Contents
- Managing reports
- Managing common reports
- Viewing the table of templates and reports
- Creating a template
- Creating a report based on a template
- Viewing a report
- Downloading a report to a local computer
- Editing a template
- Filtering templates by name
- Filtering templates based on the name of the user that created the template
- Filtering templates by creation time
- Clearing a template filter
- Deleting a template
- Filtering reports by creation time
- Filtering reports by name
- Filtering reports by the name of the server with the Central Node component
- Filtering reports based on the name of the user that created the report
- Clearing a report filter
- Deleting a report
- Managing NDR reports
- Viewing the table of NDR report templates
- Viewing NDR report template details
- Viewing the table of NDR reports
- Manually generating an NDR report based on a template
- Duplicating an NDR report template
- Editing an NDR report template
- Exporting an NDR report to a file
- Deleting an NDR report template
- Deleting an NDR report
- Canceling NDR report generation
- Managing the settings for storing report files
Managing reports
Users with the Senior security officer role can use Kaspersky Anti Targeted Attack Platform to manage reports about application alerts: create report templates, create reports based on a template, view, and delete reports and report templates.
Users with the Security auditor role can view reports and report templates and create reports from templates.
The following types of reports are available:
- General reports. Templates for these reports are available in the Reports section, Templates subsection. You can manage the generated reports in the Reports section, Generated reports subsection.
You can manage report templates and reports in all modes of the application in accordance with your license. Reports are generated based on a selection of alerts for a specified period. If you are using the distributed solution and multitenancy mode, the selection can also be based on the tenant and this tenant's servers.
- NDR functionality reports. Available in the Reports section, Reports (NDR) subsection.
You can manage report templates and reports if you add a KATA + NDR license key. Reports are generated based on a selection of alerts for the specified period in accordance with the data of the node on which the report is generated.
Managing common reports
When managing the application web interface, users with the Senior security officer role can manage KATA reports about application alerts: create report templates, create reports based on a template, view, and delete reports and report templates.
Users with the Security auditor role can view KATA reports and report templates and create reports from templates.
To create a KATA report:
Viewing the table of templates and reports
Templates and reports are displayed in the Reports section of the application web interface window.
The Generated reports subsection contains a report table. The table contains the following information:
- Time created—Date and time of report creation.
- Report name—Name of the report created based on the template.
- Period—Period for which the report was generated.
- Servers is the name of the server with the PCN or SCN role to which the rule applies.
This column is displayed if you are using the distributed solution and multitenancy mode.
- Created by—Name of the user that created the report.
- State—Report state (whether the file can be downloaded).
The Templates subsection displays the table of templates. The table contains the following information:
- Time created—Date and time when the template was created.
- Time updated—Date and time of last modification of the template.
- Report name—Name of the template.
- Created by—Name of the user that created the template.
Creating a template
When creating a report template, you need to specify all the information that you want to display in the report: report name, its description, availability of a table, graph or image. You can also select the data that you want to display in the report and define the position of report elements.
When creating a report in the Reports section, Generated reports subsection of the interface, you can only select the template for creating the report and the data display period.
A new report template is created for each data sample.
To create a template:
- In the application web interface window, select the Reports section, Templates tab.
This opens the table of templates.
- Click Add.
This opens the template creation window. This window contains the body of the report and the report builder in a floating window. You can move the report builder over the workspace of the web interface window.
- In the Template name field in the upper-right corner of the window, type the name that you want to assign to reports that are created from this template. For example, Alerts by technology.
This name is displayed in the table in the Reports section, Generated reports subsection when creating all reports in this template.
- In place of the Report title text, type the report name that will be displayed in a report after the report is created. If you do not want to add a report name, you can delete the Report title text and leave this report section blank.
You can format text using the buttons in the Text section in the template builder.
- In place of the Report description text, type the report description that will be displayed in a report after the report is created. If you do not want to add a report description, you can delete the Report description text and leave this report section blank.
