Kaspersky Security Center 13.1


Monitoring and reporting

This section describes the monitoring and reporting capabilities of Kaspersky Security Center. These capabilities give you an overview of your infrastructure, protection statuses, and statistics.

After Kaspersky Security Center deployment or during the operation, you can configure the monitoring and reporting features to best suit your needs.

In this section

Scenario: Monitoring and reporting

About types of monitoring and reporting

Dashboard and widgets

Reports

Events and event selections

Notifications and device statuses

Kaspersky announcements

Viewing information about the detects of threats

[Topic 165803]

Scenario: Monitoring and reporting

This section provides a scenario for configuring the monitoring and reporting feature in Kaspersky Security Center.

Prerequisites

After you deploy Kaspersky Security Center in an organization's network you can start to monitor it and generate reports on its functioning.

Monitoring and reporting in an organization's network proceeds in stages:

  1. Configuring the switching of device statuses

    Get acquainted with the settings for device statuses depending on specific conditions. By changing these settings, you can change the number of events with Critical or Warning importance levels. When configuring the switching of device statuses, be sure of the following:

    • New settings do not conflict with the information security policies of your organization.
    • You are able to react to important security events in your organization's network in a timely manner.
  2. Configuring notifications about events on client devices

    How-to instructions:

    Configure notification (by email, by SMS, or by running an executable file) of events on client devices

  3. Changing the response of your security network to the Virus outbreak event

    You can change the specific thresholds in the Administration Server properties. You can also create a stricter policy that will be activated or create a task that will be run at the occurrence of this event.

  4. Performing recommended actions for Critical and Warning notifications

    How-to instructions:

    Perform recommended actions for your organization's network

  5. Reviewing the security status of your organization's network

    How-to instructions:

  6. Locating client devices that are not protected

    How-to instructions:

  7. Checking protection of client devices

    How-to instructions:

  8. Evaluating and limiting the event load on the database

    Information about events that occur during operation of managed applications is transferred from a client device and registered in the Administration Server database. To reduce the load on the Administration Server, evaluate and limit the maximum number of events that can be stored in the database.

    How-to instructions:

  9. Reviewing license information

    How-to instructions:

Results

Upon completion of the scenario, you are informed about protection of your organization's network and, thus, can plan actions for further protection.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 180118]

About types of monitoring and reporting

Information on security events in an organization's network is stored in the Administration Server database. Based on the events, Kaspersky Security Center 13.1 Web Console provides the following types of monitoring and reporting in your organization's network:

  • Dashboard
  • Reports
  • Event selections
  • Notifications

Dashboard

The dashboard allows you to monitor security trends on your organization's network by providing you with a graphical display of information.

Reports

The Reports feature allows you to get detailed numerical information about the security of your organization's network, save this information to a file, send it by email, and print it.

Event selections

Event selections provide an onscreen view of named sets of events that are selected from the Administration Server database. These sets of events are grouped according to the following categories:

  • By importance level—Critical events, Functional failures, Warnings, and Info events
  • By time—Recent events
  • By type—User requests and Audit events

You can create and view user-defined event selections based on the settings available for configuration in the Kaspersky Security Center 13.1 Web Console interface.

Notifications

Notifications alert you about events and help you to speed up your responses to these events by performing recommended actions or actions you consider as appropriate.

[Topic 180005]

Dashboard and widgets

This section contains information about the dashboard and the widgets that the dashboard provides. The section includes instructions on how to manage widgets and configure widget settings.

In this section

Using the dashboard

Adding widgets to the dashboard

Hiding a widget from the dashboard

Moving a widget on the dashboard

Changing the widget size or appearance

Changing widget settings

[Topic 233381]

Using the dashboard

The dashboard allows you to monitor security trends on your organization's network by providing you with a graphical display of information.

The dashboard is available in the Kaspersky Security Center 13.1 Web Console, in the MONITORING & REPORTING section, by clicking DASHBOARD.

The dashboard provides widgets that can be customized. You can choose from a large number of different widgets, presented as pie charts or donut charts, tables, graphs, bar charts, and lists. The information displayed in widgets is updated automatically, with an update period of one to two minutes; the interval between updates varies for different widgets. You can refresh the data on a widget manually at any time by means of the settings menu.

By default, widgets include information about all events stored in the database of Administration Server.

Kaspersky Security Center 13.1 Web Console has a default set of widgets for the following categories:

  • Protection status
  • Deployment
  • Updating
  • Threat statistics
  • Other

Some widgets have text information with links. You can view detailed information by clicking a link.

When configuring the dashboard, you can add widgets that you need, hide widgets that you do not need, change the size or appearance of widgets, move widgets, and change their settings.

See also:

Scenario: Installation and initial setup of Kaspersky Security Center 13.1 Web Console

Scenario: Monitoring and reporting

[Topic 166064]

Adding widgets to the dashboard

To add widgets to the dashboard:

  1. In the main menu, go to MONITORING & REPORTING → DASHBOARD.
  2. Click the Add or restore web widget button.
  3. In the list of available widgets, select the widgets that you want to add to the dashboard.

    Widgets are grouped by category. To view the list of widgets included in a category, click the chevron icon next to the category name.

  4. Click the Add button.

The selected widgets are added at the end of the dashboard.

You can now edit the representation and parameters of the added widgets.

See also:

Scenario: Monitoring and reporting

[Topic 176350]

Hiding a widget from the dashboard

To hide a displayed widget from the dashboard:

  1. In the main menu, go to MONITORING & REPORTING → DASHBOARD.
  2. Click the settings icon next to the widget that you want to hide.
  3. Select Hide web widget.
  4. In the Warning window that opens, click OK.

The selected widget is hidden. Later, you can add this widget to the dashboard again.

See also:

Scenario: Monitoring and reporting

[Topic 176354]

Moving a widget on the dashboard

To move a widget on the dashboard:

  1. In the main menu, go to MONITORING & REPORTING → DASHBOARD.
  2. Click the settings icon next to the widget that you want to move.
  3. Select Move.
  4. Click the place to which you want to move the widget. You can select only another widget.

The places of the selected widgets are swapped.

See also:

Scenario: Monitoring and reporting

[Topic 176362]

Changing the widget size or appearance

For widgets that display a graph, you can change its representation—a bar chart or a line chart. For some widgets, you can change their size: compact, medium, or maximum.

To change the widget representation:

  1. In the main menu, go to MONITORING & REPORTING → DASHBOARD.
  2. Click the settings icon next to the widget that you want to edit.
  3. Do one of the following:
    • To display the widget as a bar chart, select Chart type: Bars.
    • To display the widget as a line chart, select Chart type: Lines.
    • To change the area occupied by the widget, select one of the values:
      • Compact
      • Compact (bar only)
      • Medium (donut chart)
      • Medium (bar chart)
      • Maximum

The representation of the selected widget is changed.

See also:

Scenario: Monitoring and reporting

[Topic 176369]

Changing widget settings

To change settings of a widget:

  1. In the main menu, go to MONITORING & REPORTING → DASHBOARD.
  2. Click the settings icon next to the widget that you want to change.
  3. Select Show settings.
  4. In the widget settings window that opens, change the widget settings as required.
  5. Click Save to save the changes.

The settings of the selected widget are changed.

The set of settings depends on the specific widget. Below are some of the common settings:

  • Web widget scope (the set of objects for which the widget displays information)—for example, an administration group or device selection.
  • Select task (the task for which the widget displays information).
  • Time interval (the time interval during which the information is displayed in the widget)—between the two specified dates; from the specified date to the current day; or from the current day minus the specified number of days to the current day.
  • Set to Critical if these are specified and Set to Warning if these are specified (the rules that determine the color of a traffic light).

See also:

Scenario: Monitoring and reporting

[Topic 176370]

Reports

This section describes how to use reports, manage custom report templates, use report templates to generate new reports, and create report delivery tasks.

In this section

Using reports

Creating a report template

Viewing and editing report template properties

Exporting a report to a file

Generating and viewing a report

Creating a report delivery task

Deleting report templates

[Topic 233382]

Using reports

The Reports feature allows you to get detailed numerical information about the security of your organization's network, save this information to a file, send it by email, and print it.

Reports are available in the Kaspersky Security Center 13.1 Web Console, in the MONITORING & REPORTING section, by clicking REPORTS.

By default, reports include information for the last 30 days.

Kaspersky Security Center has a default set of reports for the following categories:

  • Protection status
  • Deployment
  • Updating
  • Threat statistics
  • Other

You can create custom report templates, edit report templates, and delete them.

You can create reports that are based on existing templates, export reports to files, and create tasks for report delivery.

See also:

Scenario: Installation and initial setup of Kaspersky Security Center 13.1 Web Console

Scenario: Monitoring and reporting

[Topic 166065]

Creating a report template

To create a report template:

  1. In the main menu, go to MONITORING & REPORTING → REPORTS.
  2. Click Add.

    The New Report Template Wizard starts. Proceed through the Wizard by using the Next button.

  3. On the first page of the Wizard, enter the report name and select the report type.
  4. On the Scope page of the Wizard, select the set of client devices (administration group, device selection, selected devices, or all networked devices) whose data will be displayed in reports that are based on this report template.
  5. On the Reporting period page of the Wizard, specify the report period. Available values are as follows:
    • Between the two specified dates
    • From the specified date to the report creation date
    • From the report creation date, minus the specified number of days, to the report creation date

    This page may not appear for some reports.

  6. Click OK to close the Wizard.
  7. Do one of the following:
    • Click the Save and run button to save the new report template and to run a report based on it.

      The report template is saved. The report is generated.

    • Click the Save button to save the new report template.

      The report template is saved.

You can use the new template for generating and viewing reports.

See also:

Scenario: Monitoring and reporting

[Topic 176425]

Viewing and editing report template properties


You can view and edit basic properties of a report template, for example, the report template name or the fields displayed in the report.

To view and edit properties of a report template:

  1. In the main menu, go to MONITORING & REPORTING → REPORTS.
  2. Select the check box next to the report template whose properties you want to view and edit.

    As an alternative, you can first generate the report, and then click the Edit button.

  3. Click the Open report template properties button.

    The Editing report <Report name> window opens with the General tab selected.

  4. Edit the report template properties:
    • General tab:
      • Report template name
      • Maximum number of entries to display

        If this option is enabled, the number of entries displayed in the table with detailed report data does not exceed the specified value.

        Report entries are first sorted according to the rules specified in the Fields → Details fields section of the report template properties, and then only the first entries, up to the specified number, are kept. The heading of the table with detailed report data shows the number of entries displayed and the total number of available entries that match the other report template settings.

        If this option is disabled, the table with detailed report data displays all available entries. We do not recommend that you disable this option. Limiting the number of displayed report entries reduces the load on the database management system (DBMS) and reduces the time required for generating and exporting the report. Some of the reports contain too many entries. If this is the case, you may find it difficult to read and analyze them all. Also, your device may run out of memory while generating such a report and, consequently, you will not be able to view the report.

        By default, this option is enabled. The default value is 1000.

      • Group

        Click the Settings button to change the set of client devices for which the report is created. For some types of the reports, the button may be unavailable. The actual settings depend on the settings specified during creation of the report template.

      • Time interval

        Click the Settings button to modify the report period. For some types of the reports, the button may be unavailable. Available values are as follows:

        • Between the two specified dates
        • From the specified date to the report creation date
        • From the report creation date, minus the specified number of days, to the report creation date
      • Include data from secondary and virtual Administration Servers

        If this option is enabled, the report includes the information from the secondary and virtual Administration Servers that are subordinate to the Administration Server for which the report template is created.

        Disable this option if you want to view data only from the current Administration Server.

        By default, this option is enabled.

      • Up to nesting level

        The report includes data from secondary and virtual Administration Servers that are located under the current Administration Server on a nesting level that is less than or equal to the specified value.

        The default value is 1. You may want to change this value if you have to retrieve information from secondary Administration Servers located at lower levels in the tree.

      • Data wait interval (min)

        Before generating the report, the Administration Server for which the report template is created waits for data from secondary Administration Servers during the specified number of minutes. If no data is received from a secondary Administration Server at the end of this period, the report runs anyway. Instead of the actual data, the report shows data taken from the cache (if the Cache data from secondary Administration Servers option is enabled), or N/A (not available) otherwise.

        The default value is 5 (minutes).

      • Cache data from secondary Administration Servers

        Secondary Administration Servers regularly transfer data to the Administration Server for which the report template is created. There, the transferred data is stored in the cache.

        If the current Administration Server cannot receive data from a secondary Administration Server while generating the report, the report shows data taken from the cache. The date when the data was transferred to the cache is also displayed.

        Enabling this option allows you to view the information from secondary Administration Servers even if the up-to-date data cannot be retrieved. However, the displayed data can be obsolete.

        By default, this option is disabled.

      • Cache update frequency (h)

        Secondary Administration Servers transfer data at regular intervals to the Administration Server for which the report template is created. You can specify this period in hours. If you specify 0 hours, data is transferred only when the report is generated.

        The default value is 0.

      • Transfer detailed information from secondary Administration Servers

        In the generated report, the table with detailed report data includes data from secondary Administration Servers of the Administration Server for which the report template is created.

        Enabling this option slows the report generation and increases traffic between Administration Servers. However, you can view all data in one report.

        Instead of enabling this option, you may want to analyze detailed report data to detect a faulty secondary Administration Server, and then generate the same report only for that faulty Administration Server.

        By default, this option is disabled.

    • Fields tab

      Select the fields that will be displayed in the report, and use the Move up button and Move down button to change the order of these fields. Use the Add button or Edit button to specify whether the information in the report must be sorted and filtered by each of the fields.

      In the Filters of Details fields section, you can also click the Convert filters button to start using the extended filtering format. This format enables you to combine filtering conditions specified in various fields by using the logical OR operation. After you click the button, the Convert filters panel opens on the right. Click the Convert filters button to confirm conversion. You can now define a converted filter with conditions from the Details fields section that are applied by using the logical OR operation.

      Conversion of a report to the format supporting complex filtering conditions will make the report incompatible with the previous versions of Kaspersky Security Center (11 and earlier). Also, the converted report will not contain any data from secondary Administration Servers running such incompatible versions.

  5. Click Save to save the changes.
  6. Close the Editing report <Report name> window.

The updated report template appears in the list of report templates.
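As an added illustration (not Kaspersky code), the following Python model shows how the Include data from secondary and virtual Administration Servers, Up to nesting level, Data wait interval and Cache data from secondary Administration Servers options combine when report rows are gathered: a secondary that does not answer within the wait interval contributes cached data (with its cache date) when caching is enabled, or N/A otherwise. The server hierarchy, response delays and counters are constructed for the example.

```python
"""Model of report data collection from secondary Administration Servers.

Added example, not Kaspersky code. The hierarchy, delays and counters below
are constructed; the option defaults mirror the ones documented above.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Union


@dataclass
class SecondaryServer:
    name: str
    nesting_level: int                    # 1 = directly under the current Server
    response_delay: Optional[timedelta]   # None = never answers
    data: Dict[str, int]                  # live counters it would report
    cached: Optional[Dict[str, int]] = None   # last data transferred to the cache
    cached_at: Optional[datetime] = None      # when that cache entry was taken


@dataclass
class ReportOptions:
    include_secondary: bool = True                        # default: enabled
    up_to_nesting_level: int = 1                          # default: 1
    data_wait_interval: timedelta = timedelta(minutes=5)  # default: 5 minutes
    cache_data: bool = False                              # default: disabled


@dataclass
class ReportRow:
    server: str
    data: Union[Dict[str, int], str]      # counters, or the string "N/A"
    cached_at: Optional[datetime] = None  # set only when the row came from cache


def collect_rows(servers: List[SecondaryServer], opts: ReportOptions) -> List[ReportRow]:
    """Build one row per secondary Server that the options allow into the report."""
    rows: List[ReportRow] = []
    if not opts.include_secondary:
        return rows
    for s in servers:
        if s.nesting_level > opts.up_to_nesting_level:
            continue  # deeper than the configured nesting level: not included at all
        answered_in_time = (
            s.response_delay is not None and s.response_delay <= opts.data_wait_interval
        )
        if answered_in_time:
            rows.append(ReportRow(s.name, s.data))
        elif opts.cache_data and s.cached is not None:
            rows.append(ReportRow(s.name, s.cached, s.cached_at))  # possibly obsolete
        else:
            rows.append(ReportRow(s.name, "N/A"))
    return rows


# Constructed hierarchy: two direct secondaries (one unreachable) and one at level 2.
SAMPLE_SERVERS = [
    SecondaryServer("branch-a", 1, timedelta(seconds=40), {"devices": 120, "threats": 3}),
    SecondaryServer("branch-b", 1, None, {"devices": 80, "threats": 0},
                    cached={"devices": 78, "threats": 1},
                    cached_at=datetime(2021, 6, 14, 3, 0)),
    SecondaryServer("branch-b-site2", 2, timedelta(minutes=1), {"devices": 25, "threats": 0}),
]


def run_report(wait_seconds: int = 300, cache_data: bool = False,
               nesting_level: int = 1) -> List[ReportRow]:
    """Run the model against the sample hierarchy with the given option values."""
    opts = ReportOptions(up_to_nesting_level=nesting_level,
                         data_wait_interval=timedelta(seconds=wait_seconds),
                         cache_data=cache_data)
    return collect_rows(SAMPLE_SERVERS, opts)


def summarize(rows: List[ReportRow]) -> Dict[str, Union[Dict[str, int], str]]:
    """Map server name to its data (or "N/A") for quick inspection."""
    return {r.server: r.data for r in rows}


if __name__ == "__main__":
    for row in run_report(cache_data=True, nesting_level=2):
        stale = f" (cached {row.cached_at:%Y-%m-%d})" if row.cached_at else ""
        print(f"{row.server}: {row.data}{stale}")
```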

[Topic 176428]

Exporting a report to a file

You can export a report to an XML, HTML, or PDF file.

To export a report to a file:

  1. In the main menu, go to MONITORING & REPORTING → REPORTS.
  2. Select the check box next to the report that you want to export to a file.
  3. Click the Export report button.
  4. In the window that opens, change the report file name in the Name field. By default, the file name coincides with the name of the selected report template.
  5. Select the report file type: XML, HTML, or PDF.
  6. Click the Export report button.

    The report in the selected format is downloaded to your device (to the default download folder), or a standard Save as window opens in your browser so that you can choose where to save the file.

The report is saved to the file.

See also:

Scenario: Monitoring and reporting

[Topic 176429]

Generating and viewing a report

To create and view a report:

  1. In the main menu, go to MONITORING & REPORTING → REPORTS.
  2. Click the name of the report template that you want to use to create a report.

A report using the selected template is generated and displayed.

Report data is displayed according to the localization set for the Administration Server.

The report displays the following data:

  • On the Summary tab:
    • The name and type of report, a brief description and the reporting period, as well as information about the group of devices for which the report is generated.
    • Graph chart showing the most representative report data.
    • Consolidated table with calculated report indicators.
  • On the Details tab, a table with detailed report data is displayed.

See also:

Scenario: Updating third-party software

Scenario: Monitoring and reporting

[Topic 176423]

Creating a report delivery task

You can create a task that will deliver selected reports.

To create a report delivery task:

  1. In the main menu, go to MONITORING & REPORTING → REPORTS.
  2. [Optional] Select the check boxes next to the report templates for which you want to create a report delivery task.
  3. Click the New report delivery task button.
  4. The Add Task Wizard starts. Proceed through the Wizard by using the Next button.
  5. On the first page of the Wizard, enter the task name. The default name is Deliver reports (<N>), where <N> is the sequence number of the task.
  6. On the task settings page of the Wizard, specify the following settings:
    1. Report templates to be delivered by the task. If you selected them at step 2, skip this step.
    2. The report format: HTML, XLS, or PDF.
    3. Whether the reports are to be sent by email, together with email notification settings.
    4. Whether the reports are to be saved to a folder, whether previously saved reports in this folder are to be overwritten, and whether a specific account is to be used to access the folder (for a shared folder).
  7. If you want to modify other task settings after the task is created, on the Finish task creation page of the Wizard enable the Open task details when creation is complete option.
  8. Click the Create button to create the task and close the Wizard.

    The report delivery task is created. If you enabled the Open task details when creation is complete option, the task settings window opens.

See also:

Scenario: Monitoring and reporting

[Topic 176430]

Deleting report templates

To delete one or several report templates:

  1. In the main menu, go to MONITORING & REPORTING → REPORTS.
  2. Select check boxes next to the report templates that you want to delete.
  3. Click the Delete button.
  4. In the window that opens, click OK to confirm your selection.

The selected report templates are deleted. If these report templates were included in the report delivery tasks, they are also removed from the tasks.

See also:

Scenario: Monitoring and reporting

[Topic 176417]

Events and event selections

This section provides information about events and event selections, about the types of events that occur in Kaspersky Security Center components, and about managing frequent events blocking.

In this section

Using event selections

Creating an event selection

Editing an event selection

Viewing a list of an event selection

Viewing details of an event

Exporting events to a file

Viewing an object history from an event

Deleting events

Deleting event selections

Setting the storage term for an event

Event types

Blocking frequent events

[Topic 233383]

Using event selections

Event selections provide an onscreen view of named sets of events that are selected from the Administration Server database. These sets of events are grouped according to the following categories:

  • By importance level—Critical events, Functional failures, Warnings, and Info events
  • By time—Recent events
  • By type—User requests and Audit events

You can create and view user-defined event selections based on the settings available for configuration in the Kaspersky Security Center 13.1 Web Console interface.

Event selections are available in the Kaspersky Security Center 13.1 Web Console, in the MONITORING & REPORTING section, by clicking EVENT SELECTIONS.

By default, event selections include information for the last seven days.

Kaspersky Security Center has a default set of predefined event selections:

  • Events with different importance levels:
    • Critical events
    • Functional failures
    • Warnings
    • Informational messages
  • User requests (events of managed applications)
  • Recent events (over the last week)
  • Audit events

You can also create and configure additional user-defined selections. In user-defined selections, you can filter events by the properties of the devices they originated from (device names, IP ranges, and administration groups), by event types and severity levels, by application and component name, and by time interval. It is also possible to include task results in the search scope. You can also use a simple search field where a word or several words can be typed. All events that contain any of the typed words anywhere in their attributes (such as event name, description, component name) are displayed.

Both for predefined and user-defined selections, you can limit the number of displayed events or the number of records to search. Both options affect the time it takes Kaspersky Security Center to display the events. The larger the database is, the more time-consuming the process can be.
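As an added example (not Kaspersky code), the following Python model reproduces the selection semantics described above: structured criteria all have to hold, the simple search field includes an event when any typed word occurs anywhere in its text attributes, and a display limit caps what is shown while the total match count is still reported. The sample events and field names are constructed for the example.

```python
"""Model of a Kaspersky Security Center event selection (added example, not product code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    time: datetime
    name: str
    description: str
    severity: str          # Critical, Functional failure, Warning or Info
    application: str
    component: str
    device_name: str
    device_ip: str
    admin_group: str


@dataclass
class EventSelection:
    """A criterion left at None/[] means "no restriction" (constructed field set)."""
    severities: Optional[Set[str]] = None
    event_names: Optional[Set[str]] = None
    applications: Optional[Set[str]] = None
    components: Optional[Set[str]] = None
    device_names: Optional[Set[str]] = None
    ip_ranges: Optional[List[str]] = None     # CIDR notation, e.g. "10.1.2.0/24"
    admin_groups: Optional[Set[str]] = None
    since: Optional[datetime] = None
    until: Optional[datetime] = None
    search_words: List[str] = field(default_factory=list)
    max_displayed: Optional[int] = None

    def matches(self, ev: Event) -> bool:
        # Structured filters: every specified criterion must hold (logical AND).
        checks = [
            (self.severities, ev.severity), (self.event_names, ev.name),
            (self.applications, ev.application), (self.components, ev.component),
            (self.device_names, ev.device_name), (self.admin_groups, ev.admin_group),
        ]
        if any(allowed and value not in allowed for allowed, value in checks):
            return False
        if self.ip_ranges and not any(
            ip_address(ev.device_ip) in ip_network(r) for r in self.ip_ranges
        ):
            return False
        if self.since and ev.time < self.since:
            return False
        if self.until and ev.time > self.until:
            return False
        # Simple search field: any typed word found in any text attribute (logical OR).
        if self.search_words:
            haystack = " ".join(
                (ev.name, ev.description, ev.component, ev.application, ev.device_name)
            ).lower()
            if not any(w.lower() in haystack for w in self.search_words):
                return False
        return True

    def run(self, events: List[Event]) -> Tuple[List[Event], int]:
        """Return (events to display, newest first; total number of matches)."""
        hits = sorted((e for e in events if self.matches(e)),
                      key=lambda e: e.time, reverse=True)
        total = len(hits)
        if self.max_displayed is not None:
            hits = hits[: self.max_displayed]   # display limit, total still reported
        return hits, total


# Constructed sample events, timed relative to a fixed "now" so results are reproducible.
NOW = datetime(2021, 6, 15, 12, 0)
SAMPLE_EVENTS = [
    Event(NOW - timedelta(hours=1), "Malicious object detected", "Object quarantined: EICAR-Test-File",
          "Critical", "Kaspersky Endpoint Security", "File Threat Protection", "WS-0042", "10.1.2.42", "Workstations"),
    Event(NOW - timedelta(hours=3), "Virus outbreak", "Detection threshold exceeded",
          "Critical", "Administration Server", "Event processing", "KSC-SRV", "10.1.0.10", "Managed devices"),
    Event(NOW - timedelta(days=2), "Databases are out of date", "Last update 3 days ago",
          "Warning", "Kaspersky Endpoint Security", "Update", "WS-0017", "10.1.2.17", "Workstations"),
    Event(NOW - timedelta(days=10), "Task completed", "Update task finished",
          "Info", "Network Agent", "Task manager", "WS-0017", "10.1.2.17", "Workstations"),
    Event(NOW - timedelta(days=1), "Audit: policy modified", "Policy Workstations changed by admin",
          "Info", "Administration Server", "Audit", "KSC-SRV", "10.1.0.10", "Managed devices"),
]


def predefined_critical(events=SAMPLE_EVENTS):
    """Equivalent of the predefined Critical events selection."""
    return EventSelection(severities={"Critical"}).run(events)


def recent_events(events=SAMPLE_EVENTS, now=NOW):
    """Equivalent of the predefined Recent events selection (last seven days)."""
    return EventSelection(since=now - timedelta(days=7)).run(events)


def keyword_search(words, events=SAMPLE_EVENTS):
    """Simple search field: OR over the typed words, across all text attributes."""
    return EventSelection(search_words=list(words)).run(events)


if __name__ == "__main__":
    shown, total = EventSelection(severities={"Critical"}, max_displayed=1).run(SAMPLE_EVENTS)
    print(f"showing {len(shown)} of {total} critical events: {[e.name for e in shown]}")
```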

You can do the following:

See also:

Device selections

Scenario: Installation and initial setup of Kaspersky Security Center 13.1 Web Console

[Topic 166234]

Creating an event selection

To create an event selection:

  1. In the main menu, go to MONITORING & REPORTING → EVENT SELECTIONS.
  2. Click Add.
  3. In the New event selection window that opens, specify the settings of the new event selection. Do this in one or more of the sections in the window.
  4. Click Save to save the changes.

    The confirmation window opens.

  5. To view the event selection result, keep the Go to selection result check box selected.
  6. Click Save to confirm the event selection creation.

If you kept the Go to selection result check box selected, the event selection result is displayed. Otherwise, the new event selection appears in the list of event selections.

See also:

Scenario: Monitoring and reporting

[Topic 176385]

Editing an event selection

To edit an event selection:

  1. In the main menu, go to MONITORING & REPORTING → EVENT SELECTIONS.
  2. Select the check box next to the event selection that you want to edit.
  3. Click the Properties button.

    An event selection settings window opens.

  4. Edit the properties of the event selection.

    For predefined event selections, you can edit only the properties on the following tabs: General (except for the selection name), Time, and Access rights.

    For user-defined selections, you can edit all properties.

  5. Click Save to save the changes.

The edited event selection is shown in the list.

See also:

Scenario: Monitoring and reporting

[Topic 177708]

Viewing a list of an event selection

To view an event selection:

  1. In the main menu, go to MONITORING & REPORTING → EVENT SELECTIONS.
  2. Select the check box next to the event selection that you want to start.
  3. Do one of the following:
    • If you want to configure sorting in the event selection result, do the following:
      1. Click the Reconfigure sorting and start button.
      2. In the displayed Reconfigure sorting for event selection window, specify the sorting settings.
      3. Click the name of the selection.
    • Otherwise, if you want to view the list of events as they are sorted on the Administration Server, click the name of the selection.

The event selection result is displayed.

See also:

Scenario: Monitoring and reporting

[Topic 176415]

Viewing details of an event
To view details of an event:

  1. Start an event selection.
  2. Click the time of the required event.

    The Event properties window opens.

  3. In the displayed window, you can do the following:
    • View the information about the selected event
    • Go to the next event and the previous event in the event selection result
    • Go to the device on which the event occurred
    • Go to the administration group that includes the device on which the event occurred
    • For an event related to a task, go to the task properties

See also:

Scenario: Monitoring and reporting

[Topic 171287]

Exporting events to a file

To export events to a file:

  1. Start an event selection.
  2. Select the check box next to the required event.
  3. Click the Export to file button.

The selected event is exported to a file.

See also:

Scenario: Monitoring and reporting

[Topic 178646]

Viewing an object history from an event

From an event of creation or modification of an object that supports revision management, you can switch to the revision history of the object.

To view an object history from an event:

  1. Start an event selection.
  2. Select the check box next to the required event.
  3. Click the Revision history button.

The revision history of the object is opened.

See also:

Scenario: Monitoring and reporting

[Topic 177727]

Deleting events

To delete one or several events:

  1. Start an event selection.
  2. Select the check boxes next to the required events.
  3. Click the Delete button.

The selected events are deleted and cannot be restored.

See also:

Scenario: Monitoring and reporting

[Topic 178626]

Deleting event selections

You can delete only user-defined event selections. Predefined event selections cannot be deleted.

To delete one or several event selections:

  1. In the main menu, go to MONITORING & REPORTING → EVENT SELECTIONS.
  2. Select the check boxes next to the event selections that you want to delete.
  3. Click Delete.
  4. In the window that opens, click OK.

The event selection is deleted.

See also:

Scenario: Monitoring and reporting

[Topic 176418]

Setting the storage term for an event

Kaspersky Security Center allows you to receive information about events that occur during the operation of Administration Server and Kaspersky applications installed on managed devices. Information about events is saved in the Administration Server database. You might need to store some events for a longer or shorter period of time than specified by default values. You can change the default settings of the storage term for an event.

If you are not interested in storing some events in the database of Administration Server, you can disable the appropriate setting in the Administration Server policy and Kaspersky application policy, or in the Administration Server properties (only for Administration Server events). This will reduce the number of event types in the database.

The longer the storage term for an event, the faster the database reaches its maximum capacity. However, a longer storage term for an event lets you perform monitoring and reporting tasks for a longer period of time.

To set the storage term for an event in the database of Administration Server:

  1. In the main menu, go to DEVICES → POLICIES & PROFILES.
  2. Do one of the following:
    • To configure the storage term of the events of Network Agent or of a managed Kaspersky application, click the name of the corresponding policy.

      The policy properties page opens.

    • To configure Administration Server events, at the top of the screen, click the settings icon next to the name of the required Administration Server.

      If you have a policy for the Administration Server, you can click the name of this policy instead.

      The Administration Server properties page (or the Administration Server policy properties page) opens.

  3. Select the Event configuration tab.

    A list of event types related to the Critical section is displayed.

  4. Select the Functional failure, Warning, or Info section.
  5. In the list of event types in the right pane, click the link for the event whose storage term you want to change.

    In the Event registration section of the window that opens, the Store in the Administration Server database for (days) option is enabled.

  6. In the edit box below this toggle button, enter the number of days to store the event.
  7. If you do not want to store an event in the Administration Server database, disable the Store in the Administration Server database for (days) option.

    If you configure Administration Server events in the Administration Server properties window and the event settings are locked in the Kaspersky Security Center Administration Server policy, you cannot redefine the storage term there: the locked policy value applies.

  8. Click OK.

    The properties window of the policy is closed.

From now on, when Administration Server receives and stores the events of the selected type, they will have the changed storage term. Administration Server does not change the storage term of previously received events.

Page top
[Topic 178622]

Event types

Each Kaspersky Security Center component has its own set of event types. This section lists types of events that occur in Kaspersky Security Center Administration Server, Network Agent, iOS MDM Server, and Exchange Mobile Device Server. Types of events that occur in Kaspersky applications are not listed in this section.

In this section

Data structure of event type description

Administration Server events

Network Agent events

iOS MDM Server events

Exchange Mobile Device Server events

Page top
[Topic 151336_1]

Data structure of event type description

For each event type, its display name, identifier (ID), alphabetic code, description, and the default storage term are provided.

  • Event type display name. This text is displayed in Kaspersky Security Center when you configure events and when they occur.
  • Event type ID. This numerical code is used when you process events by using third-party tools for event analysis.
  • Event type (alphabetic code). This code is used when you browse and process events by using public views that are provided in the Kaspersky Security Center database and when events are exported to a SIEM system.
  • Description. This text contains the situations when an event occurs and what you can do in such a case.
  • Default storage term. This is the number of days during which the event is stored in the Administration Server database and is displayed in the list of events on Administration Server. After this period elapses, the event is deleted. If the event storage term value is 0, such events are detected but are not displayed in the list of events on Administration Server. If you configured to save such events to the operating system event log, you can find them there.

    You can change the storage term for events (see Setting the storage term for an event).

Other data may include the following fields:

  • event_id: unique number of the event in the database, generated and assigned automatically; not to be confused with Event type ID.
  • task_id: the ID of the task that caused the event (if any)
  • severity: one of the following severity levels, in ascending order of severity: 0 (Invalid severity level), 1 (Info), 2 (Warning), 3 (Error), 4 (Critical)
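The retention rules described in this section, as an added Python example (this is not Kaspersky Security Center code): a per-type storage term, 0 meaning "not stored", the term fixed at the moment Administration Server receives the event, and a term locked in the Administration Server policy that the Administration Server properties cannot override. The record layout, the function names and the scenario in demo() are assumptions made for the example; the storage terms are the defaults listed in the tables that follow.

```python
"""Retention model for Administration Server events.

Added example, not Kaspersky Security Center code. The record layout, the
function names and the scenario in demo() are assumptions; the storage terms
are the defaults listed on this page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Default storage terms (days) for a subset of the event types on this page.
# 0 means "Not stored": registered, but never shown in the event list.
DEFAULT_STORAGE_DAYS = {
    "KLSRV_EV_LICENSE_CHECK_MORE_110": 180,  # Critical
    "KLSRV_HOST_OUT_CONTROL": 180,           # Critical
    "KLSRV_EV_LICENSE_CHECK_100_110": 90,    # Warning
    "KLSRV_EVENT_HOSTS_CONFLICT": 90,        # Warning
    "KLSRV_EVP_DB_TRUNCATED": 0,             # Warning, not stored
    "KLAUD_EV_OBJECTACLMODIFIED": 30,        # Info (audit)
}

# Severity levels in ascending order, as in the "severity" field description.
SEVERITY_NAMES = {0: "Invalid", 1: "Info", 2: "Warning", 3: "Error", 4: "Critical"}


@dataclass(frozen=True)
class StoredEvent:
    event_id: int               # unique number in the database, not the event type ID
    event_type: str             # alphabetic code, e.g. KLSRV_HOST_OUT_CONTROL
    severity: int               # 0..4
    received: datetime          # when Administration Server stored the event
    storage_days: int           # term in effect at receive time; never changed later
    task_id: Optional[int] = None


def resolve_storage_days(event_type, policy_terms, policy_locked, server_terms):
    """Effective term for an event type.

    A term set in the Administration Server policy wins when that setting is
    locked there; otherwise a term set in the Administration Server properties
    overrides the policy; otherwise the page default applies.
    """
    if event_type in policy_locked and event_type in policy_terms:
        return policy_terms[event_type]
    if event_type in server_terms:
        return server_terms[event_type]
    if event_type in policy_terms:
        return policy_terms[event_type]
    return DEFAULT_STORAGE_DAYS[event_type]  # KeyError for an unknown type


def register(event_id, event_type, severity, received, storage_days, task_id=None):
    """Store an event with the term that applies right now."""
    if severity not in SEVERITY_NAMES:
        raise ValueError(f"severity {severity} is outside 0..4")
    if storage_days < 0:
        raise ValueError("storage term must be 0 or more days")
    return StoredEvent(event_id, event_type, severity, received, storage_days, task_id)


def is_visible(ev, now):
    """Term 0 is never listed; otherwise the event is listed until its term elapses."""
    if ev.storage_days == 0:
        return False
    return now < ev.received + timedelta(days=ev.storage_days)


def purge_candidates(events, now):
    """event_ids that the retention job would delete at time `now`."""
    return sorted(e.event_id for e in events if not is_visible(e, now))


def demo():
    """Constructed scenario: a locked policy term, a server override, a not-stored
    type, and a term shortened after one event has already been received."""
    t0 = datetime(2021, 6, 1, tzinfo=timezone.utc)
    policy = {"KLSRV_HOST_OUT_CONTROL": 365}
    locked = {"KLSRV_HOST_OUT_CONTROL"}
    server = {"KLSRV_HOST_OUT_CONTROL": 7,        # ignored: the policy value is locked
              "KLAUD_EV_OBJECTACLMODIFIED": 400}  # overrides the 30-day default
    events = []
    for eid, etype, sev in [(1, "KLSRV_HOST_OUT_CONTROL", 4),
                            (2, "KLAUD_EV_OBJECTACLMODIFIED", 1),
                            (3, "KLSRV_EVP_DB_TRUNCATED", 2)]:
        events.append(register(eid, etype, sev, t0,
                               resolve_storage_days(etype, policy, locked, server)))
    # Shorten the audit term afterwards: event 2 keeps the 400 days it was stored with.
    server["KLAUD_EV_OBJECTACLMODIFIED"] = 1
    events.append(register(4, "KLAUD_EV_OBJECTACLMODIFIED", 1, t0 + timedelta(days=1),
                           resolve_storage_days("KLAUD_EV_OBJECTACLMODIFIED", policy, locked, server)))
    return events, purge_candidates(events, t0 + timedelta(days=10))


if __name__ == "__main__":
    stored, purge = demo()
    for e in stored:
        print(e.event_id, e.event_type, SEVERITY_NAMES[e.severity], e.storage_days, "days")
    print("purge candidates after 10 days:", purge)
```

Running demo() shows the two points that matter operationally: shortening a term only affects events received after the change, and a type with term 0 never appears in the event list even though it was registered, so anything you need for investigation must be forwarded to the OS event log or a SIEM before that happens.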

Page top
[Topic 181756_1]

Administration Server events

This section contains information about the events related to the Administration Server.

In this section

Administration Server critical events

Administration Server functional failure events

Administration Server warning events

Administration Server informational events

Page top
[Topic 184666_1]

Administration Server critical events

The table below shows the event types of Kaspersky Security Center Administration Server that have the Critical importance level.

Administration Server critical events. Each entry gives the event type display name, the event type ID and alphabetic code in parentheses, the default storage term, and the description.

License limit has been exceeded (ID 4099, KLSRV_EV_LICENSE_CHECK_MORE_110). Default storage term: 180 days.

Once a day Kaspersky Security Center checks whether a licensing restriction is exceeded.

Events of this type occur when Administration Server detects that a licensing limit is exceeded by Kaspersky applications installed on client devices: the number of licensing units currently in use under a single license exceeds 110% of the total number of units the license covers.

Even when this event occurs, client devices are protected.

You can respond to the event in the following ways:

  • Look through the managed devices list. Delete devices that are not in use.
  • Provide a license for more devices (add a valid activation code or a key file to Administration Server).

Kaspersky Security Center determines the rules to generate events when a licensing restriction is exceeded.

Virus outbreak (ID 26 for File Threat Protection, 27 for Mail Threat Protection, 28 for Firewall; GNRL_EV_VIRUS_OUTBREAK). Default storage term: 180 days.

Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period of time. The three IDs distinguish which protection component reported the detections.

The detection thresholds are set in the Administration Server properties; you can also designate a policy to be activated, or a task to be run, when this event occurs.

Device has become unmanaged (ID 4111, KLSRV_HOST_OUT_CONTROL). Default storage term: 180 days.

Events of this type occur if a managed device is visible on the network but has not connected to Administration Server for a specific period of time.

Find out what prevents Network Agent from functioning properly on the device. Possible causes include network issues and removal of Network Agent from the device.

Device status is Critical (ID 4113, KLSRV_HOST_STATUS_CRITICAL). Default storage term: 180 days.

Events of this type occur when a managed device is assigned the Critical status. You can configure the conditions under which the device status is changed to Critical.

The key file has been added to the denylist (ID 4124, KLSRV_LICENSE_BLACKLISTED). Default storage term: 180 days.

Events of this type occur when Kaspersky has added the activation code or key file that you use to the denylist. Contact Technical Support for more details.

Limited functionality mode (ID 4130, KLSRV_EV_LICENSE_SRV_LIMITED_MODE). Default storage term: 180 days.

Events of this type occur when Kaspersky Security Center starts to operate with basic functionality, without the Vulnerability and Patch Management and Mobile Device Management features.

Following are the causes of, and appropriate responses to, the event:

  • The license term has expired. Provide a license to use the full functionality mode of Kaspersky Security Center (add a valid activation code or a key file to Administration Server).
  • Administration Server manages more devices than the license limit allows. Move devices from the administration groups of this Administration Server to those of another Administration Server (if the license limit of the other Administration Server allows).

License expires soon (ID 4129, KLSRV_EV_LICENSE_SRV_EXPIRE_SOON). Default storage term: 180 days.

Events of this type occur when the commercial license expiration date is approaching.

Once a day Kaspersky Security Center checks whether a license expiration date is approaching. Events of this type are published 30, 15, 5, and 1 day before the license expiration date. You cannot change these intervals. If Administration Server is turned off on one of those days, the event is not published until the next day.

When the commercial license expires, Kaspersky Security Center provides only basic functionality.

You can respond to the event in the following ways:

  • Make sure that a reserve license key is added to Administration Server.
  • If you use a subscription, make sure to renew it. An unlimited subscription is renewed automatically if it has been prepaid to the service provider by the due date.

Certificate has expired (ID 4132, KLSRV_CERTIFICATE_EXPIRED). Default storage term: 180 days.

Events of this type occur when the Administration Server certificate for Mobile Device Management expires. You need to update the expired certificate.

You can configure automatic renewal of certificates by selecting the Reissue certificate automatically if possible check box in the certificate issuance settings.

Updates for Kaspersky software modules have been revoked (ID 4142, KLSRV_SEAMLESS_UPDATE_REVOKED). Default storage term: 180 days.

Events of this type occur if seamless updates have been revoked by Kaspersky technical specialists (the Revoked status is displayed for these updates), for example because they must be replaced by a newer version. The event concerns Kaspersky Security Center patches only, not the modules of managed Kaspersky applications. The event provides the reason why the seamless updates are not installed.

See also:

Administration Server functional failure events

Administration Server informational events

Administration Server warning events

About events in Kaspersky Security Center

Page top
[Topic 177080_1]

Administration Server functional failure events

The table below shows the event types of Kaspersky Security Center Administration Server that have the Functional failure importance level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy. For Administration Server, you can additionally view the event list in the Administration Server properties.

Administration Server functional failure events. Each entry gives the event type display name, the event type ID and alphabetic code in parentheses, the default storage term, and the description.

Runtime error (ID 4125, KLSRV_RUNTIME_ERROR). Default storage term: 180 days.

Events of this type occur because of unknown issues. Most often these are DBMS issues, network issues, and other software and hardware issues. Details can be found in the event description.

Limit of installations has been exceeded for one of the licensed applications groups (ID 4126, KLSRV_INVLICPROD_EXCEDED). Default storage term: 180 days.

Administration Server generates events of this type periodically (every hour). Events of this type occur if you manage license keys of third-party applications in Kaspersky Security Center and the number of installations has exceeded the limit set by the license key of the third-party application.

You can respond to the event in the following ways:

  • Look through the managed devices list. Delete the third-party application from devices on which it is not in use.
  • Use a third-party license for more devices.

You can manage license keys of third-party applications using the functionality of licensed applications groups. A licensed applications group includes third-party applications that meet criteria set by you.

Failed to poll the cloud segment (ID 4143, KLSRV_KLCLOUD_SCAN_ERROR). Default storage term: not stored.

Events of this type occur when Administration Server fails to poll a network segment in a cloud environment. Read the details in the event description and respond accordingly.

Failed to copy the updates to the specified folder (ID 4123, KLSRV_UPD_REPL_FAIL). Default storage term: 180 days.

Events of this type occur when software updates cannot be copied to the additional shared folder(s).

You can respond to the event in the following ways:

  • Check whether the user account that is used to access the folder(s) has write permission.
  • Check whether the user name and/or password for the folder(s) has changed.
  • Check the internet connection, as it might be the cause of the event. Follow the instructions to update databases and software modules.

No free disk space (ID 4107, KLSRV_DISK_FULL). Default storage term: 180 days.

Events of this type occur when the hard drive of the device on which Administration Server is installed runs out of free space. Free up disk space on the device.

Shared folder is not available (ID 4108, KLSRV_SHARED_FOLDER_UNAVAILABLE). Default storage term: 180 days.

Events of this type occur if the shared folder of Administration Server is not available.

You can respond to the event in the following ways:

  • Check whether the Administration Server (where the shared folder is located) is turned on and available.
  • Check whether the user name and/or password for the folder has changed.
  • Check the network connection.

The Administration Server database is unavailable (ID 4109, KLSRV_DATABASE_UNAVAILABLE). Default storage term: 180 days.

Events of this type occur if the Administration Server database becomes unavailable.

You can respond to the event in the following ways:

  • Check whether the remote server that has SQL Server installed is available.
  • View the DBMS logs to discover the reason for the unavailability. For example, a remote server with SQL Server installed might be unavailable because of preventive maintenance.

No free space in the Administration Server database (ID 4110, KLSRV_DATABASE_FULL). Default storage term: 180 days.

Events of this type occur when there is no free space in the Administration Server database.

Administration Server does not function when its database has reached its capacity and further recording to the database is not possible.

The causes of this event, and the appropriate responses, depend on the DBMS that you use: either the DBMS edition limits the database size (as SQL Server Express Edition does), in which case you need to migrate to a DBMS without that limit, or the volume that holds the database files is full, in which case you need to free up disk space.

See also:

Administration Server critical events

Administration Server informational events

Administration Server warning events

About events in Kaspersky Security Center

Page top
[Topic 177081_1]

Administration Server warning events

The table below shows the events of Kaspersky Security Center Administration Server that have the Warning importance level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy. For Administration Server, you can additionally view the event list in the Administration Server properties.

Administration Server warning events. Each entry gives the event type display name, the event type ID and alphabetic code in parentheses, the default storage term, and the description.

A frequent event has been detected (event type ID not listed; KLSRV_EVENT_SPAM_EVENTS_DETECTED). Default storage term: 90 days.

Events of this type occur when Administration Server detects a frequent event on a managed device. Refer to the following section for details: Blocking frequent events.

License limit has been exceeded (ID 4098, KLSRV_EV_LICENSE_CHECK_100_110). Default storage term: 90 days.

Once a day Kaspersky Security Center checks whether a licensing restriction is exceeded.

Events of this type occur when Administration Server detects that a licensing limit is exceeded by Kaspersky applications installed on client devices: the number of licensing units currently in use under a single license is between 100% and 110% of the total number of units the license covers. Above 110%, the Critical event KLSRV_EV_LICENSE_CHECK_MORE_110 is generated instead.

Even when this event occurs, client devices are protected.

You can respond to the event in the following ways:

  • Look through the managed devices list. Delete devices that are not in use.
  • Provide a license for more devices (add a valid activation code or a key file to Administration Server).

Kaspersky Security Center determines the rules to generate events when a licensing restriction is exceeded.

Device has remained inactive on the network for a long time (ID 4103, KLSRV_EVENT_HOSTS_NOT_VISIBLE). Default storage term: 90 days.

Events of this type occur when a managed device shows no activity for some time. Most often, this happens when a managed device has been decommissioned.

If the device has been decommissioned, remove it from the administration group (or let Administration Server remove it automatically after the inactivity period configured in the Administration Server properties; see the Info event KLSRV_INVISIBLE_HOSTS_REMOVED). If the device is still in use, find out why Network Agent on it is not connecting.

Conflict of device names (ID 4102, KLSRV_EVENT_HOSTS_CONFLICT). Default storage term: 90 days.

Events of this type occur when Administration Server treats two or more managed devices as a single device.

Most often this happens when managed devices were deployed from a cloned hard drive image without first switching Network Agent on the reference device to disk cloning mode.

To avoid this issue, switch Network Agent to disk cloning mode on the reference device before cloning its hard drive.

Device status is Warning (ID 4114, KLSRV_HOST_STATUS_WARNING). Default storage term: 90 days.

Events of this type occur when a managed device is assigned the Warning status. You can configure the conditions under which the device status is changed to Warning.

Limit of installations will soon be exceeded for one of the licensed applications groups (ID 4127, KLSRV_INVLICPROD_FILLED). Default storage term: 90 days.

Events of this type occur when the number of installations for third-party applications included in a licensed applications group reaches 90% of the maximum allowed value specified in the license key properties.

You can respond to the event in the following ways:

  • If the third-party application is not in use on some of the managed devices, delete the application from these devices.
  • If you expect that the number of installations for the third-party application will exceed the allowed maximum in the near future, consider obtaining a third-party license for a greater number of devices in advance.

You can manage license keys of third-party applications using the functionality of licensed applications groups.

Certificate has been requested (ID 4133, KLSRV_CERTIFICATE_REQUESTED). Default storage term: 90 days.

Events of this type occur when a certificate for Mobile Device Management fails to be automatically reissued.

Following might be the causes and appropriate responses to the event:

  • Automatic reissue was initiated for a certificate for which the Reissue certificate automatically if possible option is disabled. This might be due to an error that occurred during creation of the certificate. Manual reissue of the certificate might be required.
  • If you use an integration with a public key infrastructure, the cause might be a missing SAM-Account-Name attribute on the account used for integration with PKI and for issuance of the certificate. Review the account properties.

Certificate has been removed (ID 4134, KLSRV_CERTIFICATE_REMOVED). Default storage term: 90 days.

Events of this type occur when an administrator removes any type of certificate (General, Mail, VPN) for Mobile Device Management.

After a certificate is removed, mobile devices that connected through it can no longer connect to Administration Server.

This event might be helpful when investigating malfunctions associated with the management of mobile devices.

APNs certificate has expired (ID 4135, KLSRV_APN_CERTIFICATE_EXPIRED). Default storage term: not stored.

Events of this type occur when an APNs certificate expires. You need to manually renew the APNs certificate and install it on an iOS MDM Server.

APNs certificate expires soon (ID 4136, KLSRV_APN_CERTIFICATE_EXPIRES_SOON). Default storage term: not stored.

Events of this type occur when fewer than 14 days are left before the APNs certificate expires.

When the APNs certificate expires, you need to manually renew it and install it on an iOS MDM Server. We recommend that you schedule the APNs certificate renewal in advance of the expiration date.

Failed to send the FCM message to the mobile device (ID 4138, KLSRV_GCM_DEVICE_ERROR). Default storage term: 90 days.

Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) to connect to managed mobile devices running Android and the FCM server fails to handle some of the requests received from Administration Server. This means that some of the managed mobile devices will not receive a push notification.

Read the HTTP code in the details of the event description and respond accordingly. For more information on the HTTP codes received from the FCM server and related errors, refer to the Google Firebase service documentation (see the chapter "Downstream message error response codes").

HTTP error sending the FCM message to the FCM server (ID 4139, KLSRV_GCM_HTTP_ERROR). Default storage term: 90 days.

Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) to connect to managed mobile devices running Android and the FCM server returns to Administration Server a response with an HTTP status code other than 200 (OK).

Following might be the causes and appropriate responses to the event:

  • Problems on the FCM server side. Read the HTTP code in the details of the event description and respond accordingly. For more information on the HTTP codes received from the FCM server and related errors, refer to the Google Firebase service documentation (see the chapter "Downstream message error response codes").
  • Problems on the proxy server side (if you use a proxy server). Read the HTTP code in the details of the event and respond accordingly.

Failed to send the FCM message to the FCM server (ID 4140, KLSRV_GCM_GENERAL_ERROR). Default storage term: 90 days.

Events of this type occur due to unexpected errors on the Administration Server side when working with the Google Firebase Cloud Messaging HTTP protocol.

Read the details in the event description and respond accordingly. If you cannot find the solution to an issue on your own, we recommend that you contact Kaspersky Technical Support.

Little free space on the hard drive (ID 4105, KLSRV_NO_SPACE_ON_VOLUMES). Default storage term: 90 days.

Events of this type occur when the hard drive of the device on which Administration Server is installed is almost out of free space. Free up disk space on the device.

Little free space in the Administration Server database (ID 4106, KLSRV_NO_SPACE_IN_DATABASE). Default storage term: 90 days.

Events of this type occur if the free space in the Administration Server database is running low. If you do not remedy the situation, the Administration Server database will soon reach its capacity and Administration Server will stop functioning.

The causes of this event, and the appropriate responses, depend on the DBMS that you use. If you use the SQL Server Express Edition DBMS, the edition's limit on database size is the usual cause; review the information on DBMS selection.

Connection to the secondary Administration Server has been interrupted (ID 4116, KLSRV_EV_SLAVE_SRV_DISCONNECTED). Default storage term: 90 days.

Events of this type occur when a connection to the secondary Administration Server is interrupted. Read the Kaspersky Event Log on the device where the secondary Administration Server is installed and respond accordingly.

Connection to the primary Administration Server has been interrupted (ID 4118, KLSRV_EV_MASTER_SRV_DISCONNECTED). Default storage term: 90 days.

Events of this type occur when a connection to the primary Administration Server is interrupted. Read the Kaspersky Event Log on the device where the primary Administration Server is installed and respond accordingly.

New updates for Kaspersky software modules have been registered (ID 4141, KLSRV_SEAMLESS_UPDATE_REGISTERED). Default storage term: 90 days.

Events of this type occur when Administration Server registers new updates for the Kaspersky software installed on managed devices that require approval before they are installed. Approve or decline the updates by using Administration Console or Kaspersky Security Center Web Console.

Deletion of events from the database has started because the limit on the number of events was exceeded (ID 4145, KLSRV_EVP_DB_TRUNCATING). Default storage term: not stored.

Events of this type occur when deletion of old events from the Administration Server database has started because the configured capacity of the database was reached.

Reduce the volume of stored events (disable event types you do not need in the policies, or shorten their storage terms), or raise the limit on the number of events stored in the database in the Administration Server properties if your DBMS can hold them. If you need the history, export events to a SIEM system before they are deleted.

Events have been deleted from the database because the limit on the number of events was exceeded (ID 4146, KLSRV_EVP_DB_TRUNCATED). Default storage term: not stored.

Events of this type occur when old events have been deleted from the Administration Server database because the configured capacity of the database was reached. The deleted events cannot be restored; respond as for the preceding event type.

See also:

Administration Server critical events

Administration Server functional failure events

Administration Server informational events

About events in Kaspersky Security Center

Page top
[Topic 177082_1]

Administration Server informational events

The table below shows the events of Kaspersky Security Center Administration Server that have the Info importance level.

Administration Server informational events

Event type display name | Event type ID | Event type | Default storage term | Remarks
--- | --- | --- | --- | ---
Over 90% of the license key is used up | 4097 | KLSRV_EV_LICENSE_CHECK_90 | 30 days |
New device has been detected | 4100 | KLSRV_EVENT_HOSTS_NEW_DETECTED | 30 days |
Device has been automatically added to the group | 4101 | KLSRV_EVENT_HOSTS_NEW_REDIRECTED | 30 days |
Device has been removed from the group: inactive on the network for a long time | 4104 | KLSRV_INVISIBLE_HOSTS_REMOVED | 30 days |
Limit of installations will soon be exceeded (more than 95% is used up) for one of the licensed applications groups | 4128 | KLSRV_INVLICPROD_EXPIRED_SOON | 30 days |
Files have been found to send to Kaspersky for analysis | 4131 | KLSRV_APS_FILE_APPEARED | 30 days |
FCM Instance ID has changed on this mobile device | 4137 | KLSRV_GCM_DEVICE_REGID_CHANGED | 30 days |
Updates have been successfully copied to the specified folder | 4122 | KLSRV_UPD_REPL_OK | 30 days |
Connection to the secondary Administration Server has been established | 4115 | KLSRV_EV_SLAVE_SRV_CONNECTED | 30 days |
Connection to the primary Administration Server has been established | 4117 | KLSRV_EV_MASTER_SRV_CONNECTED | 30 days |
Databases have been updated | 4144 | KLSRV_UPD_BASES_UPDATED | 30 days |
Audit: Connection to the Administration Server has been established | 4147 | KLAUD_EV_SERVERCONNECT | 30 days |
Audit: Object has been modified | 4148 | KLAUD_EV_OBJECTMODIFY | 30 days | Tracks changes to these objects: administration group, security group, user, package, task, policy, Server, virtual Server
Audit: Object status has changed | 4150 | KLAUD_EV_TASK_STATE_CHANGED | 30 days | For example, this event occurs when a task has failed with an error
Audit: Group settings have been modified | 4149 | KLAUD_EV_ADMGROUP_CHANGED | 30 days |
Audit: Connection to Administration Server has been terminated | 4151 | KLAUD_EV_SERVERDISCONNECT | 30 days |
Audit: Object properties have been modified | 4152 | KLAUD_EV_OBJECTPROPMODIFIED | 30 days | Tracks changes to the properties of these objects: user, license, Server, virtual Server
Audit: User permissions have been modified | 4153 | KLAUD_EV_OBJECTACLMODIFIED | 30 days |
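The KLAUD_EV_* audit events in the table above are the ones a security operations team will actually alert on, since they record who connected to Administration Server and who changed permissions, policies, tasks and groups. The following added Python example (not Kaspersky Security Center code) pairs connection and termination events into sessions per account and flags sensitive changes made by an account that is not on the approved list, outside an agreed change window, or with no connection session to attribute them to. Only the event type codes come from the table; the other record fields (rise_time, user, object, object_kind), the change-window rule and the sample events are constructed for this example.

```python
"""Triage of Administration Server audit events.

Added example, not Kaspersky Security Center code. Only the event type codes
come from the table above; the other record fields (rise_time, user, object,
object_kind), the change-window rule and the sample events are constructed.
"""
from datetime import datetime, timezone

CONNECT = "KLAUD_EV_SERVERCONNECT"
DISCONNECT = "KLAUD_EV_SERVERDISCONNECT"
# Audit types that change who may do what, or what managed devices enforce.
SENSITIVE_TYPES = {"KLAUD_EV_OBJECTACLMODIFIED", "KLAUD_EV_OBJECTMODIFY",
                   "KLAUD_EV_ADMGROUP_CHANGED"}
SENSITIVE_KINDS = {"Policy", "Task", "User", "Security group", "Administration group"}

# Constructed sample, not a real event export.
SAMPLE = [
    {"event_type": CONNECT, "rise_time": "2021-06-07 09:02",
     "user": "CORP\\ksc-admin", "object": "", "object_kind": ""},
    {"event_type": "KLAUD_EV_OBJECTMODIFY", "rise_time": "2021-06-07 09:10",
     "user": "CORP\\ksc-admin", "object": "KES workstation policy", "object_kind": "Policy"},
    {"event_type": DISCONNECT, "rise_time": "2021-06-07 09:30",
     "user": "CORP\\ksc-admin", "object": "", "object_kind": ""},
    {"event_type": CONNECT, "rise_time": "2021-06-07 23:41",
     "user": "CORP\\svc-backup", "object": "", "object_kind": ""},
    {"event_type": "KLAUD_EV_OBJECTACLMODIFIED", "rise_time": "2021-06-07 23:44",
     "user": "CORP\\svc-backup", "object": "Managed devices", "object_kind": "Administration group"},
    {"event_type": "KLAUD_EV_OBJECTMODIFY", "rise_time": "2021-06-07 23:45",
     "user": "CORP\\svc-backup", "object": "Install Network Agent", "object_kind": "Task"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def sessions(events):
    """Pair each connection with its termination per account.

    Returns (user, start, end) tuples; end is None for a connection that has
    not been terminated yet (or whose termination event is missing).
    """
    open_by_user, closed = {}, []
    for ev in sorted(events, key=lambda e: _ts(e["rise_time"])):
        if ev["event_type"] == CONNECT:
            open_by_user[ev["user"]] = _ts(ev["rise_time"])
        elif ev["event_type"] == DISCONNECT and ev["user"] in open_by_user:
            closed.append((ev["user"], open_by_user.pop(ev["user"]), _ts(ev["rise_time"])))
    return closed + [(u, start, None) for u, start in open_by_user.items()]


def findings(events, approved_users, window=(8, 18)):
    """Flag sensitive changes made by an unapproved account, outside the change
    window (hours, half-open), or with no connection session to attribute them to."""
    sess = sessions(events)
    hits = []
    for ev in events:
        if ev["event_type"] not in SENSITIVE_TYPES or ev["object_kind"] not in SENSITIVE_KINDS:
            continue
        t = _ts(ev["rise_time"])
        reasons = []
        if ev["user"] not in approved_users:
            reasons.append("account not approved for changes")
        if not (window[0] <= t.hour < window[1]):
            reasons.append("outside change window")
        if not any(u == ev["user"] and s <= t and (e is None or t <= e) for u, s, e in sess):
            reasons.append("no connection session for this account")
        if reasons:
            hits.append({"time": ev["rise_time"], "user": ev["user"],
                         "event_type": ev["event_type"], "object": ev["object"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in findings(SAMPLE, approved_users={"CORP\\ksc-admin"}):
        print(hit["time"], hit["user"], hit["event_type"], hit["object"],
              "; ".join(hit["reasons"]))
```

Because these audit events are kept for only 30 days by default, a check like this only works if the events are exported to a SIEM or their storage term is extended; the session pairing also depends on both KLAUD_EV_SERVERCONNECT and KLAUD_EV_SERVERDISCONNECT being kept, which is why an open session is reported rather than treated as an error.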

 

Page top
[Topic 177083_1]

Network Agent events

This section contains information about the events related to Network Agent.

In this section

Network Agent functional failure events

Network Agent warning events

Network Agent informational events

Page top
[Topic 184667_1]

Network Agent functional failure events

The table below shows the event types of Kaspersky Security Center Network Agent that have the Functional failure severity level.

Network Agent functional failure events. Each entry gives the event type display name, the event type ID and alphabetic code in parentheses, the default storage term, and the description.

Update installation error (ID 7702, KLNAG_EV_PATCH_INSTALL_ERROR). Default storage term: 30 days.

Events of this type occur if automatic updating and patching of Kaspersky Security Center components was not successful. The event does not concern updates of the managed Kaspersky applications.

Read the event description. A Windows issue on the Administration Server might be the reason for this event. If the description mentions an issue with the Windows configuration, resolve that issue.

Failed to install the third-party software update (ID 7697, KLNAG_EV_3P_PATCH_INSTALL_ERROR). Default storage term: 30 days.

Events of this type occur if the Vulnerability and Patch Management and Mobile Device Management features are in use and an update of third-party software was not successful.

Check whether the link to the third-party software is valid. Read the event description.

Failed to install the Windows Update updates (ID 7717, KLNAG_EV_WUA_INSTALL_ERROR). Default storage term: 30 days.

Events of this type occur if Windows Updates were not successful. Windows Updates are configured in a Network Agent policy.

Read the event description. Look for the error in the Microsoft Knowledge Base. Contact Microsoft Technical Support if you cannot resolve the issue yourself.

See also:

Network Agent warning events

Network Agent informational events

Page top
[Topic 165484_1]

Network Agent warning events

The table below shows the events of Kaspersky Security Center Network Agent that have the Warning severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

Network Agent warning events

Event type display name | Event type ID | Event type | Default storage term
--- | --- | --- | ---
Warning has been returned during installation of the software module update | 7701 | KLNAG_EV_PATCH_INSTALL_WARNING | 30 days
Third-party software update installation has completed with a warning | 7696 | KLNAG_EV_3P_PATCH_INSTALL_WARNING | 30 days
Third-party software update installation has been postponed | 7698 | KLNAG_EV_3P_PATCH_INSTALL_SLIPPED | 30 days
Incident has occurred | 549 | GNRL_EV_APP_INCIDENT_OCCURED | 30 days
KSN Proxy has started. Failed to check KSN for availability | 7718 | KSNPROXY_STARTED_CON_CHK_FAILED | 30 days

See also:

Network Agent functional failure events

Network Agent informational events

Page top
[Topic 173538_1]

Network Agent informational events

The table below shows the events of Kaspersky Security Center Network Agent that have the Info severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

Network Agent informational events

Event type display name | Event type ID | Event type | Default storage term
--- | --- | --- | ---
Update for software modules has been installed successfully | 7699 | KLNAG_EV_PATCH_INSTALLED_SUCCESSFULLY | 30 days
Installation of the software module update has started | 7700 | KLNAG_EV_PATCH_INSTALL_STARTING | 30 days
Application has been installed | 7703 | KLNAG_EV_INV_APP_INSTALLED | 30 days
Application has been uninstalled | 7704 | KLNAG_EV_INV_APP_UNINSTALLED | 30 days
Monitored application has been installed | 7705 | KLNAG_EV_INV_OBS_APP_INSTALLED | 30 days
Monitored application has been uninstalled | 7706 | KLNAG_EV_INV_OBS_APP_UNINSTALLED | 30 days
Third-party application has been installed | 7707 | KLNAG_EV_INV_CMPTR_APP_INSTALLED | 30 days
New device has been added | 7708 | KLNAG_EV_DEVICE_ARRIVAL | 30 days
Device has been removed | 7709 | KLNAG_EV_DEVICE_REMOVE | 30 days
New device has been detected | 7710 | KLNAG_EV_NAC_DEVICE_DISCOVERED | 30 days
Device has been authorized | 7711 | KLNAG_EV_NAC_HOST_AUTHORIZED | 30 days
Windows Desktop Sharing: File has been read | 7712 | KLUSRLOG_EV_FILE_READ | 30 days
Windows Desktop Sharing: File has been modified | 7713 | KLUSRLOG_EV_FILE_MODIFIED | 30 days
Windows Desktop Sharing: Application has been started | 7714 | KLUSRLOG_EV_PROCESS_LAUNCHED | 30 days
Windows Desktop Sharing: Started | 7715 | KLUSRLOG_EV_WDS_BEGIN | 30 days
Windows Desktop Sharing: Stopped | 7716 | KLUSRLOG_EV_WDS_END | 30 days
Third-party software update has been installed successfully | 7694 | KLNAG_EV_3P_PATCH_INSTALLED_SUCCESSFULLY | 30 days
Third-party software update installation has started | 7695 | KLNAG_EV_3P_PATCH_INSTALL_STARTING | 30 days
KSN Proxy has started. KSN availability check has completed successfully | 7719 | KSNPROXY_STARTED_CON_CHK_OK | 30 days
KSN Proxy has stopped | 7720 | KSNPROXY_STOPPED | 30 days

See also:

Network Agent functional failure events

Network Agent warning events

Page top
[Topic 173727_1]

iOS MDM Server events

This section contains information about the events related to iOS MDM Server.

In this section

iOS MDM Server functional failure events

iOS MDM Server warning events

iOS MDM Server informational events

Page top
[Topic 184668_1]

iOS MDM Server functional failure events

The table below shows the events of Kaspersky Security Center iOS MDM Server that have the Functional failure severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

iOS MDM Server functional failure events

| Event type display name | Event type | Default storage term |
| --- | --- | --- |
| Failed to request the list of profiles | PROFILELIST_COMMAND_FAILED | 30 days |
| Failed to install the profile | INSTALLPROFILE_COMMAND_FAILED | 30 days |
| Failed to remove the profile | REMOVEPROFILE_COMMAND_FAILED | 30 days |
| Failed to request the list of provisioning profiles | PROVISIONINGPROFILELIST_COMMAND_FAILED | 30 days |
| Failed to install the provisioning profile | INSTALLPROVISIONINGPROFILE_COMMAND_FAILED | 30 days |
| Failed to remove the provisioning profile | REMOVEPROVISIONINGPROFILE_COMMAND_FAILED | 30 days |
| Failed to request the list of digital certificates | CERTIFICATELIST_COMMAND_FAILED | 30 days |
| Failed to request the list of installed applications | INSTALLEDAPPLICATIONLIST_COMMAND_FAILED | 30 days |
| Failed to request general information about the mobile device | DEVICEINFORMATION_COMMAND_FAILED | 30 days |
| Failed to request security information | SECURITYINFO_COMMAND_FAILED | 30 days |
| Failed to lock the mobile device | DEVICELOCK_COMMAND_FAILED | 30 days |
| Failed to reset the password | CLEARPASSCODE_COMMAND_FAILED | 30 days |
| Failed to wipe data from the mobile device | ERASEDEVICE_COMMAND_FAILED | 30 days |
| Failed to install the app | INSTALLAPPLICATION_COMMAND_FAILED | 30 days |
| Failed to set the redemption code for the app | APPLYREDEMPTIONCODE_COMMAND_FAILED | 30 days |
| Failed to request the list of managed apps | MANAGEDAPPLICATIONLIST_COMMAND_FAILED | 30 days |
| Failed to remove the managed app | REMOVEAPPLICATION_COMMAND_FAILED | 30 days |
| Roaming settings have been rejected | SETROAMINGSETTINGS_COMMAND_FAILED | 30 days |
| Error has occurred in the app operation | PRODUCT_FAILURE | 30 days |
| Command result contains invalid data | MALFORMED_COMMAND | 30 days |
| Failed to send the push notification | SEND_PUSH_NOTIFICATION_FAILED | 30 days |
| Failed to send the command | SEND_COMMAND_FAILED | 30 days |
| Device not found | DEVICE_NOT_FOUND | 30 days |

Page top

[Topic 177141_1]

iOS MDM Server warning events

The table below shows the events of Kaspersky Security Center iOS MDM Server that have the Warning severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

iOS MDM Server warning events

| Event type display name | Event type | Default storage term |
| --- | --- | --- |
| Attempt to connect a locked mobile device has been detected | INACTICE_DEVICE_TRY_CONNECTED | 30 days |
| Profile has been removed | MDM_PROFILE_WAS_REMOVED | 30 days |
| Attempt to re-use a client certificate has been detected | CLIENT_CERT_ALREADY_IN_USE | 30 days |
| Inactive device has been detected | FOUND_INACTIVE_DEVICE | 30 days |
| Redemption code is required | NEED_REDEMPTION_CODE | 30 days |
| Profile has been included in a policy removed from the device | UMDM_PROFILE_WAS_REMOVED | 30 days |

Page top

[Topic 177143_1]

iOS MDM Server informational events

The table below shows the events of Kaspersky Security Center iOS MDM Server that have the Info severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

iOS MDM Server informational events

| Event type display name | Event type | Default storage term |
| --- | --- | --- |
| New mobile device has been connected | NEW_DEVICE_CONNECTED | 30 days |
| List of profiles has been successfully requested | PROFILELIST_COMMAND_SUCCESSFULL | 30 days |
| Profile has been successfully installed | INSTALLPROFILE_COMMAND_SUCCESSFULL | 30 days |
| Profile has been successfully removed | REMOVEPROFILE_COMMAND_SUCCESSFULL | 30 days |
| List of provisioning profiles has been successfully requested | PROVISIONINGPROFILELIST_COMMAND_SUCCESSFULL | 30 days |
| Provisioning profile has been successfully installed | INSTALLPROVISIONINGPROFILE_COMMAND_SUCCESSFULL | 30 days |
| Provisioning profile has been successfully removed | REMOVEPROVISIONINGPROFILE_COMMAND_SUCCESSFULL | 30 days |
| List of digital certificates has been successfully requested | CERTIFICATELIST_COMMAND_SUCCESSFULL | 30 days |
| List of installed applications has been successfully requested | INSTALLEDAPPLICATIONLIST_COMMAND_SUCCESSFULL | 30 days |
| General information about the mobile device has been successfully requested | DEVICEINFORMATION_COMMAND_SUCCESSFULL | 30 days |
| Security information has been successfully requested | SECURITYINFO_COMMAND_SUCCESSFULL | 30 days |
| Mobile device has been successfully locked | DEVICELOCK_COMMAND_SUCCESSFULL | 30 days |
| The password has been successfully reset | CLEARPASSCODE_COMMAND_SUCCESSFULL | 30 days |
| Data has been wiped from the mobile device | ERASEDEVICE_COMMAND_SUCCESSFULL | 30 days |
| App has been successfully installed | INSTALLAPPLICATION_COMMAND_SUCCESSFULL | 30 days |
| Redemption code has been successfully set for the app | APPLYREDEMPTIONCODE_COMMAND_SUCCESSFULL | 30 days |
| The list of managed apps has been successfully requested | MANAGEDAPPLICATIONLIST_COMMAND_SUCCESSFULL | 30 days |
| Managed app has been removed successfully | REMOVEAPPLICATION_COMMAND_SUCCESSFULL | 30 days |
| Roaming settings have been successfully applied | SETROAMINGSETTINGS_COMMAND_SUCCESSFUL | 30 days |

Page top

[Topic 177142_1]

Exchange Mobile Device Server events

This section contains information about the events related to an Exchange Mobile Device Server.

In this section

Exchange Mobile Device Server functional failure events

Exchange Mobile Device Server informational events

Page top
[Topic 184669_1]

Exchange Mobile Device Server functional failure events

The table below shows the events of Kaspersky Security Center Exchange Mobile Device Server that have the Functional failure severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

Exchange Mobile Device Server functional failure events

| Event type display name | Event type | Default storage term |
| --- | --- | --- |
| Failed to wipe data from the mobile device | WIPE_FAILED | 30 days |
| Cannot delete information about mobile device connection to mailbox | DEVICE_REMOVE_FAILED | 30 days |
| Failed to apply the ActiveSync policy to the mailbox | POLICY_APPLY_FAILED | 30 days |
| Application operation error | PRODUCT_FAILURE | 30 days |
| Failed to modify the state of ActiveSync functionality | CHANGE_ACTIVE_SYNC_STATE_FAILED | 30 days |

Page top

[Topic 177203_1]

Exchange Mobile Device Server informational events

The table below shows the events of Kaspersky Security Center Exchange Mobile Device Server that have the Info severity level.

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy.

Exchange Mobile Device Server informational events

| Event type display name | Event type | Default storage term |
| --- | --- | --- |
| New mobile device has connected | NEW_DEVICE_CONNECTED | 30 days |
| Data has been wiped from the mobile device | WIPE_SUCCESSFULL | 30 days |

Page top

[Topic 177204_1]

Blocking frequent events

This section provides information about managing frequent events blocking and about removing blocking of frequent events.

In this section

About blocking frequent events

Managing frequent events blocking

Removing blocking of frequent events

Page top
[Topic 212870]

About blocking frequent events

A managed application, for example Kaspersky Endpoint Security for Windows, installed on one or several managed devices can send a large number of events of the same type to the Administration Server. Receiving such frequent events may overload the Administration Server database and cause other events to be overwritten. Administration Server starts blocking the most frequent events when the total number of received events exceeds the limit specified for the database.

Administration Server blocks the receiving of frequent events automatically. You cannot block frequent events yourself or choose which events to block.

To find out whether an event is blocked, view the notification list or check whether the event is present in the Blocking frequent events section of the Administration Server properties. If the event is blocked, you can do one of the following:

  • To prevent the database from being overwritten, keep blocking the receiving of events of this type.
  • To investigate, for example, why the frequent events are being sent to the Administration Server, unblock them and continue receiving events of this type regardless of their frequency.
  • To continue receiving the frequent events until they are blocked again, remove them from blocking.

See also:

Managing frequent events blocking

Removing blocking of frequent events

Page top
[Topic 212440]

Managing frequent events blocking

Administration Server automatically blocks the receiving of frequent events, but you can unblock them and continue to receive them. You can also block again the receiving of frequent events that you unblocked earlier.

To manage frequent events blocking:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Blocking frequent events section.
  3. In the Blocking frequent events section:
    • If you want to unblock the receiving of frequent events:
      1. Select the frequent events you want to unblock, and then click the Exclude button.
      2. Click the Save button.
    • If you want to block receiving frequent events:
      1. Select the frequent events you want to block, and then click the Block button.
      2. Click the Save button.

Administration Server receives the unblocked frequent events and does not receive the blocked frequent events.
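The following is an added illustration of the behaviour described in this section and in About blocking frequent events; it is not Kaspersky Security Center code, and the blocking rule it uses (once the received total exceeds the database limit, any event type making up at least half of the received events is blocked) is an assumption chosen for the example, not the product's actual algorithm. The event type names come from the tables on this page; the devices, counts and limit are constructed. The `excluded` set plays the role of the Exclude button, and `remove_from_blocking` the Remove from blocking button.

```python
from collections import Counter

# Constructed sample event stream as (device, event type) pairs. The event type
# names are taken from this page; the devices and repetition counts are made up.
SAMPLE_EVENTS = (
    [("ws-01", "GNRL_EV_APP_INCIDENT_OCCURED")] * 6
    + [("ws-02", "KLNAG_EV_3P_PATCH_INSTALL_WARNING")] * 2
    + [("ws-03", "KSNPROXY_STARTED_CON_CHK_FAILED")]
    + [("ws-01", "GNRL_EV_APP_INCIDENT_OCCURED")] * 3
)


def process_events(events, db_limit, share=0.5, excluded=frozenset()):
    """Simplified model of frequent-event blocking (an assumption for illustration,
    not Kaspersky's algorithm).

    Events are accepted until the total number received exceeds db_limit. From
    then on, any event type that accounts for at least `share` of the events
    received so far is blocked, and further events of that type are dropped.
    Types in `excluded` are never blocked, which is what the Exclude button in
    the Blocking frequent events section does for a type.

    Returns (received, blocked, dropped): the accepted events, the set of
    blocked event types, and the number of dropped events.
    """
    received = []
    counts = Counter()
    blocked = set()
    dropped = 0
    for device, event_type in events:
        if event_type in blocked:
            dropped += 1
            continue
        received.append((device, event_type))
        counts[event_type] += 1
        if len(received) > db_limit:
            for etype, n in counts.items():
                if etype not in excluded and n / len(received) >= share:
                    blocked.add(etype)
    return received, blocked, dropped


def remove_from_blocking(blocked, event_type):
    """Mirror of the Remove from blocking button: the type is received again, but
    unlike an excluded type it can be blocked once more when the rule fires."""
    return blocked - {event_type}


if __name__ == "__main__":
    received, blocked, dropped = process_events(SAMPLE_EVENTS, db_limit=5)
    print(f"received={len(received)} dropped={dropped} blocked={sorted(blocked)}")
    # Unblocked for investigation: the incident events keep flowing regardless of frequency.
    received, blocked, dropped = process_events(
        SAMPLE_EVENTS, db_limit=5, excluded={"GNRL_EV_APP_INCIDENT_OCCURED"})
    print(f"received={len(received)} dropped={dropped} blocked={sorted(blocked)}")
```

With the constructed stream and a limit of 5, the incident event type is blocked as soon as the sixth event arrives and the three later incidents are dropped; with that type excluded, all twelve events reach the database, which is the trade-off the three options above describe.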

See also:

About blocking frequent events

Page top
[Topic 212657]

Removing blocking of frequent events

You can remove blocking for frequent events and start receiving them until Administration Server blocks these frequent events again.

To remove blocking for frequent events:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Blocking frequent events section.
  3. In the Blocking frequent events section, select the frequent event types for which you want to remove blocking.
  4. Click the Remove from blocking button.

The frequent event is removed from the list of frequent events. Administration Server will receive events of this type.

See also:

About blocking frequent events

Page top
[Topic 212658]

Notifications and device statuses

This section contains information on how to view notifications, configure notification delivery, use device statuses, and enable changing device statuses.

In this section

Using notifications

Viewing onscreen notifications

About device statuses

Configuring the switching of device statuses

Configuring notification delivery

Event notifications displayed by running an executable file

Page top
[Topic 233384]

Using notifications

Notifications alert you about events and help you to speed up your responses to these events by performing recommended actions or actions you consider as appropriate.

Depending on the notification method chosen, the following types of notifications are available:

  • Onscreen notifications
  • Notifications by SMS
  • Notifications by email
  • Notifications by executable file or script

Onscreen notifications

Onscreen notifications alert you to events grouped by importance levels (Critical, Warning, and Informational).

Onscreen notification can have one of two statuses:

  • Reviewed. This means that you have performed the recommended action for the notification, or that you have assigned this status to the notification manually.
  • Not Reviewed. This means that you have not performed the recommended action for the notification, or that you have not assigned this status to the notification manually.

By default, the list of notifications includes notifications in the Not Reviewed status.

You can monitor your organization's network by viewing onscreen notifications and responding to them in real time.

Notifications by email, by SMS, and by executable file or a script

Kaspersky Security Center provides the capability to monitor your organization's network by sending notifications about any event that you consider important. For any event you can configure notifications by email, by SMS, or by running an executable file or a script.

Upon receiving notifications by email or by SMS, you can decide on your response to an event. This response should be the most appropriate for your organization's network. By running an executable file or a script, you predefine a response to an event. You can also consider running an executable file or a script as a primary response to an event. After the executable file runs, you can take other steps to respond to the event.

Page top
[Topic 179103]

Viewing onscreen notifications

You can view notifications onscreen in three ways:

  • In the MONITORING & REPORTING → NOTIFICATIONS section. Here you can view notifications relating to predefined categories.
  • In a separate window that can be opened no matter which section you are using at the moment. In this case you can mark notifications as reviewed.
  • In the Notifications by selected severity level widget in the MONITORING & REPORTING → DASHBOARD section. In the widget, you can view only notifications of events that are at the Critical and Warning importance levels.

From any of these views you can perform actions, for example, respond to an event.

To view notifications from predefined categories:

  1. In the main menu, go to MONITORING & REPORTING → NOTIFICATIONS.

    The All notifications category is selected in the left pane, and in the right pane all the notifications are displayed.

  2. In the left pane, select one of the categories:
    • Deployment
    • Devices
    • Protection
    • Updates (this includes notifications about Kaspersky applications available for download and notifications about anti-virus database updates that have been downloaded)
    • Exploit Prevention
    • Administration Server (this includes events concerning only Administration Server)
    • Useful links (this includes links to Kaspersky resources, for example, Kaspersky Technical Support, Kaspersky forum, license renewal page, or the Kaspersky IT Encyclopedia)
    • Kaspersky news (this includes information about releases of Kaspersky applications)

A list of notifications of the selected category is displayed. The list contains the following:

  • Icon related to the topic of the notification: deployment (A Server connected with managed devices.), protection (A check list.), updates (A shield with two rotating arrows.), device management (A Server managing devices.), Exploit Prevention (A computer with an eye icon.), Administration Server (Servers.).
  • Notification importance level. Notifications of the following importance levels are displayed: Critical notifications (A red square with a white exclamation mark.), Warning notifications (A yellow triangle with a white exclamation mark.), Info notifications. Notifications in the list are grouped by importance levels.
  • Notification. This contains a description of the notification.
  • Action. This contains a link to a quick action that we recommend you perform. For example, by clicking this link, you can proceed to the repository and install security applications on devices, or view a list of devices or a list of events. After you perform the recommended action for the notification, this notification is assigned the Reviewed status.
  • Status registered. This contains the number of days or hours that have passed from the moment when the notification was registered on the Administration Server.

To view onscreen notifications in a separate window by importance level:

  1. In the upper-right corner of Kaspersky Security Center 13.1 Web Console, click the flag icon.

    If the flag icon has a red dot, there are notifications that have not been reviewed.

    A window opens listing the notifications. By default, the All notifications tab is selected and the notifications are grouped by importance level: Critical, Warning, and Info.

  2. Select the System tab.

    The list of notifications of the Critical (A red square with a white exclamation mark.) and Warning (A yellow triangle with a white exclamation mark.) importance levels is displayed. The notification list includes the following:

    • Color marker. Critical notifications are marked in red. Warning notifications are marked in yellow.
    • Icon indicating the topic of the notification: deployment (A Server connected with managed devices.), protection (A check list.), updates (A shield with two rotating arrows.), device management (A Server managing devices.), Exploit Prevention (A computer with an eye icon.), Administration Server (Servers.).
    • Description of the notification.
    • Flag icon. The flag icon is gray if notifications have been assigned the Not Reviewed status. When you select the gray flag icon and assign the Reviewed status to a notification, the icon changes color to white.
    • Link to the recommended action. When you perform the recommended action after clicking the link, the notification gets the Reviewed status.
    • Number of days that have passed since the date when the notification was registered on the Administration Server.
  3. Select the More tab.

    The list of Info importance level notifications is displayed.

    The organization of the list is the same as for the list on the System tab (see the description above). The only difference is the absence of a color marker.

You can filter notifications by the date interval when they were registered on Administration Server. Use the Show filter check box to manage the filter.

To view onscreen notifications in the widget:

  1. In the DASHBOARD section, select Add or restore web widget.
  2. In the window that opens, click the Other category, select the Notifications by selected severity level widget, and click Add.

    The widget now appears on the DASHBOARD tab. By default, the notifications of Critical importance level are displayed on the widget.

    You can click the Settings button on the widget and change the widget settings to view notifications of the Warning importance level. Or, you can add another widget: Notifications by selected severity level, with a Warning importance level.

    The list of notifications on the widget is limited by the widget's size and contains two notifications, which relate to the latest events.

The notification list in the widget includes the following:

  • Icon related to the topic of the notification: deployment (A Server connected with managed devices.), protection (A check list.), updates (A shield with two rotating arrows.), device management (A Server managing devices.), Exploit Prevention (A computer with an eye icon.), Administration Server (Servers.).
  • Description of the notification with a link to the recommended action. When you perform a recommended action after clicking the link, the notification gets the Reviewed status.
  • Number of days or number of hours that have passed since the date when the notification was registered on the Administration Server.
  • Link to other notifications. Upon clicking this link, you are transferred to the view of notifications in the NOTIFICATIONS section of the MONITORING & REPORTING section.
Page top
[Topic 180897]

About device statuses

Kaspersky Security Center assigns a status to each managed device. The particular status depends on whether the conditions defined by the user are met. In some cases, when assigning a status to a device, Kaspersky Security Center takes into consideration the device's visibility flag on the network (see the table below). If Kaspersky Security Center does not find a device on the network within two hours, the visibility flag of the device is set to Not Visible.

The statuses are the following:

  • Critical or Critical / Visible
  • Warning or Warning / Visible
  • OK or OK / Visible

The table below lists the default conditions that must be met to assign the Critical or Warning status to a device, with all possible values.

Conditions for assigning a status to a device

Condition

Condition description

Available values

Security application is not installed

Network Agent is installed on the device, but a security application is not installed.

  • Toggle button is on.
  • Toggle button is off.

Too many viruses detected

Some viruses have been found on the device by a task for virus detection, for example, the Virus scan task, and the number of viruses found exceeds the specified value.

More than 0.

Real-time protection level differs from the level set by the Administrator

The device is visible on the network, but the real-time protection level differs from the level set (in the condition) by the administrator for the device status.

  • Stopped.
  • Paused.
  • Running.

Virus scan has not been performed in a long time

The device is visible on the network and a security application is installed on the device, but neither the Malware scan task nor a local scan task has been run within the specified time interval. The condition is applicable only to devices that were added to the Administration Server database 7 days ago or earlier.

More than 1 day.

Databases are outdated

The device is visible on the network and a security application is installed on the device, but the anti-virus databases have not been updated on this device within the specified time interval. The condition is applicable only to devices that were added to the Administration Server database 1 day ago or earlier.

More than 1 day.

Not connected in a long time

Network Agent is installed on the device, but the device has not connected to an Administration Server within the specified time interval, because the device was turned off.

More than 1 day.

Active threats are detected

The number of unprocessed objects in the ACTIVE THREATS folder exceeds the specified value.

More than 0 items.

Restart is required

The device is visible on the network, but an application has required a restart of the device for longer than the specified time interval, for one of the selected reasons.

More than 0 minutes.

Incompatible applications are installed

The device is visible on the network, but software inventory performed through Network Agent has detected incompatible applications installed on the device.

  • Toggle button is off.
  • Toggle button is on.

Software vulnerabilities have been detected

The device is visible on the network and Network Agent is installed on the device, but the Find vulnerabilities and required updates task has detected vulnerabilities with the specified severity level in applications installed on the device.

  • Critical.
  • High.
  • Medium.
  • Ignore if the vulnerability cannot be fixed.
  • Ignore if an update is assigned for installation.

License expired

The device is visible on the network, but the license has expired.

  • Toggle button is off.
  • Toggle button is on.

License expires soon

The device is visible on the network, but the license will expire on the device in less than the specified number of days.

More than 0 days.

Check for Windows Update updates has not been performed in a long time

The device is visible on the network, but the Perform Windows Update synchronization task has not been run within the specified time interval.

More than 1 day.

Invalid encryption status

Network Agent is installed on the device, but the device encryption result is equal to the specified value.

  • Does not comply with the policy due to the user's refusal (for external devices only).
  • Does not comply with the policy due to an error.
  • Restart is required when applying the policy.
  • No encryption policy is specified.
  • Not supported.
  • When applying the policy.

Mobile device settings do not comply with the policy

The mobile device settings are other than the settings that were specified in the Kaspersky Endpoint Security for Android policy during the check of compliance rules.

  • Toggle button is off.
  • Toggle button is on.

Unprocessed incidents detected

Some unprocessed incidents have been found on the device. Incidents can be created either automatically, through managed Kaspersky applications installed on the client device, or manually by the administrator.

  • Toggle button is off.
  • Toggle button is on.

Device status defined by application

The status of the device is defined by the managed application.

  • Toggle button is off.
  • Toggle button is on.

Device is out of disk space

Free disk space on the device is less than the specified value or the device could not be synchronized with the Administration Server. The Critical or Warning status is changed to the OK status when the device is successfully synchronized with the Administration Server and free space on the device is greater than or equal to the specified value.

More than 0 MB.

Device has become unmanaged

During device discovery, the device was recognized as visible on the network, but more than three attempts to synchronize with the Administration Server failed.

  • Toggle button is off.
  • Toggle button is on.

Protection is disabled

The device is visible on the network, but the security application on the device has been disabled for longer than the specified time interval.

More than 0 minutes.

Security application is not running

The device is visible on the network and a security application is installed on the device but is not running.

  • Toggle button is off.
  • Toggle button is on.

Kaspersky Security Center allows you to set up automatic switching of the status of a device in an administration group when specified conditions are met. When specified conditions are met, the client device is assigned one of the following statuses: Critical or Warning. When specified conditions are not met, the client device is assigned the OK status.

Different statuses may correspond to different values of one condition. For example, by default, if the Databases are outdated condition has the More than 3 days value, the client device is assigned the Warning status; if the value is More than 7 days, the Critical status is assigned.

If you upgrade the Kaspersky Security Center from the previous version, the values of the Databases are outdated condition for assigning the status to Critical or Warning do not change.

When Kaspersky Security Center assigns a status to a device, for some conditions (see the Condition description column) the visibility flag is taken into consideration. For example, if a managed device was assigned the Critical status because the Databases are outdated condition was met, and later the visibility flag was set for the device, then the device is assigned the OK status.
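The following is an added example of the status-assignment logic described above, written for this page; it is not Kaspersky Security Center code. It models a handful of the conditions from the table (which ones depend on the visibility flag follows the Condition description column), checks Critical before Warning so that the stricter status wins, and returns OK when no enabled condition is met. The 3-day and 7-day thresholds for Databases are outdated are the defaults quoted on this page; every other threshold, the `DeviceState` fields and the sample fleet are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class DeviceState:
    """Constructed view of one managed device (illustration only, not a KSC data structure)."""
    name: str
    visible: bool                  # visibility flag; Not Visible after 2 hours unseen on the network
    security_app_installed: bool
    databases_age_days: int        # days since the anti-virus databases were updated
    days_since_connection: int     # days since the device last connected to Administration Server
    active_threats: int            # unprocessed objects in the ACTIVE THREATS folder
    protection_disabled_minutes: int


# Condition name -> (requires the device to be visible, predicate on (device, configured value)).
# Conditions whose description starts with "The device is visible on the network" are never
# met for a Not Visible device; the others ignore the visibility flag.
CONDITIONS = {
    "security_app_missing": (False, lambda d, v: not d.security_app_installed),
    "databases_outdated_days": (True, lambda d, v: d.security_app_installed and d.databases_age_days > v),
    "not_connected_days": (False, lambda d, v: d.days_since_connection > v),
    "active_threats": (False, lambda d, v: d.active_threats > v),
    "protection_disabled_minutes": (True, lambda d, v: d.protection_disabled_minutes > v),
}

# Per-status values. None means the condition's toggle is off for that status.
# 3 / 7 days for Databases are outdated are the page's defaults; the rest are assumptions.
DEFAULT_RULES = {
    "Critical": {
        "security_app_missing": True,
        "databases_outdated_days": 7,
        "not_connected_days": 7,
        "active_threats": 0,
        "protection_disabled_minutes": 60,
    },
    "Warning": {
        "security_app_missing": None,
        "databases_outdated_days": 3,
        "not_connected_days": 1,
        "active_threats": None,
        "protection_disabled_minutes": 10,
    },
}


def evaluate_status(device, rules=DEFAULT_RULES):
    """Return (status, conditions met). Critical is evaluated first, so a device meeting
    both a Critical and a Warning condition is Critical; no enabled condition met means OK."""
    for status in ("Critical", "Warning"):
        met = []
        for name, value in rules[status].items():
            if value is None:
                continue  # toggle off for this status
            needs_visibility, predicate = CONDITIONS[name]
            if needs_visibility and not device.visible:
                continue  # condition applies only to visible devices
            if predicate(device, value):
                met.append(name)
        if met:
            return status, met
    return "OK", []


def evaluate_fleet(fleet, rules=DEFAULT_RULES):
    return {d.name: evaluate_status(d, rules)[0] for d in fleet}


# Constructed sample fleet.
SAMPLE_FLEET = [
    DeviceState("ws-01", True, True, 5, 0, 0, 0),    # databases 5 days old -> Warning
    DeviceState("ws-02", True, True, 10, 0, 0, 0),   # databases 10 days old -> Critical
    DeviceState("ws-03", False, True, 10, 0, 0, 0),  # same, but Not Visible -> OK (as in the text above)
    DeviceState("ws-04", True, True, 0, 0, 2, 0),    # two active threats -> Critical
    DeviceState("ws-05", False, True, 0, 3, 0, 0),   # not connected for 3 days -> Warning
    DeviceState("ws-06", True, False, 0, 0, 0, 0),   # no security application -> Critical
]

if __name__ == "__main__":
    for dev in SAMPLE_FLEET:
        print(dev.name, *evaluate_status(dev))
```

Device ws-03 is the case described in the paragraph above: the same outdated databases that make ws-02 Critical are ignored once the device is Not Visible, so it is reported as OK. Device ws-05 shows the opposite: Not connected in a long time does not depend on visibility, so an invisible device still gets Warning.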

See also:

Configuring the switching of device statuses

Page top
[Topic 191051_1]

Configuring the switching of device statuses

You can change conditions to assign the Critical or Warning status to a device.

To enable changing the device status to Critical:

  1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.
  2. In the list of groups that opens, click the link with the name of the group for which you want to change the switching of device statuses.
  3. In the properties window that opens, select the Device status tab.
  4. In the left pane, select Critical.
  5. In the right pane, in the Set to Critical if these are specified section, enable the condition to switch a device to the Critical status.

    You can change only settings that are not locked in the parent policy.

  6. Select the radio button next to the condition in the list.
  7. In the upper-left corner of the list, click the Edit button.
  8. Set the required value for the selected condition.

    Values cannot be set for every condition.

  9. Click OK.

When specified conditions are met, the managed device is assigned the Critical status.

To enable changing the device status to Warning:

  1. In the main menu, go to DEVICES → HIERARCHY OF GROUPS.
  2. In the list of groups that opens, click the link with the name of the group for which you want to change the switching of device statuses.
  3. In the properties window that opens, select the Device status tab.
  4. In the left pane, select Warning.
  5. In the right pane, in the Set to Warning if these are specified section, enable the condition to switch a device to the Warning status.

    You can change only settings that are not locked in the parent policy.

  6. Select the radio button next to the condition in the list.
  7. In the upper-left corner of the list, click the Edit button.
  8. Set the required value for the selected condition.

    Values cannot be set for every condition.

  9. Click OK.

When specified conditions are met, the managed device is assigned the Warning status.

See also:

Notifications and device statuses

About device statuses

Scenario: Monitoring and reporting

Scenario: Configuring network protection

Page top
[Topic 181770]

Configuring notification delivery


You can configure notification about events occurring in Kaspersky Security Center. Depending on the notification method chosen, the following types of notifications are available:

  • Email—When an event occurs, Kaspersky Security Center sends a notification to the email addresses specified.
  • SMS—When an event occurs, Kaspersky Security Center sends a notification to the phone numbers specified.
  • Executable file—When an event occurs, the executable file is run on the Administration Server.

To configure notification delivery of events occurring in Kaspersky Security Center:

  1. At the top of the screen, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens with the General tab selected.

  2. Click the Notification section, and in the right pane select the tab for the notification method you want:
    • Email

      The Email tab allows you to configure event notification by email.

      In the Recipients (email addresses) field, specify the email addresses to which the application will send notifications. You can specify multiple addresses in this field, by separating them with semicolons.

      In the SMTP servers field, specify mail server addresses, separating them with semicolons. You can use the IP address or the Windows network name (NetBIOS name) of the device as the address.

      In the SMTP server port field, specify the number of an SMTP server communication port. The default port number is 25.

      If you enable the Use DNS MX lookup option, Administration Server resolves the DNS name of the SMTP server through its MX records, so that several IP addresses can be used for the same DNS name. The same DNS name may have several MX records with different priority values for receiving email messages. Administration Server attempts to send email notifications to the SMTP servers in ascending order of MX record priority.

      If you enable the Use DNS MX lookup option and do not enable usage of TLS settings, we recommend that you use the DNSSEC settings on your server device as an additional measure of protection for sending email notifications.

      If you enable the Use ESMTP authentication option, you can specify the ESMTP authentication settings in the User name and Password fields. By default, the option is disabled, and the ESMTP authentication settings are not available.

      You can specify TLS settings of connection with an SMTP server:

      • Do not use TLS

      You can select this option if you want to disable encryption of email messages.

      • Use TLS if supported by SMTP server

      You can select this option if you want to use a TLS connection to an SMTP server. If the SMTP server does not support TLS, Administration Server connects to the SMTP server without using TLS.

      • Always use TLS, check the server certificate for validity

      You can select this option if you want to use TLS authentication settings. If the SMTP server does not support TLS, Administration Server cannot connect to the SMTP server.

      We recommend that you use this option for better protection of the connection with an SMTP server. If you select this option, you can set authentication settings for a TLS connection.

      If you select Always use TLS, check the server certificate for validity value, you can specify a certificate for authentication of the SMTP server and choose whether you want to enable communication through any version of TLS or only through TLS 1.2 or later versions. Also, you can specify a certificate for client authentication on the SMTP server.

      You can specify certificates for a TLS connection by clicking the Specify certificate link:

      • Browse for an SMTP server certificate file:

      You can receive a file with the list of certificates from a trusted certification authority and upload the file to Administration Server. Kaspersky Security Center checks whether the certificate of the SMTP server is signed by one of those trusted certification authorities. Kaspersky Security Center cannot connect to an SMTP server if the certificate of the SMTP server was not issued by a trusted certification authority.

      • Browse for a client certificate file:

      You can use a certificate that you received from any source, for example, from any trusted certification authority. You must specify the certificate and its private key by using one of the following certificate types:

      • X-509 certificate:

      You must specify a file with the certificate and a file with the private key. The two files do not depend on each other, and the order in which they are loaded is not significant. When both files are loaded, you must specify the password for decrypting the private key. The password can be empty if the private key is not encrypted.

      • pkcs12 container:

      You must upload a single file that contains the certificate and its private key. When the file is loaded, you must then specify the password for decrypting the private key. The password can be empty if the private key is not encrypted.

      In the Subject field, specify the email subject. You can leave this field empty.

      In the Subject template drop-down list, select the template for your subject. A variable determined by the selected template is placed automatically in the Subject field. You can construct an email subject selecting several subject templates.

      In the Sender email address field, specify the sender email address. If you leave this field empty, by default, the recipient address is used. It is not recommended to use fictitious email addresses.

      The Notification message field contains standard text with information about the event that the application sends when an event occurs. This text includes substitute parameters, such as event name, device name, and domain name. You can edit the message text by adding other substitute parameters with more relevant details about the event.

      If the notification text contains a percent sign (%), you have to type it twice in a row to allow message sending. For example, "CPU load is 100%%".

      Clicking the Configure numeric limit of notifications link allows you to specify the maximum number of notifications that the application can send over the specified time interval.

      Clicking the Send test message button allows you to check whether you configured notifications properly: the application sends a test notification to the email addresses that you specified.

    • SMS

      The SMS tab allows you to configure the transmission of SMS notifications about various events to a cell phone. SMS messages are sent through a mail gateway.

      In the SMTP servers field, specify mail server addresses, separating them with semicolons. You can use the IP address or the Windows network name (NetBIOS name) of the device as the address.

      In the SMTP server port field, specify the number of an SMTP server communication port. The default port number is 25.

      If the Use ESMTP authentication option is enabled, you can specify the ESMTP authentication settings in the User name and Password fields. By default, the option is disabled, and the ESMTP authentication settings are not available.

      You can specify TLS settings of connection with an SMTP server:

      • Do not use TLS

      You can select this option if you want to disable encryption of email messages.

      • Use TLS if supported by SMTP server

      You can select this option if you want to use a TLS connection to an SMTP server. If the SMTP server does not support TLS, Administration Server connects to the SMTP server without using TLS.

      • Always use TLS, check the server certificate for validity

      You can select this option if you want to use TLS authentication settings. If the SMTP server does not support TLS, Administration Server cannot connect to the SMTP server.

      We recommend that you use this option for better protection of the connection with an SMTP server. If you select this option, you can set authentication settings for a TLS connection.

      If you select Always use TLS, check the server certificate for validity value, you can specify a certificate for authentication of the SMTP server and choose whether you want to enable communication through any version of TLS or only through TLS 1.2 or later versions. Also, you can specify a certificate for client authentication on the SMTP server.

      You can specify the SMTP server certificate file by clicking the Specify certificate link:

      You can receive a file with the list of certificates from a trusted certification authority and upload the file to Administration Server. Kaspersky Security Center checks whether the certificate of the SMTP server is signed by one of those trusted certification authorities. Kaspersky Security Center cannot connect to an SMTP server if the certificate of the SMTP server was not issued by a trusted certification authority.

      In the Recipients (email addresses) field, specify the email addresses to which the application will send notifications. You can specify multiple addresses in this field, by separating them with semicolons. The notifications will be delivered to the phone numbers associated with the specified email addresses.

      In the Subject field, specify the email subject.

      In the Subject template drop-down list, select the template for your subject. A variable determined by the selected template is placed automatically in the Subject field. You can construct an email subject by selecting several subject templates.

      In the Sender email address field, specify the sender email address. If you leave this field empty, by default, the recipient address is used. It is not recommended to use fictitious email addresses.

      In the Phone numbers of SMS message recipients field, specify the cell phone numbers of the SMS notification recipients.

      In the Notification message field, specify a text with information about the event that the application sends when an event occurs. This text can include substitute parameters, such as event name, device name, and domain name.

      If the notification text contains a percent sign (%), you have to type it twice in a row to allow message sending. For example, "CPU load is 100%%".

      Click the Configure numeric limit of notifications link to specify the maximum number of notifications that the application can send during the specified time interval.

      Click the Send test message button to check whether you configured notifications properly: the application sends a test notification to the recipient that you specified.

    • Executable file to be run

      If this notification method is selected, in the entry field you can specify the application that will start when an event occurs.

      In the Executable file to be run on the Administration Server when an event occurs field, specify the folder and the name of the file to be run. Before specifying the file, prepare the file and specify the placeholders that define the event details to be sent in the notification message. The folder and the file that you specify must be located on the Administration Server.

      Clicking the Configure numeric limit of notifications link allows you to specify the maximum number of notifications that the application can send during the specified time interval.

  3. On the tab, define the notification settings.
  4. Click the OK button to close the Administration Server properties window.

The saved notification delivery settings are applied to all events that occur in Kaspersky Security Center.

You can override notification delivery settings for certain events in the Event configuration section of the Administration Server settings, of a policy's settings, or of an application's settings.
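The MX-ordering and TLS-mode behavior described in the Email and SMS tabs above, modeled as an added Python example over constructed data. This is not Kaspersky's code: the server objects, the host names and the assumption that delivery moves on to the next MX host after a connection is refused by policy are this example's own.

```python
"""Model of outbound SMTP delivery choices: MX records tried in ascending
priority order, and the three TLS modes (no TLS, opportunistic TLS, mandatory
TLS with certificate validation). Pure logic over constructed data; no network
access. Example code, not Kaspersky Security Center's implementation."""
from dataclasses import dataclass

NO_TLS = "Do not use TLS"
TLS_IF_SUPPORTED = "Use TLS if supported by SMTP server"
ALWAYS_TLS = "Always use TLS, check the server certificate for validity"


@dataclass(frozen=True)
class MxRecord:
    priority: int  # lower value = tried first
    host: str


@dataclass(frozen=True)
class SmtpServer:
    """Constructed stand-in for a mail host's observable properties."""
    host: str
    reachable: bool
    starttls: bool      # the server advertises STARTTLS
    cert_trusted: bool  # its certificate chains to an uploaded trusted CA


def order_mx(records):
    """Return MX hosts sorted by ascending priority (ties keep input order)."""
    return [r.host for r in sorted(records, key=lambda r: r.priority)]


def negotiate(mode, server):
    """Decide how one connection is made under a TLS mode.
    Returns "plaintext", "tls", or None when the policy forbids sending."""
    if mode == NO_TLS:
        return "plaintext"
    if mode == TLS_IF_SUPPORTED:
        # Opportunistic: falls back to plaintext when STARTTLS is absent, so a
        # host (or an on-path party) that omits the capability gets cleartext.
        return "tls" if server.starttls else "plaintext"
    if mode == ALWAYS_TLS:
        if server.starttls and server.cert_trusted:
            return "tls"
        return None  # no TLS, or certificate not from a trusted CA: refuse
    raise ValueError(f"unknown TLS mode: {mode!r}")


def choose_delivery(mode, records, servers):
    """Walk MX hosts in priority order; return (host, transport) for the first
    host that is reachable and permitted by the policy, or None.
    Assumption (not stated on the page): a host refused by policy is skipped
    and the next MX host is tried."""
    by_host = {s.host: s for s in servers}
    for host in order_mx(records):
        server = by_host.get(host)
        if server is None or not server.reachable:
            continue
        transport = negotiate(mode, server)
        if transport is not None:
            return host, transport
    return None


# Constructed sample data: two MX records for one domain. The preferred host
# lacks STARTTLS; the backup host supports TLS with a trusted certificate.
SAMPLE_MX = [MxRecord(20, "mx2.example.test"), MxRecord(10, "mx1.example.test")]
SAMPLE_SERVERS = [
    SmtpServer("mx1.example.test", reachable=True, starttls=False, cert_trusted=False),
    SmtpServer("mx2.example.test", reachable=True, starttls=True, cert_trusted=True),
]

if __name__ == "__main__":
    for mode in (NO_TLS, TLS_IF_SUPPORTED, ALWAYS_TLS):
        print(f"{mode}: {choose_delivery(mode, SAMPLE_MX, SAMPLE_SERVERS)}")
```

Running the sample shows why the page recommends the "Always use TLS" option: with "Use TLS if supported", the highest-priority host mx1 has no STARTTLS, so the notification goes out in plaintext even though a TLS-capable host exists further down the MX list; with "Always use TLS", mx1 is refused and mx2 is used over TLS.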

See also:

Scenario: Monitoring and reporting

Page top
[Topic 180968]

Event notifications displayed by running an executable file

Kaspersky Security Center can notify the administrator about events on client devices by running an executable file. That executable file must in turn run another executable file that uses placeholders for the event details to be relayed to the administrator.

Placeholders for describing an event

Placeholder                        Placeholder description
%SEVERITY%                         Event importance level
%COMPUTER%                         Name of the device where the event occurred
%DOMAIN%                           Domain
%EVENT%                            Event
%DESCR%                            Event description
%RISE_TIME%                        Time created
%KLCSAK_EVENT_TASK_DISPLAY_NAME%   Task name
%KL_PRODUCT%                       Kaspersky Security Center Network Agent
%KL_VERSION%                       Network Agent version number
%HOST_IP%                          IP address
%HOST_CONN_IP%                     Connection IP address

Example:

Event notifications are sent by an executable file (such as script1.bat) inside which another executable file (such as script2.bat) with the %COMPUTER% placeholder is launched. When an event occurs, the script1.bat file is run on the administrator's device, which, in turn, runs the script2.bat file with the %COMPUTER% placeholder. The administrator then receives the name of the device where the event occurred.
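Placeholder expansion for a notification text, as an added Python example that also covers the Notification message fields of the Email and SMS tabs, where a literal percent sign must be typed as "%%". This is not Kaspersky's implementation: the regex-based matching, the decision to leave unknown placeholder names untouched, and the sample event values are this example's assumptions.

```python
"""Expand the %NAME% placeholders from the table above in a notification
template and collapse "%%" to a single "%". Example code with a constructed
sample event, not Kaspersky Security Center's own substitution logic."""
import re

# Placeholder names listed in the table above.
KNOWN_PLACEHOLDERS = {
    "SEVERITY", "COMPUTER", "DOMAIN", "EVENT", "DESCR", "RISE_TIME",
    "KLCSAK_EVENT_TASK_DISPLAY_NAME", "KL_PRODUCT", "KL_VERSION",
    "HOST_IP", "HOST_CONN_IP",
}

# "%%" is listed first so a doubled percent sign is consumed before the
# %NAME% alternative can treat it as the start of a placeholder.
_TOKEN = re.compile(r"%%|%([A-Z_]+)%")


def render(template, event):
    """Expand known placeholders from `event` and collapse "%%" to "%".

    Unknown placeholder names are left as written so a typo stays visible in
    the delivered message (assumption of this example). A bare "%" that is
    neither doubled nor part of a placeholder raises ValueError, mirroring the
    page's rule that such a text cannot be sent.
    """
    # Strip every well-formed token; any "%" left over is unescaped.
    if "%" in _TOKEN.sub("", template):
        raise ValueError("unescaped '%' in notification text; write it as '%%'")

    def substitute(match):
        if match.group(0) == "%%":
            return "%"
        name = match.group(1)
        if name in KNOWN_PLACEHOLDERS and name in event:
            return str(event[name])
        return match.group(0)

    return _TOKEN.sub(substitute, template)


def escape_literal(text):
    """Double every percent sign in free text an operator adds to a message."""
    return text.replace("%", "%%")


def is_sendable(template):
    """True when the template contains no unescaped percent sign."""
    try:
        render(template, {})
    except ValueError:
        return False
    return True


# Constructed sample event; the values are illustrative, not from the page.
SAMPLE_EVENT = {
    "SEVERITY": "Critical",
    "COMPUTER": "WS-042",
    "DOMAIN": "corp.example",
    "EVENT": "Virus outbreak",
    "DESCR": "Malicious object detected",
    "RISE_TIME": "2024-01-01 10:00:00",
    "HOST_IP": "10.0.0.42",
}

if __name__ == "__main__":
    template = "%SEVERITY%: %EVENT% on %COMPUTER%.%DOMAIN% (CPU load 100%%)"
    print(render(template, SAMPLE_EVENT))
    print(is_sendable("CPU load is 100%"), is_sendable("CPU load is 100%%"))
```

The unescaped-percent check runs before substitution, so a message such as "CPU load is 100%" is rejected up front rather than producing a partially expanded text; wrapping operator-supplied free text with escape_literal before it goes into the template avoids that failure.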

Page top
[Topic 84509_1]

Kaspersky announcements

This section describes how to use, configure, and disable Kaspersky announcements.

In this section

About Kaspersky announcements

Specifying Kaspersky announcements settings

Disabling Kaspersky announcements

Page top
[Topic 233385]

About Kaspersky announcements

The Kaspersky announcements section (MONITORING & REPORTING → Kaspersky announcements) keeps you informed by providing information related to your version of Kaspersky Security Center and the managed applications installed on the managed devices. Kaspersky Security Center periodically updates the information in the section by removing outdated announcements and adding new information.

Administration Server must have an internet connection to receive Kaspersky announcements.

The announcements include information of the following types:

  • Security-related announcements

    Security-related announcements are intended to keep the Kaspersky applications installed in your network up-to-date and fully functional. The announcements may include information about critical updates for Kaspersky applications, fixes for found vulnerabilities, and ways to fix other issues in Kaspersky applications. Security-related announcements are enabled by default. If you do not want to receive the announcements, you can disable this feature.

    To show you the information that corresponds to your network protection configuration, Kaspersky Security Center sends data to Kaspersky cloud servers and receives only those announcements that relate to the Kaspersky applications installed in your network. The data set that can be sent to the servers is described in the End User License Agreement that you accept when you install Kaspersky Security Center Administration Server.

  • Marketing announcements

    Marketing announcements include information about special offers for your Kaspersky applications, advertisements, and news from Kaspersky. Marketing announcements are disabled by default. You receive this type of announcements only if you enabled Kaspersky Security Network (KSN). You can disable marketing announcements by disabling KSN.

    To show you only relevant information that might be helpful in protecting your network devices and in your everyday tasks, Kaspersky Security Center sends data to Kaspersky cloud servers and receives the appropriate announcements. The data set that can be sent to the servers is described in the Processed Data section of the KSN Statement.

New information is divided into the following categories, according to importance:

  1. Critical info
  2. Important news
  3. Warning
  4. Info

When new information appears in the Kaspersky announcements section, Kaspersky Security Center 13.1 Web Console displays a notification label that corresponds to the importance level of the announcements. You can click the label to view this announcement in the Kaspersky announcements section.

You can specify the Kaspersky announcements settings, including the announcement categories that you want to view and where to display the notification label.

See also:

Specifying Kaspersky announcements settings

Disabling Kaspersky announcements

About KSN

Page top
[Topic 210552]

Specifying Kaspersky announcements settings

In the Kaspersky announcements section, you can specify the Kaspersky announcements settings, including the categories of the announcements that you want to view and where to display the notification label.

To configure Kaspersky announcements:

  1. In the main menu, go to MONITORING & REPORTING → KASPERSKY ANNOUNCEMENTS.
  2. Click the Settings link.

    The Kaspersky announcement settings window opens.

  3. Specify the following settings:
    • Select the importance level of the announcements that you want to view. The announcements of other categories will not be displayed.
    • Select where you want to see the notification label. The label can be displayed in all console sections, or in the MONITORING & REPORTING section and its subsections.
  4. Click the OK button.

    The Kaspersky announcement settings are specified.

See also:

About Kaspersky announcements

Disabling Kaspersky announcements

Page top
[Topic 210635]

Disabling Kaspersky announcements

The Kaspersky announcements section (MONITORING & REPORTING → Kaspersky announcements) keeps you informed by providing information related to your version of Kaspersky Security Center and managed applications installed on the managed devices. If you do not want to receive Kaspersky announcements, you can disable this feature.

The Kaspersky announcements include two types of information: security-related announcements and marketing announcements. You can disable the announcements of each type separately.

To disable security-related announcements:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Kaspersky announcements section.
  3. Switch the toggle button to the Security-related announcements DISABLED position.
  4. Click the Save button.

    Kaspersky announcements are disabled.

Marketing announcements are disabled by default. You receive marketing announcements only if you enabled Kaspersky Security Network (KSN). You can disable this type of announcement by disabling KSN.

To disable marketing announcements:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the KSN Proxy settings section.
  3. Disable the Use Kaspersky Security Network ENABLED option.
  4. Click the Save button.

    Marketing announcements are disabled.

See also:

About Kaspersky announcements

Specifying Kaspersky announcements settings

Page top
[Topic 210639]

Viewing information about the detects of threats

You can enable or disable displaying information about alerts.

To enable or disable displaying the ALERTS section in the main menu:

  1. In the main menu, go to your account settings and select Interface options.
  2. In the Interface options window that opens, enable or disable the Show EDR alerts option.
  3. Click Save.

The console displays the ALERTS subsection in the MONITORING & REPORTING section of the main menu. In the ALERTS subsection, you can view information about the detects of threats on the endpoint devices. If you add a license key for EDR Optimum, Kaspersky Security Center 13.1 Web Console automatically displays the ALERTS subsection in the MONITORING & REPORTING section of the main menu. You can also add a widget that displays information about alerts. If you installed the EDR Optimum plug-in, you can view detailed information about detected threats by clicking the More details link.

See also:

Scenario: Monitoring and reporting

Page top
[Topic 215743]