Kaspersky Next XDR Expert

Using the dashboard

The dashboard allows you to monitor security trends on your organization's network by providing you with a graphical display of information.

The dashboard is available in the OSMP Console, in the Monitoring & reporting → Dashboard section.

The dashboard provides widgets that can be customized. You can choose from a large number of different widgets, presented as pie charts or donut charts, tables, graphs, bar charts, and lists. The information displayed in the widgets is updated automatically; the update period is from one to two minutes and varies between widgets. You can refresh the data on a widget manually at any time by using the settings menu.

The dashboard includes the Administration and protection and Detection and response tabs, to which you can add widgets.

The Administration and protection tab

The Administration and protection tab can contain widgets that display information about all events stored in the database of Administration Server.

In the Administration and protection tab, the widgets of the following groups are available:

  • Protection status
  • Deployment
  • Updating
  • Threat statistics
  • Other

The Detection and response tab

The Detection and response tab can contain widgets that display information about detected and registered alerts and incidents, and the response actions to them. You can view data only for those tenants to which you have access.

In the Detection and response tab, the widgets of the following groups are available:

  • Events
  • Active lists
  • Alerts
  • Assets
  • Incidents
  • Event sources
  • Users
  • Playbooks

See also:

Scenario: Monitoring and reporting

In this section

Administration and protection widgets

Detection and response widgets

[Topic 166064]

Administration and protection widgets

When configuring the Administration and protection tab of the dashboard, you can add widgets, hide widgets, change the size or appearance of widgets, move widgets, and change their settings.

Some widgets have text information with links. You can view detailed information by clicking the link.

The following widget groups and widgets are available on the Administration and protection tab of the dashboard:

  • Protection status

    The group includes the following widgets:

    • History of software vulnerabilities
    • Number of vulnerable devices
    • Distribution of devices by severity level of vulnerabilities
    • Status of selected device
    • Protection status
  • Deployment

    This group includes the New devices widget.

  • Updating

    This group includes the following widgets:

    • Statistics about Windows Update updates
    • Distribution of anti-virus databases
    • Active alerts
    • Statistics of update installation results by update category
    • Statistics of update installation statuses by update category
    • Statistics of update installation statuses
  • Threat statistics

    This group includes the following widgets:

    • Detection of threats by a specified application component distributed by disinfection result
    • Detection of threats by application components
    • Prohibited applications
    • Types of network attacks
    • Types of detected viruses and disinfection results
    • Quarantine history
    • History of detection of probably infected objects
    • History of network attacks
    • History of threat activity sorted by application type
    • Threat activity
    • Users of the 10 most heavily infected devices
    • Most heavily infected devices
    • Virtual Administration Servers infected most frequently
    • Most frequent threats
    • Windows domains infected most frequently
    • Groups infected most frequently
    • Alerts
  • Other

    This group includes the following widgets:

    • License key usage
    • Notifications by selected severity level
    • Top 10 most frequent events in database
    • Current status of selected Administration Server task
    • Task history
[Topic 264091]

Adding widgets to the dashboard

To add widgets to the dashboard:

  1. In the main menu, go to Monitoring & reporting → Dashboard.
  2. Click the Add or restore web widget button.
  3. In the list of available widgets, select the widgets that you want to add to the dashboard.

    Widgets are grouped by category. To view the list of widgets included in a category, click the chevron icon next to the category name.

  4. Click the Add button.

The selected widgets are added at the end of the dashboard.

You can now edit the representation and parameters of the added widgets.

See also:

Scenario: Monitoring and reporting

[Topic 176350]

Hiding a widget from the dashboard

To hide a displayed widget from the dashboard:

  1. In the main menu, go to Monitoring & reporting → Dashboard.
  2. Click the settings icon next to the widget that you want to hide.
  3. Select Hide web widget.
  4. In the Warning window that opens, click OK.

The selected widget is hidden. Later, you can add this widget to the dashboard again.

See also:

Scenario: Monitoring and reporting

[Topic 176354]

Moving a widget on the dashboard

To move a widget on the dashboard:

  1. In the main menu, go to Monitoring & reporting → Dashboard.
  2. Click the settings icon next to the widget that you want to move.
  3. Select Move.
  4. Click the place to which you want to move the widget. You can select only another widget.

The places of the selected widgets are swapped.

See also:

Scenario: Monitoring and reporting

[Topic 176362]

Changing the widget size or appearance

For widgets that display a graph, you can change its representation—a bar chart or a line chart. For some widgets, you can change their size: compact, medium, or maximum.

To change the widget representation:

  1. In the main menu, go to Monitoring & reporting → Dashboard.
  2. Click the settings icon next to the widget that you want to edit.
  3. Do one of the following:
    • To display the widget as a bar chart, select Chart type: Bars.
    • To display the widget as a line chart, select Chart type: Lines.
    • To change the area occupied by the widget, select one of the values:
      • Compact
      • Compact (bar only)
      • Medium (donut chart)
      • Medium (bar chart)
      • Maximum

The representation of the selected widget is changed.

See also:

Scenario: Monitoring and reporting

[Topic 176369]

Changing widget settings

To change settings of a widget:

  1. In the main menu, go to Monitoring & reporting → Dashboard.
  2. Click the settings icon next to the widget that you want to change.
  3. Select Show settings.
  4. In the widget settings window that opens, change the widget settings as required.
  5. Click Save to save the changes.

The settings of the selected widget are changed.

The set of settings depends on the specific widget. Below are some of the common settings:

  • Web widget scope (the set of objects for which the widget displays information)—for example, an administration group or device selection.
  • Select task (the task for which the widget displays information).
  • Time interval (the time interval during which the information is displayed in the widget)—between the two specified dates; from the specified date to the current day; or from the current day minus the specified number of days to the current day.
  • Set to Critical if these are specified and Set to Warning if these are specified (the rules that determine the color of a traffic light).

After you change the widget settings, you can refresh data on the widget manually.

To refresh data on a widget:

  1. In the main menu, go to Monitoring & reporting → Dashboard.
  2. Click the settings icon next to the widget whose data you want to refresh.
  3. Select Refresh.

The data on the widget is refreshed.

See also:

Scenario: Monitoring and reporting

[Topic 176370]

Detection and response widgets

On the Detection and response tab, you can add, configure, and delete widgets.

A selection of widgets used in the Detection and response tab is called a layout. All widgets must be placed in layouts. Kaspersky Next XDR Expert allows you to create, edit, and delete layouts. Preconfigured layouts are also available. You can edit widget settings in the preconfigured layouts as necessary. By default, the Alerts Overview layout is selected on the Detection and response tab.

A widget displays data for the period selected in the widget or layout settings, and only for the tenants that are selected in the widget or layout settings.

By clicking the link with the name of the widget about events, alerts, incidents, or active lists, you can go to the corresponding section of the Kaspersky Next XDR Expert interface. Note that this option is not available for some widgets.

The following widget groups and widgets are available on the Detection and response tab of the dashboard:

  • Events. Widget for creating analytics based on events.
  • Active lists. Widget for creating analytics based on active lists of correlators.
  • Alerts. Group for analytics related to alerts. Includes information about alerts and incidents that is provided by Kaspersky Next XDR Expert.

    The group includes the following widgets:

    • Active alerts. Number of alerts that have not been closed.
    • Active alerts by tenant. Number of unclosed alerts for each tenant.
    • Alerts by tenant. Number of alerts of all statuses for each tenant.
    • Unassigned alerts. Number of alerts that have no assignee.
    • Alerts by status. Number of alerts that have the New, Opened, Assigned, or Escalated status. The grouping is by status.
    • Latest alerts. Table with information about the last 10 unclosed alerts belonging to the tenants selected in the layout.
    • Alerts distribution. Number of alerts created during the period configured for the widget.
    • Alerts by assignee. Number of alerts with the Assigned status. The grouping is by account name.
    • Alerts by severity. Number of unclosed alerts grouped by their severity.
    • Alerts by rule. Number of unclosed alerts grouped by correlation rule.
  • Assets. Group for analytics related to assets from processed events. This group includes the following widgets:
    • Affected assets in alerts. Table with the names of assets and related tenants, and the number of unclosed alerts that are associated with these assets. You cannot go from this widget to the asset list section.
    • Affected asset categories. Categories of assets linked to unclosed alerts.
    • Number of assets. Number of assets that were added to Kaspersky Next XDR Expert.
    • Assets in incidents by tenant. Number of assets associated with unclosed incidents. The grouping is by tenant.
    • Assets in alerts by tenant. Number of assets associated with unclosed alerts, grouped by tenant.
  • Incidents. Group for analytics related to incidents.

    The group includes the following widgets:

    • Active incidents. Number of incidents that have not been closed.
    • Unassigned incidents. Number of incidents that have the Opened status.
    • Incidents distribution. Number of incidents created during the period configured for the widget.
    • Incidents by status. Number of incidents grouped by status.
    • Incidents by type. Number of incidents in any status grouped by type.
    • Active incidents by tenant. Number of unclosed incidents grouped by tenant available to the user account.
    • All incidents. Number of incidents of all statuses.
    • All incidents by tenant. Number of incidents of all statuses, grouped by tenant.
    • Affected assets categories in incidents. Asset categories associated with unclosed incidents.
    • Latest incidents. Table with information about the last 10 unclosed incidents belonging to the tenants selected in the layout.
    • Incidents by assignee. Number of incidents with the Assigned status. The grouping is by user account name.
    • Incidents by severity. Number of unclosed incidents grouped by their severity.
    • Affected assets in incidents. Number of assets associated with unclosed incidents. You cannot go from this widget to the asset list section.
    • Affected users in incidents. Users associated with incidents. You cannot go from this widget to the user list section.
  • Event sources. Group for analytics related to sources of events. The group includes the following widgets:
    • Top event sources by alerts number. Number of unclosed alerts grouped by event source.
    • Top event sources by convention rate. Number of events associated with unclosed alerts. The grouping is by event source.

      In some cases, the number of alerts generated by sources may be inaccurate. To obtain accurate statistics, it is recommended to specify the Device Product event field as unique in the correlation rule, and enable storage of all base events in a correlation event. However, correlation rules with these settings consume more resources.

  • Users. Group for analytics related to users from processed events. The group includes the following widgets:
    • Affected users in alerts. Number of accounts related to unclosed alerts. You cannot go from this widget to the user list section.
    • Number of AD users. Number of Active Directory accounts received via LDAP during the period configured for the widget.

      In the events table, in the event details area, in the alert window, and in the widgets, the names of assets, accounts, and services are displayed instead of the IDs as the values of the SourceAssetID, DestinationAssetID, DeviceAssetID, SourceAccountID, DestinationAccountID, and ServiceID fields. When exporting events to a file, the IDs are saved, but columns with names are added to the file. The IDs are also displayed when you point the mouse over the names of assets, accounts, or services.
      Searching for fields with IDs is only possible using IDs.

  • Playbooks. Group for analytics related to playbooks.

    To view widgets in this group, you must have one of the following XDR roles: Main administrator, Tenant Administrator, SOC Administrator, SOC Manager, Junior analyst, Tier 1 analyst, Tier 2 analyst, Approver, Observer.

    The group includes the following widgets:

    • Statistics MTTR. Changes of the time to first response to alerts and incidents for the specified period of time (by default for 30 days). The widget displays a column chart.

      The following configuration parameters of the Statistics MTTR widget are available:

      • MTTR type:
        • Mean. Changes of the mean time to first response to alerts and incidents.
        • Minimum. Changes of the minimum time to first response to alerts and incidents.
        • Maximum. Changes of the maximum time to first response to alerts and incidents.
      • Response mode:
        • Manual. Changes of the time only to manual first responses.
        • Automatic. Changes of the time only to automatic first responses.
        • All. Changes of the time to all first responses.
      • Scope:
        • Alerts. Changes of the time to first response only to alerts.
        • Incidents. Changes of the time to first response only to incidents.
        • All. Changes of the time to first response to alerts and incidents.
    • Automatic and manual launches of playbooks. The total number of automatic and manual launches of playbooks for a certain period. The widget displays a column chart.

      The Launch type parameter of the widget specifies whether to show only the number of automatic, only the number of manual, or the total number of playbook launches for a certain period.

      For the Statistics MTTR and Automatic and manual launches of playbooks widgets, you can also set the Period segments length parameter. This parameter specifies a time interval within which data will be grouped. You can group data for every hour, every 4 hours, or every 24 hours. On the column chart, the Period segments length parameter specifies the column width.

    • Coverage of alerts and incidents with playbooks. Number of active alerts and incidents. You can select which components to display: incidents, alerts, or all.

      The donut chart displays alerts/incidents in the following sectors:

      • Alerts/incidents for which a playbook in Auto operation mode was launched.
      • Alerts/incidents for which a playbook in Training operation mode was launched.
      • All other alerts/incidents.
    • Time saved by using playbooks. Time saved by launching all the playbooks that have Success or Warning action status.

      The widget is not displayed by default.

    You can view the full playbook list by clicking the name of any playbook widget.
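
The Statistics MTTR widget described above amounts to a filter (Response mode, Scope) followed by an aggregate (MTTR type) computed per time bucket (Period segments length). The Python below is an added example, not Kaspersky code, that computes the same statistic over constructed alert and incident records. It assumes each record carries its creation time, the time of its first response action and whether that response was manual or automatic; it buckets records by creation time, which is an assumption, since the documentation does not say which timestamp the widget groups by. Periods and segments are treated as half-open intervals (the upper boundary is excluded), the same convention the layout time period uses.

```python
"""Added example: the computation behind a Statistics MTTR style widget.

Constructed data, not Kaspersky code. Each record is assumed to carry its
creation time, the time of the first response action (None if none yet)
and whether that response was manual or automatic. Records are bucketed
by creation time (an assumption; the documentation does not say which
timestamp the widget groups by).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Record:
    kind: str                           # "alert" or "incident"
    created: datetime
    first_response: Optional[datetime]  # None: nobody has responded yet
    response_mode: Optional[str]        # "manual", "automatic" or None


# Constructed sample: one day of alerts and incidents (UTC).
DAY = datetime(2024, 1, 1)
PERIOD_START = DAY
PERIOD_END = DAY + timedelta(days=1)      # upper boundary, excluded
SAMPLE = [
    Record("alert", DAY + timedelta(minutes=10), DAY + timedelta(minutes=25), "manual"),                 # 15 min
    Record("alert", DAY + timedelta(hours=1), DAY + timedelta(hours=1, minutes=5), "automatic"),          # 5 min
    Record("incident", DAY + timedelta(hours=2, minutes=30), DAY + timedelta(hours=3, minutes=30), "manual"),  # 60 min
    Record("alert", DAY + timedelta(hours=3), None, None),                                                # no response yet
    Record("alert", DAY + timedelta(hours=5), DAY + timedelta(hours=5, minutes=45), "manual"),             # 45 min
    Record("incident", DAY + timedelta(hours=23, minutes=59, seconds=59),
           DAY + timedelta(hours=24, minutes=9, seconds=59), "automatic"),                                # 10 min, last second of the day
    Record("alert", DAY + timedelta(hours=24), DAY + timedelta(hours=24, minutes=1), "manual"),           # created at the upper bound: excluded
]

AGGREGATORS = {"mean": mean, "minimum": min, "maximum": max}   # MTTR type
SCOPE_KIND = {"alerts": "alert", "incidents": "incident"}      # Scope
SEGMENT_HOURS = (1, 4, 24)                                     # Period segments length


def time_to_first_response(records, period_start, period_end, segment_hours,
                           mttr_type="mean", response_mode="all", scope="all"):
    """Return {segment_start: seconds} for records created in [period_start, period_end).

    Both the period and every segment are half-open intervals: a record
    created exactly at an upper boundary falls into the next segment (or
    out of the period), matching the layout time-period convention.
    """
    if mttr_type not in AGGREGATORS:
        raise ValueError(f"unknown MTTR type: {mttr_type}")
    if segment_hours not in SEGMENT_HOURS:
        raise ValueError(f"segment length must be one of {SEGMENT_HOURS} hours")
    if scope != "all" and scope not in SCOPE_KIND:
        raise ValueError(f"unknown scope: {scope}")
    segment = timedelta(hours=segment_hours)
    buckets: dict[datetime, list[float]] = {}
    for r in records:
        if r.first_response is None:
            continue                     # nothing to measure until someone responds
        if not (period_start <= r.created < period_end):
            continue
        if scope != "all" and r.kind != SCOPE_KIND[scope]:
            continue
        if response_mode != "all" and r.response_mode != response_mode:
            continue
        index = (r.created - period_start) // segment      # whole segments since period start
        start = period_start + index * segment
        buckets.setdefault(start, []).append((r.first_response - r.created).total_seconds())
    aggregate = AGGREGATORS[mttr_type]
    return {start: aggregate(values) for start, values in sorted(buckets.items())}


def segments_in_hours(result, period_start):
    """Re-key a result by hours since the period start (convenient for reading and checking)."""
    return {int((start - period_start).total_seconds() // 3600): value for start, value in result.items()}


if __name__ == "__main__":
    for start, secs in time_to_first_response(SAMPLE, PERIOD_START, PERIOD_END, 4).items():
        print(f"{start:%Y-%m-%d %H:%M}  mean time to first response: {secs / 60:.1f} min")
```

With 4-hour segments over the sample day, the 00:00 bucket averages the three responses created before 04:00, the record created at the last second of the day lands in the 20:00 bucket, and the record created exactly at midnight of the next day is excluded, which is the effect of the half-open upper boundary.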

[Topic 264092]

Creating a widget

You can create a widget in a dashboard layout while creating or editing the layout.

To create a widget:

  1. In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
  2. Create a layout or switch to editing mode for the selected layout.
  3. Click Add widget.
  4. Select a widget type from the drop-down list.

    This opens the widget settings window.

  5. Edit the widget settings.
  6. If you want to see how the data will be displayed in the widget, click Preview.
  7. Click Add.

The widget appears in the dashboard layout.

[Topic 264166]

Editing a widget

To edit a widget:

  1. In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
  2. Expand the list in the upper right corner of the window.
  3. Hover the mouse cursor over the relevant layout.
  4. Click the edit button.

    The Customizing layout window opens.

  5. In the widget you want to edit, click the settings icon.
  6. Select Edit.

    This opens the widget settings window.

  7. Edit the widget settings.
  8. Click Save in the widget settings window.
  9. Click Save in the Customizing layout window.

The widget is edited.

[Topic 264167]

Deleting a widget

To delete a widget:

  1. In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
  2. Expand the list in the upper right corner of the window.
  3. Hover the mouse cursor over the relevant layout.
  4. Click the edit button.

    The Customizing layout window opens.

  5. In the widget you want to delete, click the settings icon.
  6. Select Delete.
  7. In the opened confirmation window, click OK.
  8. Click the Save button.

The widget is deleted.

[Topic 264168]

Creating a dashboard layout

To create a layout:

  1. In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
  2. Open the drop-down list in the top right corner of the window and select Create layout.

    The New layout window opens.

  3. In the Tenants drop-down list, select the tenants that will own the created layout and whose data will be used to fill the widgets of the layout.

    The selection of tenants in this drop-down list does not matter if you want to create a universal layout (step 8).

  4. In the Time period drop-down list, select the time period from which you require analytics:
    • 1 hour
    • 1 day (this value is selected by default)
    • 7 days
    • 30 days
    • In period—receive analytics for the custom time period. The time period is set using the calendar that is displayed when this option is selected.

      The upper boundary of the period is not included in the time slice defined by it. In other words, to receive analytics for a 24-hour period, you should configure the period as Day 1, 00:00:00 – Day 2, 00:00:00 instead of Day 1, 00:00:00 – Day 1, 23:59:59.

  5. In the Refresh every drop-down list, select how often data should be updated in layout widgets:
    • 1 minute
    • 5 minutes
    • 15 minutes
    • 1 hour (this value is selected by default)
    • 24 hours
  6. In the Add widget drop-down list, select the required widget and configure its settings.

    You can add multiple widgets to the layout.

    You can also drag widgets around the window and resize them using the resize button that appears when you hover the mouse over a widget.

    You can edit or delete widgets added to the layout. To do this, click the settings icon (gear) and select Edit to change their configuration or Delete to delete them from the layout.

    To add a widget:

    1. Click the Add widget drop-down list and select the required widget.

      The window with widget parameters opens. You can see how the widget will look by clicking the Preview button.

    2. Configure the widget parameters and click the Add button.
  7. In the Layout name field, enter a unique name for this layout. The name must contain 1 to 128 Unicode characters.
  8. If necessary, click the settings icon (gear) on the right of the layout name field, and then select the check box next to the Universal setting.

    The layout widgets display data from tenants that you select in the Selected tenants section in the menu on the left. This means that the data in the layout widgets will change based on your selected tenants without having to edit the layout settings. For universal layouts, tenants selected in the Tenants drop-down list are not taken into account.

    If the check box is cleared, layout widgets display data from the tenants that are selected in the Tenants drop-down list in the layout settings. If any of the tenants selected in the layout are not available to you, their data will not be displayed in the layout widgets.

    You cannot use the Active Lists widget in universal layouts.
    Universal layouts can only be created and edited by a user who has been assigned the Main administrator role. Such layouts can be viewed by all users.

  9. Click Save.

The new layout is created and is displayed on the Detection and response tab of the dashboard.

[Topic 263971]

Selecting a dashboard layout

To select a dashboard layout:

  1. In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
  2. Expand the list in the upper right corner of the window.
  3. Select the relevant layout.

The selected layout is displayed on the Detection and response tab of the dashboard.

[Topic 264145]

Selecting a dashboard layout as the default

To set a dashboard layout as the default:

  1. In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
  2. Expand the list in the upper right corner of the window.
  3. Hover the mouse cursor over the relevant layout.
  4. Click the star icon.

The selected layout is displayed on the Detection and response tab of the dashboard by default.

[Topic 264146]

Editing a dashboard layout

To edit a dashboard layout:

  1. In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
  2. Expand the list in the upper right corner of the window.
  3. Hover the mouse cursor over the relevant layout.
  4. Click the edit icon.

    The Customizing layout window opens.

  5. Edit the dashboard layout. The settings that are available for editing are the same as the settings available when creating a layout.
  6. Click Save.

The dashboard layout is edited and displayed on the Detection and response tab.

If the layout is deleted or assigned to a different tenant while you are editing it, an error is displayed when you click Save. The layout is not saved. Refresh the Kaspersky Next XDR Expert interface page to see the list of available layouts in the drop-down list.

[Topic 264147]

Deleting a dashboard layout

To delete a layout:

  1. In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
  2. Expand the list in the upper right corner of the window.
  3. Hover the mouse cursor over the relevant layout.
  4. Click the delete icon and confirm this action.

The layout is deleted.

[Topic 263769]

Enabling and disabling TV mode

To present the Detection and response tab conveniently, you can enable TV mode. This mode lets you view the Detection and response tab of the dashboard in full-screen mode in FullHD resolution. In TV mode, you can also configure a slideshow of the selected layouts.

It is recommended to create a separate user with the minimum required set of rights to display analytics in TV mode.

To enable TV mode:

  1. In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
  2. Click the settings icon in the upper-right corner.

    The Settings window opens.

  3. Move the TV mode toggle switch to the Enabled position.
  4. To configure the slideshow display of the layouts, do the following:
    1. Move the Slideshow toggle switch to the Enabled position.
    2. In the Timeout field, specify how many seconds to wait before switching layouts.
    3. In the Queue drop-down list, select the layouts to view. If no layout is selected, the slideshow mode displays all layouts available to the user one after another.
    4. If necessary, change the order in which the layouts are displayed by dragging them with the drag button.
  5. Click Save.

TV mode will be enabled. To return to working with the Kaspersky Next XDR Expert interface, disable TV mode.

To disable TV mode:

  1. In the main menu, go to Monitoring & reporting → Dashboard, and then select the Detection and response tab.
  2. Click the settings icon in the upper-right corner.

    The Settings window opens.

  3. Move the TV mode toggle switch to the Disabled position.
  4. Click Save.

TV mode will be disabled. The left part of the screen shows a pane containing sections of the Kaspersky Next XDR Expert interface.

When you make changes to the layouts selected for the slideshow, those changes will automatically be applied to the active slideshow sessions.

[Topic 264148]

Preconfigured dashboard layouts

Kaspersky Next XDR Expert includes a set of predefined layouts that contain the following widgets:

  • Alerts Overview layout (Alert overview):
    • Active alerts—number of alerts that have not been closed.
    • Unassigned alerts—number of alerts that have no assignee.
    • Latest alerts—table with information about the last 10 unclosed alerts belonging to the tenants selected in the layout.
    • Alerts distribution—number of alerts created during the period configured for the widget.
    • Alerts by priority—number of unclosed alerts grouped by their priority.
    • Alerts by assignee—number of alerts with the Assigned status. The grouping is by account name.
    • Alerts by status—number of alerts that have the New, Opened, Assigned, or Escalated status. The grouping is by status.
    • Affected users in alerts—number of users associated with alerts that have the New, Assigned, or Escalated status. The grouping is by account name.
    • Affected assets—table with information about the level of importance of assets and the number of unclosed alerts they are associated with.
    • Affected assets categories—categories of assets associated with unclosed alerts.
    • Top event source by alerts number—number of alerts with the New, Assigned, or Escalated status, grouped by alert source (DeviceProduct event field).

      The widget displays up to 10 event sources.

    • Alerts by rule—number of alerts with the New, Assigned, or Escalated status, grouped by correlation rules.
  • Incidents Overview layout (Incidents overview):
    • Active incidents—number of incidents that have not been closed.
    • Unassigned incidents—number of incidents that have the Opened status.
    • Latest incidents—table with information about the last 10 unclosed incidents belonging to the tenants selected in the layout.
    • Incidents distribution—number of incidents created during the period configured for the widget.
    • Incidents by priority—number of unclosed incidents grouped by their priority.
    • Incidents by assignee—number of incidents with the Assigned status. The grouping is by user account name.
    • Incidents by status—number of incidents grouped by their status.
    • Affected assets in incidents—number of assets associated with unclosed incidents.
    • Affected users in incidents—users associated with incidents.
    • Affected asset categories in incidents—categories of assets associated with unclosed incidents.
    • Active incidents by tenant—number of incidents of all statuses, grouped by tenant.
  • Network Overview layout (Network activity overview):
    • Netflow top internal IPs—total volume of netflow traffic received by the asset, in bytes. The data is grouped by internal IP addresses of assets.

      The widget displays up to 10 IP addresses.

    • Netflow top external IPs—total volume of netflow traffic received by the asset, in bytes. The data is grouped by external IP addresses of assets.
    • Netflow top hosts for remote control—number of events associated with access attempts to one of the following ports: 3389, 22, 135. The data is grouped by asset name.
    • Netflow total bytes by internal ports—number of bytes sent to internal ports of assets. The data is grouped by port number.
    • Top Log Sources by Events count—top 10 sources from which the greatest number of events was received.

The default refresh period for predefined layouts is Never. You can edit these layouts as needed.
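
The Netflow widgets of the Network Overview layout listed above are aggregations over flow records: bytes received per destination address, flow counts per asset for the remote-control ports 3389, 22 and 135, and bytes per destination port. The Python below is an added example, not Kaspersky code, that computes them over a constructed set of flows. It assumes each flow carries source and destination IP, destination port, byte count and the name of the receiving asset, and it decides whether an address is internal by membership in a configured set of RFC 1918 networks; that definition is an assumption, since in the product the asset model makes that distinction.

```python
"""Added example: aggregations behind the Network Overview layout widgets.

Constructed flow records, not Kaspersky code. Each flow is assumed to carry
source/destination IP, destination port, byte count and the receiving
asset's name. "Internal" means the destination address lies in one of the
configured private networks below (an assumption about the asset model).
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed definition of the internal address space (RFC 1918 ranges).
INTERNAL_NETWORKS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)
# Ports counted by "Netflow top hosts for remote control" (from the widget description).
REMOTE_CONTROL_PORTS = frozenset({3389, 22, 135})


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    nbytes: int
    dst_asset: str      # name of the asset that received the flow


# Constructed sample flows; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 3389, 4_000, "ws-020"),
    Flow("10.0.0.6", "10.0.0.20", 3389, 2_500, "ws-020"),
    Flow("10.0.0.5", "10.0.0.21", 22, 1_200, "srv-021"),
    Flow("10.0.0.7", "10.0.0.21", 443, 9_000, "srv-021"),
    Flow("10.0.0.9", "10.0.0.22", 135, 800, "dc-022"),
    Flow("10.0.0.9", "10.0.0.22", 445, 6_000, "dc-022"),
    Flow("10.0.0.20", "203.0.113.10", 443, 12_000, "ext-cdn"),
    Flow("10.0.0.21", "198.51.100.7", 22, 3_000, "ext-bastion"),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal networks."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def top_ips_by_bytes(flows, internal: bool, limit: int = 10):
    """Netflow top internal/external IPs: bytes received per destination IP, top `limit`."""
    totals = Counter()
    for f in flows:
        if is_internal(f.dst_ip) == internal:
            totals[f.dst_ip] += f.nbytes
    return totals.most_common(limit)


def top_hosts_for_remote_control(flows, limit: int = 10):
    """Netflow top hosts for remote control: flows to 3389/22/135, grouped by asset name."""
    counts = Counter(f.dst_asset for f in flows if f.dst_port in REMOTE_CONTROL_PORTS)
    return counts.most_common(limit)


def bytes_by_internal_port(flows):
    """Netflow total bytes by internal ports: bytes sent to internal assets, per destination port."""
    totals = Counter()
    for f in flows:
        if is_internal(f.dst_ip):
            totals[f.dst_port] += f.nbytes
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    print("top internal IPs:", top_ips_by_bytes(SAMPLE_FLOWS, internal=True))
    print("top external IPs:", top_ips_by_bytes(SAMPLE_FLOWS, internal=False))
    print("remote-control targets:", top_hosts_for_remote_control(SAMPLE_FLOWS))
    print("bytes by internal port:", bytes_by_internal_port(SAMPLE_FLOWS))
```

The `limit` argument reproduces the "displays up to 10" behaviour noted for the IP widgets; the internal/external split is driven entirely by `INTERNAL_NETWORKS`, so a deployment with other address plans would change that tuple rather than the aggregation functions.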

[Topic 264150]