You can format text using the buttons in the Text section in the template builder.
- Using the report builder, add one or more report elements:
- Table.
- Pie chart.
- Image.
- If you chose to add an image, the Image window opens. Do the following:
- Click Upload.
- Upload the image. For example, you can upload your company logo.
- In the list on the right of the upload button, select the alignment of the image on the report page: Left, Right or Center.
- Click Apply.
- If you chose to add a pie chart, the Pie chart of alert attributes window opens. Do the following:
- In the Name field, type the name of the pie chart. For example, Top 5 alerts by technology. You can also leave the field blank.
- In the Data source list, select the alert property for which you want to create a pie chart. For example, Technologies.
- In the Number of slices field, specify the maximum number of sectors of the pie chart.
When a report is created, the application selects the most frequently encountered data. For example, if you specified 5 sectors and want to create a pie chart by technology, the application displays a chart for the 5 technologies that generated the greatest number of alerts. Technologies that generated fewer alerts are not included in the chart.
- Click Apply.
- If you chose to add a table, the Alerts table window opens. Do the following:
- In the Available columns field, double-click to select the alert properties that you want to add to the report table.
The selected properties are moved to the Selected columns field. You can drag the names of columns between the Available columns and Selected columns fields, and change the order of columns in the report table.
For example, if you move the Technologies, Detected, and Time created properties to the Selected columns field, the table of the created report displays technologies that generated alerts, a list of detected objects, and the time when the alerts were generated.
- If you want to filter alerts by the State property, select the check boxes next to the processing statuses of alerts whose data you want to display in the report.
- If you want to filter alerts by the Technologies property, select the check boxes next to the names of application modules and components whose data you want to display in the report.
- If you want to filter alerts by the Importance property, select the check boxes next to the importance levels of alerts whose data you want to display in the report.
- If you want to filter alerts by the VIP status, select VIP in the list. Only alerts with the VIP status are displayed in the report.
- Click Apply.
- Click the Save button in the upper-right corner of the window.
A new template will be created.
Users with the Security auditor and Security officer roles cannot create report templates.
Creating a report based on a template
To create a report based on a template:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Click Add.
This opens the New report window.
- Do the following:
- In the Template drop-down list, select one of the templates for creating a report.
- Under Period, select one of the following options:
- Last hour if you want the report to contain information about application operation during the last hour.
- Last day if you want the report to contain information about application operation during the last day.
- Last 7 days if you want the report to contain information about application operation during the last week.
- Last 30 days, if you want the report to contain information about system operation during the last month.
- Custom, if you want the report to contain information about system operation during the period you specify.
- If you have selected the Custom display period for information about application operation:
- In the calendar that opens, specify the start and end dates of the period for which the report will be generated.
- Click Apply.
- If you are using distributed solution and multitenancy mode, in the Servers settings group, select the check boxes next to the tenants and servers whose data you want to include in the report.
- Click Create.
The created report is displayed in the table of reports. You can download the report for viewing on your computer.
Users with the Security officer role cannot create report templates.
Viewing a report
To view a report:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Select the report that you want to view.
The report opens in a new tab in your browser.
Downloading a report to a local computer
To download a report to your computer:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- In the line containing the report that you want to view, click the icon.
The report is saved in HTML format to your local computer in the browser's downloads folder.
To view a report, you can use any application that lets you view HTML files (for example, a browser).
Editing a template
To edit a template:
- In the application web interface window, select the Reports section, Templates tab.
This opens the table of templates.
- Select the template that you want to edit.
This opens the template editing window.
- You can edit the following settings:
- Template name is the report name that is displayed in the table in the Reports section, Generated reports subsection when creating all reports based on this template.
- Report title is the report name that is displayed in the report after the report is created.
You can format text using the buttons in the Text section in the template builder.
- Report description is the report description that is displayed in a report after the report is created.
