For the administrator: Getting started in the program web interface

The intended audience of this section are personnel who install and administer Kaspersky Anti Targeted Attack Platform and manage PCN and SCN servers and tenants in

distributed solution

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

multitenancy mode

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Kaspersky Anti Targeted Attack Platform Interface

The program is managed through the web interface. Sections of the program web interface differ depending on the role of the user: Administrator or Senior security officer / Security officer/Security auditor.

The window of the program web interface contains the following items:

• Sections in the left part and in the lower part of the program web interface window.
• Tabs in the upper part of the program web interface window for certain sections of the program.
• The workspace in the lower part of the program web interface window.

Sections of the program web interface window

The program web interface for the Administrator role contains the following sections:

• Dashboard. Contains Kaspersky Anti Targeted Attack Platform Monitoring data.
• Operation mode. Contains information about PCN and SCN servers and about tenants in distributed solution and multitenancy mode.
• Endpoint Agents. Contains information about connected computers with Kaspersky Endpoint Agent program and their settings.
• Reports: Activity log. Contains information about the logging settings for user activity in the program web interface.
• Settings Contains the settings of the server with the Central Node component.
• Sensor servers. Contains information about connected Sensor components and their settings.
• Sandbox servers. Contains information about the connection of the Central Node component to Sandbox components.
• External systems. Contains information about program integration with mail sensors.

Workspace of the program web interface window

The workspace displays the information you choose to view in the sections and on the tabs of the program web interface window. It also contains control elements that you can use to configure how the information is displayed.

Users with the Security auditor role can also view these sections of the program web interface.

Monitoring program operation

You can monitor program operation using the widgets in the Dashboard section of the program web interface window. You can add, delete, and move widgets, configure the display scale of widgets, and select the data display period.

About widgets and layouts

You can use widgets to monitor program operation.

A layout is the appearance of the workspace of the program web interface window in the Dashboard section. You can add, delete, and move widgets in the layout.

The following widgets are available in the program:

• Processed. Displays the processing state for traffic coming from Sensor component and Kaspersky Endpoint Agent program to the server with the Central Node component.
• Queues. Displays information on the number and volume of objects waiting to be scanned by the program modules and components.
• Sandbox processing time. Displays the average time taken to receive the scan results after objects were scanned by the Sandbox component.

If you are using the distributed solution and multitenancy mode, the section displays information about the tenant and server that you chose.

Selecting a tenant and a server to manage in the Dashboard section

If you are using the distributed solution and multitenancy mode, before using the Dashboard section, you must select the tenant and server whose data you want to view.

To select a tenant and server for which you want to display data in the Dashboard section:

1. In the upper right part of the program web interface window, click the arrow next to the server name.
2. In the drop-down list, select the tenant and server from the list.

Data for the selected server is displayed. If you want to select a different tenant and server, repeat the steps to select a tenant and server.

Adding a widget to the current layout

To add a widget to the current layout:

1. Select the Dashboard section in the program web interface window.
2. In the upper part of the window, click the button.
3. In the drop-down list, select Customize.
4. Click Widgets.
5. In the Manage widgets window that opens:
   • If you want to add the Queues widget, turn on the toggle switch next to the name of this widget.
   • If you want to add the Sandbox processing time widget, turn on the toggle switch next to the name of this widget.
   • If you want to add the Processed widget, click next to the name of this widget.

The selected widget is added to the current layout.

Moving a widget in the current layout

To move a widget in the current layout:

1. Select the Dashboard section in the program web interface window.
2. In the upper part of the window, click the button.
3. In the drop-down list, select Customize.
4. Select the widget that you want to move within the layout.
5. Left-click and hold the upper part of the widget to drag and drop the widget to a different place in the layout.
6. Click Save.

The current layout is saved.

Removing a widget from the current layout

To remove a widget from the current layout:

1. Select the Dashboard section in the program web interface window.
2. In the upper part of the window, click the button.
3. In the drop-down list, select Customize.
4. Click the icon in the upper right corner of the widget that you want to remove from the layout.

   The widget is removed from the workspace of the program web interface window.

5. Click Save.

The widget is removed from the current layout.

Saving a layout to PDF

To save a layout to PDF:

1. Select the Dashboard section in the program web interface window.
2. In the upper part of the window, click the button.
3. In the drop-down list, select Save as PDF.

   This opens the Saving as PDF window.

4. In the lower part of the window, in the Layout drop-down list, select the page orientation.
5. Click Download.

   The layout in PDF format is saved to the hard drive of your computer in the downloads folder of the browser.

6. Click Close.

Configuring the data display period in widgets

You can configure the display of data in widgets for the following periods:

• Day
• Week
• Month

To configure the display of data in widgets for a day (from 00:00 a.m. to 11:59 p.m.):

1. Select the Dashboard section in the program web interface window.
2. In the upper-right corner of the program web interface window, in the drop-down list of data display periods, select Day.
3. In the calendar to the right of the Day period name, select the date for which you want to display data in the widget.

All widgets on the Dashboard page display data for the period you selected.

To configure the display of data on widgets for a week (Monday through Sunday):

1. Select the Dashboard section in the program web interface window.
2. In the upper-right corner of the program web interface window, in the drop-down list of data display periods, select Week.
3. In the calendar to the right of the Week period name, select the week for which you want to display data in the widget.

All widgets on the Dashboard page display data for the period you selected.

To display data display in widgets for a month (calendar month):

1. Select the Dashboard section in the program web interface window.
2. In the upper-right corner of the program web interface window, in the drop-down list of data display periods, select Month.
3. In the calendar to the right of the Month period name, select the month for which you want to display data in the widget.

All widgets on the Dashboard page display data for the period you selected.

Monitoring the receipt and processing of incoming data

In the Processed widget, you can assess the processing status of data coming from the Sensor component and Kaspersky Endpoint Agent component to the server with the Central Node component, and track data processing errors.

To select the component (Sensor or Kaspersky Endpoint Agent) for which you want to assess incoming data, use the drop-down list to the right of the Processed widget name.

You can select the type of data display in the drop-down list to the right of the component name (Sensor or Kaspersky Endpoint Agent):

• Current load—The last 5 minutes.
• Selected period. In this case, you can also configure the period of data display on widgets.

The left part of each widget displays the legend for colors used in the widget itself.

If the Current load data display type is selected, the average data processing rate over the past 5 minutes is displayed to the right of the key.

If the Selected period data display type is selected, to the right of the key you will see the average rate of incoming traffic to the server with the Central Node component and the number of objects processed during the selected period.

Monitoring the queues for data processing by program modules and components

You can use the Queues widget to assess the status of data processing by the

Data transfer in the queue is measured in messages.

You can select the type of data display in the drop-down list to the right of the Queues widget name:

• Current load—The last 5 minutes.
• Selected period. In this case, you can also configure the period of data display on widgets.

The left part of the widget displays the legend for colors used in the widget.

The Queues widget displays the following data:

• Number of messages and Data volume processed by program modules and components:
  • YARA—blue.
  • Sandbox—violet.
  • AM Engine—green.
• Unprocessed—amount of unprocessed data indicated by vertical red lines.

When you hover the mouse cursor over a widget, you see a pop-up window that displays the status of data processing by the YARA and AM Engine program modules and the Sandbox component, as well as the amount of unprocessed data during a specific time period.

Monitoring the processing of data by the Sandbox component

The Sandbox processing time widget displays the average time elapsed from the moment data is sent to one or multiple Sandbox component servers (including the time spent in the queue before getting sent) to the moment when the Sandbox processing results are displayed in the web interface of Kaspersky Anti Targeted Attack Platform for the selected period.

You can increase the rate at which data is processed by the Sandbox component and the throughput of the Sandbox component by increasing the number of servers with the Sandbox component and by distributing the data to be processed among those servers.

Viewing the working condition of modules and components of the program

If modules or components of the program encounter errors that the administrator is advised to look at, a yellow warning box is displayed in the upper part of the Dashboard section of the program web interface.

Users with the Local administrator, Administrator, or Security auditor roles can gain access to information about the working condition of the Central Node, PCN, or SCN server that the user is currently managing.

Users with the Senior security officer, Security officer, or Security auditor roles can gain access to the following information about the working condition:

• If you are using a standalone Central Node server, the user can access information about the working condition of the Central Node server which the user is currently managing.
• If you are using the distributed solution and multitenancy mode, and the user is managing an SCN server, the user can gain access to information about the working condition of that SCN server for tenants to whose data the user has access.
• If you are using the distributed solution and multitenancy mode, and the user is managing the PCN server, the user can gain access to information about the working condition of the PCN server and all SCN servers connected to that server, for tenants to whose data the user has access.

