Contents
- Monitoring the performance of the application
- About widgets and layouts
- Adding a widget to the current layout
- Moving a widget in the current layout
- Changing the display of information in NDR widgets
- Removing a widget from the current layout
- Saving a layout to PDF
- Configuring the data display period in widgets
- Configuring the widget display scale
- Basics of managing "Alerts" type widgets
- Information in the Devices widget
- Information in the Events widget
- Viewing the working condition of modules and components of the application
Monitoring the performance of the application
You can monitor application operation using the widgets in the Dashboard section of the application web interface window. You can add, delete, and move widgets, configure the display scale of widgets, and select the data display period.
About widgets and layouts
You can use widgets to monitor application operation.
A layout is the appearance of the workspace of the application web interface window in the Dashboard section. You can add, delete, and move widgets in the layout, as well as configure the scale of widgets.
If you are using the distributed solution and multitenancy mode, this section displays information for the selected tenant. NDR widgets display information only for the current or selected node. By default, this section displays information only on alerts that were not processed by users. To also display information on processed alerts, enable the Show closed alerts toggle switch in the upper-right corner of the window.
The Dashboard section displays the following widgets:
- Alerts:
- Alerts by status. Displays the alert status depending on the Kaspersky Anti Targeted Attack Platform user processing the alert and on whether or not this alert has been processed.
- Alerts by technology. Displays the names of the application modules or components that generated the alert.
- Alerts by attack vector. Displays detected objects based on the vector of the attack.
- VIP alerts by importance. Displays the importance of alerts with VIP status depending on the impact that these alerts may have on the security of computers or the corporate LAN based on Kaspersky experience.
- Alerts by importance. Displays the importance of alerts for users of the Kaspersky Anti Targeted Attack Platform depending on the impact that these alerts may have on the security of computers or the corporate LAN based on Kaspersky experience.
The left part of each widget displays attack vectors, alert importance levels, alert states, and scanning technologies that generated the alerts. The right part of each widget displays the number of times the alerts were triggered during the selected period for data display in widgets.
Clicking the link with the name of the attack vector, alert importance level, alert state, and the scanning technology that generated the alert takes you to the Alerts section of the application web interface where you can view related alerts. Alerts are filtered based on the selected element.
- Top 10:
- Domains. 10 domains most frequently seen in alerts.
- IP addresses. 10 IP addresses most frequently seen in alerts.
- Sender's email addresses. 10 email senders most frequently seen in alerts.
- Recipient's email addresses. 10 email recipients most frequently seen in alerts.
- TAA hosts. 10 hosts that occur most frequently in events and alerts generated by the Targeted Attack Analyzer (TAA) technology.
- TAA rules. 10 TAA (IOA) rules that occur most frequently in events and alerts generated by the Targeted Attack Analyzer (TAA) technology.
- Sent to Sandbox by TAA rules. 10 TAA (IOA) rules that most frequently cause Kaspersky Anti Targeted Attack Platform to send files for scanning by the Sandbox component.
The left part of each widget lists the domains, email addresses of recipients, IP addresses and email addresses of message senders, host names, and TAA (IOA) rule names. The right part of each widget displays the number of times the alerts were triggered during the selected period for data display in widgets.
By clicking the link with the name of each domain, recipient address, IP address, and message sender address, you can go to the Alerts section of the application web interface and view related alerts.
Click the link with the host name and the name of the TAA (IOA) rule to go to the Events section of the application web interface and view related events.
Alerts and events are filtered based on the selected element.
- NDR:
- Network traffic event scores. Bar graph of the distribution of events by their scores for the selected period. The bars correspond to integer values of scores. You can change the data display mode to a pie chart with the distribution of events by severity levels. Depending on its score, an event may have a Low (0.0–3.9), Medium (4.0–7.9), or High (8.0–10.0) severity.
- Network traffic events by technology. How many events have been registered by which event registration technology during the selected period.
- Device security status. Distribution of devices by their security states.
- Frequent application users in network traffic events. User names most frequently registered in events based on information from EPP applications for the selected period.
- Frequent applications in network traffic events. Third-party applications most frequently registered in events based on information from EPP applications for the selected period.
- Frequent devices in network traffic events. The most frequently registered devices in events for the selected period.
- Frequent devices by risk count. The most frequently registered devices in detected risks for the selected period.
- Risk scores. Bar graph of the distribution of risks by their scores for the selected period. The bars correspond to integer values of scores. You can change the data display mode to a pie chart with the distribution of risks by severity levels. Depending on its score, a risk may have a Low (0.0–3.9), Medium (4.0–7.9), or High (8.0–10.0) severity.
- Custom widget. You can create widgets with arbitrary content. For example, you can use custom widgets to logically separate groups of widgets in the Dashboard section.
- Devices. Contains information about devices on the network (arranged by device category).
- Network traffic events. Contains information about the NDR events and aggregate events that have the most recent last-seen date and time.
- Situational awareness. Notifications about currently identified threats to system security (for example, Detected 10 unauthorized network interactions). The widget displays notifications in order of their importance.
- Protection by EPP applications. Ratio of the number of computers protected by EPP applications to the number of computers not protected by EPP applications. The total number of protected and unprotected computers is displayed in the center of the pie chart.
A computer is considered protected by an EPP application if Kaspersky Anti Targeted Attack Platform is aware of the following conditions being satisfied:
- An EPP application is installed on the computer.
- The Real-Time Protection task is running for the EPP application.
- The connection of the EPP application to the integration server has the Active status.
A computer is considered unprotected by an EPP application if at least one of the conditions is not satisfied. The check for the lack of EPP application protection is performed for all devices in Kaspersky Anti Targeted Attack Platform that contain the name of the Windows operating system (any version) as the installed operating system, or if the devices belong to one of the following categories:
- Server
- Workstation
For correct information to be displayed in NDR widgets, you must configure the synchronization of date and time between Central Node and Sensor components.
Widgets display only basic information that changes dynamically. If you need to view detailed information (for example, about devices with issues), you can navigate from the Dashboard section to other sections of the application web interface. You can navigate the web interface by clicking widgets.
Adding a widget to the current layout
To add a widget to the current layout:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Customize.
- Click Widgets.
- In the Manage widgets window that opens:
- If you want to add a widget associated with alerts or rules, in the Alerts or Top 10 list, select the toggle switch next to the widget that you want to add.
- If you want to add a widget related to the NDR functionality, click the button in the NDR list next to the name of the widget that you want to add.
- Close the Manage widgets window and click Apply.
The widget is added to the current layout.
Moving a widget in the current layout
To move a widget in the current layout:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Customize.
- Select the widget that you want to move within the layout.
- Click and hold the upper part of the widget to drag and drop the widget to a different place in the layout.
- Click Apply.
The current layout is saved.
Changing the display of information in NDR widgets
After an NDR widget is added, it displays information in accordance with the default settings. If necessary, you can edit the display settings.
To edit NDR widget display settings:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Customize.
- In the upper-right corner of the NDR widget that you want to configure, click the button.
This opens the display settings window.
- Manage the settings of the widget.
Depending on the selected NDR widget, the window may contain the following settings:
- Change name – if the Change name check box is selected, you can define any name for the widget (different from the default name) in the Widget name field. The Change name setting is absent from custom widgets.
- Widget name – field for entering a widget name different from the default name.
- Edit description – if the Edit description check box is selected, you can provide any description for the widget (different from the default description) in the Widget description field. The Edit description setting is absent from custom widgets.
- Widget description – field for entering a widget description different from the default description.
- Refresh period – the time in seconds after which the displayed information is updated.
- Defined background – defines the color of the background on the custom widget. You can choose a background color that corresponds to one of the severity levels (Info, Warning, or Critical) or select Neutral to disable background coloring.
- Display mode – determines how data is displayed in the widget. You can configure the display of information as a bar chart or a pie chart.
- Take into account events with Resolved status – if Take into account events with Resolved status is selected, the widget displays data for all events.
- Include remediated and accepted risks – if Include remediated and accepted risks is selected, the widget displays data for all risks.
- Click Apply.
Removing a widget from the current layout
To remove a widget from the current layout:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Customize.
- Click the icon in the upper right corner of the widget that you want to remove from the layout.
The widget is removed from the workspace of the application web interface window.
- Click Apply.
The widget is removed from the current layout.
Saving a layout to PDF
NDR widgets in the layout are not saved to PDF.
To save a layout to PDF:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Save as PDF.
This opens the Saving as PDF window.
- In the lower part of the window, in the Layout drop-down list, select the page orientation.
- Click Download.
The layout in PDF format is saved to the hard drive of your computer in the downloads folder of the browser.
- Click Close.
Configuring the data display period in widgets
You can configure the display of data in widgets for the following periods:
- Day.
- Week.
- Month.
For NDR widgets, you can use the following periods:
- 1h
- 12h
- 24h
- 7d
You can configure a data display period for each individual NDR widget.
Changing the display of information in widgets
To configure the display of data in widgets for a day (from 00:00 a.m. to 11:59 p.m.):
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the application web interface window, in the drop-down list of data display periods, select Day.
- In the calendar to the right of the Day period name, select the date for which you want to display data in the widget.
All widgets on the Dashboard page display data for the period you selected.
To configure the display of data on widgets for a week (Monday through Sunday):
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the application web interface window, in the drop-down list of data display periods, select Week.
- In the calendar to the right of the Week period name, select the week for which you want to display data in the widget.
All widgets on the Dashboard page display data for the period you selected.
To configure the display of data in widgets for a month (calendar month):
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the application web interface window, in the drop-down list of data display periods, select Month.
- In the calendar to the right of the Month period name, select the month for which you want to display data in the widget.
All widgets on the Dashboard page display data for the period you selected.
Changing the display of information in widgets
To configure the display of information in an NDR widget:
- Select the Dashboard section in the application web interface window.
- In the upper-right corner of the NDR widget that you want to configure, click the button that stands for the time interval that you need.
The NDR widget displays information for the selected period.
Configuring the widget display scale
You can configure the display scale for "Alerts" type widgets. The icon in the upper right corner of a widget means you can configure the scale for that widget.
To configure the display scale for widgets:
- Select the Dashboard section in the application web interface window.
- In the upper part of the window, click the button.
- In the drop-down list, select Customize.
- Click the icon in the upper right corner of the widget.
- In the drop-down list, select one of the following widget display sizes:
- 1x1.
- 2x1.
- 3x1.
The display scale of the selected widget is modified.
- Repeat the steps for all widgets for which you want to set the display scale.
- Click Save.
The display scale of widgets is configured.
Basics of managing "Alerts" type widgets
You can configure the display scale for all "Alerts" type widgets.
The left part of each widget displays the legend for colors used in widgets.
Example: The Alerts by importance widget displays the number of alerts of various importance. Importance—Alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this alert may have on computer or corporate LAN security based on Kaspersky experience. In the Alerts by importance widget, the following colors correspond to importance levels:
To the right of the legend, the number of alerts of each type for the selected period for displaying data in widgets is displayed.
By clicking the link with the type of each alert, you can go to the Alerts section of the application web interface and view all alerts of this type. Alerts are filtered based on the specific type.
Example: The Alerts by attack vector widget displays Files from email alerts, which indicate the number of files that Kaspersky Anti Targeted Attack Platform detected in mail traffic for the selected period. Clicking the Files from email link opens the Alerts section and displays all alerts associated with the detection of files in mail traffic for the selected period. Data will be filtered based on the following parameters: Object type=FILE and Object source=MAIL.
The right part of each widget displays data columns. The vertical axis shows the number of events, and the horizontal axis shows the date and time of the alert creation. You can edit the period of data display in widgets and select the tenant for which information is displayed in the widget.
Position your mouse cursor on each data column to display the number of alerts counted for the period represented by the specific column. The number of unprocessed alerts is displayed by default. You can enable the display of processed alerts by selecting the Processed check box in the upper-right corner of the window. In this case, the total number of all alerts will be displayed.
Information in the Devices widget
The Devices widget in the Dashboard section belongs to the NDR functionality and displays information about devices in the list of devices known to the application.
The widget provides the following information:
- Information about how many devices the application knows for each category. This information is displayed in the upper part of the widgets as category icons. Under each category icon, the number of devices of that category is displayed. If the list of devices known to the application contains devices with issues, the icons of the corresponding categories have a warning badge.
- List of categories with devices with issues. This information is displayed in the middle part of the widget if such devices exist. The space for displaying graphics is limited by the size of the widget.
Devices with issues
The application considers that a device has issues in any of the following cases:
- The device has a status of Authorized and a security state other than OK.
- The device has a status of Unauthorized.
If any devices have issues, the following information is displayed for each category in the list:
- A line with the category icon, a text description, and a link with the number of devices with issues.
- A line with graphical representations of devices. This line is displayed if the widget has sufficient free space. The number of graphics in the line depends on the current size of the web browser window. If there are more devices with issues than represented in the line, the number of hidden devices is displayed on the right, in the + <number of devices> format.
Device graphics
Graphical representations of devices include the following information:
- Device name.
- Device status. This is displayed as an icon if the device has a status of Unauthorized.
- Device security status. Displayed as a colored line on the left border of the graphic. The color of the line corresponds to the OK, Warning, or Critical states.
The graphics are displayed in the following order:
- Devices assigned a status of Unauthorized.
- Devices with a Critical security state.
- Devices with a Warning security state.
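The "device with issues" rule and the display order above, together with the three EPP protection conditions and the scope of the protection check from the "About widgets and layouts" section, applied to constructed device records. This is an added example and not code from the Kaspersky product or its documentation; the record field names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed device records. Field names are an assumption for this example;
# the status, state and category values follow the widget descriptions.
@dataclass
class Device:
    name: str
    category: str                       # for example "Server", "Workstation", "PLC"
    status: str                         # "Authorized" or "Unauthorized"
    security_state: str                 # "OK", "Warning" or "Critical"
    os_name: Optional[str] = None
    epp_installed: bool = False         # an EPP application is installed
    epp_realtime_running: bool = False  # its Real-Time Protection task is running
    epp_connection: str = "Inactive"    # "Active" when the integration-server link is up


def has_issues(d: Device) -> bool:
    """Unauthorized devices, and Authorized devices whose state is not OK, have issues."""
    if d.status == "Unauthorized":
        return True
    return d.status == "Authorized" and d.security_state != "OK"


def issue_rank(d: Device) -> int:
    """Display order in the widget: Unauthorized first, then Critical, then Warning."""
    if d.status == "Unauthorized":
        return 0
    return {"Critical": 1, "Warning": 2}.get(d.security_state, 3)


def issues_by_category(devices: List[Device]) -> Dict[str, List[Device]]:
    """Group devices with issues by category, each group in widget display order."""
    grouped: Dict[str, List[Device]] = {}
    for d in sorted(filter(has_issues, devices), key=issue_rank):  # sorted() is stable
        grouped.setdefault(d.category, []).append(d)
    return grouped


def epp_check_applies(d: Device) -> bool:
    """The protection check covers Windows devices (any version) and Server/Workstation devices."""
    if d.os_name and "windows" in d.os_name.lower():
        return True
    return d.category in ("Server", "Workstation")


def epp_protected(d: Device) -> Optional[bool]:
    """None outside the scope of the check; otherwise all three conditions must hold."""
    if not epp_check_applies(d):
        return None
    return d.epp_installed and d.epp_realtime_running and d.epp_connection == "Active"


def protection_ratio(devices: List[Device]) -> Tuple[int, int]:
    """(protected, unprotected) counts as shown by the Protection by EPP applications widget."""
    protected = unprotected = 0
    for d in devices:
        result = epp_protected(d)
        if result is None:
            continue
        if result:
            protected += 1
        else:
            unprotected += 1
    return protected, unprotected


# Constructed sample inventory.
SAMPLE_DEVICES = [
    Device("srv-01", "Server", "Authorized", "OK", "Windows Server 2019", True, True, "Active"),
    Device("ws-07", "Workstation", "Authorized", "Warning", "Windows 10", True, False, "Active"),
    Device("ws-12", "Workstation", "Unauthorized", "OK", "Windows 10", True, True, "Inactive"),
    Device("plc-03", "PLC", "Authorized", "Critical"),           # outside the EPP check
    Device("rtr-01", "Router", "Authorized", "OK", "RouterOS"),  # no issues, outside the check
    Device("srv-02", "Server", "Authorized", "Critical", "Linux", True, True, "Active"),
]

if __name__ == "__main__":
    for category, devs in issues_by_category(SAMPLE_DEVICES).items():
        print(f"{category}: {len(devs)} with issues ->", [d.name for d in devs])
    print("EPP protected/unprotected:", protection_ratio(SAMPLE_DEVICES))
```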
Navigating to other sections from the widget
You can use elements of the Devices widget interface to navigate to the devices table and display detailed information about devices. The following options are available to achieve this.
Navigating to the table of devices and filtering the table
To navigate to the table of devices and view information about all devices in the selected category:
In the upper part of the Devices widget, click the icon of the relevant category.
This opens the Assets section containing the devices table. Filtering by the selected device category is applied to the table.
To navigate to the table of devices and view information about devices with issues that belong to a certain category:
In the list of categories of devices with issues, click the link with the number of devices of the relevant category. The link is displayed at the end of the line with the category icon and the text comment with issues.
This opens the Assets section containing the devices table. Filtering is applied in the table by IDs of devices with issues that belong to a certain category.
The devices table is filtered based on the IDs of those devices that were displayed in the Devices widget when you proceeded to the devices table. After navigating to the table of devices, the filtering conditions are not updated. If you want to view the current number of devices with issues, you can go to the Dashboard section again.
To go to the table of devices and view information about a device with issues:
In the Devices widget, click the graphical element that represents the relevant device.
This opens the Assets section containing the devices table. Filtering by device ID is applied to the table.
To go to the table of devices without changing the current table filtering conditions:
Click the Show all devices link in the Devices widget.
This opens the Assets section containing the devices table. The table displays devices that match filtering conditions that have been configured for the table of devices.
Navigating to the table of devices and searching the table
To go to the devices table and find devices in the table:
- In the Devices widget, enter your search query into the Search devices field.
- Click Search.
This opens the Assets section containing the devices table. The table displays devices that match your search criteria.
Information in the Events widget
The Network traffic events widget in the Dashboard section displays general information about the NDR events and aggregate events that have the most recent last-seen date and time.
The widget displays the following elements:
- A histogram of NDR events and aggregate events for the selected period. This information is displayed in the upper part of the widget. The histogram displays the distribution of NDR events and aggregate events by severity level.
- A list of information about registered NDR events and aggregate events, sorted by their last-seen date and time. This information is displayed in the middle part of the widget.
Statistics of NDR events and aggregate events
On the distribution histogram of NDR and aggregate events, the bars correspond to the total number of events for each time interval. Inside the bars, the colors stand for severity levels of events. The following colors correspond to the severity levels:
- Blue. This color is used for Low-severity NDR events and aggregate events.
- Yellow. This color is used for Medium-severity NDR events and aggregate events.
- Red. This color is used for High-severity NDR events and aggregate events.
You can hover over a bar to view information about it. The pop-up window displays information about the date and time of the interval, as well as the number of NDR events and aggregate events by severity level.
The length of the time intervals depends on the selected display period. You can select a period for the histogram with the following buttons:
- 1h: one-hour period, subdivided into one-minute intervals.
- 12h: 12-hour period, subdivided into one-hour intervals.
- 24h: 24-hour period, subdivided into one-hour intervals.
- 7d: seven-day period, subdivided into one-day intervals.
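The severity thresholds and the period-to-interval mapping described above, reproduced over constructed NDR events so the per-interval, per-severity counts behind the histogram (and the hover pop-up) can be checked offline. This is an added example, not code from the Kaspersky product or its documentation; the event record fields and the inclusive right bound of the period are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

SEVERITY_COLORS = {"Low": "Blue", "Medium": "Yellow", "High": "Red"}

# Display period -> (span, interval length), as documented for the histogram buttons.
PERIODS = {
    "1h": (timedelta(hours=1), timedelta(minutes=1)),
    "12h": (timedelta(hours=12), timedelta(hours=1)),
    "24h": (timedelta(hours=24), timedelta(hours=1)),
    "7d": (timedelta(days=7), timedelta(days=1)),
}


@dataclass
class NdrEvent:                 # field names are an assumption for this example
    title: str
    score: float                # 0.0 .. 10.0
    last_seen: datetime
    resolved: bool = False


def severity(score: float) -> str:
    """Low 0.0-3.9, Medium 4.0-7.9, High 8.0-10.0; scores outside 0..10 are rejected."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if score < 4.0:
        return "Low"
    if score < 8.0:
        return "Medium"
    return "High"


def histogram(events: List[NdrEvent], period: str, now: datetime,
              include_resolved: bool = False) -> List[Dict[str, int]]:
    """One dict of per-severity counts per interval, oldest interval first.

    Resolved events are skipped unless the widget's "Take into account events with
    Resolved status" setting is on. An event seen exactly at `now` lands in the last
    interval (assumption: the right bound of the period is inclusive).
    """
    span, step = PERIODS[period]
    n_bins = span // step
    start = now - span
    bins = [{"Low": 0, "Medium": 0, "High": 0} for _ in range(n_bins)]
    for ev in events:
        if ev.resolved and not include_resolved:
            continue
        if not start <= ev.last_seen <= now:
            continue
        idx = min((ev.last_seen - start) // step, n_bins - 1)
        bins[idx][severity(ev.score)] += 1
    return bins


def recent_events(events: List[NdrEvent], limit: int,
                  include_resolved: bool = False) -> List[NdrEvent]:
    """The widget's list: most recent last-seen first, cut to what fits in the widget."""
    shown = [e for e in events if include_resolved or not e.resolved]
    return sorted(shown, key=lambda e: e.last_seen, reverse=True)[:limit]


NOW = datetime(2024, 5, 1, 12, 0)      # constructed "current moment"
SAMPLE_EVENTS = [                      # constructed events
    NdrEvent("Unauthorized network interaction", 9.2, NOW - timedelta(minutes=5)),
    NdrEvent("Suspicious DNS query", 4.5, NOW - timedelta(minutes=30)),
    NdrEvent("New device detected", 1.0, NOW - timedelta(minutes=59, seconds=30)),
    NdrEvent("Port scan", 8.0, NOW - timedelta(hours=3)),
    NdrEvent("Resolved anomaly", 6.0, NOW - timedelta(minutes=10), resolved=True),
]

if __name__ == "__main__":
    for i, counts in enumerate(histogram(SAMPLE_EVENTS, "1h", NOW)):
        if any(counts.values()):
            print(f"interval {i:2d}:", {SEVERITY_COLORS[s]: n for s, n in counts.items() if n})
    for e in recent_events(SAMPLE_EVENTS, 3):
        print(e.last_seen.isoformat(), severity(e.score), e.title)
```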
List of NDR events and aggregate events
The list of NDR events and aggregate events in the Network traffic events widget is updated in real time. NDR events and aggregate events with the most recent last-seen date and time are placed at the top of the list.
The number of displayed items in the list of NDR events and aggregate events is limited by the size of the widget.
For each event in the list, the following information is provided:
- Title of the NDR event or aggregate event.
- Last-seen date and time.
- Icon that stands for the severity of the NDR event or aggregate event:
- Low severity level
- Medium severity level
- High severity level
Aggregate events in the list are marked with a separate icon.
Navigating to other sections from the widget
You can use the controls of the Network traffic events interface to go to the events table and display detailed information about NDR events and aggregate events. The following options are available to achieve this.
Navigating to the table of network traffic events and filtering the table
You can view detailed information about an NDR event or aggregate event by clicking the event in the list of the Network traffic events widget. Doing so opens the Network traffic events section in which the table will be filtered based on the ID of the selected NDR event or aggregate event. The filtering criteria also include the period from the date and time of registration of an NDR event or aggregate event to the current moment (without specifying the right bound of the period).
If you want to go to the table of network traffic events without changing the current filtering conditions of the table in the Network traffic events section, click the Show all events link in the Network traffic events widget.
Navigating to the table of events and searching the table
To go to the events table and find events in the table:
- In the Network traffic events widget, enter your search query into the Search events field.
- Click Search.
This opens the Network traffic events section. The table of events displays NDR events and aggregate events that match the search criteria.
Viewing the working condition of modules and components of the application
If modules or components of the application encounter errors that the administrator is advised to look at, a yellow warning box is displayed in the upper part of the Dashboard section of the application web interface.
Users with the Administrator or Security auditor role can gain access to information about the working condition of the Central Node, PCN, or SCN server that the user is currently managing.
Users with the Senior security officer, Security officer, or Security auditor role can gain access to the following information about the working condition:
- If you are using a standalone Central Node server, the user can access information about the working condition of the Central Node server which the user is currently managing.
- If you are using the distributed solution and multitenancy mode, and the user is managing an SCN server, the user can gain access to information about the working condition of that SCN server for tenants to whose data the user has access.
- If you are using the distributed solution and multitenancy mode, and the user is managing the PCN server, the user can gain access to information about the working condition of the PCN server and all SCN servers connected to that server, for tenants to whose data the user has access.
For details about the working condition of application modules and components, click View details to open the System health window.
In the System health window, one of the following icons is displayed depending on the working condition of the application modules and components:
- An icon if the modules and components of the application are working normally.
- An icon with the number of problems if problems are found that the administrator is recommended to pay attention to. In this case, detailed problem information is displayed in the right part of the System health window.
The System health window contains the following sections:
- Component health contains information on the operational status of application modules and components, quarantine, and database update on all servers where the application is running.
Example:
If the databases of one or more application components have not been updated in 24 hours, an icon is displayed next to the name of the server on which the application modules and components are installed.
To resolve the problem, make sure that update servers are accessible. If you are using a proxy server to connect to update servers, make sure the proxy server has no errors pertaining to the connection to Kaspersky Anti Targeted Attack Platform servers.
- Processed—Status of receiving and processing incoming data. The status is generated based on the following criteria:
- State of receiving data from servers with the Sensor component, from the server or virtual machine with the mail sensor, from hosts with the Endpoint Agent component.
- Information about exceeding the maximum allowed time that objects wait in the queue to be scanned by application modules and components.
- Connection with servers—Status of the connection between the PCN server and connected SCN servers (displayed if you are using the distributed solution and multitenancy mode).
If problems are detected with the performance of application modules or components and you cannot resolve those problems on your own, please contact Kaspersky Technical Support.