You can format text using the buttons in the Text section in the template builder.
- Image. You can upload or delete an image.
- Pie chart. You can change the following pie chart settings:
- Name.
- Data source.
- Number of slices.
Click Apply.
- Table. You can change the following table settings:
- Selected columns. You can drag the names of columns between the Available columns and Selected columns fields, and change the order of columns in the report table.
- State.
- Technologies.
- Importance.
- VIP status.
- Select one of the following methods to save the template:
- If you want to apply changes to the current template, click the Save button.
The template is modified.
- If you want to create a new template, enter a name for the template and click Save as.
The name of the new template must not be the same as the name of an already existing template.
The new template will be saved.
Users with the Security auditor and Security officer roles cannot edit templates.
Filtering templates by name
To filter templates by name:
- In the application web interface window, select the Reports section, Templates tab.
This opens the table of templates.
- Click the Report name link to open the template filtering menu.
- In the drop-down list, select one of the following template filtering operators:
- Contain
- Not contain
- Enter one or several characters of the template name.
- If you want to add a filtering criterion to the filter, click the button under the list of filtering operators and repeat the sequence for specifying filtering criteria.
- Click Apply.
The table of templates will display only templates that match the filter criteria you have set.
Filtering templates based on the name of the user that created the template
To filter templates by the name of the user that created the template:
- In the application web interface window, select the Reports section, Templates tab.
This opens the table of templates.
- Click the Created by link to open the menu for filtering templates.
- In the drop-down list, select one of the following template filtering operators:
- Contain
- Not contain
- Enter one or several characters of the user name.
- If you want to add a filtering criterion to the filter, click the button under the list of filtering operators and repeat the sequence for specifying filtering criteria.
- Click Apply.
The table of templates will display only templates that match the filter criteria you have set.
Filtering templates by creation time
To filter report templates by creation time:
- In the application web interface window, select the Reports section, Templates tab.
This opens the table of templates.
- Click the Time created link to open the menu for filtering templates.
- Select one of the following template display periods:
- All if you want the application to display all created templates in the table.
- Last hour if you want the application to display the templates that were created during the last hour in the table.
- Last day if you want the application to display the templates that were created during the last day in the table.
- Custom range if you want the application to display templates that were created during the period you specify in the table.
- If you have selected the Custom range template display period:
- In the calendar that opens, specify the start and end dates of the template display period.
- Click Apply.
The table of templates will display only templates that match the filter criteria you have set.
Clearing a template filter
To clear the template filter for one or more filtering criteria:
- In the application web interface window, select the Reports section, Templates tab.
This opens the table of templates.
- Click the icon to the right of the header of the column of the template table for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table of templates will display only templates that match the filter criteria you have set.
Deleting a template
To delete a template:
- In the application web interface window, select the Reports section, Templates tab.
This opens the table of templates.
- Select the check box in the line containing the template that you want to delete.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The template that you selected will be deleted.
Users with the Security auditor and Security officer roles cannot delete templates.
Filtering reports by creation time
To filter reports by creation time:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Click the Time created link to open the report filtering menu.
- Select one of the following report display periods:
- All if you want the application to display all created reports in the table.
- Last hour if you want the application to display the reports that were created during the last hour in the table.
- Last day if you want the application to display the reports that were created during the last day in the table.
- Custom range if you want the application to display reports that were created during the period you specify in the table.
- If you have selected the Custom range report display period:
- In the calendar that opens, specify the start and end dates of the report display period.
- Click Apply.
The table of reports will display only reports that match the filter criteria you have set.
Filtering reports by name
To filter reports by name:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Click the Report name link to open the report filtering menu.
- In the drop-down list, select one of the following report filtering operators:
- Contain
- Not contain
- In the text box, enter one or more characters of the report name.
- If you want to add a filtering criterion to the filter, click the button under the list of filtering operators and repeat the sequence for specifying filtering criteria.