For details about the working condition of program modules and components,

click View details to open the System health window.

In the System health window, one of the following icons is displayed depending on the working condition of the program modules and components:

• if the modules and components of the program are working normally.
• An icon with the number of problems (for example, ) if problems are found that the administrator is recommended to pay attention to. In this case, detailed problem information is displayed in the right part of the System health window.

The System health window contains the following sections:

• Component health contains information on the operational status of program modules and components, Quarantine, and database update on all servers where the program is operating.

  Example: If the databases of one or more program components have not been updated in 24 hours, the icon is displayed next to the name of the server on which the program modules and components are installed. To resolve the problem, make sure that update servers are available. If you are using a proxy server to connect to update servers, make sure the proxy server has no errors pertaining to the connection to Kaspersky Anti Targeted Attack Platform servers.

• Processed—Status of receiving and processing incoming data. The status is generated based on the following criteria:
  • State of receiving data from servers with the Sensor component, from the server or virtual machine with the mail sensor, from Kaspersky Endpoint Agent hosts.
  • Information about exceeding the maximum allowed time that objects wait in the queue to be scanned by program modules and components.
• Connection with servers—Status of the connection between the PCN server and connected SCN servers (displayed if you are using the distributed solution and multitenancy mode).

If there are problems detected in the performance of program modules or components and you cannot resolve those problems on your own, you are advised to contact Kaspersky Technical Support.

Managing Central Node, PCN, or SCN servers using the program web interface

You can use the program web interface to perform the following actions with the server on which the Central Node component is installed:

• Configure the date and time on the server.
• Power off and restart the server.
• Generate or upload a server certificate that you can prepare on your own.
• Configure the network settings of the server.
• Monitor the disk space usage on the server.

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

Configuring the date and time on the server

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

To configure the date and time on the server:

1. In the window of the program web interface, select the Settings section, Date and time subsection.
2. In the Time zone drop-down list, select the time zone of the physical location of the server with the Central Node component.

   You can specify the country and time zone by selecting the relevant region on the map under the drop-down lists.

3. In the NTP servers section:
   • If you want to add a new
     NTP server

     Precision time server using the Network Time Protocol.

     :
     1. Click Add.
     2. In the field that opens, enter the IP address or domain name of the NTP server.
     3. Click the button to the right of the field.
   • If you want to edit the IP address or domain name of the NTP server, click the button in the line containing the server.
   • If you want to delete an NTP server, click the button in the line containing the server.
4. Click Apply.

The date and time of the server will be configured.

Generating or uploading a TLS certificate of the server

If you are already using a server TLS certificate, generating or uploading a new certificate causes the currently used certificate to be removed and replaced with the new certificate.

You must enter the data of the new certificate everywhere the old certificate was used.

If you replace the TLS certificate, you will need to

• Reauthorize mail sensors (KSMG, KLMS) on Central Node.
• Reconfigure the connection of Central Node, PCN, and SCN to Sandbox.
• Reconfigure traffic forwarding from Endpoint Agent to Sensor and trusted connection with Endpoint Agent.
• Upload a new certificate to Active Directory (if you are using Active Directory).

Please delete all Endpoint Agent host isolation rules. Connection with the isolated hosts and control over them will be lost.

You can generate a new certificate in the web interface: of the Central Node server or upload a certificate that you have created independently.

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

To generate a TLS certificate for a Central Node server:

1. Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
2. In the window of the program web interface, select the Settings section, Certificates subsection.
3. In the Server certificate section, click Generate.

   This opens the action confirmation window.

4. Click Yes.

Kaspersky Anti Targeted Attack Platform generates a new TLS certificate. The page is automatically refreshed.

Communication with the mail sensors, the Sandbox component, and the Kaspersky Endpoint Agent program is interrupted until reauthorization.

You can choose to prepare the TLS certificate on your own and upload it using the Kaspersky Anti Targeted Attack Platform web interface.

The TLS certificate file prepared for upload must satisfy the following requirements:

• The file must contain the certificate itself and a private encryption key for the connection.
• The file must be in PEM format.
• The private key length must be 2048 bits or longer.

For more details on preparing TLS certificates for import, please refer to the documentation on Open SSL.

Upload the TLS certificate in the web interface of the PCN or SCN server to which you want to upload the certificate.

To upload an independently prepared TLS certificate using the Kaspersky Anti Targeted Attack Platform web interface:

1. Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
2. In the window of the program web interface, select the Settings section, Certificates subsection.
3. In the Server certificate section, click Upload.

   This opens the file selection window.

4. Select a TLS certificate file to download and click the Open button.

   This closes the file selection window.

The TLS certificate is added to the Kaspersky Anti Targeted Attack Platform.

Communication with the mail sensors, the Sandbox component, and the Kaspersky Endpoint Agent program is interrupted until reauthorization.

Downloading the TLS certificate of the server

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

To download the TLS certificate of the server:

1. In the window of the program web interface, select the Settings section, Certificates subsection.
2. In the Server certificate section, click Download.

The server certificate file will be saved in the downloads folder of the browser.

Assigning a server DNS name

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

To assign the server name to be used by DNS servers:

1. In the window of the program web interface, select the Settings section, Network settings subsection.
2. Enter the full domain name of the server into the Server name (FQDN) field.

   Specify the server name in FQDN format (for example: host.domain.com or host.domain.subdomain.com).

3. Click Apply.

The server name will be assigned.

Configuring DNS settings

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

To configure DNS:

1. In the window of the program web interface, select the Settings section, Network settings subsection.
2. In the DNS settings group, enter the IP addresses of the DNS servers in the Primary and Secondary DNS servers field.
3. Click Apply.

The DNS settings will be configured.

Configuring settings of the network interface

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

To configure the network interface:

1. In the window of the program web interface, select the Settings section, Network settings subsection.
2. Select the network interface whose settings you want to configure.

   This opens the Edit network interface window.

3. In the State settings group, select one of the following options:
   • Disabled.
   • Enabled, using DHCP server if you want the settings received from the DHCP server to be used for the network interface.
   • Enabled, manual configuration if you want the manually configured network interface to be used.
4. If you selected Enabled, manual configuration, specify values for the following parameters:
   1. In the IP field, specify the IP address of the network interface.
   2. In the Subnet mask field, specify the subnet mask of the network interface.
   3. In the Gateway text box, enter the IP address of the gateway.
5. Click Save.

The settings of the network interface will be configured.

Configuring the default network route

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

To configure the default network route:

1. In the window of the program web interface, select the Settings section, Network settings subsection.
2. In the Network route settings group, in the Network interface drop-down list, select the network interface for which you want to configure the network route.
3. In the Gateway text box, enter the IP address of the gateway.
4. Click Apply.

The default network route will be configured.

Configuring proxy server connection settings

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

To configure the proxy server connection:

1. In the window of the program web interface, select the Settings section, General settings subsection.
2. In the Proxy server settings group, set the toggle switch to Enabled.
3. In the Host field, specify the URL of the proxy server.
4. In the Port field, specify the port for connecting to the proxy server.
5. In the User name field, specify the user name for authentication on the proxy server.
6. In the Password field, specify the password for authentication on the proxy server.
7. If you do not want to use a proxy server when connecting to local addresses, select the Bypass proxy server for local addresses check box.
8. Click Apply.

The proxy server connection settings will be configured.

Configuring the mail server connection

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

The program can send notifications about alerts and system performance. To do so, you must configure the settings of the server used for sending notifications.

To configure the server for sending notifications:

1. In the main window of the program web interface, select the Settings section, Notifications subsection.
2. Go to the Mail configuration tab.
3. In the Host field, specify the IP address of the mail server.
4. In the Port field, specify the port for connecting to the mail server.
5. In the Email from field, specify the email address from which the notifications will be sent.
6. If you want to enable authentication on the mail server, select the Use SMTP authentication of message recipients check box.
7. In the User name field, specify the user name for authentication on the server used for sending notifications.
8. In the Password field, specify the password for authentication on the server used for sending notifications.
9. If you want to use TLS encryption when sending notifications, select the Use TLS encryption check box.
10. If you want to validate the certificate of the mail server, select the Validate TLS encryption check box.

    The Certificate fingerprint field displays the fingerprint of the mail server certificate.

    If the Validate TLS encryption check box is not selected, the program will consider any certificate of the mail server as trusted.

