Detection and response widgets

On the Detection and response tab, you can add, configure, and delete widgets.

A selection of widgets used in the Detection and response tab is called a layout. All widgets must be placed in layouts. Kaspersky Next XDR Expert allows you to create, edit, and delete layouts. Preconfigured layouts are also available. You can edit widget settings in the preconfigured layouts as necessary. By default, the Alerts Overview layout is selected on the Detection and response tab.

The widget displays data for the period selected in the widget or layout settings only for the tenants that are selected in the widget or layout settings.

By clicking the link with the name of the widget about events, alerts, incidents, or active lists, you can go to the corresponding section of the Kaspersky Next XDR Expert interface. Note that this option is not available for some widgets.

The following widget groups and widgets are available on the Detection and response tab of the dashboard:

• Events. Widget for creating analytics based on events.
• Active lists. Widget for creating analytics based on active lists of correlators.
• Alerts. Group for analytics related to alerts. Includes information about alerts and incidents that is provided by Kaspersky Next XDR Expert.

  The group includes the following widgets:

  • Active alerts. Number of alerts that have not been closed.
  • Active alerts by tenant. Number of unclosed alerts for each tenant.
  • Alerts by tenant. Number of alerts of all statuses for each tenant.
  • Unassigned alerts. Number of alerts that have the New status.
  • Alerts by status. Number of alerts that have the New, Opened, Assigned, or Escalated status. The grouping is by status.
  • Latest alerts. Table with information about the last 10 unclosed alerts belonging to the tenants selected in the layout.
  • Alerts distribution. Number of alerts created during the period configured for the widget.
  • Alerts by assignee. Number of alerts with the Assigned status. The grouping is by account name.
  • Alerts by severity. Number of unclosed alerts grouped by their severity.
  • Alerts by rule. Number of unclosed alerts grouped by correlation rule.
• Assets. Group for analytics related to assets from processed events. This group includes the following widgets:
  • Affected assets in alerts. Table with the names of assets and related tenants, and the number of unclosed alerts that are associated with these assets. The moving from the widget to the section with the asset list is not available.
  • Affected asset categories. Categories of assets linked to unclosed alerts.
  • Number of assets. Number of assets that were added to Kaspersky Next XDR Expert.
  • Assets in incidents by tenant. Number of assets associated with unclosed incidents. The grouping is by tenant.
  • Assets in alerts by tenant. Number of assets associated with unclosed alerts, grouped by tenant.
• Incidents. Group for analytics related to incidents.

  The group includes the following widgets:

  • Active incidents. Number of incidents that have not been closed.
  • Unassigned incidents. Number of incidents that have the Opened status.
  • Incidents distribution. Number of incidents created during the period configured for the widget.
  • Incidents by status. Number of incidents grouped by status.
  • Active incidents by tenant. Number of unclosed incidents grouped by tenant available to the user account.
  • All incidents. Number of incidents of all statuses.
  • All incidents by tenant. Number of incidents of all statuses, grouped by tenant.
  • Affected assets categories in incidents. Asset categories associated with unclosed incidents.
  • Latest incidents. Table with information about the last 10 unclosed incidents belonging to the tenants selected in the layout.
  • Incidents by assignee. Number of incidents with the Assigned status. The grouping is by user account name.
  • Incidents by severity. Number of unclosed incidents grouped by their severity.
  • Affected assets in incidents. Number of assets associated with unclosed incidents. The moving from the widget to the section with the asset list is not available.
  • Affected users in incidents. Users associated with incidents. The moving from the widget to the section with the user list is not available.
• Event sources. Group for analytics related to sources of events. The group includes the following widgets:
  • Top event sources by alerts number. Number of unclosed alerts grouped by event source.
  • Top event sources by convention rate. Number of events associated with unclosed alerts. The grouping is by event source.

    In some cases, the number of alerts generated by sources may be inaccurate. To obtain accurate statistics, it is recommended to specify the Device Product event field as unique in the correlation rule, and enable storage of all base events in a correlation event. However, correlation rules with these settings consume more resources.

• Users. Group for analytics related to users from processed events. The group includes the following widgets:
  • Affected users in alerts. Number of accounts related to unclosed alerts. The moving from the widget to the section with the user list is not available.
  • Number of AD users. Number of Active Directory accounts received via LDAP during the period configured for the widget.

In the events table, in the event details area, in the alert window, and in the widgets, the names of assets, accounts, and services are displayed instead of the IDs as the values of the SourceAssetID, DestinationAssetID, DeviceAssetID, SourceAccountID, DestinationAccountID, and ServiceID fields. When exporting events to a file, the IDs are saved, but columns with names are added to the file. The IDs are also displayed when you point the mouse over the names of assets, accounts, or services.
Searching for fields with IDs is only possible using IDs.

Page top