- Click Apply.
The table of reports will display only reports that match the filter criteria you have set.
Filtering reports by the name of the server with the Central Node component
To filter reports by the name of the server with the Central Node component:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Click the Servers link to open the report filtering menu.
- Select the check boxes opposite those servers by which you want to filter reports.
- Click Apply.
The table of reports will display only reports that match the filter criteria you have set.
Filtering reports based on the name of the user that created the report
To filter reports by the name of the user that created the report:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Click the Created by link to open the report filtering menu.
- In the drop-down list, select one of the following report filtering operators:
- Contain
- Not contain
- Enter one or several characters of the user name.
- If you want to add a filtering criterion to the filter, click the button under the list of filtering operators and repeat the sequence for specifying filtering criteria.
The table of reports will display only reports that match the filter criteria you have set.
Clearing a report filter
To clear the report filter for one or more filtering criteria:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Click the icon to the right of the header of the column of the reports table for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The table of reports will display only reports that match the filter criteria you have set.
Deleting a report
To delete an application operation report:
- In the window of the program web interface, select the Reports section, Generated reports subsection.
This opens the table of reports.
- Select the check box in the line containing the report that you want to delete.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The selected report will be deleted.
Users with the Security auditor and Security officer roles cannot delete reports.
Managing NDR reports
You can use Kaspersky Anti Targeted Attack Platform to get reports with various information saved by the application. Kaspersky Anti Targeted Attack Platform generates reports as PDF files. The application can send report files to email addresses.
You can view information about generated reports and export them to files in the Reports section, Reports (NDR) subsection, Generated reports tab.
The following types of NDR report templates are possible:
- System templates, created automatically during application installation. In the table of report templates, system templates are displayed with the icon. You cannot delete system templates.
Kaspersky Anti Targeted Attack Platform supports the following system report templates:
- Inventory report.
Contains information about devices and system commands, as well as protocols used and detected risks on devices.
- System security report.
Contains information about the security status of devices, registered events, detected risks, and interactions with devices on external networks.
- Executive summary.
Contains brief information about devices and the security status of the system.
- Full report.
Contains complete information about devices and the security status of the system.
- Custom templates, created manually by duplicating templates. You can duplicate system or custom templates. Only users with the Senior security officer role can duplicate report templates.
Information in reports is presented as separate information blocks. Each Kaspersky Anti Targeted Attack Platform report includes a fixed set of information blocks, which are arranged in a fixed order. Information blocks used in reports and their descriptions are listed in the table below.
Using information blocks in reports
Name of the information block | Inventory report | System security report | Executive summary | Full report |
---|---|---|---|---|
Viewing the table of NDR report templates
You can view the table of report templates in the web interface of the application, in the Reports section, Reports (NDR) subsection, on the Report templates tab.
Report template settings are displayed in the following columns of the table:
- Name.
Report template name. The icon is displayed next to the names of system report templates.
- Schedule.
Information about the schedule used by Kaspersky Anti Targeted Attack Platform to automatically generate a report based on the template. Schedule information is displayed if a user with the Senior security officer role configured a schedule in the report template. If the schedule is not configured, the column displays Disabled.
- Type/user.
Name of the user who last modified the report template. System is displayed for system templates that have default settings.
- Last report.
Time when the last report was generated based on the report template.
- Destinations.
Icon signifying that email report recipients are configured. The following icons have the following meanings:
– report recipients are defined.
– report recipients are not defined.
Viewing NDR report template details
To view report template information:
In the Reports section, Reports (NDR) subsection, on the Report templates tab, select the relevant template.
The details area is displayed in the right part of the web interface window. The details area displays all specified details.
Details of the report template include the following fields:
- Name is the name of the report template.
- Type/user is the name of the user that last modified the report template. System is displayed for system templates that have default settings.
- Period is the time period covered by the report that Kaspersky Anti Targeted Attack Platform generates based on the template.