11. Click Apply.

The settings of the server used for sending notifications will be configured.

Selecting operating systems to use when scanning objects in Sandbox

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

You can select a set of operating systems that will be used to generate tasks for scanning objects using the Sandbox component. On the Sandbox server, you must install virtual machines with operating systems that match the configured set.

To select the set of operating systems:

1. Select the Sandbox servers section in the window of the program web interface.
2. Go to the Settings tab.
3. Under OS set, select one of the following options:
   • Windows XP, Windows 7, Windows 10.
   • CentOS 7.8, Windows XP, Windows 7, Windows 10.
   • Astra Linux 1.7, Windows XP, Windows 7, Windows 10.

Kaspersky Anti Targeted Attack Platform will create tasks for scanning objects in Sandbox in accordance with the selected set.

If the set of operating systems installed on the Sandbox server does not match the set selected on the Central Node server, objects are not sent to be scanned by that Sandbox server. If multiple Sandbox servers are connected to the Central Node server, the program sends objects to those Sandbox servers whose installed operating systems match the set selected on Central Node.

You can change the set of operating systems in the course of using the program. In this case, you need to make sure that the configuration of the Sandbox server satisfies hardware requirements.

In distributed solution and multitenancy mode, the settings of the operating system set configured on the PCN server are not applied to SCN servers connected to that PCN server. You can select the set of operating systems for each PCN and SCN server individually.

Managing the Sensor component

The Sensor component receives data from network traffic and mail traffic.

You can install the Sensor and Central Node components on the same server or on separate servers. If the Sensor component is installed on a standalone server, you must connect it to the server with the Central Node component.

If you are using the distributed solution and multitenancy mode, perform the necessary actions to connect to PCN or SCN servers.

Viewing the table of servers with the Sensor component

The table of servers with the Sensor component is located in the Sensor servers section of the program web interface window. The table contains the following information:

• IP/name—IP address or domain name of the server with the Sensor component.
• Type—Type of Sensor component. Possible values:
  • Central Node—The Sensor component is installed on the same server as the Central Node component.
  • Remote—The Sensor component is installed on a different server or a mail sensor is used as the Sensor component.
• Certificate fingerprint—Fingerprint of the TLS certificate used to establish an encrypted connection between servers with the Sensor and Central Node components.
• KSN/KPSN—Status of the connection to the KSN/KPSN reputation databases.
• SPAN—Status of SPAN traffic processing.
• SMTP—Status of integration with a mail server via SMTP.
• ICAP—Status of integration with a proxy server via ICAP.
• POP3—Status of integration with a mail server via POP3.
• State—Status of the connection request.

Processing a connection request from the Sensor component

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

You can accept, decline, or revoke a previously accepted connection request from the Sensor component.

To process a connection request from the Sensor component:

1. Select the Sensor servers section in the window of the program web interface.

   The Server list table displays the already connected Sensor components, and connection requests.

2. In the line containing the connection request of the Sensor component, perform one of the following actions:
   • If you want to connect the Sensor component, click the Accept button.
   • If you do not want to connect the Sensor component, click the Reject button.
3. In the confirmation window, click Yes.

The connection request from the Sensor component will be processed.

Configuring the maximum size of a scanned file

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

To configure the maximum size of a scanned file:

1. Select the Sensor servers section in the window of the program web interface.

   The Server list table will be displayed.

2. Select the Sensor component for which you want to configure the maximum size of a scanned file.

   This opens the Sensor component settings page.

3. Select the General settings section.
4. If you want the program to scan files of any size, select the Unlimited check box.
5. If you want to set a maximum size for files that the program will scan:
   1. Clear the Unlimited check box.
   2. In the field under the check box, enter the maximum allowed size of a file.
   3. In the drop-down list to the right of the field, select the unit of measurement.
6. Click Apply.

The maximum size of a scanned file will be configured.

Configuring receipt of mirrored traffic from SPAN ports

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

To configure receipt of mirrored traffic from SPAN ports:

1. Select the Sensor servers section in the window of the program web interface.

   The Server list table will be displayed.

2. Select the Sensor component for which you want to configure the receipt of mirrored traffic from SPAN ports.

   This opens the Sensor component settings page.

3. Select the SPAN traffic processing section.

   The Network interfaces table is displayed.

4. In the row of the network interface from which you want to configure the receipt of mirrored traffic, set the toggle switch in the SPAN traffic scanning column to Enabled.
5. In the Capture thread drop-down list, select the stream that will process this network interface.
6. In the Select CPU drop-down list, select the processor that will process the network traffic.
7. Click Apply.

The receipt of mirrored traffic from SPAN ports will be configured.

Configuring integration with a mail server via SMTP

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

To configure integration with a mail server over SMTP:

1. Select the Sensor servers section in the window of the program web interface.

   The Server list table will be displayed.

2. Select the Sensor component for which you want to configure integration with the mail server via SMTP.

   This opens the Sensor component settings page.

3. Select the SMTP integration section.
4. In the State field, set the toggle switch to Enabled.
5. In the Destination domains field, specify the name of the mail domain or subdomain. The program will scan email messages sent to mailboxes of the specified domains.

   To disable a domain or subdomain, enclose it in the !domain.tld form.

   If you leave the mail domain name blank, the program will receive messages sent to any email address.

6. In the Clients field, specify the IP addresses of hosts and/or masks of subnets (in CIDR notation) with which the program is allowed to interact over the SMTP protocol.

   To disable a host or subnet, enclose the address in the !host form.

   If you leave this field blank, the program will receive the following messages:

   • From any email addresses if you specified email domains in the Destination domains field.
   • From a mail server in the same subnet as the server with the Sensor component if no domain is indicated in the Destination domains field.
7. If you want the program to receive messages of any size, in the Message size limit settings group, select the Unlimited check box.
8. If you want to set a maximum allowed size of incoming messages:
   1. Clear the Unlimited check box.
   2. In the field under the check box, enter the maximum allowed size of a message.
   3. In the drop-down list to the right of the field, select the unit of measurement.
9. Click Apply.

Integration with a mail server via SMTP will be configured. The program will scan email messages received over the SMTP protocol according to the defined settings.

If you have deployed the Central Node and Sensor components as a cluster, you can configure fault-tolerant integration with the mail server.

To configure fault-tolerant integration with the mail server:

1. Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
2. Specify this domain name in the mail server settings.

Integration with the mail server will be configured based on the domain name. The mail server will communicate with a random server in the cluster. If this server fails, the mail server will communicate with another healthy server in the cluster.

Configuring TLS encryption of connections with a mail server via SMTP

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

To configure TLS encryption of connections with the mail server over SMTP:

1. Select the Sensor servers section in the window of the program web interface.

   The Server list table will be displayed.

2. Select the Sensor component for which you want to configure TLS encryption of connections with the mail server over the SMTP protocol.

   This opens the Sensor component settings page.

3. Select the SMTP integration section.
4. In the State field, set the toggle switch to Enabled if it is disabled.
5. In the Client TLS security level settings group, select one of the following options:
   • No TLS encryption.

     The program will not employ TLS encryption of connections with a mail server.

   • Attempt TLS encryption for incoming messages.

     The program will support TLS encryption of the connection, but encryption will not be mandatory.

   • Require TLS encryption for incoming messages.

     The program will receive messages only over encrypted channels.

6. Click the Download TLS certificate button to save the TLS certificate of the server with the Sensor component on the computer in the browser's downloads folder.

   This certificate is required for authentication on the mail server.

7. In the Requesting Client TLS certificate settings group, select one of the following options:
   • Do not request.

     The program will not verify the TLS certificate of the mail server.

   • Request.

     The program will request a TLS certificate from the mail server, if one is available.

   • Require.

     The program will receive messages only from those mail servers that have a TLS certificate.

8. Click Apply.

TLS encryption of connections with the mail server over the SMTP protocol will be configured.

Enabling integration with a proxy server via ICAP

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

When a standalone proxy server is used, Kaspersky Anti Targeted Attack Platform does not provide encryption of ICAP traffic or authentication of ICAP clients by default. The program administrator must independently ensure a secure network connection between your proxy server and Kaspersky Anti Targeted Attack Platform by using traffic tunneling or iptables.

To enable integration with a proxy server over ICAP:

1. Select the Sensor servers section in the window of the program web interface.

   The Server list table will be displayed.

2. Select the Sensor component for which you want to configure integration with a proxy server over the ICAP protocol.

   This opens the Sensor component settings page.

