.
- This opens a window; in that window, select the Enabled line and press ENTER.
[x] is displayed to the right of the Enabled setting.
- In the settings of your proxy server, enter the URL from the RESPMOD field.
Integration with the proxy server and an individual server with the Sensor component via ICAP is configured.
If you have deployed the Central Node and Sensor components as a cluster, you can configure high availability integration with a proxy server.
To configure the high availability integration with the proxy server:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the proxy server settings.
Integration with the proxy server will be configured based on the domain name. The proxy server will communicate with a random server in the cluster. If this server fails, the proxy server will communicate with another healthy server in the cluster.
Enabling or disabling real-time scanning of ICAP traffic
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
You can enable or disable real-time scanning of ICAP traffic if integration with a proxy server via ICAP is enabled.
If real-time scanning of ICAP traffic is enabled, Kaspersky Anti Targeted Attack Platform sends information about scanned objects to the ICAP client in real time. This helps prevent downloading malicious objects and clicking untrusted links.
To enable or disable real-time scanning of ICAP traffic on a server with the Central Node and Sensor components installed:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Sensor component.
This opens a window with information about the component.
- Click Edit.
- Go to the ICAP integration with proxy server tab.
- Under Real-time scanning, select one of the following options:
- Disabled
If you select this option, real-time scanning of ICAP traffic is disabled. This option is selected by default.
- Enabled, standard ICAP traffic scanning.
When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules. The files remain available while they are being scanned by the Sandbox component.
- Enabled, advanced ICAP traffic scanning.
When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules. The files are unavailable while they are being scanned by the Sandbox component.
- Under Extract user name:
If you want to get the user name from the ICAP server, set the Extract user name toggle switch to Enabled. If you need to use Base64 decoding, select the Use Base64 decoding check box.
- Click Save.
Real-time scanning of ICAP traffic is enabled or disabled.
To enable or disable real-time scanning of ICAP traffic on an individual server with the Sensor component installed:
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press ENTER.
- Go to the Program settings → Configure ICAP integration section.
To select a row, you can use the ↑, ↓, and ENTER keys. The selected row is highlighted in red.
- This opens a window; in that window, make sure that [x] is displayed to the right of the Enabled setting.
- Select one of the following options:
- Disable real-time scanning.
If you select this option, real-time scanning of ICAP traffic is disabled. This option is selected by default.
- Standard ICAP scanning.
When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Anti-Malware Engine and YARA modules.
- Advanced ICAP scanning.
When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules.
- Select an option and press ENTER. (O) is displayed to the right of the selected option.
To select a row, you can use the ↑ and ↓ keys. The selected row is highlighted in red.
- If you enabled real-time scanning of ICAP traffic and enabled the advanced scanning mode or the standard scanning mode, specify the URL from the REQMOD field in the settings of your proxy server.
Real-time scanning of ICAP traffic on an individual server with the Sensor component is enabled or disabled.
If you enabled real-time scanning of ICAP traffic, scanning does not work if integration with the proxy server is disabled. All ICAP traffic scanning settings are saved. When you re-enable integration with the proxy server, ICAP traffic scanning is also enabled.
Configuring real-time scanning of ICAP traffic
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
Real-time ICAP traffic scanning on standalone servers with the Sensor component can only be configured in Technical Support Mode. To perform actions in Technical Support Mode, we recommend contacting Technical Support.
You can configure real-time ICAP traffic scanning on a server with the Central Node and Sensor components for anti-virus scanning of data. Scan results are displayed to the user of the host on a notification HTML page.
To configure real-time ICAP traffic scanning:
- In the window of the application web interface, select the Settings section, ICAP traffic scanning subsection.
The ICAP traffic scanning settings page is displayed.
By default, under Notifications, pages corresponding to the following events are loaded:
- The page uploaded in the Link blocked field is displayed if a threat is detected at the address requested by the user.
- The page uploaded in the File blocked field is displayed if a threat is detected in a scanned file.
- The page uploaded in the Scan file field is displayed if a file scan is started. If the file is safe, the user can click a link to download the file.
- The page uploaded in the File expired field is displayed if the file was scanned, but the storage duration for that file has expired.
By default, HTML pages from the distribution kit are loaded in Kaspersky Anti Targeted Attack Platform. You can upload your own notification pages and configure how they must be displayed. The size of a notification page must not exceed 1.5 MB. If the uploaded notification page is larger than 1.5 MB, an error is displayed.
- Under File block threshold, in the Sandbox alert importance field, select a value from the drop-down list. These values correspond to the possible impact of the alert on the security of a computer or your corporate network based on the expert opinion of Kaspersky.
This setting can take one of the following values:
- High
for a high importance alert. This option is selected by default.
- Medium
for a medium-importance alert.
- Low
for a low-importance alert.
- Under Scan timeout, in the Timeout field, specify the time after which the link to the scanned file is unblocked and downloading the scanned file becomes possible.
The default value is 10 minutes. You can set any value greater than 1 minute.
- Click Apply.
The scan is performed with the specified settings.
Configuring the display of notification pages
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
While scanning ICAP traffic in real time, Kaspersky Anti Targeted Attack Platform can perform various operations with the scanned objects: block access to a URL, block a file download, prevent the file from being downloaded while it is being scanned, and offer to re-download the file if its storage duration has expired after scanning. While these operations are in progress, an HTML notification page is displayed to the user on the host on which a URL access attempt or a file download request was made. If you want to display your own pages instead of the default pages, you can upload your own customized HTML pages.
To upload a notification page:
- In the window of the application web interface, select the Settings section, ICAP traffic scanning subsection.
- In the Notifications section, click Browse next to one of the fields you need.
- This opens a window; in that window, select your HTML page.
- Click Open.
Your page is uploaded.
The notification page of the Scan file event is different from other notification pages because it includes a link to download the file. If you want to upload a Scan file notification page, you must add a scanned file download link to the source code of the notification page.
Example:
<html>
  <body>
    <p>The file is being scanned. When the scan is completed, you will be able to download it or you will receive a report about any detected threats.</p>
    <a href="{{ download_url }}">Download link...</a>
  </body>
</html>
Configuring recording of mirrored traffic from SPAN ports
With Kaspersky Anti Targeted Attack Platform, you can save mirrored traffic from SPAN ports for investigation and detection of malicious activity within the perimeter of your corporate LAN. With mirrored traffic recording, you can perform retrospective analysis of network events and investigate the actions of hackers. Traffic is saved as dumps in PCAP format.
To save mirrored traffic from SPAN ports, enable the recording of such traffic and configure it in the web interface of the application or in the administrator menu of the Sensor component. You can also select network protocols for receiving traffic.
Selecting network protocols for receiving mirrored traffic from SPAN ports
You can select network protocols for receiving mirrored traffic from SPAN ports in the Kaspersky Anti Targeted Attack Platform web interface or in the administrator menu of the Sensor component.
If you are using the distributed solution and multitenancy mode, perform the configuration actions in the web interface of the PCN or SCN server to which the Sensor component is connected.
To select network protocols for receiving mirrored traffic from SPAN ports in the administrator menu of the Sensor component:
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press ENTER.
- Go to the Program settings → Configure traffic capture → Setup capture protocols section using the ↑, ↓, and ENTER keys. The selected row is highlighted in red.
This opens a window where you can enable or disable receipt of mirrored traffic from SPAN ports for the following network protocols:
- DNS
- FTP
- HTTP
- HTTP2
- SMTP
- SMB
- NFS
To analyze NFS traffic, you must mount the NFS partition and specify the version of the protocol.
Example for NFS v4:
mount -t nfs -o vers=4 -O uid=1000,iocharset=utf-8 <address>:/from/dir /to/dir
Example for NFS v3:
mount -t nfs -o vers=3 -O uid=1000,iocharset=utf-8 <address>:/from/dir /to/dir
If receipt of mirrored traffic from a SPAN port via a network protocol is enabled, [x] is displayed to the right of the network protocol name. If receiving mirrored traffic from a SPAN port is disabled for a particular network protocol, [ ] is displayed to the right of the name of that protocol.
By default, receipt of mirrored traffic from SPAN ports is enabled for all network protocols except HTTP2.
- If you want to enable or disable the receipt of mirrored traffic from SPAN ports for a particular network protocol, select it using the ↑ and ↓ keys and press ENTER.
- Select the line containing Apply and Exit and press ENTER.
Network protocols for receiving mirrored traffic from SPAN ports are selected.
Configuring the recording of mirrored traffic from SPAN ports using the web interface
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To enable and configure the recording of mirrored traffic from SPAN ports:
- Connect and configure external storage.
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Sensor component.
This opens a window with information about the component.
- Click Edit.
- Go to the External storage tab.
This tab is not displayed if an external storage is not connected.
In the External storage section, the Oldest packet field displays the date and time of the first saved dump in the external storage. The Newest packet field displays the date and time of the last dump saved to external storage.
- If you want to use the external storage, set the Record traffic toggle switch to Enabled.
By default, the toggle switch is in the Disabled position.
- In the Path for saving traffic field, specify the path to the directory in which you want the application to save traffic dumps.
- Do the following:
- Under Maximum storage size, specify the maximum size of traffic dumps that will be stored in the storage.
If the size of dumps in the storage exceeds the specified value, the earliest dumps are deleted until the total size of the deleted dumps equals the size of the new dumps.
If you reduce the maximum dump storage size, the earliest dumps are deleted until the total size of the deleted dumps equals the amount by which the setting was reduced.
- If you want to limit the capture of data in traffic, under Traffic filtering upon capture, set the BPF filtering toggle switch to Enabled. Traffic filtering can reduce the size of dumps in dump storage and facilitate traffic analysis.
In the BPF filtering rules field, enter the filtering rule. The BPF filtering rule is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
Example of a filtering expression:
tcp port 102 or tcp port 502
- If you want to configure the traffic dump storage duration, under Storage duration, set the Enable storage duration toggle switch to Enabled. In the Storage time (days) field, enter the number of days for which you want to store traffic dumps. Traffic dumps that are stored longer than the specified duration are deleted from the storage.
- Click Save.
The recording of mirrored traffic from SPAN ports is configured.
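The two retention limits above (maximum storage size and storage duration) interact: when both are set, dumps can be removed either because they are too old or because the storage is over its size cap, oldest first. The following model is an added example written for this manual, not Kaspersky code, to make that behaviour concrete when sizing external storage. The order of application (age limit first, then size cap) and the dump metadata layout are assumptions; the sample dumps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Dump:
    """Metadata of one PCAP dump in external storage (constructed layout, not the product's)."""
    name: str
    size_bytes: int
    written: datetime


def dumps_to_delete(dumps: List[Dump], max_total_bytes: int,
                    storage_days: Optional[int] = None,
                    now: Optional[datetime] = None) -> List[str]:
    """Return the names of dumps that the two retention limits would remove.

    Assumed order of application:
    1. If a storage duration is set, every dump older than storage_days goes.
    2. If what remains still exceeds max_total_bytes, the oldest dumps go one
       at a time until the total fits. Lowering the cap therefore removes old
       data equal in size to the reduction, which is the behaviour the manual
       describes for the Maximum storage size setting.
    """
    now = now or datetime.now()
    ordered = sorted(dumps, key=lambda d: d.written)  # oldest first
    doomed: List[str] = []

    if storage_days is not None:
        cutoff = now - timedelta(days=storage_days)
        doomed.extend(d.name for d in ordered if d.written < cutoff)

    remaining = [d for d in ordered if d.name not in doomed]
    total = sum(d.size_bytes for d in remaining)
    for d in remaining:
        if total <= max_total_bytes:
            break
        doomed.append(d.name)
        total -= d.size_bytes
    return doomed


MB = 1024 * 1024
REF_NOW = datetime(2024, 1, 15, 12, 0, 0)

# Constructed sample: four dumps written over the last ten days (1200 MB in total).
SAMPLE_DUMPS = [
    Dump("span-2024-01-05.pcap", 400 * MB, REF_NOW - timedelta(days=10)),
    Dump("span-2024-01-12.pcap", 300 * MB, REF_NOW - timedelta(days=3)),
    Dump("span-2024-01-14.pcap", 300 * MB, REF_NOW - timedelta(days=1)),
    Dump("span-2024-01-15.pcap", 200 * MB, REF_NOW),
]

if __name__ == "__main__":
    # Size cap only: the oldest dump goes so that 800 MB remain under a 900 MB cap.
    print(dumps_to_delete(SAMPLE_DUMPS, 900 * MB, now=REF_NOW))
    # Duration only: the 10-day-old dump exceeds a 7-day retention.
    print(dumps_to_delete(SAMPLE_DUMPS, 10 * 1024 * MB, storage_days=7, now=REF_NOW))
    # Both limits: two dumps are older than 2 days, the rest fit under 700 MB.
    print(dumps_to_delete(SAMPLE_DUMPS, 700 * MB, storage_days=2, now=REF_NOW))
```

The practical lesson is that a short storage duration can make the size cap irrelevant (and vice versa); choose the size cap from the expected daily dump volume multiplied by the number of days you actually need for retrospective analysis.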
Configuring the recording of mirrored traffic from SPAN ports using the administrator menu of the Sensor component
To enable recording of mirrored SPAN traffic in the administrator menu of the Sensor component:
- Connect and configure external storage.
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press Enter.
- Go to the Program settings → Configure traffic capture section.
To select a row, you can use the ↑, ↓, and Enter keys. The selected row is highlighted in red.
- In the window that opens, select the Enabled traffic storage line and press Enter.
[x] is displayed to the right of the title of the line.
Raw network traffic recording on the standalone server with the Sensor component will be enabled.
- If necessary, edit raw network traffic recording settings:
- Select the Traffic storage size line and press Enter. This opens a window; in that window, specify the maximum total size of stored raw traffic dumps, in terabytes.
The minimum value is set to 100 GB by default. The maximum value is 1,000,000 TB. For correct operation of the application, the connected drive must have at least the specified amount of free disk space. If the number entered in this field exceeds the free disk space on the connected drive, an error is displayed.
- Select the OK button and press Enter.
- Select the Traffic capture BPF-filter line and press Enter. This opens a window; in that window, enter the filtering rule. The BPF filtering rule is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
Example of a filtering expression:
tcp port 102 or tcp port 502
- Select the OK button and press Enter.
- Select the Traffic storage duration (in days) line and press Enter. This opens a window; in that window, enter the storage duration for raw network traffic dumps in the storage, in days.
- Select the OK button and press Enter.
The recording of mirrored SPAN traffic is configured in the administrator menu of the Sensor component.
Configuring integration with a mail server via POP3
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure integration with a mail server over POP3:
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Sensor component.
This opens a window with information about the component.
- Click Edit.
- Go to the POP3 integration tab.
- Set the Enable POP3 integration toggle switch to Enabled.
- In the Mail server field, specify the IP address of the mail server with which you want to configure integration.
- In the Port field, specify the port for connecting to the mail server.
- In the Receive every field, specify the mail server connection frequency (in seconds).
- If you want to use TLS encryption of connections with the mail server via POP3, select the Use TLS encryption check box.
- In the User name field, specify the account name used for accessing the mail server.
- In the Password field, specify the password for accessing the mail server.
The mail server must support Basic Authentication.
- In the TLS certificate drop-down list, select one of the following options:
- Accept any.
- Accept untrusted self-signed.
- Accept only trusted.
When establishing a connection with an external mail server, it is recommended to configure the acceptance of only trusted TLS certificates. If you accept untrusted TLS certificates, protection of the connection against MITM attacks cannot be guaranteed. Even though the acceptance of trusted TLS certificates also cannot guarantee protection of the connection against MITM attacks, it is the most secure of the supported methods for integration with a mail server over the POP3 protocol.
- If necessary, in the Cipher suite field, modify the OpenSSL settings used when establishing a connection with the mail server via POP3.
You can view reference information on OpenSSL by clicking the Help link.
- Click Save.
Integration with the mail server via POP3 will be configured.
If you have deployed the Central Node and Sensor components as a cluster, you can configure high availability integration with the mail server.
To configure high availability integration with the mail server:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the mail server settings.
Integration with the mail server will be configured based on the domain name. The mail server will communicate with a random server in the cluster. If this server fails, the mail server will communicate with another healthy server in the cluster.
Managing the cluster
You can view the table of cluster servers, add servers to the cluster, decommission servers, and enable or disable the cluster. If necessary, you can increase the disk space on the storage server.
Viewing the table of servers of the cluster
The table of cluster servers is displayed in the Cluster section of the application web interface.
The table contains the following information:
- Server type—server type depending on its role in the cluster.
The following values can be displayed:
- Storage.
- Processing.
- Status—server status.
The following values can be displayed:
- Connected.
- Not connected.
- Host name—server name.
- IP—IP address of the server.
- RAM—RAM load level of the server.
- CPU—CPU load level of the server.
- Action—Actions that you can perform with the server.
The following action is available: Delete.
Adding a server to a cluster
To add a server to the cluster, you need to start the installation of Kaspersky Anti Targeted Attack Platform on this server and follow the steps to install the components. The added server is displayed in the cluster server list.
Increasing the disk space on the storage server
You can increase the disk space on an operational storage server by installing an additional disk.
To increase the disk space of the storage server by means of an additional disk, you need to contact Technical Support.
The server is configured in Technical Support Mode.
Decommissioning servers
To decommission an operational server, you need to contact Technical Support.
If a server fails, you can decommission it on your own.
To decommission an inoperable processing server:
- Add a new processing server to the cluster.
- Remove the server from the cluster.
- Configure the sizing of the application for the new configuration.
The processing server will be decommissioned.
To decommission an inoperable storage server:
- Add a new storage server to the cluster.
- Contact Technical Support to remove the inoperable server from the cluster.
The storage server will be decommissioned.
Removing a server from a cluster
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
A removed server cannot be restored. Make sure that the selected server is not operational.
To remove a server from the cluster:
- In the window of the application web interface, select the Cluster section.
- In the Action column, click the Delete link opposite the server that you want to remove.
- Click Proceed.
The removal process will start. Removal may take about a day. Information about the removed server will not be displayed in the table of servers.
After removing the server, you can reconfigure the servers in the cluster or add a server with the same role to maintain the same level of application performance.
Starting up and shutting down the cluster
To shut down or start the cluster, we recommend contacting Technical Support. Do not shut down or start the cluster if you encounter problems with application health.
If you want to power off the healthy servers in the cluster, you must first shut down the cluster to avoid data loss.
To shut down a cluster:
- In the application web interface, go to the Cluster section.
- Click the Shut down button.
The main components of the application are stopped. You can now power off the cluster servers.
To start up the cluster servers:
- Disconnect power to the servers if it has not been previously disconnected.
- Power on the storage server.
- Power up the remaining servers.
The cluster servers will start up.
It takes approximately 90 minutes for all servers in the cluster to start up. The application web interface becomes available before all cluster servers are started. However, for users with the Senior security officer, Security officer, or Security auditor role, the application web interface does not display the application menu, and users with the Administrator role can manage only the Server configuration section.
We strongly discourage managing the sizing settings of the application until all the servers in the cluster are up and running.
When all of the servers in the cluster are up and running, the application web interface menu is displayed normally.
Notifications about the maximum allowed CPU and RAM load for the Central Node and Sensor servers
Maintaining a high load on the CPU and RAM of the Central Node and Sensor servers may prevent application components from working.
You can configure the maximum CPU and RAM usage on Central Node and Sensor servers; if these limits are exceeded, in the upper part of the Dashboard section of the application web interface for users with the Senior security officer, Security officer, and Administrator roles, a yellow warning box is displayed. You can also configure notifications to be sent to one or more email addresses and an SNMP protocol connection for sending information about the CPU and RAM load to external systems that support this protocol.
If you have deployed the Central Node and Sensor components as a cluster, warnings are displayed separately for each server in the cluster.
Users with the Senior security officer or Security officer role can also create rules for sending notifications. In this case, sending notifications correctly requires configuring maximum allowed load values for the CPU and RAM of servers, as well as notification settings on the server.
In existing rules for sending notifications about application components, the CPU load and RAM load notifications are enabled automatically if the All check box is selected under Components when the rule is created.
Configuring the maximum allowable CPU and RAM load of the Central Node and Sensor servers
In the distributed solution and multitenancy mode, you need to set the maximum allowed load values for the CPU and RAM load of each Central Node server from which you want to receive notifications. If you use a Central Node cluster, you can configure these settings on any cluster server.
To configure the maximum allowed load on the CPU and RAM of the Central Node and Sensor servers:
- In the window of the application web interface, select the Settings section, General settings subsection.
- Under Monitoring:
- In the Warning of CPU usage above N % for M minutes field, enter the maximum allowed CPU usage and time period for which the maximum load can be maintained.
By default, the maximum CPU load is 95% for 5 minutes.
- In the Warning of RAM usage above N % for M minutes field, enter the maximum allowed RAM usage and time period for which the maximum usage can be maintained.
By default, the maximum RAM usage is 95% for 5 minutes.
- Click Apply.
The maximum allowed load of server CPU and RAM will be configured. If one of the values is exceeded on the Central Node and/or Sensor server, in the upper part of the Dashboard section of the application web interface for users with Senior security officer, Security officer, and Administrator roles, a yellow warning box is displayed.
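The rule "usage above N % for M minutes" is about sustained load, not a single spike, which matters when deciding whether the warning is worth an alert rule. The following monitor is an added example written for this manual, not Kaspersky code, that evaluates such a rule over a stream of samples. Its interpretation is an assumption: a warning is raised once every sample inside the trailing M-minute window is above N %, and the window must be full before it can fire. The sample series is constructed.

```python
from collections import deque
from typing import Deque, Iterable, List, Optional, Tuple


class SustainedLoadMonitor:
    """Evaluates a 'usage above N % for M minutes' rule over timestamped samples.

    Assumed semantics: warning is on when every sample in the trailing window
    of M minutes exceeds N %, and only once at least M minutes of samples exist.
    """

    def __init__(self, threshold_pct: float = 95.0, minutes: int = 5):
        self.threshold_pct = threshold_pct
        self.window_s = minutes * 60
        self._samples: Deque[Tuple[float, float]] = deque()

    def add_sample(self, ts_s: float, usage_pct: float) -> bool:
        """Record one sample (timestamp in seconds, usage in %) and return the warning state."""
        self._samples.append((ts_s, usage_pct))
        # Discard samples that fell out of the trailing window.
        while self._samples and ts_s - self._samples[0][0] > self.window_s:
            self._samples.popleft()
        return self.is_warning(ts_s)

    def is_warning(self, ts_s: float) -> bool:
        if not self._samples:
            return False
        oldest_ts = self._samples[0][0]
        if ts_s - oldest_ts < self.window_s:
            return False  # window not yet full, so no sustained-load claim
        return all(usage > self.threshold_pct for _, usage in self._samples)


def first_warning_time(samples: Iterable[Tuple[float, float]],
                       threshold_pct: float = 95.0, minutes: int = 5) -> Optional[float]:
    """Return the timestamp of the first sample that triggers the warning, or None."""
    monitor = SustainedLoadMonitor(threshold_pct, minutes)
    for ts, usage in samples:
        if monitor.add_sample(ts, usage):
            return ts
    return None


# Constructed series: one CPU sample per minute. Usage rises above 95 % at
# t=120 s and stays there until a single dip at t=600 s resets the condition.
SAMPLE_SERIES: List[Tuple[float, float]] = [
    (0, 40.0), (60, 60.0), (120, 97.0), (180, 98.0), (240, 96.5),
    (300, 99.0), (360, 97.5), (420, 96.0), (480, 97.0), (540, 98.0),
    (600, 80.0), (660, 97.0),
]

if __name__ == "__main__":
    monitor = SustainedLoadMonitor(threshold_pct=95.0, minutes=5)
    for ts, usage in SAMPLE_SERIES:
        print(f"t={ts:4.0f}s usage={usage:5.1f}% warning={monitor.add_sample(ts, usage)}")
    print("first warning at", first_warning_time(SAMPLE_SERIES))
```

With the defaults from this section (95 % for 5 minutes) the series above first raises the warning at t=420 s, five full minutes after usage crossed the threshold, and the dip at t=600 s clears it again; a single high sample never fires.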
Configuring the SNMP protocol connection
You can send information about the CPU and RAM load on Central Node and Sensor servers to external systems that support the SNMP protocol. To do so, you must configure the connection for the protocol.
If the Central Node component is deployed as a cluster, data about the CPU and RAM load of each server in the cluster is sent to external systems.
To configure the SNMP protocol connection on the Central Node server:
- In the window of the application web interface, select the Settings section, General settings subsection.
- Under SNMP, select the Use SNMP check box.
- In the Protocol version field, select a protocol version:
- v2c.
- v3.
- If you selected the v2c protocol version, in the Community string field, enter the password that will be used for connecting to Kaspersky Anti Targeted Attack Platform.
- If you selected v3:
- In the Authentication protocol field, select one of the following options for checking the accuracy and integrity of data sent to the external system:
- MD5.
- SHA256.
- In the User name field, enter the user name.
- In the Password field, enter the password for authentication.
User name and password configured in the User name and Password fields must match the user name and password configured when creating the account in the external system. If the credentials do not match, the connection cannot be established.
- In the Privacy protocol field, select an encryption type:
- DES.
- AES.
- In the Password field, enter the encryption password.
The password configured in this field must match the password configured in the external system.
Protocol connection on the Central Node server is configured. If the request for data is successfully processed, the server of the external system displays information about CPU and RAM load of the Central Node server.
To configure the SNMP protocol connection on the Sensor server:
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
The application component administrator menu is displayed.
- Follow steps 2 through 5 of the instructions above.
Protocol connection on the Sensor server is configured. If the request is successfully processed, the server of the external system displays information about CPU and RAM load of the Sensor server.
In distributed solution and multitenancy mode, SNMP connection settings for each PCN, SCN, and Sensor server must be configured separately.
Description of MIB objects of Kaspersky Anti Targeted Attack Platform
The table below provides information about MIB objects of Kaspersky Anti Targeted Attack Platform.
Information about hard drive, CPU, and RAM load of Central Node and Sensor servers
Symbolic name | Description | Object identifier (OID)
---|---|---
 | Total size of the disk or partition, KB. | 1.3.6.1.4.1.2021.9.1.6
 | Available space on the disk, KB. | 1.3.6.1.4.1.2021.9.1.7
 | Used space on the disk, KB. | 1.3.6.1.4.1.2021.9.1.8
 | Percentage of space used on disk, %. | 1.3.6.1.4.1.2021.9.1.9
 | System load average for 1, 5 and 15 minutes. | 1.3.6.1.4.1.2021.10.1.3
 | Total RAM size, KB. | 1.3.6.1.4.1.2021.4.5
 | Total RAM used, KB. | 1.3.6.1.4.1.2021.4.6
 | Total RAM free, KB. | 1.3.6.1.4.1.2021.4.11
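An external monitoring system that polls these OIDs has to map the raw instances back to the quantities in the table and derive the percentages it will alert on. The parser below is an added example written for this manual, not Kaspersky code; it reads text in the "OID = TYPE: value" style that numeric-OID SNMP walk output commonly has (an assumption about the collector's output format) and uses only the OIDs and descriptions from the table above. The walk output is constructed, not captured from a real server.

```python
import re
from typing import Dict, Tuple

# OID prefixes from the table above, keyed to the table's descriptions.
TABLE_OIDS = {
    "1.3.6.1.4.1.2021.9.1.6": "Total size of the disk or partition, KB",
    "1.3.6.1.4.1.2021.9.1.7": "Available space on the disk, KB",
    "1.3.6.1.4.1.2021.9.1.8": "Used space on the disk, KB",
    "1.3.6.1.4.1.2021.9.1.9": "Percentage of space used on disk, %",
    "1.3.6.1.4.1.2021.10.1.3": "System load average for 1, 5 and 15 minutes",
    "1.3.6.1.4.1.2021.4.5": "Total RAM size, KB",
    "1.3.6.1.4.1.2021.4.6": "Total RAM used, KB",
    "1.3.6.1.4.1.2021.4.11": "Total RAM free, KB",
}

# One walk line: optional leading dot, numeric OID, '=', TYPE ':', value.
LINE_RE = re.compile(
    r"^\.?(?P<oid>\d+(?:\.\d+)+)\s*=\s*(?P<type>[A-Za-z0-9\-]+):\s*(?P<value>.*?)\s*$"
)


def parse_walk(text: str) -> Dict[str, Dict[str, str]]:
    """Group walk lines by table OID prefix: {prefix: {instance_suffix: value}}.

    Lines whose OID is not in the table are ignored, so the function can be fed
    a full walk of the agent without pre-filtering.
    """
    result: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        oid, value = match.group("oid"), match.group("value")
        for prefix in TABLE_OIDS:
            if oid == prefix or oid.startswith(prefix + "."):
                suffix = oid[len(prefix):].lstrip(".") or "0"
                result.setdefault(prefix, {})[suffix] = value.strip('"')
                break
    return result


def _int_value(value: str) -> int:
    # Integer values may carry a trailing unit such as 'kB'; keep only the number.
    return int(value.split()[0])


def ram_used_percent(parsed: Dict[str, Dict[str, str]]) -> float:
    """RAM used as a percentage of total, computed from the two table OIDs."""
    total = _int_value(parsed["1.3.6.1.4.1.2021.4.5"]["0"])
    used = _int_value(parsed["1.3.6.1.4.1.2021.4.6"]["0"])
    return round(100.0 * used / total, 1)


def load_averages(parsed: Dict[str, Dict[str, str]]) -> Tuple[float, float, float]:
    """The 1, 5 and 15 minute load averages as floats (instances 1, 2, 3)."""
    rows = parsed["1.3.6.1.4.1.2021.10.1.3"]
    return (float(rows["1"]), float(rows["2"]), float(rows["3"]))


def disk_used_percent(parsed: Dict[str, Dict[str, str]], index: str = "1") -> int:
    """Percentage of disk used for one disk table entry, as reported by the agent."""
    return _int_value(parsed["1.3.6.1.4.1.2021.9.1.9"][index])


# Constructed walk output: a 16 GB host with 12 GB used, one 75 % full disk.
SAMPLE_WALK = """\
.1.3.6.1.4.1.2021.4.5.0 = INTEGER: 16384000 kB
.1.3.6.1.4.1.2021.4.6.0 = INTEGER: 12288000 kB
.1.3.6.1.4.1.2021.4.11.0 = INTEGER: 4096000 kB
.1.3.6.1.4.1.2021.9.1.6.1 = INTEGER: 512000000
.1.3.6.1.4.1.2021.9.1.7.1 = INTEGER: 128000000
.1.3.6.1.4.1.2021.9.1.8.1 = INTEGER: 384000000
.1.3.6.1.4.1.2021.9.1.9.1 = INTEGER: 75
.1.3.6.1.4.1.2021.10.1.3.1 = STRING: 0.85
.1.3.6.1.4.1.2021.10.1.3.2 = STRING: 1.20
.1.3.6.1.4.1.2021.10.1.3.3 = STRING: 1.05
.1.3.6.1.2.1.1.3.0 = Timeticks: (123456) 0:20:34.56
"""

if __name__ == "__main__":
    parsed = parse_walk(SAMPLE_WALK)
    for prefix, rows in parsed.items():
        print(TABLE_OIDS[prefix], rows)
    print("RAM used %:", ram_used_percent(parsed))
    print("load averages:", load_averages(parsed))
    print("disk used %:", disk_used_percent(parsed))
```

The derived RAM percentage is what you would compare against the "Warning of RAM usage above N %" threshold configured in the General settings section; the disk percentage comes straight from the agent, so no division is needed there.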
Managing Endpoint Agent host information
The application that is used as the Endpoint Agent component is installed on individual computers (hereinafter also referred to as "hosts") in the IT infrastructure of the organization. The application continuously monitors processes running on those hosts, active network connections, and files that are being modified.
Users with the Senior security officer, Security officer, Security auditor, and Administrator roles can assess how regularly data is received from hosts with the Endpoint Agent component on the Endpoint Agents tab of the web interface window of the Central Node server for tenants to whose data the user has access. If you are using the distributed solution and multitenancy mode, the web interface of the PCN server displays the list of hosts with the Endpoint Agent component for the PCN and all connected SCNs.
Users with the Administrator role can configure the display of how regularly data is received from hosts with Endpoint Agent for tenants to whose data they have access.
If suspicious network activity is detected, users with the Senior security officer role can isolate from the network any host with Kaspersky Endpoint Agent, for tenants to whose data the user has access. In this case, the connection between the server with the Central Node component and a host with the Endpoint Agent component will not be interrupted.
In order to provide support in case of problems with the Endpoint Agent component, Technical Support staff may ask you to perform the following actions for debugging purposes (including in Technical Support Mode):
- Activate collection of extended diagnostic information.
- Modify the settings of individual application components.
- Modify the settings for storing and sending the obtained diagnostic information.
- Configure network traffic to be intercepted and saved to a file.
Technical Support staff will provide all the information needed to perform these operations (description of the sequence of steps, settings to be modified, configuration files, scripts, additional command line functionality, debugging modules, special-purpose utilities, and other resources) and inform you about the scope of data obtained for debugging purposes. The retrieved diagnostic information is saved on the user's computer. The retrieved data is not automatically sent to Kaspersky.
The operations listed above should be performed only when instructed by and under the supervision of Technical Support experts. Unsupervised changes to application settings performed in ways other than those described in this manual or according to the instructions of Technical Support experts can slow down or crash the operating system, reduce computer security, or compromise the availability and integrity of data being processed.
Selecting a tenant to manage in the Endpoint Agents section
If you are using the distributed solution and multitenancy mode, prior to using the Assets → Endpoint Agents section, you must select the tenant whose data you want to view.
To select a tenant to manage in the Assets → Endpoint Agents section:
- In the upper part of the application web interface menu, click the arrow next to the name of the tenant.
- In the drop-down list, select a tenant.
Data for the selected tenant is displayed. If you want to select a different tenant, repeat the steps to select the tenant.
Viewing the table of hosts with the Endpoint Agent component on a standalone Central Node server
The table of hosts with the Endpoint Agent component is located in the Endpoint Agents section of the application web interface window.
The table can display the following data:
- Number of hosts and activity indicators of the Endpoint Agent component:
- Critical inactivity is the number of hosts from which the latest data was received a very long time ago.
- Warning is the number of hosts from which the latest data was received a long time ago.
- Normal activity is the number of hosts from which the latest data was received recently.
- Host—Name of the host with the Endpoint Agent component.
- Servers—Names of servers to which the host with the Endpoint Agent component is connected.
This field is displayed if you are using the distributed solution and multitenancy mode.
- IP—IP address of the computer where the Endpoint Agent component is installed.
- OS—Version of the operating system that is installed on the computer with the Endpoint Agent component.
- License is the status of the license key of the application that is used as the Endpoint Agent component.
- Version is the version of the application that is used in the role of the Endpoint Agent component.
- Activity—Activity indicator of the Endpoint Agent component. Possible values:
- Normal activity for hosts from which latest data was recently received.
- Warning for hosts from which latest data was received a long time ago.
- Critical inactivity for hosts from which latest data was received an extremely long time ago.
- Last connection for the date and time of the last connection of the Endpoint Agent component to the Central Node server.
Clicking a link in a column of the table opens a list in which you can select one of the following actions:
- Filter by this value.
- Exclude from filter.
- Copy value to clipboard.
Viewing information about a host
To view information about a host with the Endpoint Agent component:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
- Select the host for which you want to view information.
This opens a window containing information about the host.
The window contains the following information:
- In the Host section:
- Name is the name of the host with the Endpoint Agent component.
- IP is the IP address of the host where the Endpoint Agent component is installed.
- OS is the version of the operating system on the host with the Endpoint Agent component installed.
- Server—Name of the SCN or PCN server. Only displayed in distributed solution and multitenancy mode.
- In the Endpoint Agent section:
- Version is the version of the application that is used in the role of the Endpoint Agent component.
- Activity is the activity indicator of the Endpoint Agent component. Possible values:
- Normal activity for hosts from which latest data was recently received.
- Warning for hosts from which latest data was received a long time ago.
- Critical inactivity for hosts from which latest data was received an extremely long time ago.
- Connected to server—Name of the Central Node, SCN, or PCN server to which the host is connected.
- Last connection—time of the last connection to the Central Node, SCN, or PCN server.
- License key status is the status of the license key of the application that is used as the Endpoint Agent component.
The following action is available by clicking the links with the host name and its IP address: Copy value to clipboard.
Filtering and searching hosts with the Endpoint Agent component by host name
To filter or search for hosts with the Endpoint Agent component by host name:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the Host link to open the filter configuration window.
- If you want to display only isolated hosts, select the Show isolated Endpoint Agents only check box.
- In the drop-down list, select one of the following filtering operators:
- Contain
- Not contain
- In the entry field, specify one or several characters of the host name.
- To add a filter condition using a different criterion, click the add button and specify the filter condition.
- If you want to delete the filter condition, click the delete button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component that have been isolated from the network
To filter or search for hosts with the Endpoint Agent component that are isolated from the network:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the Host link to open the filter configuration window.
- Select the Show isolated Endpoint Agents only check box.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by PCN and SCN server names
If you are using the distributed solution and multitenancy mode, you can filter or find hosts with the Kaspersky Endpoint Agent component based on the names of PCN and SCN servers to which those hosts are connected.
To filter or search for hosts with the Endpoint Agent component by the names of PCN and SCN servers:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the Servers link to open the filter configuration window.
- Select check boxes next to names of servers by which you want to filter or search for hosts with the Endpoint Agent component.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by computer IP address
To filter or search for hosts with the Endpoint Agent component by IP address of the computer on which the application is installed:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the IP link to open the filter configuration window.
- In the drop-down list, select one of the following filtering operators:
- Contain
- Not contain
- In the entry field, specify one or several characters of the computer IP address. You can enter an IP address or a subnet in IPv4 format (for example, 192.0.0.1 or 192.0.0.0/16).
- To add a filter condition using a different criterion, click the add button and specify the filter condition.
- If you want to delete the filter condition, click the delete button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by operating system version on the computer
To filter or search for hosts with the Endpoint Agent component by version of the operating system installed on the computer:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the OS link to open the filter settings window.
- In the drop-down list, select one of the following filtering operators:
- Contain
- Not contain
- In the entry field, specify one or several characters of the operating system version.
- To add a filter condition using a different criterion, click the add-condition button and specify the filter condition.
- If you want to delete the filter condition, click the button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by component version
You can filter hosts by version of the application that is used in the role of the Endpoint Agent component.
To filter or search for hosts with the Endpoint Agent component by component version:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the Version link to open the filter settings window.
- In the drop-down list, select one of the following filtering operators:
- Contain
- Not contain
- In the entry field, specify one or more characters of the version of the application that is used as the Endpoint Agent component.
- To add a filter condition using a different criterion, click the add-condition button and specify the filter condition.
- If you want to delete the filter condition, click the button to the right of the field.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Filtering and searching hosts with the Endpoint Agent component by their activity
To filter or search for hosts with the Endpoint Agent component by their activity:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Click the Activity link to open the filter configuration window.
- Select check boxes next to one or multiple activity indicators:
- Normal activity, if you want to find hosts from which the last data was recently received.
- Warning, if you want to find hosts from which the last data was received a long time ago.
- Critical inactivity, if you want to find hosts from which the last data was received an extremely long time ago.
- Click Apply.
The filter configuration window closes.
The table displays only those hosts that match the filter criteria you have set.
You can use multiple filters at the same time.
Quickly creating a filter for hosts with the Endpoint Agent component
To quickly create a filter for hosts with the Endpoint Agent component:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
This opens the table of hosts.
- Do the following to quickly add filter conditions to the filter being created:
- Position the mouse cursor on the link containing the table column value that you want to add as a filter condition.
- Left-click it.
This opens a list of actions to perform on the value.
- In the list that opens, select one of the following actions:
- Filter by this value, if you want to include this value in the filter condition.
- Exclude from filter, if you want to exclude the value from the filter condition.
- If you want to add several filter conditions to the filter being created, perform the actions to quickly add each filter condition to the filter being created.
The table displays only those hosts that match the filter criteria you have set.
Resetting the filter for hosts with the Endpoint Agent component
To clear the Endpoint Agent host filter for one or more filtering criteria:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
- Click the button to the right of the header of the table column for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table displays only those hosts that match the filter criteria you have set.
Configuring activity indicators of the Endpoint Agent component
Users with the Administrator role can define what durations of inactivity of the application that is used as the Endpoint Agent component are to be considered normal, low, or very low activity, and can configure the activity indicators for the application. Users with the Security auditor role can only view the settings of application activity indicators. Users with the Senior security officer or Security officer role can see activity indicators that you configured for the Endpoint Agent component in the Activity field of the Endpoint Agent host table in the Endpoint Agents section of the application web interface.
To configure activity indicators for the Endpoint Agent component:
- Log in to the application web interface under an Administrator or Senior security officer user account.
- In the window of the application web interface, select the Settings section, Endpoint Agents subsection.
- In the fields under the section name, enter the number of days of inactivity of hosts with the Endpoint Agent component that you want to display as Warning and Critical inactivity.
- Click Apply.
Activity indicators of the Endpoint Agent component are configured.
Removing hosts with the Endpoint Agent component
To remove one or more hosts from the Endpoint Agents table:
- Select the Assets section in the application web interface window.
- Go to the Endpoint Agents tab.
- Select check boxes next to one or more hosts that you want to remove. You can select all hosts by selecting the check box in the row containing the headers of columns.
A control panel appears in the lower part of the window.
- Click Delete.
- This opens the action confirmation window; in that window, click Yes.
The selected hosts are removed from the Endpoint Agents table.
When hosts are removed, the following changes are made in the web interface of Kaspersky Anti Targeted Attack Platform:
- You cannot create a task, prevention rule, or network isolation rule for a removed host.
- If a prevention rule was previously created for a host, its name in the rule window (the Prevent on field) is hidden when the host is removed. The rule continues to apply.
If this host reconnects to the Central Node server, the host name is restored in the Prevent on field and the prevention rule is applied to it again.
- If a network isolation rule was previously created for a host, it continues to apply until the time specified in the rule expires.
When this host reconnects to the Central Node, the rule is reapplied to this host.
- The metadata of objects quarantined on the remote host are deleted from Kaspersky Anti Targeted Attack Platform quarantine.
When this host reconnects to the Central Node server, the metadata of objects in Kaspersky Anti Targeted Attack Platform quarantine are not restored. You can avoid the quarantine filling up on a host by clearing it on the command line or in Kaspersky Security Center. For details, see the Help of the application that you are using in the role of the Endpoint Agent component.
- If an object was quarantined by the Quarantine file task on one host only and that host was removed, the Restore all button in the task window is inactive because the file cannot be restored on a removed host.
Event search by the name of the removed host remains available.
Automatic removal of inactive hosts
You can enable or disable the automatic removal of inactive hosts from the Endpoint Agents table. Inactive hosts are hosts that have not connected to the Central Node server for the configured time.
To enable or disable the automatic removal of hosts from the Endpoint Agents table:
- In the window of the application web interface, select the Settings section, Endpoint Agents subsection.
- Under Remove inactive hosts automatically, do the following:
- If you want to enable this functionality, move the Remove hosts toggle switch to Enabled.
- If you want to disable this functionality, move the Remove hosts toggle switch to Disabled.
- If you have enabled this functionality, in the Delete after field, specify the number of days after which hosts that have not connected to the Central Node component must be considered inactive.
The minimum value is 1 and the maximum value is 365.
Automatic removal of inactive hosts is enabled or disabled.
If the value specified in the Delete after field is less than the values specified in the Warning and/or Critical inactivity fields under Activity indicators, hosts are removed earlier than an inactivity warning is displayed in the Dashboard section.
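As an added example that is not part of this Help or of the product, the following Python models the activity indicators and the Delete after setting described above, including the caveat that a Delete after value below the Warning or Critical inactivity threshold removes hosts before the indicator is ever displayed. The function names, the rule that a threshold of N days is reached after N full days of silence, and the sample hosts are constructed assumptions.

```python
"""Added example (not KATA product code): model the Endpoint Agent activity
indicators (Warning, Critical inactivity) and the "Delete after" setting for
automatic removal of inactive hosts, and flag the configuration conflict the
Help warns about. Function names and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NORMAL = "Normal activity"
WARNING = "Warning"
CRITICAL = "Critical inactivity"
REMOVED = "Removed automatically"


@dataclass(frozen=True)
class ActivitySettings:
    """Values from Settings > Endpoint Agents, in days of inactivity."""
    warning_days: int                        # "Warning" threshold
    critical_days: int                       # "Critical inactivity" threshold
    delete_after_days: Optional[int] = None  # "Delete after"; None = removal disabled

    def __post_init__(self) -> None:
        if not 0 < self.warning_days < self.critical_days:
            raise ValueError("Warning threshold must be positive and below Critical")
        if self.delete_after_days is not None and not 1 <= self.delete_after_days <= 365:
            # The Help states the allowed range for "Delete after" is 1 to 365.
            raise ValueError("Delete after must be between 1 and 365 days")


def configuration_warnings(settings: ActivitySettings) -> List[str]:
    """Report the caveat from the Help: a "Delete after" value below an activity
    threshold removes hosts before that indicator is ever displayed."""
    problems: List[str] = []
    if settings.delete_after_days is None:
        return problems
    if settings.delete_after_days < settings.warning_days:
        problems.append("hosts are removed before the Warning indicator is displayed")
    if settings.delete_after_days < settings.critical_days:
        problems.append("hosts are removed before the Critical inactivity indicator is displayed")
    return problems


def indicator_for(idle_days: int, settings: ActivitySettings) -> str:
    """Map whole days without contact with the Central Node to an indicator.
    Assumption (not stated in the Help): a threshold of N days is reached once
    the host has been silent for N full days or more."""
    if settings.delete_after_days is not None and idle_days >= settings.delete_after_days:
        return REMOVED
    if idle_days >= settings.critical_days:
        return CRITICAL
    if idle_days >= settings.warning_days:
        return WARNING
    return NORMAL


def activity_report(hosts: Dict[str, datetime], now: datetime,
                    settings: ActivitySettings) -> Dict[str, str]:
    """hosts maps a host name to its last contact time; returns name -> indicator."""
    return {name: indicator_for((now - seen).days, settings) for name, seen in hosts.items()}


if __name__ == "__main__":
    # Constructed sample data: four hosts and a fixed reference time.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    hosts = {
        "ws-01": now - timedelta(days=2),
        "ws-02": now - timedelta(days=10),
        "ws-03": now - timedelta(days=45),
        "ws-04": now - timedelta(days=120),
    }
    sane = ActivitySettings(warning_days=7, critical_days=30, delete_after_days=90)
    print(activity_report(hosts, now, sane))
    # "Delete after" shorter than both thresholds: hosts vanish before any warning.
    risky = ActivitySettings(warning_days=7, critical_days=30, delete_after_days=5)
    print(configuration_warnings(risky))
    print(activity_report(hosts, now, risky))
```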
When hosts are removed automatically, the same changes are made in the web interface of Kaspersky Anti Targeted Attack Platform as when hosts are removed manually (see Removing hosts with the Endpoint Agent component above). Event search by the name of the removed host remains available.
Supported interpreters and processes
Kaspersky Endpoint Agent application monitors the execution of scripts by the following interpreters:
- cmd.exe
- reg.exe
- regedit.exe
- regedt32.exe
- cscript.exe
- wscript.exe
- mmc.exe
- msiexec.exe
- mshta.exe
- rundll32.exe
- runlegacycplelevated.exe
- control.exe
- explorer.exe
- regsvr32.exe
- wwahost.exe
- powershell.exe
- java.exe and javaw.exe (only if started with the -jar option)
- InstallUtil.exe
- msdt.exe
- python.exe
- ruby.exe
- rubyw.exe
Information about the processes monitored by Kaspersky Endpoint Agent application is presented in the table below.
Processes and the file extensions that they open
Process | File extensions
---|---
winword.exe | rtf doc dot docm docx dotx dotm docb
excel.exe | xls xlt xlm xlsx xlsm xltx xltm xlsb xla xlam xll xlw
powerpnt.exe | ppt pot pps pptx pptm potx potm ppam ppsx ppsm sldx sldm
acrord32.exe |
wordpad.exe | docx
chrome.exe |
MicrosoftEdge.exe |
Configuring integration with the Sandbox component
You can connect one Sandbox component to multiple Central Node components.
The following procedure is used to configure the Sandbox component connection with the Central Node component:
- Creating a request to connect to the Sandbox component
You can create a request in the application web interface under an administrator account. If you have several Central Node components installed on the server, you need to create a request for each server with the Central Node component that you want to connect to the Sandbox component. If the Central Node component is deployed as a cluster, you can create a request for connection from any server in the cluster.
- Processing a connection request in the Sandbox web interface
You can accept or reject each request.
If you want to connect several Sandbox components to a single Central Node component, make sure that the Sandbox components you connect have the same set of operating systems used for scanning objects and the same maximum number of simultaneously running virtual machines.
After configuring the connection, the Sandbox server needs 5 to 10 minutes to get ready for operation. During this time, the System health window of the application web interface displays a warning: A problem occurred with the standard configuration. When the server is ready for operation, the warning disappears.
Viewing the table of servers with the Sandbox component
Users with the Security auditor role can view the table of servers with the Sandbox component.
The table of servers with the Sandbox component is located in the Sandbox servers section, on the Servers tab of the application web interface window.
The Certificate fingerprint field displays the fingerprint of the TLS certificate of the Central Node server.
The Server list table contains the following information:
- IP and name—IP address or fully qualified domain name of the server with the Sandbox component.
- Certificate fingerprint—Certificate fingerprint of the server with the Sandbox component.
- Authorization—Status of the request to connect to the Sandbox component.
- Status—Status of the connection to the Sandbox component.
Users with the Security officer role cannot view the table of servers with the Sandbox component.
Creating a request to connect to the server with the Sandbox component
To create a request to connect to the server with the Sandbox component through the application web interface:
- Select the Sandbox servers section in the window of the application web interface.
- In the upper-right corner of the window, click the Add button.
This opens the Sandbox server connection window.
- In the IP field, specify the IP address of the server with the Sandbox component to which you want to connect.
- Click Get certificate fingerprint.
The workspace displays the fingerprint of the certificate of the server with the Sandbox component.
- Compare the obtained certificate fingerprint with the fingerprint indicated in the Sandbox web interface in the KATA authorization section in the Certificate fingerprint field.
If the certificate fingerprints match, perform the next steps of the instructions.
If certificate fingerprints do not match, confirming the connection is not recommended. Make sure the data you entered is correct.
- In the Name field, specify the Sandbox component name that will be displayed in the web interface of the Central Node component.
This name is not related to the name of the host where the Sandbox is installed.
- If you want to activate a connection with Sandbox immediately after connecting, select the Enable check box.
- Click Add.
The connection request is displayed in the web interface of the Sandbox component.
Enabling and disabling a connection with the Sandbox component
To make a connection with the Sandbox component active or to disable it:
- Select the Sandbox servers section in the window of the application web interface.
The table of servers with Sandbox components is displayed.
- In the row containing the relevant server in the Status column, perform one of the following actions:
- If you want to activate a connection with the Sandbox component, set the toggle switch to Enabled.
- If you want to disable a connection with the Sandbox component, set the toggle switch to Disabled.
- Click Apply.
The connection with the Sandbox component will become active or will be disabled.
Deleting a connection with the Sandbox component
To delete a connection with the Sandbox component:
- Select the Sandbox servers section in the window of the application web interface.
This displays the table of computers on which the Sandbox component is installed.
- Select the check box in the line containing the Sandbox component whose connection you want to delete.
- In the upper-right corner of the window, click the Delete button.
- In the confirmation window, click Yes.
The connection with the Sandbox component will be deleted.
Manually sending files from Endpoint Agent hosts to be scanned by Sandbox
You can enable or disable the manual sending of files from hosts with the Endpoint Agent component to be scanned by the Sandbox component. If this functionality is enabled, users of hosts with the Endpoint Agent component can use Sandbox to scan any file that they consider unsafe.
This functionality is available if the Kaspersky Endpoint Security for Windows and/or Kaspersky Endpoint Security for Linux applications are being used as the Endpoint Agent component and integration with Kaspersky Anti Targeted Attack Platform is configured for these components.
Sending files for scanning involves the following steps:
- Enabling the manual sending of files from hosts with the Endpoint Agent component to be scanned by the Sandbox component in the Kaspersky Anti Targeted Attack Platform web interface.
- Sending files to be scanned by the Sandbox component in Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Security for Linux.
Based on the results of the scan, Kaspersky Anti Targeted Attack Platform may record an alert in the alert database. Details of these alerts are displayed in the Alerts by attack vector widget.
In distributed solution and multitenancy mode, you must enable the manual sending of files to be scanned by the Sandbox component on each Central Node server on which you want to use it. If the Central Node component is deployed as a cluster, you can enable the functionality on any server in the cluster.
If you use only KATA functionality (KATA license key), in the Kaspersky Anti Targeted Attack Platform web interface, the Endpoint Agents section displays a list of hosts from which files have been sent for scanning by the Sandbox component. You can view this list and information about the selected host.
Enabling and disabling the manual sending of files from Endpoint Agent hosts to be scanned by Sandbox
To enable or disable the manual sending of files to be scanned by the Sandbox component:
- In the window of the application web interface, select the Settings section, Endpoint Agents subsection.
- Under Send files from hosts for analysis to Sandbox manually, do the following:
- Set the Send files toggle switch to Enabled if you want to enable the manual sending of files to be scanned by the Sandbox component.
This functionality is enabled by default.
- Set the Send files toggle switch to Disabled if you want to disable the manual sending of files to be scanned by the Sandbox component.
- Click Apply.
The manual sending of files from Endpoint Agent hosts to be scanned by the Sandbox component is enabled or disabled.
Configuring integration with external systems
You can configure integration of Kaspersky Anti Targeted Attack Platform with external systems to scan files stored in those systems. Their scan results are displayed in the alert table.
The role of an external system can be served by a mail sensor, such as Kaspersky Secure Mail Gateway or Kaspersky Security for Linux Mail Server. The mail sensor sends email messages to Kaspersky Anti Targeted Attack Platform for processing. Based on the results of processing of email messages in Kaspersky Anti Targeted Attack Platform, the mail sensor may block the transfer of messages.
Integration of Kaspersky Anti Targeted Attack Platform with external systems involves the following procedure:
- Enter the integration settings and create an integration request from the external system.
For more details about entering integration settings for the mail sensor, please refer to the Kaspersky Secure Mail Gateway Help or the Kaspersky Security for Linux Mail Server Help.
To integrate other external systems, use the REST API.
- Confirm integration for Kaspersky Anti Targeted Attack Platform
External systems must use unique certificates for authorization on the server with the Central Node component. If this is the case, a single integration request will be displayed in the interface of Kaspersky Anti Targeted Attack Platform. To connect multiple external systems that have the same IP address, you must use a unique certificate for each external system.
When using one certificate, you can configure integration with only one external system.
- Check the connection between the external system and Kaspersky Anti Targeted Attack Platform
Viewing the table of external systems
The table of external systems is in the External systems section of the application web interface window. The table contains the following information:
- Sensor—IP address or domain name of the external system server.
- Type—Type of external system (mail sensor or other system).
- Name—Name of the integrated external system that is not a mail sensor.
A dash is displayed in this column for a mail sensor.
- ID—ID of the external system.
- Certificate fingerprint—Fingerprint of the TLS certificate of the server with the external system used to establish an encrypted connection with the server hosting the Central Node component.
The certificate fingerprint of the server with the Central Node component is displayed in the upper part of the window in the Certificate fingerprint field.
- State—State of the integration request.
Processing a request from an external system
To process an integration request from an external system:
- Select the External systems section in the window of the application web interface.
The Server list table displays the already connected external systems, and requests for integration with Kaspersky Anti Targeted Attack Platform from external systems.
- In the line containing the integration request, perform one of the following actions:
- If you want to configure integration with the external system, click the Accept button.
- If you do not want to configure integration with the external system, click the Reject button.
- In the confirmation window, click Yes.
The integration request from the external system will be processed.
Removing an external system from the list of those allowed to integrate
After you have accepted an integration request from an external system, you can remove it from the list of those allowed to integrate. If this is the case, the connection between Kaspersky Anti Targeted Attack Platform and the external system will be terminated.
To remove an external system from the list of systems allowed to integrate:
- Select the External systems section in the window of the application web interface.
The Server list displays the already added external systems and the requests to integrate with Kaspersky Anti Targeted Attack Platform from external systems.
- Click the Delete button in the line containing the integration request from the external system that you want to remove.
- In the confirmation window, click Yes.
The external system will be removed from the list of those allowed to integrate.
Configuring the priority for processing traffic from mail sensors
You can enable or disable the maximum priority for processing traffic from mail sensors.
To enable or disable the maximum priority for processing traffic from mail sensors:
- Select the External systems section in the window of the application web interface.
- Do one of the following:
- Turn on the toggle switch next to the name of the Maximum scan priority parameter if you want to enable the maximum priority for processing traffic from mail sensors.
- Turn off the toggle switch next to the name of the Maximum scan priority parameter if you want to disable the maximum priority for processing traffic from mail sensors.
The priority for processing traffic from mail sensors will be configured.
Configuring integration with Kaspersky Managed Detection and Response
Kaspersky Managed Detection and Response (hereinafter also "MDR") detects and prevents fraud in the client's infrastructure. MDR provides continuous managed protection and allows organizations to automatically discover hard-to-detect threats while freeing up IT security personnel to work on issues requiring their participation.
Kaspersky Anti Targeted Attack Platform obtains data and sends it to Kaspersky Managed Detection and Response using a Kaspersky Security Network stream. Therefore, participation in KSN is necessary for configuring integration with MDR.
Integration with MDR is only available if at least one KATA or EDR license is active. If only one license key (only KATA or only EDR) is added in the application, the statistics sent are limited to the functionality provided by that license. If both license keys are added in the application, complete statistics are sent.
Before configuring the integration of Kaspersky Anti Targeted Attack Platform with the MDR application, you must download an archive with the configuration file from the MDR portal.
Enabling the MDR integration
Make sure that an active license key is added and participation in KSN is configured in the application. Otherwise the MDR integration is unavailable.
To enable integration with MDR:
- Log in to the application web interface with the administrator account.
- Select the Settings section, KSN/KPSN and MDR subsection.
- Under MDR integration, click Upload to upload the configuration file.
This opens the file selection window.
- Select the archive you downloaded during registration at the MDR portal and click Open.
The following information about the MDR license is displayed in the window:
- Serial number.
- Expiration date.
- Days remaining.
Integration with MDR is enabled. Integration settings configured in the configuration file are applied to all connected Sensor components. MDR starts using alert statistics sent via the KSN stream.
Disabling the MDR integration
To disable integration with MDR:
- Log in to the application web interface with the administrator account.
- Select the Settings section, KSN/KPSN and MDR subsection.
- Under MDR integration, click Delete file.
- In the confirmation window, click Yes.
The configuration file is deleted and the MDR integration is disabled. Statistics are still sent to KSN servers, but this information is not used by MDR.
Replacing the MDR configuration file
To replace the MDR configuration file:
- Log in to the application web interface with the administrator account.
- Select the Settings section, KSN/KPSN and MDR subsection.
- Under MDR integration, click Replace file.
This opens the file selection window.
- Select a new archive containing a configuration file and click Open.
MDR license information is updated in the application web interface.
The configuration file is replaced. New integration settings are applied to all connected Sensor components.
Configuring integration with a SIEM system
Kaspersky Anti Targeted Attack Platform can publish information about user actions in the application web interface as well as alerts to your organization's SIEM system using the syslog protocol. You can use TCP or UDP for data transmission.
If you have deployed the Central Node and Sensor components as a cluster, you can configure high availability integration with an external system using one of the following options:
- Using the Round Robin function.
- Configure the settings of the external system so that the external system switches between the IP addresses of the cluster servers if a network error occurs.
To configure high availability integration with an external system using the Round Robin function:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the mail server settings.
Integration with the external system is configured based on the domain name. The external system will communicate with a random server in the cluster. If this server fails, the external system will communicate with another healthy server in the cluster.
Enabling and disabling information logging to a remote log
You can configure the logging of information about user actions in the web interface and alerts to a remote log. The log file is stored on the server on which the SIEM system is installed. To write to the remote log, you must configure the integration with the SIEM system.
To enable or disable the logging of information about user actions in the web interface and alerts to the remote log:
- In the window of the application web interface, select the Settings section, SIEM system subsection.
- If you want to enable / disable the recording of information about user actions in the web interface to the remote log, do one of the following:
- If you want to enable recording of information about user actions in the web interface, select the User activity check box.
- If you want to disable the recording of information about user actions in the web interface, clear the User activity check box.
- If you want to enable / disable the recording of information about alerts to the remote log, do one of the following:
- If you want to enable recording of alert information, select the Detections check box.
- If you want to disable recording of alert information, clear the Detections check box.
You can select both check boxes simultaneously.
- Click Apply in the lower part of the window.
Information logging in the remote log is enabled or disabled.
Users with the Security auditor role can only view information about remote logging settings.
Configuring the main settings for SIEM system integration
To configure the main settings for SIEM system integration:
- In the window of the application web interface, select the Settings section, SIEM system subsection.
- Select the User activity and/or Detections check boxes.
You can select one check box or both check boxes.
- In the Host/IP field, enter the IP address or host name of the server of your SIEM system.
- In the Port field, enter the port number used for connecting to your SIEM system.
- In the Protocol field, select TCP or UDP.
- In the Host ID field, enter the host ID. The host with that ID is specified as the alert source in the log of the SIEM system.
- In the Heartbeat field, enter the interval for sending messages to the SIEM system.
- Click Apply in the lower part of the window.
The main settings of integration with the SIEM system will be configured.
Users with the Security auditor role can only view information about the SIEM system integration settings.
Uploading a TLS certificate
To upload a TLS certificate for encrypting the connection with the SIEM system:
- In the window of the application web interface, select the Settings section, SIEM system subsection.
- In the TLS encryption section, click the Upload button.
This opens the file selection window.
- Select a TLS certificate file to upload and click the Open button.
This closes the file selection window.
The TLS certificate is added to the application.
- Click Apply in the lower part of the window.
The uploaded TLS certificate will be used to encrypt the connection with the SIEM system.
Enabling and disabling TLS encryption of the connection with the SIEM system
To enable or disable TLS encryption of the connection with the SIEM system:
- In the window of the application web interface, select the Settings section, SIEM system subsection.
- Select the User activity and/or Alerts check boxes.
You can select one check box or both check boxes.
- In the TLS encryption section, perform one of the following actions:
- Turn on the toggle switch next to the name of the TLS encryption parameter if you want to enable TLS encryption of the connection with the SIEM system.
- Turn off the toggle switch next to the name of the TLS encryption parameter if you want to disable TLS encryption of the connection with the SIEM system.
The toggle switch next to the name of the TLS encryption setting can be used only if a TLS certificate is loaded.
- Click Apply in the lower part of the window.
TLS encryption of the connection with the SIEM system will be enabled or disabled.
Content and properties of syslog messages about alerts
Information about each alert is transmitted in a separate syslog category (syslog facility) that is not used by the system to deliver messages from other sources. Information about each alert is transmitted as a separate syslog message in CEF format. If the alert was generated by the Targeted Attack Analyzer module, information about that alert is transmitted as multiple separate syslog messages in CEF format.
The default maximum size of a syslog message about an alert is 32 KB. Messages that exceed the maximum size are truncated at the end.
The header of each syslog message about an alert contains the following fields, separated by "|":
- Format version. Current version number: 0. Current field value: CEF:0.
- Vendor. Current field value: AO Kaspersky Lab.
- Application name. Current field value: Kaspersky Anti Targeted Attack Platform.
- Application version. Current field value: 7.0.1-500.
- Alert type. See the table below.
- Event name. See the table below.
- Alert importance. Allowed field values: Low, Medium, High, or 0 (for heartbeat messages).
- Additional information.
Example:
CEF:0|AO Kaspersky Lab| Kaspersky Anti Targeted Attack Platform |6.0.0-200|url_web| URL from web detected|Low|
The body of a syslog message about an alert matches the information about the alert that is displayed in the application web interface. All fields are presented in the "<key>=<value>" format. Depending on whether the alert occurred in network traffic or mail traffic, and depending on the technology that generated the alert, various keys may be transmitted in the body of a syslog message. If the value is empty, the key is not transmitted.
The keys, as well as their values contained in a message, are presented in the table below.
Information about an alert in syslog messages

Alert type | Alert name and description | Key and description of its value
---|---|---
 | A file was detected in network traffic. | 
 | A file was detected in mail traffic. | 
 | An alert was generated by the Intrusion Detection System module. | 
 | An alert was generated by URL Reputation technology or Sandbox in network traffic. | 
 | An alert was generated by URL Reputation technology or Sandbox in mail traffic. | 
 | An alert was generated by URL Reputation technology in DNS traffic. | 
 | The alert was generated by the Endpoint Agent component on the user's computer and contains a file. | 
 | The alert was generated while carrying out an IOC scan of hosts with the Endpoint Agent component for Windows. This type of alert is available if you are using KEDR functionality. | 
 | Alert resulting from the IOA analysis of events. This type of alert is available if you are using KEDR functionality. | 
 | The alert was generated while carrying out a YARA scan of hosts with the Endpoint Agent component for Windows. This type of alert is available if you are using KEDR functionality. | 
 | Periodic message containing the state of components. | 
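The following Python parser is added here as an example; it is not code from the product or its documentation. It implements the message layout described above: it splits the seven header fields on unescaped "|", validates the version and importance values (Low, Medium, High, or 0 for heartbeat messages), parses the "<key>=<value>" extension (values may contain spaces, escaped "\=" stays inside a value), and flags a message whose size reaches the configured maximum as possibly truncated, since truncation at the end cuts the last key or value. The header of the sample alert is the example shown above; the extension keys, the addresses, and the heartbeat alert type and event name are constructed for this example and are not documented values.

```python
import re
from dataclasses import dataclass, field

# Page: default maximum size of a syslog message about an alert; longer messages
# are truncated at the end, so the tail of the extension can be lost.
DEFAULT_MAX_MESSAGE_BYTES = 32 * 1024
ALLOWED_SEVERITIES = {"Low", "Medium", "High", "0"}  # "0" is used by heartbeat messages

# An extension key is an alphanumeric token at the start of the extension or after
# whitespace, immediately followed by '='. A '\=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")


@dataclass
class CefAlert:
    version: str
    vendor: str
    product: str
    product_version: str
    alert_type: str      # CEF "Device Event Class ID", e.g. url_web
    event_name: str
    severity: str
    extension: dict = field(default_factory=dict)
    truncated: bool = False

    @property
    def is_heartbeat(self) -> bool:
        return self.severity == "0"


def _unescape(text: str) -> str:
    """Undo CEF escaping: backslash-n/-r become line breaks, any other escaped
    character (|, =, backslash) becomes literal."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append({"n": "\n", "r": "\r"}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _split_header(message: str):
    """Return the seven header fields (stripped) and the remaining extension text,
    splitting on '|' only where it is not escaped."""
    fields, buf, i = [], [], 0
    while i < len(message) and len(fields) < 7:
        ch = message[i]
        if ch == "\\" and i + 1 < len(message):
            buf.append(message[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf).strip())
            buf, i = [], i + 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must contain seven '|'-separated fields")
    return fields, message[i:]


def _parse_extension(ext: str) -> dict:
    """Split 'key=value key2=value with spaces' into a dict, unescaping values."""
    matches = list(_KEY_RE.finditer(ext))
    result = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(message: str, max_size: int = DEFAULT_MAX_MESSAGE_BYTES) -> CefAlert:
    """Parse one CEF message. A message whose encoded size reaches max_size is
    flagged truncated: its last key or value may have been cut off."""
    message = message.rstrip("\r\n")
    header, ext = _split_header(message)
    if not header[0].startswith("CEF:"):
        raise ValueError("message does not start with a CEF version field")
    if header[6] not in ALLOWED_SEVERITIES:
        raise ValueError(f"unexpected alert importance {header[6]!r}")
    return CefAlert(
        version=header[0][len("CEF:"):],
        vendor=header[1], product=header[2], product_version=header[3],
        alert_type=header[4], event_name=header[5], severity=header[6],
        extension=_parse_extension(ext),
        truncated=len(message.encode("utf-8")) >= max_size,
    )


# Constructed samples: the header of SAMPLE_ALERT is the example from the page;
# the extension keys, addresses and the heartbeat alert type are made up here.
SAMPLE_ALERT = (
    r"CEF:0|AO Kaspersky Lab| Kaspersky Anti Targeted Attack Platform |6.0.0-200|"
    r"url_web| URL from web detected|Low|src=192.0.2.10 "
    r"request=http://example.invalid/path?a\=1 msg=URL from web detected"
)
SAMPLE_HEARTBEAT = (
    "CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|7.0.1-500|"
    "heartbeat|heartbeat|0|"
)
```

When feeding these messages into detection logic, treat `truncated` as a data-quality signal rather than dropping the message: the header and the leading extension keys survive truncation, only the tail is lost. Heartbeat messages carry importance 0 and an empty body, so they should be routed to a component-health monitor rather than to alert triage.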
Renewing the certificate for connecting to the Central Node using the API
To renew the certificate for connecting to the Central Node server using the Kaspersky Anti Targeted Attack Platform API, you need to replace the certificate used by the REST API server. You can specify the new certificate of the REST API server in the Settings section, Connection servers subsection, on the REST API server tab.
Managing connectors
This section contains information about managing connectors in Kaspersky Anti Targeted Attack Platform. Connectors are special software modules that handle communication with Kaspersky Anti Targeted Attack Platform and allow management tasks to be performed in the application itself or with the help of the application.
Connectors extend the functionality of the application letting it interact with third-party systems. Depending on their functional purpose, connectors can send data to third-party systems (for example, events, application messages, and audit records to a SIEM system) or fetch data from third-party systems. The application can also use connectors for active polling of devices.
Computers on which the connector software modules are running are called connector deployment nodes. You can deploy a connector on any computer that has network access to the Central Node server, including nodes with installed application components and the Central Node server itself.
The table of connectors and the table of connector types are displayed in the Settings section, Connectors subsection in the application web interface. Only users with the Administrator role can manage connectors and connector types. Users with the Security auditor, Security officer, and Senior security officer roles can view connectors and connector types.
The functionality of the connector depends on the selected connector type. You can select a connector type when adding the connector to the application. The following types of connectors are built into the application out of the box:
- Syslog
This connector type enables data forwarding to a Syslog server.
When adding a Syslog connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:
- Syslog server address
- Syslog server port
- Data Transfer Systems
- SIEM
This connector type enables data forwarding to a SIEM system.
When adding a SIEM connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:
- SIEM system server address
- SIEM system server port
- Data Transfer Systems
- Generic
This connector type allows connecting applications that use the Kaspersky Anti Targeted Attack Platform API NDR.
- Email
This connector type provides the capabilities for forwarding data by email.
When adding an Email connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:
- Address to be used as the sender of email messages.
- Recipient addresses of email messages.
- Email subject lines for events, application messages, and audit records.
- Text description templates for events, application messages, audit records, descriptions of network interactions, and the whole notification email message. You can use variables in templates.
- The subject and body of the email message sent when the maximum number of sent notifications is reached.
- Maximum number of email messages sent per day.
- Maximum number of notifications in each message. Specifies the maximum number of registered notifications of the same type (events, application messages, or audit records) that can be put in a single email message. If more registered notifications exist, an additional email message is generated (within the daily limit).
For the Email connector to work, you must first configure the mail server connection.
- Active poll
This connector type provides the capabilities for active device polling with configuration control and active polling jobs.
When adding an Active poll connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:
- Active polling methods that will be available to the application user when using the connector.
- The ranges of allowed and denied IP addresses of the devices for which active polls are allowed or denied. The 0.0.0.0 address matches all possible IP addresses. If an address is included among allowed as well as denied IP addresses, Kaspersky Anti Targeted Attack Platform classifies it as a denied IP address.
- Names of address spaces whose corresponding devices will be available for active polling. If necessary, select the address spaces for IP addresses in the L3 address space field and select the address spaces for MAC addresses in the L2 address space field.
If you select an address space that differs from the Default one, add a new rule for this address space (or edit an existing rule). The rule must specify the connector for which this address space is selected. The rules settings are configured when the address space is changed.
- KUMA
This connector type provides integration with Kaspersky Unified Monitoring and Analysis Platform (KUMA). Software modules for connectors of this type are distributed separately from Kaspersky Anti Targeted Attack Platform. A connector of this type lets you send information about devices and risks to KUMA, as well as run commands in KUMA to change device statuses. After adding a connector, you must configure the integration in KUMA (create a connection to Kaspersky Anti Targeted Attack Platform). The KUMA connector interacts with the Central Node server using the Kaspersky Anti Targeted Attack Platform API.
The KUMA connector itself carries only device and risk information and device status commands. To send events to KUMA, add a Syslog or SIEM connector to Kaspersky Anti Targeted Attack Platform and specify the settings for connection to the KUMA server for this connector. After adding the connector, configure a collector on the KUMA side.
- Cisco Switch
This connector type provides support for automatic network access control for devices via Cisco network switches.
When adding a Cisco Switch connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:
- Name of the switch that you want to be specified in events for actions that the application performed using the connector.
- Addressing information for connecting the connector to the switch: IP address and SSH port.
- Credentials for connecting to the switch via SSH.
- Public key to be matched against the public key received from network switch before establishing an SSH connection; this is done to protect against spoofing of this device in the network. If the value is empty, the check is not performed.
- Method used to restrict network access for devices. The application provides methods for creating deny rules in switch access control lists based on MAC addresses (MAC ACL), IP addresses (IP ACL), and by disabling Ethernet ports to which devices are connected.
To use the method of disabling Ethernet ports, configure the switch connections to prevent multiple devices from being connected to one port. Otherwise, disabling an Ethernet port to block one device will also block network access for all devices that connect to the network using that port.
- This setting resets deny rules when changing the network access restriction method. If this setting is enabled, changing the method resets the rules that have been set for blocking devices.
- This setting excludes network devices from the network access restriction method. If this setting is enabled, the method is not applied to devices of the Network device, Firewall, Switch, Virtual switch, Router, Virtual router, and Wi-Fi types.
- This setting applies deny rules only to new devices. If this setting is enabled, the method is applied only to those unauthorized devices for which a new device detection event with event type code 4000005003 has been registered.
- Polling interval for Authorized and Unauthorized devices in the device table.
- This setting lets you configure notifications about blocked devices when the connector is restarted. If this setting is enabled, after enabling or restarting the connector, a list of devices for which network access restrictions have been previously applied is sent to the Central Node server.
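The following Python is added here as an example and is not code from the product. It applies the two rules stated for the Active poll connector above: the 0.0.0.0 address matches every IP address, and an address that falls within both the allowed and the denied ranges is treated as denied. The accepted range syntax (a CIDR prefix, a single address, or a first-last pair) is an assumption made for this example; the page does not specify how ranges are entered.

```python
import ipaddress
from typing import Iterable, List


def parse_range(text: str) -> List[ipaddress._BaseNetwork]:
    """Expand one configured range into network objects.

    Accepts '0.0.0.0' (matches all addresses, as the page states), a CIDR such as
    '10.0.0.0/24', a single address, or a 'first-last' pair (assumed syntax)."""
    text = text.strip()
    if text == "0.0.0.0":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text, strict=False)]


def _matches(addr, ranges: Iterable[str]) -> bool:
    return any(addr in net for text in ranges for net in parse_range(text))


def polling_permitted(ip: str, allowed: Iterable[str], denied: Iterable[str]) -> bool:
    """Decide whether a device may be actively polled.

    Deny wins over allow when both lists contain the address; an address that
    appears in neither list is not polled."""
    addr = ipaddress.ip_address(ip)
    if _matches(addr, denied):
        return False
    return _matches(addr, allowed)


# Constructed configuration for the example: poll one subnet except one host,
# and never touch the management range.
ALLOWED = ["10.0.0.0/24"]
DENIED = ["10.0.0.5", "192.168.1.0-192.168.1.10"]
```

A quick self-check before enabling a connector is to run every address you expect to be polled, and every address you must never touch, through `polling_permitted` with the exact strings from the connector settings; a wildcard `0.0.0.0` in the allowed list paired with an empty denied list means every reachable device becomes a polling target.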
If necessary, you can add other connector types that will facilitate data exchange or provide the capabilities for performing management tasks when the application interacts with other recipient systems.
Certain ports and protocols are used for the connections of connectors to the Central Node server.
Third-party systems connect through a connector on behalf of one of the application users. We recommend using a separate user account for each connector. This lets you attribute actions performed through each connector when analyzing audit records.
The maximum number of connectors in the application is 20. The maximum number of connector types is 100.
Managed and unmanaged connectors
The application can use managed and unmanaged connectors.
A connector is managed if its software modules can automatically register and start after the connector is added, and these modules can be managed when the connector is enabled or disabled, or when it is deleted. Only nodes that have application components installed can serve as deployment nodes for managed connectors.
An unmanaged connector does not provide the functionality of a managed connector. You must register such a connector, start, stop, or delete its software modules manually on the node where the connector is deployed. When you enable or disable an unmanaged connector, the application reflects this by allowing or denying the interaction with the connector on the side of the Central Node server.
Connections between connectors and the Central Node server are secured using certificates. Connector certificates are generated when the connectors are added to the application. For software modules of managed connectors, the application automatically sends the generated certificates. When adding an unmanaged connector (or when adding a managed connector in the ignore managed connector mode), you must manually upload the certificate for software modules of the connector using a communication data package. If you need to replace a certificate (issue a new one) for such a connector, you need to create a new communication data package and use it to upload the new certificate. The only way of replacing certificates of managed connectors is by deleting and re-adding the connectors.
Sending events, application messages, and audit records to third-party systems
You can configure the forwarding of events, application messages or audit records (hereinafter also "registered notifications") to a third-party system through connectors. For the connector types named Syslog, SIEM, and Email, the ability to send registered notifications is enabled by default. For the KUMA connector type, the capability to forward registered notifications is available if application modules are installed. When using other connector types that were added to the application, whether this capability is available depends on the settings of these specific connector types.
Registered notifications are configured for each connector individually. When configuring event types, you can select which types of events you want to be forwarded through the connectors. When creating a connector or editing its settings, you can enable or disable the forwarding of all application messages and all audit records through this connector.
Connectors of the Email type allow limiting the amount of transmitted data. For this connector type, you can set the maximum number of email messages about new registered notifications and the maximum number of registered notifications in each message. If the maximum number of email messages already has been sent, another message is sent to recipients to notify them about the limit being exceeded. After that, no new messages are sent until the end of the current day in the time zone of the Central Node server.
Email messages sent through an Email connector are generated separately for each type of registered notifications. That is, different email messages are generated for events, application messages, and audit records.
The contents and order of information about registered notifications that are forwarded through connectors of the Syslog and SIEM types may differ in these systems from the contents and order of information displayed in the Kaspersky Anti Targeted Attack Platform web interface.
Automatic network access control for devices via Cisco Switch connectors
You can configure automatic network access control for devices via Cisco Switch connectors. Connectors of this type interface with switches to send commands that add or remove network access deny rules (restrictions) for the devices connected to the switches.
Network access control for devices is driven by their status. The connector creates deny rules on the switch for devices with the Unauthorized status and removes the rules once the Authorized status is assigned to the devices.
Each connector can only interface with one network switch.
A Cisco Switch connector is used for restricting network access only for those devices whose details include their MAC addresses. Also, these MAC addresses must be stored in the ARP table of the network switch. That is, devices with these MAC addresses must be connected to the network switch to which the connector is connected.
A connector can use various methods to restrict network access for devices. The application provides methods for creating deny rules in switch access control lists based on MAC addresses (MAC ACL), IP addresses (IP ACL), and by disabling Ethernet ports to which devices are connected.
To use the method of disabling Ethernet ports, configure the switch connections to prevent multiple devices from being connected to one port. Otherwise, disabling an Ethernet port to block one device will also block network access for all devices that connect to the network using that port.
To minimize the risk of the connector impacting network accessibility of devices, you can enable the following settings during configuration:
- This setting excludes network devices from the network access restriction method. If this setting is enabled, the method is not applied to devices of the Network device, Firewall, Switch, Virtual switch, Router, Virtual router, and Wi-Fi types.
- This setting applies deny rules only to new devices. If this setting is enabled, the method is applied only to those unauthorized devices for which a new device detection event with event type code 4000005003 has been registered.
The connector interfaces with the network switch via SSH. The SSH credentials are specified and stored in the connector configuration. To keep these credentials from being disclosed to a spoofed device, the connector compares the public key presented by the switch with the public key saved in its settings and sends the identification and authentication details to the switch only after the two match. If no public key is saved in the connector settings, this check is skipped and the credentials are sent to whatever host answers at the configured address.
The connector logs events within the application based on the outcomes of its actions. These event types are logged via External technology. The following event headers are generated:
Reset device deny rules for <switch name>
This type of event is logged when the connector resets previously defined deny rules for devices due to a change of network access restriction method.
Updated information about <device name> with address <device MAC address> according to data from <switch name>
This type of event indicates that the connector has received information from a switch that a device connected to a certain port.
Added a device deny rule for <device name> on <switch name>
This type of event is logged when the connector restricts network access for an unauthorized device.
Removed deny rule for <device name> on <switch name>
This type of event is logged when the connector has successfully removed network access restrictions for a specific device.
<switch name> has previously added deny rules
This type of event indicates that upon turning on or restarting, the connector discovered preexisting deny rules on a specific switch.
SSH connection made to <switch name> without verifying public key
This type of event is logged when the connector establishes an SSH connection to a switch without verifying its public key, which happens when no public key is saved in the connector settings. We recommend verifying that there is no spoofed device on the network, and then saving the switch public key in the connector settings so that subsequent connections are verified.
Detected public key mismatch for <switch name>
This type of event is logged when the connector detects a mismatch between the stored and received public keys for a switch. This prevents an SSH connection with the switch. We recommend verifying that there is no spoofed device on the network and that the switch public key has indeed changed, and then saving the new public key in the connector settings.
Failure to establish SSH connection with switch <switch name>: incorrect credentials
This event is logged when the connector failed to establish SSH connection with the switch due to incorrect credentials specified in the connector settings (user name or password).
Action for the privileged mode has not been performed on the switch <switch name>: incorrect password
This event is logged when the connector does not have privileged mode capabilities to add and remove device deny rules on the switch. In this case, enter the correct privileged mode password in the connector settings.
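As an added example (not the connector's own code), the following Python shows the check that the public key setting and the three SSH events above describe: compute the OpenSSH-style SHA256 fingerprint of the public key a switch presents, compare it with a pinned value before any credentials are sent, and distinguish the three outcomes (match, mismatch, no pinned key). The fingerprint representation, the sample key lines, and the decision names are assumptions made for this example; the page does not specify in which form the connector stores the public key. The trusted value for a real switch can be obtained with `ssh-keyscan -t ed25519 <switch-address>` from a network position you trust and passed to `fingerprint()`.

```python
import base64
import hashlib
import struct

KNOWN_KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")


def _wire_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_key_line(raw_public_key: bytes, comment: str = "switch") -> str:
    """Build an OpenSSH public key line from 32 raw Ed25519 key bytes.
    Used here only to construct sample input; real keys come from the switch."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _wire_string(b"ssh-ed25519") + _wire_string(raw_public_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(key_line: str) -> str:
    """Return the OpenSSH-style 'SHA256:<base64 without padding>' fingerprint of a
    public key line. Accepts 'ssh-ed25519 AAAA... comment' as well as ssh-keyscan
    output of the form 'host ssh-ed25519 AAAA...'."""
    tokens = key_line.split()
    if tokens and not tokens[0].startswith(KNOWN_KEY_TYPES):
        tokens = tokens[1:]  # drop the leading host name from ssh-keyscan output
    if len(tokens) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = tokens[0], base64.b64decode(tokens[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside the blob does not match the declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def decide_ssh_connection(received_key_line: str, pinned_fingerprint: str):
    """Decide, before any credentials leave the connector, what to do with the key
    the switch presented. Returns (decision, received_fingerprint):
      connect            - pinned key matches; proceed to authenticate
      refuse             - mismatch; do not send credentials (possible spoofed switch)
      connect_unverified - nothing pinned, so the check is skipped and the
                           credentials go to whatever answered at the address"""
    received = fingerprint(received_key_line)
    if not pinned_fingerprint:
        return "connect_unverified", received
    if received != pinned_fingerprint:
        return "refuse", received
    return "connect", received


# Constructed sample keys (deterministic byte patterns, not real switches).
GENUINE_SWITCH_KEY = make_ed25519_key_line(bytes(range(32)), "core-sw-01")
IMPOSTOR_KEY = make_ed25519_key_line(bytes(range(1, 33)), "core-sw-01")
PINNED = fingerprint(GENUINE_SWITCH_KEY)

if __name__ == "__main__":
    print("pinned:", PINNED)
    print(decide_ssh_connection(GENUINE_SWITCH_KEY, PINNED))
    print(decide_ssh_connection(IMPOSTOR_KEY, PINNED))
    print(decide_ssh_connection(IMPOSTOR_KEY, ""))  # no pin: proceeds unverified
```

The ordering is the point: the fingerprint decision happens before the authentication step, so a mismatch costs nothing but a logged event, while an empty pin turns every connection into the "without verifying public key" case in which a device spoofing the switch's address receives the connector's SSH credentials.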
Adding a connector
You can add a connector based on one of the connector types available in the application. An unmanaged connector should only be created based on custom connector types.
Before adding a connector, we recommend creating a separate user account that the third-party system will use to connect to the application. For the Email connector to work, you must first configure the mail server connection.
To add a connector:
- Log in to the web interface with the application administrator account.
- Select the Settings section, Connectors subsection.
- On the Connectors tab, open the details area by clicking Add connector.
- Configure the connector general settings:
- Select a connector type and enter a name for the connector.
- If you want to add an unmanaged connector (or a connector in ignore managed connector mode), enter the password of the connector certificate.
The specified password is used to encrypt the certificate in the communication data package of the connector.
- Specify the IP address of the Central Node server.
The connector uses the specified address to connect to the Central Node.
- Specify the node where you want to deploy the connector:
- If you want to add a managed connector, you can specify one of the nodes with installed application components as the connector deployment node.
- If you want to add an unmanaged connector, you must enter the IP address of the computer on which you want the software modules of the connector to run.
- Select the user that the third-party system will use to connect to the application through the connector. You must specify the name of one of the application users.
- Under Details, specify the advanced settings depending on the type of connector. The Details group of settings is not shown in the details area if the connector type does not allow managing advanced settings.
- If the type of the connector allows forwarding audit records and application messages, enable or disable the forwarding of this data using the corresponding check boxes.
- If necessary, enter a description for the connector.
- Click Save.
The new connector is added to the table of connectors.
If you added an unmanaged connector, Central Node generates a communication data package for the new connector, after which your browser saves the downloaded file. Depending on your browser's settings, a window may be displayed on your screen in which you can specify the path and name of the downloaded file. You will need to upload the contents of the new communication data package to the application that will use the connector.
Viewing the table of connectors
The table of connectors is displayed in the Settings section, Connectors subsection, on the Connectors tab.
Connector settings are displayed in the following columns of the table:
- Name.
The name specified for the connector.
- Connector ID.
ID assigned to the connector when it was created.
- Enabled.
Indicates whether the Central Node is ready to interact with the software modules of the connector. If this setting has a value of No, the Central Node server does not accept requests from application modules of the connector.
- Status.
Status of software modules of the connector. The following statuses are possible:
- Awaiting registration: after adding an unmanaged connector or creating a new communication data package for the unmanaged connector, no connection has been established through this connector.
- Switchover: the status of application modules of the connector is switched from Off to On, or vice versa.
- Off means that the Central Node server is not accepting requests from application modules of the connector. If the connector is managed, a stop command is sent to its application modules.
- On means a connection was successfully established through this connector using the certificate created for this connector.
- Error means an error occurred when attempting to perform actions with the application modules of the connector.
- Type.
Icon and name of the connector type.
- Last connection.
Date and time of the last connection through the connector.
- Manageable.
Indicates that the connector is managed. If this is set to No, the connector is either unmanaged, or is configured to ignore the managed connector functionality.
- Changed.
Date and time of the last modification of connector settings.
- Description.
The description specified for the connector.
When viewing the table of connectors, you can use the configuration, filtering, searching, and sorting functionality.
Enabling or disabling a connector
If you want to temporarily prevent software modules of a connector from connecting to the Central Node server, you can disable the connector. If you want to restore the connection, enable the connector.
To enable or disable a connector:
- Log in to the web interface with the application administrator account.
- Select the Settings section, Connectors subsection.
- On the Connectors tab, select the connector that you want to enable or disable.
The details area is displayed in the right part of the web interface window.
- Click Enable or Disable as necessary.
This opens a confirmation prompt window.
- In the prompt window, click OK.
Editing connector settings
To edit connector settings:
- Log in to the web interface with the application administrator account.
- Select the Settings section, Connectors subsection.
- On the Connectors tab, select the relevant connector.
The details area appears in the right part of the web interface window.
- Click Edit.
- Edit the settings in the same way as you would when adding a connector.
Not all settings are editable. For example, you cannot change the type of the connector.
- Click Save.
The changes are displayed in the corresponding columns of the table of connectors. If you changed the name of the connector, the new name is displayed in the column heading in the table of event types.
Editing some settings of an unmanaged connector causes the Central Node server to generate a new communication data package for the connector (for example, if you change the server address for a Syslog connector in ignore managed connector mode). Depending on your browser settings, a window may be displayed in which you can change the path and name of the communication data package that you are saving. Upload the contents of the new communication data package to the application that is using the connector. Otherwise, a new connection through the connector will be impossible for this application.
Creating a new communication data package for a connector
When an unmanaged connector is added, a communication data package is automatically created for that connector. If necessary, you can create a new communication data package for the connector (for example, if the certificate from the old communication data package has been compromised).
After creating a new communication data package, the certificate from the old communication data package becomes invalid. Therefore, for the next connection of a third-party system through this connector, you must use the new communication data package.
To create a new communication data package for an unmanaged connector:
- Log in to the web interface with the application administrator account.
- Select the Settings section, Connectors subsection.
- On the Connectors tab, select the unmanaged connector for which you want to create a new communication data package.
The details area appears in the right part of the web interface window.
- Click Get new communication data package.
This opens the Generating a new communication data package window.
- Specify the settings for creating the communication data package:
- The name of the user that the third-party system will use to connect to the application through the connector. You must specify the name of one of the application users.
We recommend specifying the user name that was specified when adding the connector. If you need to specify a different user name, we recommend selecting an application user that is not used by other connectors and is not used for connecting to the Central Node through the web interface.
- Address of the node on which the software modules of the connector are running.
- Password of the connector certificate. The specified password is used to encrypt the certificate in the communication data package of the connector.
- Click Create communication data package.
The server generates a new communication data package for the selected connector, after which your browser saves the downloaded file. Depending on your browser settings, your screen may show a window in which you can change the path and name of the saved file. Upload the contents of the downloaded communication data package to the application that is using the connector. Otherwise, a new connection through the connector will be impossible for this application.
Deleting a connector
When a managed connector is deleted, its software modules are automatically stopped and removed on the node where the connector is deployed.
If you are deleting an unmanaged connector or a connector in ignore managed connector mode, you must manually stop and remove the connector's software modules before deleting the connector.
To delete a connector:
- Log in to the web interface with the application administrator account.
- Select the Settings section, Connectors subsection.
- On the Connectors tab, select the connector that you want to delete.
The details area is displayed in the right part of the web interface window.
- Click Delete.
This opens a confirmation prompt window.
- In the prompt window, confirm the deletion of the selected connector.
Adding and deleting connector types
Connector types define which capabilities are available for connectors and which functionality is implemented within these capabilities. You can use the connector types built into the application, whose vendor is Kaspersky, as well as additional connector types from other vendors.
To add a connector type to the application, you must get the following files from the vendor:
- Files for installing software modules of connectors
- Connector type description file
If the connector type from a third-party vendor allows you to store user credentials for accessing the third-party system in the connectors, we recommend taking steps to protect such credentials from being compromised. To minimize risks in the event of compromised credentials, we recommend granting the minimum necessary rights to such accounts (sufficient only for establishing a connection through the connector).
The table of connector types is displayed in the Settings section, Connectors subsection, on the Connector types tab.
Viewing the table of connector types
Connector type settings are displayed in the following columns of the table:
- Name.
Name of the connector type specified by the vendor.
- Vendor.
Name of the vendor of the connector type.
- Version.
Version number of the connector type.
- Code.
Unique number of the connector type.
- Capabilities.
List of capabilities that connectors of this type must have.
When viewing the table of connector types, you can use the configuration, filtering, searching, and sorting functionality.
Adding a connector type
You can add a connector type to the application using the description file provided by the vendor of the connector type. The connector type description file must be packed into a ZIP archive.
You must manually install software modules of connectors for the connector type that you are adding, using files provided by the vendor of the connector type. Install the software modules on the computers that you want to specify as connector deployment nodes when adding connectors.
To add a connector type:
- Log in to the web interface with the application administrator account.
- Select the Settings section, Connectors subsection.
- On the Connector types tab, open the details area by clicking Add connector type.
- Click Browse to select the connector type description file.
- Click Save.
The new connector type is added to the table of connector types.
Removing a connector type
When you delete a connector type, the application deletes information about that connector type, as well as all connectors that have been added using this type.
To delete a connector type:
- Log in to the web interface with the application administrator account.
- Select the Settings section, Connectors subsection.
- On the Connector types tab, select the connector type that you want to delete.
The details area is displayed in the right part of the web interface window.
- Click Delete.
This opens a confirmation prompt window.
- In the prompt window, confirm the deletion of the selected connector type.
- If the application has connectors of this type, confirm the deletion of these connectors as well.
Managing account credentials secrets for remote connections
Kaspersky Anti Targeted Attack Platform implements a secret storage. Secrets allow securely storing and using identification and authentication information that the application needs for automatic remote connections to devices. Secrets are used in active polling jobs.
The application supports various types of secrets. Depending on the purpose of the secret, you can select a relevant type and enter the appropriate data when adding or editing the secret settings.
Store in secrets the credentials required for remote connections to devices over remote connection protocols. Active polling jobs can use various protocols for remote connections, depending on the selected polling methods.
To ensure that identification and authentication details stored in secrets are used securely, the application implements protection against compromise of secrets when connecting to remote devices. After public keys received from devices are saved in the application, it monitors all subsequent remote connections to these devices and does not send information from secrets if devices on the network are spoofed.
Critical information of the secret (password or private key of the certificate) is accessible to you in plain text only once, when you enter this information while creating the secret. After a secret is saved, its critical information can no longer be viewed. You can only replace the critical information of a secret with new critical information while editing the secret (for example, you can enter a different password).
You can manage secrets in the Settings section, Secrets subsection. No more than 500 secrets can be added to the application.
Only users with the Administrator role can manage secrets.
Adding a secret
You can add secrets to the application secrets storage.
To add a secret:
- Log in to the web interface with the application administrator account.
- Select the Settings section, Secrets subsection.
- Click Add secret.
This opens the details area.
- Enter a name for the secret.
The secret name must be unique (it must not match the names of other secrets) and must contain up to 256 characters. You can use letters, numerals, spaces, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } / \ : ; , . - _ (the name of the secret must begin and end with any valid character other than a space).
- Select the type of secret and configure its settings.
You can select the following types of secrets:
- Password only: this type of secret is used if only the password of a user with the relevant permissions is required for access to device configuration data.
- User name and password: this type of secret is used if a user name and password are required to receive data from the device.
- User name and password, root password: this type of secret is used if a user name and password are required to receive data from the device, and the root password or the password for an account that processes requests with administrator privileges is additionally required for a connection with administrator (root) privileges.
- User name and password, encryption password: this type of secret is used if a user name and password are required to receive data from the device, and an encryption password is additionally required to establish encrypted connections.
- The Mixed secret type is used for the Remote connection method of device polling. You can specify the following settings for this type of secret:
- User name to be used for remote connections to devices.
The user name can contain Latin letters, numerals, periods, and the special characters _ and - . The name must begin with a letter and end with any supported character other than a period.
- User password: if the user password will be used for authentication.
The password may contain up to 256 ASCII characters.
- Private key: if the private key of the certificate will be used for authentication.
You can manually enter the sequence of characters comprising the key or upload the key from the certificate file by clicking Copy from file. You can upload private keys in CRT, PEM, and CER formats. If the private key file is protected by a passphrase, enter the passphrase in the Passphrase field before uploading the key.
To use the private key of the certificate, you need to copy the public key of this certificate to all devices to which remote connections will be made using the secret. The steps for copying the public key to devices are performed without the involvement of Kaspersky Anti Targeted Attack Platform.
- Root user password: if an additional password is required for connections to network equipment with administrator (root) privileges. In such cases, access is requested as root or as the user that is configured on network equipment for processing requests with administrator privileges.
- Click Save.
Viewing the table of secrets
The table of remote connection secrets is displayed in the Settings → Secrets section of the application web interface.
Information about secrets is displayed in the following columns of the table:
- Name of secret.
The name that the application uses for the secret.
- Created.
Date and time when the secret was added to the application.
- Changed.
Date and time of the last modification of the secret in the application.
When viewing the table of secrets, you can use the configuration, filtering, searching, and sorting functionality.
Protecting against compromise of secrets when connected to remote devices
Identification and authentication details from secrets should be used only for remote connections to devices that are selected for active polling jobs. To protect this information against possible compromise in cases of device spoofing, the application verifies the public key received from the device before sending the information. The device uses the public key to establish SSH connections. A public key helps the application to verify that the SSH connection is being established with the correct device. Identification and authentication details are sent to the device after verifying that the received public key matches the public key saved in the application.
The saved public key of the device is displayed in the details area of the selected device on the General tab.
Receiving and saving public keys of devices in the application
By default, no public keys of devices are configured in Kaspersky Anti Targeted Attack Platform. A device's public key is received and saved when an SSH connection is established with this device for the first time for the purpose of scanning as part of an active polling job that uses a connector of the Active poll type. Identification and authentication details from the selected secret are sent to the device without checking the received public key. Therefore, before starting the active polling job for the first time for the selected device and establishing an SSH connection to it, make sure that there is no spoofed device on the network. To do this, you can run ifconfig to check that the IP addresses of the device configured in the application match the IP addresses on the network interfaces of the actual device.
Resetting saved device public keys
SSH connection keys on devices may change with time. Device users may generate new keys when their current private keys are at risk of compromise.
When the private key is changed on the device, the public key is changed as well. After changing the public key, the application stops sending information from the secrets to this device because the new public key no longer matches the one saved in the application. Therefore, any subsequent device scans as part of active polling jobs finish with an error.
After changing the public key on the device, you must reset the currently saved public key for this device stored in the application. This will allow the secrets to be used again when connecting to the device remotely.
After resetting the saved public key, the application saves the newly received public key the next time an SSH connection is established with this device. Check that there is no spoofed device on the network, similarly to when initially receiving and storing a public key.
Only users with the Senior security officer role can reset saved public keys of devices.
To reset saved device public keys:
- Use the web interface to connect to the Central Node with the Senior security officer role.
- Select the Assets section.
- On the Devices tab, select the devices for which you want to reset saved public keys.
- Right-click one of the selected devices to open the context menu.
- In the context menu, select Reset public key.
This opens a confirmation prompt window.
- In the prompt window, click OK.
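The key-pinning behaviour described above (no key saved initially, the first presented key trusted and saved, later connections checked against it, and an operator reset after a legitimate key change) can be modelled as follows. This is an added illustration, not Kaspersky's own implementation; the DeviceKeyStore class, the 192.0.2.10 address and both key values are constructed for the example, and the fingerprint format follows the OpenSSH SHA256 convention.

```python
import base64
import hashlib


def fingerprint(openssh_pubkey: str) -> str:
    """SHA256 fingerprint of a public key given as an OpenSSH one-line key
    ("<type> <base64 blob> [comment]"), in the usual SHA256:<base64> form."""
    parts = openssh_pubkey.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    digest = hashlib.sha256(base64.b64decode(parts[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class DeviceKeyStore:
    """Hypothetical model of the behaviour described above: nothing is saved
    initially; the key presented on the first SSH connection is saved unverified;
    later connections must present the same key before credentials from a secret
    are released; an operator can reset the saved key after a legitimate change."""

    def __init__(self):
        self._keys = {}  # device address -> saved fingerprint

    def saved_fingerprint(self, device):
        return self._keys.get(device)

    def may_send_secret(self, device, presented_pubkey):
        """Decide whether secret data may be sent; returns (allowed, reason)."""
        fp = fingerprint(presented_pubkey)
        saved = self._keys.get(device)
        if saved is None:
            self._keys[device] = fp  # trust on first use
            return True, "first connection: key saved without verification"
        if saved == fp:
            return True, "presented key matches the saved key"
        return False, "key mismatch: possible spoofed device, secret withheld"

    def reset(self, device):
        """Equivalent of 'Reset public key' in the Assets section."""
        self._keys.pop(device, None)


def _ed25519_key_line(raw32: bytes, comment: str) -> str:
    # Build a syntactically valid ssh-ed25519 public key line from a constructed
    # 32-byte value (not a real device key): OpenSSH blob = string(type) + string(key).
    def s(b): return len(b).to_bytes(4, "big") + b
    return "ssh-ed25519 " + base64.b64encode(s(b"ssh-ed25519") + s(raw32)).decode() + " " + comment


DEVICE_KEY_A = _ed25519_key_line(bytes(range(32)), "constructed-key-a")
DEVICE_KEY_B = _ed25519_key_line(bytes(range(32, 64)), "constructed-key-b")


def scenario(device="192.0.2.10"):
    """First poll, repeat poll, poll against a device presenting a different key,
    then the same poll after an operator reset. Returns the four 'allowed' flags."""
    store = DeviceKeyStore()
    first, _ = store.may_send_secret(device, DEVICE_KEY_A)
    repeat, _ = store.may_send_secret(device, DEVICE_KEY_A)
    spoofed, _ = store.may_send_secret(device, DEVICE_KEY_B)
    store.reset(device)
    after_reset, _ = store.may_send_secret(device, DEVICE_KEY_B)
    return first, repeat, spoofed, after_reset  # (True, True, False, True)
```

The third poll is the case the page describes as finishing with an error: the key changed, so the secret is withheld until an operator resets the saved key.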
Editing the settings of a secret
When editing the settings of a secret, you can change its type or set different credentials.
After secret settings, including the secret name, are modified, the new settings are applied in the active polling jobs in which the secret was previously specified. If you change the type of the secret, errors may occur the next time these jobs are started if the new type of the secret does not match the connector settings.
To edit the settings of a secret:
- Log in to the web interface with the application administrator account.
- Select the Settings section, Secrets subsection.
- Select the secret that you want to edit.
The details area is displayed in the right part of the web interface window.
- Click Edit.
- Edit the settings as needed. You can edit the settings in the same way as when adding a secret.
Critical information of the secret (passwords and the private key of the certificate) is not openly displayed. You can only replace the critical information of the secret with new critical information using the links above the fields with credentials.
Deleting secrets
You can delete secrets from the Kaspersky Anti Targeted Attack Platform secret storage.
Before deleting a secret, we recommend specifying a different secret or a different polling method in the active polling jobs that use this secret. If the deleted secret is specified in an active polling job, errors will occur the next time the job is run.
To delete secrets:
- Log in to the web interface with the application administrator account.
- Select the Settings section, Secrets subsection.
- Select the secrets that you want to delete.
- Click Delete.
This opens a confirmation prompt window.
- In the confirmation prompt window, confirm the deletion of the secrets.
Updating application databases
Application databases (hereinafter also referred to as "databases") are files with records used by the application components and modules to detect events occurring in your organization's IT infrastructure.
Virus analysts at Kaspersky detect hundreds of new threats daily (including "zero-day" exploits), create records to identify them, and include them in database update packages ("update packages"). Update packages consist of one or more files containing records to identify threats that were detected since the previous update package was released. We recommend that you regularly receive update packages. When the application is installed, the database release date is the same as the application release date, and therefore you must update the databases immediately after installing the application.
The application automatically looks for new update packages on Kaspersky update servers once every 30 minutes. By default, if for some reason application databases are not updated for 24 hours, Kaspersky Anti Targeted Attack Platform displays this information in the Dashboard section of the window of the application web interface.
If the version of Kaspersky Anti Targeted Attack Platform is not supported, the application databases are not updated, and the Dashboard section, in the System health window of the application web interface, displays the following warning: This version of Kaspersky Anti Targeted Attack Platform is no longer supported. Please upgrade the application to a supported version.
You can see which versions of the application are currently supported on the application lifecycle page.
The update functionality (including anti-virus signature updates and code base updates), as well as the KSN functionality may be unavailable in the territory of the USA.
Selecting a database update source
You can select the source from which the application will download database updates. The update source may be the Kaspersky server, or a network folder or local folder on one of the computers of your organization.
To select a database update source:
- In the window of the application web interface, select the Settings section, General settings subsection.
- In the Database update section, in the Update source drop-down list, select one of the following values:
- Kaspersky update server.
The application connects to Kaspersky update server over HTTP and downloads up-to-date databases.
- Kaspersky update server (secure connection).
The application connects to Kaspersky update server over HTTPS and downloads up-to-date databases. It is recommended to use HTTPS for database updates.
- Custom server.
The application connects to your FTP or HTTP server or to the folder with application databases on your computer to download up-to-date databases.
- If you have selected Custom server, in the field under the name of this setting, enter the URL of the update package on your HTTP server or the full path to the folder on your computer containing the application database update package.
- Click Apply.
The application database update source is applied.
Updating databases manually
To start the database update manually:
- In the window of the application web interface, select the Settings section, General settings subsection.
- In the Database update section, click the Start button.
- Click Apply.
The application database update is started. The progress of the update will be displayed to the right of the button.
Creating a list of passwords for archives
The application does not scan password-protected archives. You can create a list of the most frequently encountered passwords for archives that are used when exchanging files within your organization. If you do so, the application will try passwords from the list when scanning an archive. If one of the passwords matches, the archive will be unlocked and scanned.
The list of passwords set in application settings is also transmitted to the server with the Sandbox component.
To create a list of archive passwords:
- In the window of the application web interface, select the Settings section, Passwords for archives subsection.
- In the Passwords for archives field, enter the passwords that the application will use for password-protected archives.
Enter each password on a new line. You can enter up to 50 passwords.
- Click Apply.
The list of passwords for archives will be created. When scanning password-protected PDF files and Microsoft Word, Excel, and PowerPoint files, the application will use the passwords from the defined list.
Users with the Security auditor role can view the list of passwords for archives, but cannot edit it.
Configuring integration with ArtX TLSproxy
You can configure the integration of Kaspersky Anti Targeted Attack Platform with ArtX TLSproxy to unwrap encrypted SSL/TLS traffic. Integrating Kaspersky Anti Targeted Attack Platform with ArtX TLSProxy improves the security and performance of infrastructure. For integration, you only need to configure the ArtX TLSProxy application.
Compatibility is guaranteed with ArtX TLSProxy 1.9.1.
To configure the integration of Kaspersky Anti Targeted Attack Platform with ArtX TLSproxy:
- Specify and edit integration settings in ArtX TLSproxy.
For more details on specifying and editing integration settings in ArtX TLSproxy, see the ArtX TLSproxy User Manual on the ArtX website.
- Create the erspan.netdev file in the /etc/systemd/network directory with the following contents:
[NetDev]
Name=<name of the ERSPAN interface>
Kind=erspan
[Tunnel]
Independent=true
ERSPANIndex=<index or port number associated with the ERSPAN traffic source port>
Local=<local fixed IP address of the network interface on which you are configuring ERSPAN traffic transmission>
Remote=<IP address of the server hosting the Kaspersky Anti Targeted Attack Platform application on which you want to process ERSPAN traffic>
Key=<sequential number or key of the GRE header; if not used, enter 0>
SerializeTunneledPackets=true
- Create the erspan.network file in the /etc/systemd/network directory with the following contents:
[Match]
Name=<name of the ERSPAN interface>
[Network]
Address = <local IP address of the network interface/network interface mask>
- Restart the server with the Kaspersky Anti Targeted Attack Platform application on which you are configuring the integration with ArtX TLSproxy.
- Go to the ArtX TLSproxy application and specify the network interfaces that you configured.
The settings in the erspan.netdev and erspan.network files must match the settings that you specified in ArtX TLSproxy.
Integration with ArtX TLSproxy is configured.
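Because the two systemd-networkd files above must agree with each other (the [Match] Name in erspan.network must equal the [NetDev] Name in erspan.netdev, or the network unit never applies to the tunnel) and with what is entered in ArtX TLSproxy, a consistency check before rebooting saves a round trip. The following checker is an added example, not part of the product or its documentation; the file contents are constructed with RFC 5737 documentation addresses, and the check_erspan_config function is hypothetical.

```python
import configparser
import ipaddress

# Constructed sample contents of the two files (not from a real deployment): the
# placeholders from the procedure are filled with RFC 5737 documentation addresses.
ERSPAN_NETDEV = """\
[NetDev]
Name=erspan0
Kind=erspan

[Tunnel]
Independent=true
ERSPANIndex=1
Local=192.0.2.10
Remote=192.0.2.20
Key=0
SerializeTunneledPackets=true
"""

ERSPAN_NETWORK = """\
[Match]
Name=erspan0

[Network]
Address=192.0.2.10/24
"""


def _parse(text):
    # systemd unit files are INI-like; keep key names case-sensitive
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_erspan_config(netdev_text, network_text):
    """Return the list of problems found; an empty list means the pair is consistent."""
    problems = []
    nd, nw = _parse(netdev_text), _parse(network_text)
    name = nd.get("NetDev", "Name", fallback="")
    if not name:
        problems.append("[NetDev] Name is missing")
    if nw.get("Match", "Name", fallback="") != name:
        problems.append("[Match] Name in erspan.network differs from [NetDev] Name")
    if nd.get("NetDev", "Kind", fallback="") != "erspan":
        problems.append("Kind must be erspan")
    t = nd["Tunnel"] if nd.has_section("Tunnel") else {}
    for opt in ("Local", "Remote"):
        try:
            ipaddress.ip_address(t.get(opt, ""))
        except ValueError:
            problems.append(f"[Tunnel] {opt} must be a fixed IP address")
    if not t.get("Key", "").isdigit():  # 0 means no GRE key, but the line must be present
        problems.append("[Tunnel] Key must be a non-negative integer (0 if unused)")
    if not t.get("ERSPANIndex", "").isdigit() or int(t.get("ERSPANIndex", "0")) < 1:
        problems.append("[Tunnel] ERSPANIndex must be a positive integer")
    if t.get("SerializeTunneledPackets", "").lower() != "true":
        problems.append("[Tunnel] SerializeTunneledPackets must be true")
    try:
        ipaddress.ip_interface(nw.get("Network", "Address", fallback=""))
    except ValueError:
        problems.append("[Network] Address must be <IP address>/<prefix length>")
    return problems
```

Run it against the real files (open("/etc/systemd/network/erspan.netdev").read() and the .network file) before the restart step; an empty list means the two files are internally consistent, though whether they match the ArtX TLSproxy side must still be checked there.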