- Modified is the time when the most recent change to the template was made.
- Last report is the time when the last report was generated based on the template.
- Next start (local time) is the time when the next report generation based on the template will start. This setting is displayed if a schedule is configured for the report template.
- Schedule displays information about the schedule used by Kaspersky Anti Targeted Attack Platform to automatically generate a report based on the template. This setting is displayed if a schedule is configured for the report template.
- Recipient addresses are email addresses to which Kaspersky Anti Targeted Attack Platform sends the generated reports. This setting is displayed if recipient addresses are configured for the report template.
Viewing the table of NDR reports
You can view the table of reports in the web interface of the application, in the Reports section, Reports (NDR) subsection, on the Generated reports tab.
Report settings are displayed in the following columns of the table:
- ID.
Unique ID of the report.
- Report name.
Name of the generated report.
- Template name.
Name of the template used to generate the report.
- Start.
Date and time when the report generation started.
- Status.
Status of the report. A report can have one of the following statuses:
Pending. The report is queued for generation. A report can have the Pending status when multiple reports are generated at the same time.
In progress. The report is being generated.
Error. An error occurred while generating the report.
Done. The report is successfully generated.
Canceling. Report generation is being canceled.
Canceled. Report generation has been canceled.
- User.
Name of the user that initiated the generation of the report or configured the schedule for running the report based on a template.
- Run type.
Report generation type: manual or scheduled.
- Completed.
Date and time when the report generation ended.
Manually generating an NDR report based on a template
You can manually start generating a report based on a template.
To start report generation:
- Select the Reports section, then the Reports (NDR) subsection.
- On the Report templates tab, select one or more templates that you want to use to generate reports.
When multiple templates are selected, the application generates reports based on these templates simultaneously. You can select up to 10 templates.
- In the toolbar above the table of report templates, click Get reports.
Kaspersky Anti Targeted Attack Platform starts generating the report.
You will be taken to the Generated reports tab, which displays the status of the reports being generated. After the reports are generated, Kaspersky Anti Targeted Attack Platform sends report files in PDF format to the email addresses specified in the report template. If an email address is not defined in the report template, you can individually export generated reports to files manually on the Generated reports tab. The maximum size of a report file is 10 MB.
If necessary, you can cancel the generation of the report.
Duplicating an NDR report template
You can create custom templates by duplicating existing report templates. You can duplicate system templates or custom templates. When duplicating a template, you cannot choose which information blocks to include in the report or rearrange them.
The maximum number of templates in the application is 5000.
To duplicate a report template:
- Select the Reports section, then the Reports (NDR) subsection.
- On the Report templates tab, select the relevant template.
The details area is displayed in the right part of the web interface window.
- Click Create new template.
- In the Name field, edit the name of the report template.
You can use Latin and Cyrillic letters, numerals, the space character, as well as -, –, _ characters.
The name of the report template must satisfy the following requirements:
- Does not reuse the name of another report template (case-insensitive).
- Contains up to 100 characters.
Names of reports generated from the updated template will reflect the new name of the template.
- In the Data period drop-down list, select the time period for which you want to get system information in the report.
You can generate reports with information received by the application within the last 24 hours, 7 days, 30 days, the last year, or a manually configured time frame.
- If you need to generate reports on a schedule, turn on the Generate report by schedule toggle switch and set up a schedule:
- In the Frequency drop-down list, select how often you want to generate the report: Hourly, Daily, Weekly, or Monthly.
- Depending on the selected option, specify the values for the settings to refine the report generation start time.
- If necessary, use the Recipient addresses field to enter the email address to which you want to send the generated reports. If you need to specify additional recipients of the report, click Add recipient address and enter the email address.
The maximum number of report recipients is 20.
- Click Save.
The new report is added to the table of report templates.
Editing an NDR report template
To edit the settings of a report template:
- Select the Reports section, then the Reports (NDR) subsection.