3. Select the ICAP integration with proxy server section.
4. In the State field, set the toggle switch to Enabled.

   The Host field displays the URL of the Response Modification (RESPMOD) service that processes inbound traffic.

   Use this URL to configure integration with Kaspersky Anti Targeted Attack Platform via ICAP on a proxy server that is used in your organization.

5. Click Apply.

Integration with a proxy server over the ICAP protocol will be enabled.

If you have deployed the Central Node and Sensor components as a cluster, you can configure fault-tolerant integration with a proxy server.

To configure the fault-tolerant integration with the proxy server:

1. Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
2. Specify this domain name in the proxy server settings.

Integration with the proxy server will be configured based on the domain name. The proxy server will communicate with a random server in the cluster. If this server fails, the proxy server will communicate with another healthy server in the cluster.

Configuring integration with a mail server via POP3

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

To configure integration with a mail server over POP3:

1. Select the Sensor servers section in the window of the program web interface.

   The Server list table will be displayed.

2. Select the Sensor component for which you want to configure integration with the mail server via POP3.

   This opens the Sensor component settings page.

3. Select the POP3 integration section.
4. Set the toggle switch next to the State parameter to Enabled.
5. In the Mail server field, specify the IP address of the mail server with which you want to configure integration.
6. In the Port field, specify the port for connecting to the mail server.
7. In the Receive every field, specify the mail server connection frequency (in seconds).
8. If you want to use TLS encryption of connections with the mail server via POP3, select the Use TLS encryption check box.
9. In the User name field, specify the account name used for accessing the mail server.
10. In the Password field, specify the password for accessing the mail server.

    The mail server must support Basic Authentication.

11. In the TLS certificate drop-down list, select one of the following options:
    • Accept any.
    • Accept untrusted self-signed.
    • Accept only trusted.

    When establishing a connection with an external mail server, it is recommended to configure the acceptance of only trusted TLS certificates. If you accept untrusted TLS certificates, protection of the connection against

    MITM attacks

    Man in The Middle. An attack on the IT infrastructure of an organization in which a hacker hijacks the communication link between two access points, relays it, and modifies the connection between these access points if necessary.

    cannot be guaranteed. Even though the acceptance of trusted TLS certificates also cannot guarantee protection of the connection against MITM attacks, it is the most secure of the supported methods for integration with a mail server over the POP3 protocol.

12. If necessary, in the Cipher suite field, modify the OpenSSL settings used when establishing a connection with the mail server via POP3.

    You can view reference information on OpenSSL by clicking the Help link.

13. Click Apply.

Integration with the mail server via POP3 will be configured.

If you have deployed the Central Node and Sensor components as a cluster, you can configure fault-tolerant integration with the mail server.

To configure fault-tolerant integration with the mail server:

1. Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
2. Specify this domain name in the mail server settings.

Integration with the mail server will be configured based on the domain name. The mail server will communicate with a random server in the cluster. If this server fails, the mail server will communicate with another healthy server in the cluster.

Managing the cluster

This section contains information about managing the cluster servers.

Viewing the table of servers of the cluster

To view the table of cluster servers:

1. Log in to the web interface for sizing management.
2. Go to the Cluster section.

A window with a table will open.

The table contains the following information:

• Server type—server type depending on its role in the cluster.

  The following values can be displayed:

  • Storage.
  • Processing.
• Status—server status.

  The following values can be displayed:

  • Connected.
  • Not connected.
• Host name—server name.
• IP— IP address of the server.
• RAM—RAM load level of the server.
• CPU—CPU load level of the server.
• Action—Actions that you can perform with the server.

  The following action is available: Delete.

Adding a server to a cluster

To add a server to the cluster, you need to start the installation of Kaspersky Anti Targeted Attack Platform on this server and follow the steps to install the components. The added server is displayed in the cluster server list.

Increasing the disk space on the storage server

You can increase the disk space on an operational storage server by installing an additional disk.

To increase the disk space of the storage server by means of an additional disk, you need to contact Technical Support.

The server is configured in Technical Support Mode.

Decommissioning servers

To decommission an operational server, you need to contact Technical Support.

If a server fails, you can decommission it on your own.

To decommission an inoperable processing server:

1. Remove the server from the cluster.
2. Configure the sizing settings of the program for the new configuration.

The processing server will be decommissioned.

To decommission an inoperable storage server:

1. Add a new storage server to the cluster.
2. Remove the inoperable storage server from the cluster.

The storage server will be decommissioned.

Removing a server from a cluster

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

A removed server cannot be restored. Make sure that the selected server is not operational.

To remove a server from the cluster:

1. Log in to the web interface for sizing management.
2. Go to the Cluster section.
3. In the Action column, click the Delete link opposite the server that you want to remove.
4. Click Proceed.

The removal process will start. Removal may take about a day. Information about the removed server will not be displayed in the table of servers.

After removing the server, you can reconfigure the cluster servers or add a server with the same role to maintain the same level of program performance.

Starting up and shutting down the cluster

If you want to power off the healthy servers in the cluster, you must first shut down the cluster to avoid data loss.

To shut down a cluster:

1. Log in to the web interface for sizing management.
2. Go to the Cluster section.
3. Click the Shut down button.

The operation of the program's main components will be stopped. You can now power off the cluster servers.

To start up the cluster servers:

1. Disconnect power to the servers if it has not been previously disconnected.
2. Power on the storage server.
3. Power up the remaining servers.

The cluster servers will start up.

The scaling management web interface becomes available when more than half of the cluster servers are started. For example, if there are 7 servers in the cluster, the web interface will be available when 4 servers of the cluster are powered on.

Notifications about the maximum allowed CPU and RAM load for the Central Node and Sensor servers

Maintaining a high load on the CPU and RAM of the Central Node and Sensor servers may result in the inoperability of the program components.

You can configure maximum values for the CPU and RAM loads on Central Node and Sensor servers; if these are exceeded, the upper part of the Dashboard section of the program web interface for users with the Senior security officer, Security officer, Administrator, or Local administrator roles displays a yellow box with a warning. You can also configure notifications to be sent to one or more email addresses and an SNMP protocol connection for sending information about the CPU and RAM load to external systems that support this protocol.

If you have deployed the Central Node and Sensor components as a cluster, warnings are displayed separately for each server in the cluster.

Users with the Senior security officer or Security officer role can also create rules for sending notifications. In this case, sending notifications correctly requires configuring maximum allowed load values for the CPU and RAM of servers, as well as notification settings on the server.

In existing rules for sending notifications about the program components, the CPU load and RAM load notifications are enabled automatically if the All check box is selected under Components when the rule is created.

Configuring the maximum allowable CPU and RAM load of the Central Node and Sensor servers

In the distributed solution and multitenancy mode, you need to set the maximum allowed load values for the CPU and RAM load of each Central Node server from which you want to receive notifications. If you use a Central Node cluster, you can configure these settings on any cluster server.

To configure the maximum allowed load on the CPU and RAM of the Central Node and Sensor servers:

1. In the window of the program web interface, select the Settings section, General settings subsection.
2. Under Monitoring:
   • In the Warning of CPU usage above N % for M minutes field, enter the maximum allowed CPU usage and time period for which the maximum load can be maintained.

     By default, the maximum CPU load is 95% for 5 minutes.

   • In the Warning of RAM usage above N % for M minutes field, enter the maximum allowed RAM usage and time period for which the maximum usage can be maintained.

     By default, the maximum RAM usage is 95% for 5 minutes.

3. Click Apply.

The maximum allowed load of server CPU and RAM will be configured. If one of the values is exceeded on the Central Node and/or Sensor server, in the upper part of the Dashboard section of the program web interface for users with Senior security officer, Security officer, Administrator, or Local administrator role, a yellow warning box is displayed.

Configuring the SNMP protocol connection

You can send information about the CPU and RAM load on Central Node and Sensor servers to external systems that support the SNMP protocol. To do so, you must configure the connection for the protocol.

If the Central Node component is deployed as a cluster, data about the CPU and RAM load of each server in the cluster is sent to external systems.

To configure the SNMP protocol connection on the Central Node server:

1. In the window of the program web interface, select the Settings section, General settings subsection.
2. Under SNMP, select the Use SNMP check box.
3. In the Protocol version field, select a protocol version:
   • v2c.
   • v3.
4. If you selected the v2c protocol version, in the Community string field, enter the password that will be used for connecting to Kaspersky Anti Targeted Attack Platform.
5. If you selected v3:
   1. In the Authentication protocol field, select one of the following options for checking the accuracy and integrity of data sent to the external system:
      • MD5.
      • SHA256.
   2. In the User name field, enter the user name.
   3. In the Password field, enter the password for authentication.

