Detection and response widgets
On the Detection and response tab, you can add, configure, and delete widgets.
A selection of widgets used in the Detection and response tab is called a layout. All widgets must be placed in layouts. Kaspersky Next XDR Expert allows you to create, edit, and delete layouts. Preconfigured layouts are also available. You can edit widget settings in the preconfigured layouts as necessary. By default, the Alerts Overview layout is selected on the Detection and response tab.
A widget displays data only for the period and only for the tenants selected in the widget or layout settings.
By clicking the link with the name of the widget about events, alerts, incidents, or active lists, you can go to the corresponding section of the Kaspersky Next XDR Expert interface. Note that this option is not available for some widgets.
The following widget groups and widgets are available on the Detection and response tab of the dashboard:
- Events. Widget for creating analytics based on events.
- Active lists. Widget for creating analytics based on active lists of correlators.
- Alerts. Group for analytics related to alerts. Includes information about alerts and incidents that is provided by Kaspersky Next XDR Expert.
The group includes the following widgets:
- Active alerts. Number of alerts that have not been closed.
- Active alerts by tenant. Number of unclosed alerts for each tenant.
- Alerts by tenant. Number of alerts of all statuses for each tenant.
- Unassigned alerts. Number of alerts that have the New status.
- Alerts by status. Number of alerts that have the New, Opened, Assigned, or Escalated status. The grouping is by status.
- Latest alerts. Table with information about the last 10 unclosed alerts belonging to the tenants selected in the layout.
- Alerts distribution. Number of alerts created during the period configured for the widget.
- Alerts by assignee. Number of alerts with the Assigned status. The grouping is by account name.
- Alerts by severity. Number of unclosed alerts grouped by their severity.
- Alerts by rule. Number of unclosed alerts grouped by correlation rule.
- Assets. Group for analytics related to assets from processed events. This group includes the following widgets:
- Affected assets in alerts. Table with the names of assets and related tenants, and the number of unclosed alerts that are associated with these assets. Navigating from this widget to the asset list section is not available.
- Affected asset categories. Categories of assets linked to unclosed alerts.
- Number of assets. Number of assets that were added to Kaspersky Next XDR Expert.
- Assets in incidents by tenant. Number of assets associated with unclosed incidents. The grouping is by tenant.
- Assets in alerts by tenant. Number of assets associated with unclosed alerts, grouped by tenant.
- Incidents. Group for analytics related to incidents.
The group includes the following widgets:
- Active incidents. Number of incidents that have not been closed.
- Unassigned incidents. Number of incidents that have the Opened status.
- Incidents distribution. Number of incidents created during the period configured for the widget.
- Incidents by status. Number of incidents grouped by status.
- Active incidents by tenant. Number of unclosed incidents grouped by tenant available to the user account.
- All incidents. Number of incidents of all statuses.
- All incidents by tenant. Number of incidents of all statuses, grouped by tenant.
- Affected assets categories in incidents. Asset categories associated with unclosed incidents.
- Latest incidents. Table with information about the last 10 unclosed incidents belonging to the tenants selected in the layout.
- Incidents by assignee. Number of incidents with the Assigned status. The grouping is by user account name.
- Incidents by severity. Number of unclosed incidents grouped by their severity.
- Affected assets in incidents. Number of assets associated with unclosed incidents. Navigating from this widget to the asset list section is not available.
- Affected users in incidents. Users associated with incidents. Navigating from this widget to the user list section is not available.
- Event sources. Group for analytics related to sources of events. The group includes the following widgets:
- Top event sources by alerts number. Number of unclosed alerts grouped by event source.
- Top event sources by convention rate. Number of events associated with unclosed alerts. The grouping is by event source.
In some cases, the number of alerts generated by sources may be inaccurate. To obtain accurate statistics, it is recommended to specify the Device Product event field as unique in the correlation rule, and enable storage of all base events in a correlation event. However, correlation rules with these settings consume more resources.
- Users. Group for analytics related to users from processed events. The group includes the following widgets:
- Affected users in alerts. Number of accounts related to unclosed alerts. Navigating from this widget to the user list section is not available.
- Number of AD users. Number of Active Directory accounts received via LDAP during the period configured for the widget.
In the events table, in the event details area, in the alert window, and in the widgets, the names of assets, accounts, and services are displayed instead of the IDs as the values of the SourceAssetID, DestinationAssetID, DeviceAssetID, SourceAccountID, DestinationAccountID, and ServiceID fields. When exporting events to a file, the IDs are saved, but columns with names are added to the file. The IDs are also displayed when you point the mouse over the names of assets, accounts, or services.
Searching for fields with IDs is only possible using IDs.
Creating a widget
You can create a widget in a dashboard layout while creating or editing the layout.
To create a widget:
- In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
- Create a layout or switch to editing mode for the selected layout.
- Click Add widget.
- Select a widget type from the drop-down list.
This opens the widget settings window.
- Edit the widget settings.
- If you want to see how the data will be displayed in the widget, click Preview.
- Click Add.
The widget appears in the dashboard layout.
Editing a widget
To edit a widget:
- In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
- Expand the list in the upper right corner of the window.
- Hover the mouse cursor over the relevant layout.
- Click the edit button.
The Customizing layout window opens.
- In the widget you want to edit, click the settings icon.
- Select Edit.
This opens the widget settings window.
- Edit the widget settings.
- Click Save in the widget settings window.
- Click Save in the Customizing layout window.
The widget is edited.
Deleting a widget
To delete a widget:
- In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
- Expand the list in the upper right corner of the window.
- Hover the mouse cursor over the relevant layout.
- Click the edit button.
The Customizing layout window opens.
- In the widget you want to delete, click the settings icon.
- Select Delete.
- In the opened confirmation window, click OK.
- Click the Save button.
The widget is deleted.
Creating a dashboard layout
To create a layout:
- In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
- Open the drop-down list in the top right corner of the window and select Create layout.
The New layout window opens.
- In the Tenants drop-down list, select the tenants that will own the created layout and whose data will be used to fill the widgets of the layout.
The selection of tenants in this drop-down list does not matter if you want to create a universal layout (see below).
- In the Time period drop-down list, select the time period from which you require analytics:
- 1 hour
- 1 day (this value is selected by default)
- 7 days
- 30 days
- In period—receive analytics for the custom time period. The time period is set using the calendar that is displayed when this option is selected.
The upper boundary of the period is not included in the time slice defined by it. In other words, to receive analytics for a 24-hour period, you should configure the period as Day 1, 00:00:00 – Day 2, 00:00:00 instead of Day 1, 00:00:00 – Day 1, 23:59:59.
- In the Refresh every drop-down list, select how often data should be updated in layout widgets:
- 1 minute
- 5 minutes
- 15 minutes
- 1 hour (this value is selected by default)
- 24 hours
- In the Add widget drop-down list, select the required widget and configure its settings.
You can add multiple widgets to the layout.
You can also drag widgets around the window and resize them using the button that appears when you hover the mouse over a widget.
You can edit or delete widgets added to the layout. To do this, click the settings icon and select Edit to change their configuration or Delete to delete them from the layout.
- In the Layout name field, enter a unique name for this layout. The name must contain 1 to 128 Unicode characters.
- If necessary, click the settings icon to the right of the layout name field and select the check boxes next to the additional layout settings:
- Universal—if you select this check box, layout widgets display data from tenants that you select in the Selected tenants section in the menu on the left. This means that the data in the layout widgets will change based on your selected tenants without having to edit the layout settings. For universal layouts, tenants selected in the Tenants drop-down list are not taken into account.
If this check box is cleared, layout widgets display data from the tenants that are selected in the Tenants drop-down list in the layout settings. If any of the tenants selected in the layout are not available to you, their data will not be displayed in the layout widgets.
You cannot use the Active Lists widget in universal layouts.
Universal layouts can only be created and edited by a user who has been assigned the Main administrator role. Such layouts can be viewed by all users.
- Show CII-related data—if you select this check box, layout widgets will also show data on assets, alerts, and incidents related to critical information infrastructure (CII). In this case, these layouts will be available for viewing only by users whose settings have the Access to CII facilities check box selected.
If this check box is cleared, layout widgets will not display data on CII-related assets, alerts, and incidents, even if the user has access to CII objects.
- Click Save.
The new layout is created and is displayed on the Detection and response tab of the dashboard.
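The tenant, time period and CII settings above determine which records a layout's widgets count. The following Python model is an added example, not Kaspersky Next XDR Expert code; the record fields (tenant, created, cii), the user and layout dictionaries and the function names are assumptions. It encodes the rules stated in the layout settings and shows why the period must be configured as Day 1, 00:00:00 – Day 2, 00:00:00: an alert created in the last second of Day 1 is dropped by a period that ends at 23:59:59.

```python
"""Model of how a layout scopes the data shown in its widgets.

Added example, not Kaspersky Next XDR Expert code. The record fields
(tenant, created, cii), the user/layout dictionaries and the function
names are assumptions; the rules they encode are the ones stated in the
layout settings: fixed vs. universal tenant selection, the half-open
time period, and the Show CII-related data check box.
"""
from datetime import datetime, timedelta


def in_period(ts: datetime, start: datetime, end: datetime) -> bool:
    """Half-open interval [start, end): the upper boundary is excluded."""
    return start <= ts < end


def visible_tenants(layout: dict, user: dict) -> set:
    """Tenants whose data the layout widgets show to this user."""
    if layout["universal"]:
        # Universal layout: the Tenants setting is ignored; the user's
        # "Selected tenants" choice drives the widgets.
        chosen = user["selected_tenants"]
    else:
        chosen = layout["tenants"]
    # Tenants the user cannot access are silently dropped, never added.
    return set(chosen) & set(user["accessible_tenants"])


def can_view_layout(layout: dict, user: dict) -> bool:
    """A layout showing CII data is viewable only with CII access."""
    return (not layout["show_cii"]) or user["cii_access"]


def select_records(records, layout, user, start, end):
    """Records a widget in this layout counts for this user and period."""
    if not can_view_layout(layout, user):
        return []
    tenants = visible_tenants(layout, user)
    kept = []
    for rec in records:
        if rec["tenant"] not in tenants:
            continue
        if not in_period(rec["created"], start, end):
            continue
        if rec["cii"] and not layout["show_cii"]:
            continue  # CII data hidden even for users who have CII access
        kept.append(rec)
    return kept


# Constructed sample data (not real alerts).
DAY1 = datetime(2024, 5, 1)
END_OPEN = DAY1 + timedelta(days=1)                              # Day 2, 00:00:00
END_CLOSED = DAY1 + timedelta(hours=23, minutes=59, seconds=59)  # Day 1, 23:59:59
RECORDS = [
    {"id": "a1", "tenant": "Main",    "created": DAY1 + timedelta(hours=1), "cii": False},
    {"id": "a2", "tenant": "Main",    "created": END_CLOSED + timedelta(milliseconds=500), "cii": False},
    {"id": "a3", "tenant": "Branch",  "created": DAY1 + timedelta(hours=12), "cii": True},
    {"id": "a4", "tenant": "Main",    "created": END_OPEN, "cii": False},  # exactly Day 2, 00:00:00
    {"id": "a5", "tenant": "Partner", "created": DAY1 + timedelta(hours=5), "cii": False},
    {"id": "a6", "tenant": "Branch",  "created": DAY1 + timedelta(hours=13), "cii": False},
]
USER = {"accessible_tenants": {"Main", "Branch"}, "selected_tenants": {"Branch"}, "cii_access": False}
USER_CII = {**USER, "cii_access": True}
FIXED_LAYOUT = {"universal": False, "tenants": {"Main", "Branch", "Partner"}, "show_cii": False}
UNIVERSAL_LAYOUT = {"universal": True, "tenants": {"Main"}, "show_cii": False}
CII_LAYOUT = {"universal": False, "tenants": {"Main", "Branch"}, "show_cii": True}


def ids(records):
    return [r["id"] for r in records]


if __name__ == "__main__":
    print("fixed, [Day1, Day2):      ", ids(select_records(RECORDS, FIXED_LAYOUT, USER, DAY1, END_OPEN)))
    print("fixed, [Day1, 23:59:59):  ", ids(select_records(RECORDS, FIXED_LAYOUT, USER, DAY1, END_CLOSED)))
    print("universal (Branch only):  ", ids(select_records(RECORDS, UNIVERSAL_LAYOUT, USER, DAY1, END_OPEN)))
    print("CII layout, no CII access:", ids(select_records(RECORDS, CII_LAYOUT, USER, DAY1, END_OPEN)))
    print("CII layout, CII access:   ", ids(select_records(RECORDS, CII_LAYOUT, USER_CII, DAY1, END_OPEN)))
```

With the fixed layout, the user sees Main and Branch only, because Partner is not among the tenants they can access; a2 (created at 23:59:59.5) is counted when the period ends at Day 2, 00:00:00 and lost when it ends at 23:59:59; a4, created exactly at the upper boundary, is never counted.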
Selecting a dashboard layout
To select a dashboard layout:
- In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
- Expand the list in the upper right corner of the window.
- Select the relevant layout.
The selected layout is displayed on the Detection and response tab of the dashboard.
Selecting a dashboard layout as the default
To set a dashboard layout as the default:
- In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
- Expand the list in the upper right corner of the window.
- Hover the mouse cursor over the relevant layout.
- Click the star icon.
The selected layout is displayed on the Detection and response tab of the dashboard by default.
Editing a dashboard layout
To edit a dashboard layout:
- In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
- Expand the list in the upper right corner of the window.
- Hover the mouse cursor over the relevant layout.
- Click the edit icon.
The Customizing layout window opens.
- Edit the dashboard layout. The settings that are available for editing are the same as the settings available when creating a layout.
- Click Save.
The dashboard layout is edited and displayed on the Detection and response tab.
If the layout is deleted or assigned to a different tenant while you are editing it, an error is displayed when you click Save. The layout is not saved. Refresh the Kaspersky Next XDR Expert interface page to see the list of available layouts in the drop-down list.
Deleting a dashboard layout
To delete a layout:
- In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
- Expand the list in the upper right corner of the window.
- Hover the mouse cursor over the relevant layout.
- Click the delete icon and confirm this action.
The layout is deleted.
Enabling and disabling TV mode
To present the Detection and response tab conveniently, you can enable TV mode. This mode shows the Detection and response tab of the dashboard in full-screen mode at FullHD resolution. In TV mode, you can also configure a slideshow of the selected layouts.
It is recommended to create a separate user account with the minimum set of rights required to display analytics in TV mode.
To enable TV mode:
- In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
- Click the settings icon in the upper-right corner.
The Settings window opens.
- Move the TV mode toggle switch to the Enabled position.
- To configure the slideshow display of the layouts, do the following:
- Move the Slideshow toggle switch to the Enabled position.
- In the Timeout field, specify how many seconds to wait before switching layouts.
- In the Queue drop-down list, select the layouts to view. If no layout is selected, the slideshow mode displays all layouts available to the user one after another.
- If necessary, change the order in which the layouts are displayed by dragging and dropping them.
- Click Save.
TV mode will be enabled. To return to working with the Kaspersky Next XDR Expert interface, disable TV mode.
To disable TV mode:
- In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
- Click the settings icon in the upper-right corner.
The Settings window opens.
- Move the TV mode toggle switch to the Disabled position.
- Click Save.
TV mode will be disabled. The left part of the screen shows a pane containing sections of the Kaspersky Next XDR Expert interface.
When you make changes to the layouts selected for the slideshow, those changes will automatically be applied to the active slideshow sessions.
Preconfigured dashboard layouts
Kaspersky Next XDR Expert includes a set of predefined layouts that contain the following widgets:
- Alerts Overview layout (Alert overview):
- Active alerts—number of alerts that have not been closed.
- Unassigned alerts—number of alerts that have no assignee.
- Latest alerts—table with information about the last 10 unclosed alerts belonging to the tenants selected in the layout.
- Alerts distribution—number of alerts created during the period configured for the widget.
- Alerts by priority—number of unclosed alerts grouped by their priority.
- Alerts by assignee—number of alerts with the Assigned status. The grouping is by account name.
- Alerts by status—number of alerts that have the New, Opened, Assigned, or Escalated status. The grouping is by status.
- Affected users in alerts—number of users associated with alerts that have the New, Assigned, or Escalated status. The grouping is by account name.
- Affected assets—table with information about the level of importance of assets and the number of unclosed alerts they are associated with.
- Affected assets categories—categories of assets associated with unclosed alerts.
- Top event source by alerts number—number of alerts with the New, Assigned, or Escalated status, grouped by alert source (DeviceProduct event field).
The widget displays up to 10 event sources.
- Alerts by rule—number of alerts with the New, Assigned, or Escalated status, grouped by correlation rules.
- Incidents Overview layout (Incidents overview):
- Active incidents—number of incidents that have not been closed.
- Unassigned incidents—number of incidents that have the Opened status.
- Latest incidents—table with information about the last 10 unclosed incidents belonging to the tenants selected in the layout.
- Incidents distribution—number of incidents created during the period configured for the widget.
- Incidents by priority—number of unclosed incidents grouped by their priority.
- Incidents by assignee—number of incidents with the Assigned status. The grouping is by user account name.
- Incidents by status—number of incidents grouped by their status.
- Affected assets in incidents—number of assets associated with unclosed incidents.
- Affected users in incidents—users associated with incidents.
- Affected asset categories in incidents—categories of assets associated with unclosed incidents.
- Active incidents by tenant—number of unclosed incidents, grouped by tenant.
- Network Overview layout (Network activity overview):
- Netflow top internal IPs—total volume of netflow traffic received by the asset, in bytes. The data is grouped by internal IP addresses of assets.
The widget displays up to 10 IP addresses.
- Netflow top external IPs—total volume of netflow traffic received by the asset, in bytes. The data is grouped by external IP addresses of assets.
- Netflow top hosts for remote control—number of events associated with access attempts to one of the following ports: 3389, 22, 135. The data is grouped by asset name.
- Netflow total bytes by internal ports—number of bytes sent to internal ports of assets. The data is grouped by port number.
- Top Log Sources by Events count—top 10 sources from which the greatest number of events was received.
The default refresh period for predefined layouts is Never. You can edit these layouts as needed.
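The Network Overview widgets are simple aggregations over NetFlow records. The following Python block is an added example, not Kaspersky Next XDR Expert code; the record layout (src, dst, dport, bytes, asset), the internal address ranges and the function names are assumptions. It reproduces three of the groupings described above over constructed sample flows: bytes received per internal IP, access attempts to the remote-control ports 3389, 22 and 135 per asset, and bytes sent per internal destination port, each capped at the 10 entries a widget displays.

```python
"""Aggregations behind the Network Overview widgets, computed over
constructed NetFlow-style records.

Added example, not Kaspersky Next XDR Expert code. The record layout
(src, dst, dport, bytes, asset), the internal address ranges and the
function names are assumptions; the groupings are the ones the layout
description gives, each capped at the 10 entries a widget displays.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Ports named in the "Netflow top hosts for remote control" widget.
REMOTE_CONTROL_PORTS = {3389, 22, 135}  # RDP, SSH, MS-RPC endpoint mapper
# Assumed internal ranges; adjust to the monitored network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
TOP_N = 10


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def top_internal_ips(flows, n=TOP_N):
    """Bytes received per internal destination IP (Netflow top internal IPs)."""
    total = Counter()
    for f in flows:
        if is_internal(f["dst"]):
            total[f["dst"]] += f["bytes"]
    return total.most_common(n)


def top_remote_control_hosts(flows, n=TOP_N):
    """Access attempts to 3389/22/135, grouped by internal asset name."""
    attempts = Counter()
    for f in flows:
        if f["dport"] in REMOTE_CONTROL_PORTS and is_internal(f["dst"]):
            attempts[f["asset"]] += 1
    return attempts.most_common(n)


def bytes_by_internal_port(flows, n=TOP_N):
    """Bytes sent to internal assets, grouped by destination port."""
    total = Counter()
    for f in flows:
        if is_internal(f["dst"]):
            total[f["dport"]] += f["bytes"]
    return total.most_common(n)


# Constructed sample flows (not captured traffic). asset = name of the
# destination asset when it is internal, empty for external destinations.
FLOWS = [
    {"src": "203.0.113.7",  "dst": "10.0.0.5",     "dport": 3389, "bytes": 1200,  "asset": "dc01"},
    {"src": "203.0.113.7",  "dst": "10.0.0.5",     "dport": 3389, "bytes": 800,   "asset": "dc01"},
    {"src": "198.51.100.4", "dst": "10.0.0.9",     "dport": 443,  "bytes": 50000, "asset": "web01"},
    {"src": "10.0.0.20",    "dst": "10.0.0.5",     "dport": 135,  "bytes": 300,   "asset": "dc01"},
    {"src": "10.0.0.20",    "dst": "192.168.1.10", "dport": 22,   "bytes": 4000,  "asset": "bastion"},
    {"src": "10.0.0.9",     "dst": "198.51.100.4", "dport": 443,  "bytes": 70000, "asset": ""},  # outbound, not counted
    {"src": "203.0.113.8",  "dst": "10.0.0.9",     "dport": 80,   "bytes": 20000, "asset": "web01"},
]

if __name__ == "__main__":
    print("Netflow top internal IPs:             ", top_internal_ips(FLOWS))
    print("Netflow top hosts for remote control: ", top_remote_control_hosts(FLOWS))
    print("Netflow total bytes by internal ports:", bytes_by_internal_port(FLOWS))
```

Only flows whose destination is an internal address are counted, so the outbound 70000-byte flow from web01 does not inflate the received-bytes totals; dc01 is ranked first for remote-control access because both its RDP attempts and the internal RPC access on port 135 are counted.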