- On the Report templates tab, select the relevant template.
The details area is displayed in the right part of the web interface window.
- Click Edit.
- In the Name field, edit the name of the report template.
You can use Latin and Cyrillic letters, numerals, the space character, as well as -, –, _ characters.
The name of the report template must satisfy the following requirements:
- Does not reuse the name of another report template (case-insensitive).
- Contains up to 100 characters.
Names of reports generated from the updated template will reflect the new name of the template.
- In the Data period drop-down list, select the time period for which you want to get system information in the report.
You can generate reports with information received by the application within the last 24 hours, 7 days, 30 days, the last year, or a manually configured time frame.
- If you need to generate reports on a schedule, turn on the Generate report by schedule toggle switch and set up a schedule:
- In the Frequency drop-down list, select how often you want to generate the report: Hourly, Daily, Weekly, or Monthly.
- Depending on the selected option, specify the values for the settings to refine the report generation start time.
- If necessary, use the Recipient addresses field to enter the email address to which you want to send the generated reports. If you need to specify additional recipients of the report, click Add recipient address and enter the email address.
The maximum number of report recipients is 20.
- Click Save.
The changes are displayed in the corresponding columns of the table of report templates.
Exporting an NDR report to a file
You can export the generated report to a PDF file.
To export a report to a file:
- In the Reports section, select the Reports (NDR) subsection.
- On the Generated reports tab, select the relevant report.
The reports are filtered by the IDs of the reports that were started last in the current Server connection session. To display all generated reports, reset the filter settings by clicking Default filter. If necessary, you can configure filtering by a time period of your choice.
The details area is displayed in the right part of the web interface window.
- Click Export.
The browser saves the report file. By default, the report file has a name in the <report name>_<date and time when the report was generated> format. Depending on your browser's settings, a window may be displayed on your screen in which you can specify the path and name of the downloaded file.
Deleting an NDR report template
Only custom report templates can be deleted.
To delete a report template:
- Select the Reports section, then the Reports (NDR) subsection.
- On the Report templates tab, select one or more report templates that you want to delete.
- Click Delete.
System templates cannot be deleted. In the table of report templates, system templates are displayed with the icon.
- In the displayed prompt window, confirm the deletion of report templates.
Deleting an NDR report
To delete a report:
- Select the Reports section, then the Reports (NDR) subsection.
- On the Generated reports tab, select one or more reports that you want to delete.
The reports in the table of reports are filtered by the IDs of the reports that were started last in the current Server connection session. To display all generated reports, reset the filter settings by clicking Default filter. If necessary, you can configure filtering by a time period of your choice.
The details area is displayed in the right part of the web interface window.
- Click Delete.
- In the displayed prompt window, confirm the deletion of the report.
Canceling NDR report generation
You can cancel report generation only for a report with the In progress status.
To cancel report generation:
- Select the Reports section, then the Reports (NDR) subsection.
- On the Generated reports tab, select the report with the In progress status that you want to cancel.
The details area is displayed in the right part of the web interface window.
- Click Cancel.
- In the displayed prompt window, confirm the cancellation of the report.
After this request is completed, the report status changes to Canceled.
Managing the settings for storing report files
You can change the maximum total size limit for stored report files.
To edit report file storage settings:
- Log in to the web interface with the application administrator account.
- Select the Sensor servers section.
- Select the card of the local host (IP address 0.0.0.0).
The details area is displayed in the right part of the web interface window.
- Click Edit.
In the details area, tabs are displayed, on which you can manage the settings of the server.
- On the General tab, under Reports, use the Max volume setting to set a size limit for the stored report files.
You can select the unit of measure for the size limit: MB or GB.
When editing the value, you also need to take into account that the sum total of all size limits may not exceed the specified maximum storage capacity for the node.
- If necessary, use the Storage time (days) setting to limit the storage duration of report files, and specify the duration in days.
- Click Save.