      User name and password configured in the User name and Password fields must match the user name and password configured when creating the account in the external system. If the credentials do not match, the connection cannot be established.

   4. In the Privacy protocol field, select an encryption type:
      • DES.
      • AES.
   5. In the Password field, enter the encryption password.

      The password configured in this field must match the password configured in the external system.

Protocol connection on the Central Node server is configured. If the request for data is successfully processed, the server of the external system displays information about CPU and RAM load of the Central Node server.

To configure the SNMP protocol connection on the Sensor server:

1. Enter the management console of the Sensor server via the SSH protocol or through a terminal.
2. When the system prompts you, enter the administrator user name and the password that was specified during installation of the program.

   The program component administrator menu is displayed.

3. Follow steps 2 through 5 of the instructions above.

Protocol connection on the Sensor server is configured. If the request is successfully processed, the server of the external system displays information about CPU and RAM load of the Sensor server.

In distributed solution and multitenancy mode, SNMP connection settings for each PCN, SCN, and Sensor server must be configured separately.

Description of MIB objects of Kaspersky Anti Targeted Attack Platform

The tables below provide information about

Information about hard drive, CPU, and RAM load of Central Node and Sensor servers

Information about hard drive, CPU, and RAM load of Central Node and Sensor servers

Page top

Managing Kaspersky Endpoint Agent host information

Kaspersky Endpoint Agent is installed on individual computers (hereinafter also referred to as "hosts") in the IT infrastructure of the organization. The program continuously monitors processes running on those hosts, active network connections, and files that are being modified.

Users with the Senior security officer, Security officer, Security auditor, Local administrator, or Administrator role can assess how regularly data is received from hosts on which Kaspersky Endpoint Agent is installed, on the Endpoint Agents tab of the program web interface window for tenants to whose data the user has access. If you are using the distributed solution and multitenancy mode, the web interface of the PCN server displays the list of hosts with Kaspersky Endpoint Agent program for the PCN and all connected SCNs.

Users with the Local administrator and Administrator roles can configure the display of how regularly data is received from hosts with Kaspersky Endpoint Agent installed, for tenants to whose data they have access.

If suspicious network activity is detected, users with the Senior security officer role can isolate from the network any host with Kaspersky Endpoint Agent, for tenants to whose data the user has access. In this case, the connection between the server with the Central Node component and a host with Kaspersky Endpoint Agent is not interrupted.

To provide support in case of problems with Kaspersky Endpoint Agent, Technical Support staff may ask you to perform the following actions for debugging purposes (including in Technical Support Mode):

• Activate collection of extended diagnostic information.
• Modify the settings of individual program components.
• Modify the settings for storing and sending the obtained diagnostic information.
• Configure network traffic to be intercepted and saved to a file.

Technical Support staff will provide all the information needed to perform these operations (description of the sequence of steps, settings to be modified, configuration files, scripts, additional command line functionality, debugging modules, special-purpose utilities, and other resources) and inform you about the scope of data obtained for debugging purposes. The retrieved diagnostic information is saved on the user's computer. The retrieved data is not automatically sent to Kaspersky.

The operations listed above should be performed only when instructed by and under the supervision of Technical Support experts. Unsupervised changes to program settings performed in ways other than those described in this manual or according to the instructions of Technical Support experts can slow down or crash the operating system, reduce computer security, or compromise the availability and integrity of data being processed.

Selecting a tenant to manage in the Endpoint Agents section

If you are using the distributed solution and multitenancy mode, prior to using the Endpoint Agents section, you must select the tenant whose data you want to view.

To select a tenant to manage in the Endpoint Agents section:

1. In the upper part of the program web interface menu, click the arrow next to the name of the tenant.
2. In the drop-down list, select a tenant.

Data for the selected tenant is displayed. If you want to select a different tenant, repeat the steps to select the tenant.

Viewing the Kaspersky Endpoint Agent host table on a standalone Central Node server

The table of Kaspersky Endpoint Agent hosts is located in the Endpoint Agents section of the program web interface window.

If you are using a standalone Central Node server, but not using the distributed solution and multitenancy mode, the host table of Kaspersky Endpoint Agent can display the following information:

• Number of hosts and activity indicators of Kaspersky Endpoint Agent:
  • Critical inactivity is the number of hosts from which latest data was received a very long time ago.
  • Warning is the number hosts from which latest data was received a long time ago.
  • Normal activity is the number of hosts from which latest data was recently received.
• Host—Name of the host with Kaspersky Endpoint Agent.
• IP—IP address of the computer where Kaspersky Endpoint Agent is installed.
• OS—Version of the operating system that is installed on the computer with Kaspersky Endpoint Agent.
• Version—Version of Kaspersky Endpoint Agent installed.
• Activity—Activity indicator of Kaspersky Endpoint Agent. Possible values:
  • Normal activity for hosts from which latest data was recently received.
  • Warning for hosts from which latest data was received a long time ago.
  • Critical inactivity for hosts from which latest data was received an extremely long time ago.

Clicking a link in a column of the table opens a list in which you can select one of the following actions:

• Add to filter.
• Exclude from filter.
• Copy value to clipboard.

Viewing the Kaspersky Endpoint Agent host table in distributed solution and multitenancy mode

The table of Kaspersky Endpoint Agent hosts is located in the Endpoint Agents section of the program web interface window.

If you are using the distributed solution and multitenancy mode, the table contains information about Kaspersky Endpoint Agent hosts connected to the PCN and all SCN servers. The table can display the following data:

• Number of hosts and activity indicators of Kaspersky Endpoint Agent:
  • Critical inactivity is the number of hosts from which latest data was received a very long time ago.
  • Warning is the number hosts from which latest data was received a long time ago.
  • Normal activity is the number of hosts from which latest data was recently received.
• Host—Name of the host with Kaspersky Endpoint Agent.
• Servers—Names of servers to which the Kaspersky Endpoint Agent host is connected.
• IP—IP address of the computer where Kaspersky Endpoint Agent is installed.
• OS—Version of the operating system that is installed on the host with Kaspersky Endpoint Agent.
• Version—Version of Kaspersky Endpoint Agent installed.
• Activity—Activity indicator of a host with Kaspersky Endpoint Agent. Possible values:
  • Normal activity for hosts from which latest data was recently received.
  • Warning for hosts from which latest data was received a long time ago.
  • Critical inactivity for hosts from which latest data was received an extremely long time ago.

Clicking a link in a column of the table opens a list in which you can select one of the following actions:

• Add to filter.
• Exclude from filter.
• Copy value to clipboard.

Viewing information about a host

To view information about a Kaspersky Endpoint Agent host:

1. Select the Endpoint Agents section in the window of the program web interface.
2. Select the host for which you want to view information.

This opens a window containing information about the host.

The window contains the following information:

• In the Host section:
  • Name—Name of the host with Kaspersky Endpoint Agent.
  • IP—IP address of the host where Kaspersky Endpoint Agent is installed.
  • OS—Version of the operating system on the host with the Kaspersky Endpoint Agent program installed.
  • Server—Name of the SCN or PCN server. Only displayed in distributed solution and multitenancy mode.
  • Server name—Name of the Central Node server.
• In the Endpoint Agent section:
  • Version—Version of Kaspersky Endpoint Agent installed.
  • Activity—Activity indicator of Kaspersky Endpoint Agent. Possible values:
    • Normal activity for hosts from which latest data was recently received.
    • Warning for hosts from which latest data was received a long time ago.
    • Critical inactivity for hosts from which latest data was received an extremely long time ago.
  • Connected to server—Name of the Central Node, SCN, or PCN server to which the host is connected.
  • Last connection—time of the last connection to the Central Node, SCN, or PCN server.
  • License key status—Status of the Kaspersky Endpoint Agent program license key.

Filtering and searching hosts with Kaspersky Endpoint Agent by host name

To filter or search for Kaspersky Endpoint Agent hosts by host name:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the Host link to open the filter configuration window.
3. If you want to display only isolated hosts, select the Show isolated Endpoint Agents only check box.
4. In the drop-down list, select one of the following filtering operators:
   • Contains
   • Does not contain
5. In the entry field, specify one or several characters of the host name.
6. To add a filter condition using a different criterion, click and specify the filter condition.
7. If you want to delete the filter condition, click the button to the right of the field.
8. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Filtering and searching hosts with Kaspersky Endpoint Agent that have been isolated from the network

To filter or search for Kaspersky Endpoint Agent hosts that are isolated from the network:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the Host link to open the filter configuration window.
3. Select the Show isolated Endpoint Agents only check box.
4. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Filtering and searching hosts with Kaspersky Endpoint Agent by PCN and SCN server names

If you are using the distributed solution and multitenancy mode, you can filter or find hosts with the Kaspersky Endpoint Agent program based on the names of PCN and SCN servers to which those hosts are connected.

To filter or search for Kaspersky Endpoint Agent hosts by the names of PCN and SCN servers:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the Servers link to open the filter configuration window.
3. Select check boxes next to names of servers by which you want to filter or search for hosts with the Kaspersky Endpoint Agent program.
4. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Filtering and searching hosts with Kaspersky Endpoint Agent by computer IP address

To filter or search for Kaspersky Endpoint Agent hosts by IP address:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the IP link to open the filter configuration window.
3. In the drop-down list, select one of the following filtering operators:
   • Contains
   • Does not contain
4. In the entry field, specify one or several characters of the computer IP address. You can enter the IP address or subnet mask in IPv4 format (for example, 192.0.0.1 or 192.0.0.0/16).
5. To add a filter condition using a different criterion, click and specify the filter condition.
6. If you want to delete the filter condition, click the button to the right of the field.
7. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Filtering and searching hosts with Kaspersky Endpoint Agent by operating system version on the computer

To filter or search for Kaspersky Endpoint Agent hosts by operating system version:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the OS link to open the filter settings window.
3. In the drop-down list, select one of the following filtering operators:
   • Contains
   • Does not contain
4. In the entry field, specify one or several characters of the operating system version.
5. To add a filter condition using a different criterion, click and specify the filter condition.
6. If you want to delete the filter condition, click the button to the right of the field.
7. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Filtering and searching hosts with Kaspersky Endpoint Agent by Kaspersky Endpoint Agent version

To filter or search for Kaspersky Endpoint Agent hosts by Kaspersky Endpoint Agent version:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the Version link to open the filter settings window.
3. In the drop-down list, select one of the following filtering operators:
   • Contains
   • Does not contain
4. In the entry field, specify one or several characters of the version of the Kaspersky Endpoint Agent program.
5. To add a filter condition using a different criterion, click and specify the filter condition.
6. If you want to delete the filter condition, click the button to the right of the field.
7. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Filtering and searching hosts with Kaspersky Endpoint Agent based on their activity

To filter or search for Kaspersky Endpoint Agent hosts by their activity:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Click the Activity link to open the filter configuration window.
3. Select the check boxes next to one or more Kaspersky Endpoint Agent program activity indicators:
   • Normal activity, if you want to find hosts from which the last data was recently received.
   • Warning, if you want to find hosts from which the last data was received a long time ago.
   • Critical inactivity, if you want to find hosts from which the last data was received an extremely long time ago.
4. Click Apply.

The filter configuration window closes.

The table displays only those hosts that match the filter criteria you have set.

You can use multiple filters at the same time.

Quickly creating a filter for hosts with Kaspersky Endpoint Agent

To quickly create a filter for hosts with the Kaspersky Endpoint Agent program:

1. Select the Endpoint Agents section in the window of the program web interface.

   This opens the table of hosts.

2. Do the following to quickly add filter conditions to the filter being created:
   1. Position the mouse cursor on the link containing the table column value that you want to add as a filter condition.
   2. Left-click it.

      This opens a list of actions to perform on the value.

   3. In the list that opens, select one of the following actions:
      • Add to filter, if you want to include this value in the filter condition.
      • Exclude from filter, if you want to exclude the value from the filter condition.

3. If you want to add several filter conditions to the filter being created, perform the actions to quickly add each filter condition to the filter being created.

The table displays only those hosts that match the filter criteria you have set.

Resetting the hosts with Kaspersky Endpoint Agent filter

To clear the Kaspersky Endpoint Agent host filter for one or more filtering criteria:

1. Select the Endpoint Agents section in the window of the program web interface.
2. Click to the right of the header of the table column for which you want to clear the filter conditions.

   If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.

The selected filters are cleared.

The table displays only those hosts that match the filter criteria you have set.

Configuring activity indicators of Kaspersky Endpoint Agent

Users with the Local administrator and Administrator permissions can define what durations of inactivity of computers with Kaspersky Endpoint Agent correspond to normal, low, or very low activity, and can configure the activity indicators for Kaspersky Endpoint Agent program. Users with the Security auditor role can view the settings of activity indicators of Kaspersky Endpoint Agent. Users with the Senior security officer or Security officer role can see activity indicators that you configured for Kaspersky Endpoint Agent in the Activity field of the Kaspersky Endpoint Agent host table in the Endpoint Agents section of the program web interface.

To configure activity indicators for Kaspersky Endpoint Agent program:

1. Sign in to the program web interface under the Local administrator, Administrator or Senior security officer account.
2. In the window of the program web interface, select the Settings section, Endpoint Agents subsection.
3. In the fields under the section name, enter the number of days of inactivity of hosts with Kaspersky Endpoint Agent that you want to display as Warning and Critical inactivity.
4. Click Apply.

Activity indicators of Kaspersky Endpoint Agent will be configured.

Supported interpreters and processes

Kaspersky Endpoint Agent program monitors the execution of scripts by the following interpreters:

• cmd.exe
• reg.exe
• regedit.exe
• regedt32.exe
• cscript.exe
• wscript.exe
• mmc.exe
• msiexec.exe
• mshta.exe
• rundll32.exe
• runlegacycplelevated.exe
• control.exe
• explorer.exe
• regsvr32.exe
• wwahost.exe
• powershell.exe
• java.exe and javaw.exe (only if started with the –jar option)
• InstallUtil.exe
• msdt.exe
• python.exe
• ruby.exe
• rubyw.exe

Information about the processes monitored by Kaspersky Endpoint Agent program is presented in the table below.

Processes and the file extensions that they open

Configuring integration with the Sandbox component

You can connect one Sandbox component to multiple Central Node components.

The following procedure is used to configure the Sandbox component connection with the Central Node component:

1. Creating a request to connect to the Sandbox component

   You can create a request in the program web interface under an administrator account. If you have several Central Node components installed on the server, you need to create a request for each server with the Central Node component that you want to connect to the Sandbox component. If the Central Node component is deployed as a cluster, you can create a request for connection from any server in the cluster.

2. Processing a connection request in the Sandbox web interface

   You can accept or reject each request.

Viewing the table of servers with the Sandbox component

The table of servers with the Sandbox component is located on the Sandbox servers tab of the program web interface window.

The table contains the following information:

• IP and name—IP address or fully qualified domain name of the server with the Sandbox component.
• Certificate fingerprint—Certificate fingerprint of the server with the Sandbox component.
• Authorization—Status of the request to connect to the Sandbox component.
• Status—Status of the connection to the Sandbox component.

Creating a request to connect to the server with the Sandbox component

To create a request to connect to the server with the Sandbox component through the program web interface:

1. Select the Sandbox servers section in the window of the program web interface.
2. In the upper-right corner of the window, click the Add button.

   This opens the Sandbox server connection window.

3. In the IP field, specify the IP address of the server with the Sandbox component to which you want to connect.
4. Click Get certificate fingerprint.

   The workspace displays the fingerprint of the certificate of the server with the Sandbox component.

5. Compare the obtained certificate fingerprint with the fingerprint indicated in the Sandbox web interface in the KATA Authorization section in the Certificate fingerprint field.

   If the certificate fingerprints match, perform the next steps of the instructions.

   If certificate fingerprints do not match, confirming the connection is not recommended. Make sure the data you entered is correct.

6. In the Name field, specify the Sandbox component name that will be displayed in the web interface of the Central Node component.

   This name is not related to the name of the host where the Sandbox is installed.

7. If you want to activate a connection with Sandbox immediately after connecting, select the Enable check box.
8. Click Add.

The connection request is displayed in the web interface of the Sandbox component.

Enabling and disabling a connection with the Sandbox component

To make a connection with the Sandbox component active or to disable it:

1. Select the Sandbox servers section in the window of the program web interface.

   The table of servers with Sandbox components is displayed.

2. In the row containing the relevant server in the Status column, perform one of the following actions:
   • If you want to activate a connection with the Sandbox component, set the toggle switch to Enabled.
   • If you want to disable a connection with the Sandbox component, set the toggle switch to Disabled.
3. Click Apply.

The connection with the Sandbox component will become active or will be disabled.

Deleting a connection with the Sandbox component

To delete a connection with the Sandbox component:

1. Select the Sandbox servers section in the window of the program web interface.

   This displays the table of computers on which the Sandbox component is installed.

2. Select the check box in the line containing the Sandbox component whose connection you want to delete.
3. In the upper-right corner of the window, click the Delete button.
4. In the confirmation window, click Yes.

The connection with the Sandbox component will be deleted.

Configuring integration with external systems

You can configure integration of Kaspersky Anti Targeted Attack Platform with external systems to scan files stored in those systems. Their scan results will be displayed in the alerts table.

The role of an external system can be served by a mail sensor, such as Kaspersky Secure Mail Gateway or Kaspersky Security for Linux Mail Server. The mail sensor sends email messages to Kaspersky Anti Targeted Attack Platform for processing. Based on the results of processing of email messages in Kaspersky Anti Targeted Attack Platform, the mail sensor may block the transfer of messages.

Integration of Kaspersky Anti Targeted Attack Platform with external systems involves the following procedure:

1. Enter the integration settings and create an integration request from the external system.

   For more details about entering integration settings for the mail sensor, please refer to the Kaspersky Secure Mail Gateway Help or the Kaspersky Security for Linux Mail Server Help.

   To integrate other external systems, use the REST API.

2. Confirm integration for Kaspersky Anti Targeted Attack Platform

   External systems may use identical IDs and certificates for authorization on the server with the Central Node component. If this is the case, a single integration request will be displayed in the interface of Kaspersky Anti Targeted Attack Platform.

3. Check the connection between the external system and Kaspersky Anti Targeted Attack Platform

Viewing the table of external systems

The table of external systems is in the External systems section of the program web interface window. The table contains the following information:

• Sensor—IP address or domain name of the external system server.
• Type—Type of external system (mail sensor or other system).
• Name—Name of the integrated external system that is not a mail sensor.

  A dash is displayed in this column for a mail sensor.

• ID—ID of the external system.
• Certificate fingerprint—Fingerprint of the TLS certificate of the server with the external system used to establish an encrypted connection with the server hosting the Central Node component.

  The certificate fingerprint of the server with the Central Node component is displayed in the upper part of the window in the Certificate fingerprint field.

• State—State of the integration request.

Processing a request from an external system

To process an integration request from an external system:

1. Select the External systems section in the window of the program web interface.

   The Server list table displays the already connected external systems, and requests for integration with Kaspersky Anti Targeted Attack Platform from external systems.

2. In the line containing the integration request, perform one of the following actions:
   • If you want to configure integration with the external system, click the Accept button.
   • If you do not want to configure integration with the external system, click the Reject button.
3. In the confirmation window, click Yes.

The integration request from the external system will be processed.

Removing an external system from the list of those allowed to integrate

After you have accepted an integration request from an external system, you can remove it from the list of those allowed to integrate. If this is the case, the connection between Kaspersky Anti Targeted Attack Platform and the external system will be terminated.

To remove an external system from the list of systems allowed to integrate:

1. Select the External systems section in the window of the program web interface.

   The Server list displays the already added external systems and the requests to integrate with Kaspersky Anti Targeted Attack Platform from external systems.

2. Click the Delete button in the line containing the integration request from the external system that you want to remove.
3. In the confirmation window, click Yes.

The external system will be removed from the list of those allowed to integrate.

Configuring the priority for processing traffic from mail sensors

You can enable or disable the maximum priority for processing traffic from mail sensors.

To enable or disable the maximum priority for processing traffic from mail sensors:

1. Select the External systems section in the window of the program web interface.
2. Do one of the following:
   • Turn on the toggle switch next to the name of the Maximum scan priority parameter if you want to enable the maximum priority for processing traffic from mail sensors.
   • Turn off the toggle switch next to the name of the Maximum scan priority parameter if you want to disable the maximum priority for processing traffic from mail sensors.

The priority for processing traffic from mail sensors will be configured.

Configuring integration with Kaspersky Managed Detection and Response

Kaspersky Managed Detection and Response (hereinafter also "MDR") detects and prevents fraud in the client's infrastructure. MDR provides continuous managed protection and allows organizations to automatically discover hard-to-detect threats while freeing up IT security personnel to work on issues requiring their participation.

Kaspersky Anti Targeted Attack Platform obtains data and sends it to Kaspersky Managed Detection and Response using a Kaspersky Security Network stream. Therefore, participation in KSN is necessary for configuring integration with MDR.

Integration with MDR is only available if at least one KATA or EDR license is active. If only one license key (only KATA or only EDR) is added in the program, statistics is limited to the functionality provided by that license. If both license keys are added in the program, complete statistics is sent.

Before configuring the integration of Kaspersky Anti Targeted Attack Platform with the MDR program, you must download an archive with the configuration file from the MDR portal.

Only Local Administrator and Web Interface Administrator can configure the integration with MDR.

Enabling the MDR integration

Make sure that an active license key is added and participation in KSN is configured in the program. Otherwise the MDR integration is unavailable.

To enable integration with MDR:

1. Log in to the program web interface with the administrator account.
2. Select the Settings section, KSN/KPSN and MDR subsection.
3. Under MDR integration, click Upload to upload the configuration file.

   This opens the file selection window.

4. Select the archive you downloaded during registration at the MDR portal and click Open.

   The following information about the MDR license is displayed in the window:

   • Serial number.
   • Expiration date.
   • Days remaining.

Integration with MDR is enabled. Integration settings configured in the configuration file are applied to all connected Sensor components. MDR starts using alert statistics sent via the KSN stream.

Disabling the MDR integration

To disable integration with MDR:

1. Log in to the program web interface with the administrator account.
2. Select the Settings section, KSN/KPSN and MDR subsection.
3. Under MDR integration, click Delete file.
4. In the confirmation window, click Yes.

The configuration file is deleted and the MDR integration is disabled. Statistics is still sent to KSN servers but this information is not used by MDR.

Replacing the MDR configuration file

To replace the MDR configuration file:

1. Log in to the program web interface with the administrator account.
2. Select the Settings section, KSN/KPSN and MDR subsection.
3. Under MDR integration, click Replace file.

   This opens the file selection window.

4. Select a new archive containing a configuration file and click Open.

   MDR license information is updated in the program web interface.

The configuration file is replaced. New integration settings are applied to all connected Sensor components.

Configuring integration with an SIEM system

Kaspersky Anti Targeted Attack Platform can publish information about user actions in the program web interface as well as alerts to a

You can use

If you have deployed the Central Node and Sensor components as a cluster, you can configure fault-tolerant integration with an external system using one of the following options:

• Using the Round Robin function.
• Configure the settings of the external system so that the external system switches between the IP addresses of the cluster servers if a network error occurs.

To configure the fault-tolerant integration with the external system:

1. Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
2. Specify this domain name in the mail server settings.

Integration with the mail server will be configured based on the domain name. The mail server will communicate with a random server in the cluster. If this server fails, the mail server will communicate with another healthy server in the cluster.

Enabling and disabling information logging to a remote log

You can configure the logging of information about user actions in the web interface and alerts to a remote log. The log file is stored on the server on which the SIEM system is installed. To write to the remote log, you must configure the integration with the SIEM system.

To enable or disable the logging of information about user actions in the web interface and alerts to the remote log:

1. In the window of the program web interface, select the Settings section, SIEM system subsection.
2. If you want to enable / disable the recording of information about user actions in the web interface to the remote log, do one of the following:
   • If you want to enable recording of information about user actions in the web interface, select the Activity log check box.
   • If you want to disable the recording of information about user actions in the web interface, clear the Activity log check box.
3. If you want to enable / disable the recording of information about alerts to the remote log, do one of the following:
   • If you want to enable recording of alert information, select the Alerts check box.
   • If you want to disable recording of alert information, clear the Alerts check box.

   You can select both check boxes simultaneously.

4. Click Apply in the lower part of the window.

Information logging in the remote log is enabled or disabled.

Users with the Security auditor role can only view information about remote logging settings.

Configuring the main settings for SIEM system integration

To configure the main settings for SIEM system integration:

1. In the window of the program web interface, select the Settings section, SIEM system subsection.
2. Select the Activity log and/or Alerts check boxes.

   You can select one check box or both check boxes.

3. In the Host/IP field, enter the IP address or host name of the server of your SIEM system.
4. In the Port field, enter the port number used for connecting to your SIEM system.
5. In the Protocol field, select TCP or UDP.
6. In the Host ID field, enter the host ID. The host with that ID is specified as the alert source in the log of the SIEM system.
7. In the Heartbeat field, enter the interval for sending messages to the SIEM system.
8. Click Apply in the lower part of the window.

The main settings of integration with the SIEM system will be configured.

Users with the Security auditor role can only view information about the SIEM system integration settings.

Uploading a TLS certificate

To upload a TLS certificate for encrypting the connection with the SIEM system:

1. In the window of the program web interface, select the Settings section, SIEM system subsection.
2. In the TLS encryption section, click the Upload button.

   This opens the file selection window.

3. Select a TLS certificate file to download and click the Open button.

   This closes the file selection window.

   The TLS certificate will be added to the program.

4. Click Apply in the lower part of the window.

The uploaded TLS certificate will be used to encrypt the connection with the SIEM system.

Enabling and disabling TLS encryption of the connection with the SIEM system

To enable or disable TLS encryption of the connection with the SIEM system:

1. In the window of the program web interface, select the Settings section, SIEM system subsection.
2. Select the Activity log and/or Alerts check boxes.

   You can select one check box or both check boxes.

3. In the TLS encryption section, perform one of the following actions:
   • Turn on the toggle switch next to the name of the TLS encryption parameter if you want to enable TLS encryption of the connection with the SIEM system.
   • Turn off the toggle switch next to the name of the TLS encryption parameter if you want to disable TLS encryption of the connection with the SIEM system.

   The toggle switch next to the name of the TLS encryption setting can be used only if a TLS certificate is loaded.

4. Click Apply in the lower part of the window.

TLS encryption of the connection with the SIEM system will be enabled or disabled.

Content and properties of syslog messages about alerts

Information about each alert is transmitted in a separate syslog category (syslog facility) that is not used by the system to deliver messages from other sources. Information about each alert is transmitted as a separate syslog message in CEF format. If the alert was generated by the Targeted Attack Analyzer module, information about that alert is transmitted as multiple separate syslog messages in CEF format.

The default maximum size of a syslog message about an alert is 32 KB. Messages that exceed the maximum size are truncated at the end.

The header of each syslog message about an alert contains the following information:

• Format version.

  Current version number: 0. Current field value: CEF:0.

• Vendor.

  Current field value: AO Kaspersky Lab.

• Program name.

  Current field value: Kaspersky Anti Targeted Attack Platform.

• Program version.

  The current value of the field is 5.0.0-5201.

• Alert type.

  See the table below.

• Event name.

  See the table below.

• Alert importance.

  Allowed field values: Low, Medium, High or 0 (for heartbeat messages).

• Additional information.

  Example: CEF:0|AO Kaspersky Lab| Kaspersky Anti Targeted Attack Platform |5.0.0-5201|url_web| URL from web detected|Low|

The body of a syslog message about an alert matches the information about that alert that is displayed in the program web interface. All fields are presented in the format "<key>=<value>". Depending on whether the alert occurred in network traffic or mail traffic, and depending on the technology that generated the alert, various keys may be transmitted in the body of a syslog message. If the value is empty, the key is not transmitted.

The keys, as well as their values contained in a message, are presented in the table below.

Information about an alert in syslog messages

Page top

Managing the activity log

Some user actions in the program web interface can cause errors in the operation of Kaspersky Anti Targeted Attack Platform. You can enable logging of user action information in the program web interface and if necessary, view the information by downloading log files.

Enabling and disabling the recording of information in the activity log

To enable or disable the logging of information about user actions in the Kaspersky Anti Targeted Attack Platform web interface to the activity log:

1. Select the Reports section, Activity log subsection in the window of the program web interface.
2. Do one of the following:
   • Set the Activity log toggle switch to the Enabled position if you want to enable the logging of information about user actions in the program web interface.
   • Set the Activity log toggle switch to the Disabled position if you want to disable the logging of information about user actions in the program web interface.

     This function is enabled by default.

Information is logged for 30 days in the user_actions.log file. After 30 days, the user_actions.log file is saved on the Central Node server in the /var/log/kaspersky/apt-base/ directory with the name user_actions.log<month>. A new file named user_actions.log is created to record information for the current month. Each file is retained for 90 days and then deleted.

To view activity log files, you must download them.

You can configure the logging of information about user actions in the program web interface to a remote log. The remote log is saved on the server on which a SIEM system is installed. The settings of integration with the SIEM system must be configured to write to the remote log.

In distributed solution mode, information about user actions in the application web interface is recorded in the log of the same server for which the users are managing the web interface. Information about the actions of PCN server users that affect the settings of SCN servers is recorded in the PCN server log.

Users with the Security auditor role can only view the settings for logging information to the activity log.

Downloading the activity log file

To download the activity log file:

1. Select the Reports section, Activity log subsection in the window of the program web interface.
2. Click Download.

Log files are saved on your local computer in your browser's downloads folder. The files are downloaded as a ZIP archive.

In distributed solution mode, you can download log files only for the server for which you are managing the web interface.

Content and properties of CEF messages about user activity in the web interface

The header of each message contains the following information:

• Format version.

  Current version number: 0. Current field value: CEF:0.

• Vendor.

  Current field value: AO Kaspersky Lab.

• Program name.

  Current field value: Kaspersky Anti Targeted Attack Platform.

• Program version.

  The current value of the field is 5.0.0-5201.

• Event type.

  See the table below.

• Event name.

  See the table below.

• Event importance.

  Current field value: Low.

  Example: CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|5.0.0-5201|tasks|Managing tasks|Low|

All fields of the CEF message have the "<key>=<value>" format. The keys, as well as their values contained in a message, are presented in the table below.

Event information in CEF messages

If an operation is performed on over 30 objects simultaneously, only one entry is logged for this operation. The entry includes the information about the operation and the number of objects on which it was performed.

Database Update

Program databases ("databases") are files with records used by the program components and modules to detect events occurring in your organization's IT infrastructure.

Virus analysts at Kaspersky detect hundreds of new threats daily (including "zero-day" exploits), create records to identify them, and include them in database updates packages ("update packages"). Update packages consist of one or more files containing records to identify threats that were detected since the previous update package was released. We recommend that you regularly receive update packages. When the program is installed, the database release date is the same as the program release date, and therefore you must update the databases immediately after installing the program.

The program periodically automatically checks for new update packages on the Kaspersky update servers (once every 30 minutes). By default, if for some reason program databases are not updated for 24 hours, Kaspersky Anti Targeted Attack Platform displays this information in the Dashboard section of the window of the program web interface.

The update functionality (including anti-virus signature updates and code base updates), as well as the KSN functionality may be unavailable in the territory of the USA.

Selecting a database update source

You can select the source from which the program will download database updates. The update source may be the Kaspersky server, or a network folder or local folder on one of the computers of your organization.

To select a database update source:

1. In the window of the program web interface, select the Settings section, General settings subsection.
2. In the Database update section, in the Update source drop-down list, select one of the following values:
   • Kaspersky update server.

     The program connects to Kaspersky update server over HTTP and downloads up-to-date databases.

   • Kaspersky update server (secure connection).

     The program connects to Kaspersky update server over HTTPS and downloads up-to-date databases. It is recommended to use HTTPS for database updates.

   • Custom server.

     The program connects to your FTP or HTTP server or to the folder with program databases on your computer to download up-to-date databases.

3. If you have selected Custom server, in the field under the name of this setting, enter the URL of the update package on your HTTP server or the full path to the folder on your computer containing the program database update package.
4. Click Apply.

The program database update source will be applied.

Updating databases manually

To start the database update manually:

1. In the window of the program web interface, select the Settings section, General settings subsection.
2. In the Database update section, click the Start button.
3. Click Apply.

The program database update will be started. The progress of the update will be displayed to the right of the button.

Creating a list of passwords for archives

The program does not scan password-protected archives. You can create a list of the most frequently encountered passwords for archives that are used when exchanging files within your organization. If you do so, the program will try the passwords from the list when scanning an archive. If one of the passwords match, the archive will be unlocked and scanned.

The list of passwords defined in the program settings is also transmitted to the server with the Sandbox component.

To create a list of archive passwords:

1. In the window of the program web interface, select the Settings section, Passwords for archives subsection.
2. In the Passwords for archives field, enter the passwords that the program will use for password-protected archives.

   Enter each password on a new line. You can enter up to 50 passwords.

3. Click Apply.

The list of passwords for archives will be created. When scanning PDF files and files of Microsoft Word, Excel, and PowerPoint that are password protected, the program will use the passwords from the defined list.

Users with the Security auditor role can view the list of passwords for archives, but cannot edit it.