Retrospective traffic analysis

Retrospective analysis of traffic allows analyzing previously collected network data, taking into account new signatures, indicators, and rules.

Kaspersky Anti Targeted Attack Platform provides the results of retrospective analysis of traffic in the following form:

• Alerts.
• NDR events.
• Network sessions.
• Network interactions map.
• Topology map.
• List of devices.
• List of executable files on devices.
• List of users on devices.

When working with the received data, keep in mind the following:

• Traffic analysis results are displayed immediately after replay is started.
• The time when the data was recorded is taken from the network packet.
• When the traffic is replayed, data may be displayed incorrectly (if less than 10 minutes have passed since the first replay) or data duplication (if more than 10 minutes have passed since the first replay). To avoid this, you need to clear the analysis results before replaying again.

For retrospective analysis, you need to deploy a standalone Central Node component in Retrospective analysis mode. The hardware requirements for the component are given in the Calculations for the Central Node component → Hardware requirements for the Central Node server that performs retrospective analysis of traffic section. This component is used only for retrospective analysis of traffic. You cannot change the role of a server after installation. You can connect Sandbox to this component.

The following limitations apply to a component that is used for retrospective traffic analysis:

• The maximum rate of automatic download of PCAP files must not exceed 200 Mbps.

  You can find the command for automating the download of files at the specified rate in the Scenarios for running retrospective analysis of traffic section.

• The maximum traffic replay rate is 200 Mbps.
• If you want to use Sandbox for retrospective analysis of traffic, this component must be connected only to the Central Node that is performing the analysis.
• In automatic analysis mode, files must arrive in Kaspersky Anti Targeted Attack Platform in the order they were recorded and with network segments taken into account, otherwise the analysis results may be distorted.
• Simultaneous replay of traffic from different PCAP files by multiple users is not allowed.
• The following application functionality is not available:
  • Adding a new Sensor component
  • Removing the Embedded Sensor
  • Distributed solution and multitenancy mode
  • Deploying the component as a cluster
  • Configuring integrations:
    • With a mail server via SMTP and POP3
    • With a proxy server via ICAP
    • With the Endpoint Agent component
    • With mail sensors
    • With Kaspersky Managed Detection and Response

Before starting to use this functionality, we recommend learning about the scenarios for running retrospective analysis of traffic.

Users with the Senior security officer role can manually upload PCAP files to the system, delete PCAP files, view the table of PCAP files, view information about the selected PCAP file, start traffic replay, clear analysis results, enable or disable automatic analysis of traffic.

Users with the Administrator role can manage the PCAP file storage settings.

Users with the Security officer and Security auditor roles can view the table of PCAP files, information about the selected PCAP file, and the settings for automatic traffic analysis.

This functionality is available if a current KATA+NDR license key is present. After the license key expires, the traffic analysis results remain available for viewing. Traffic replay does not start. Activation is possible only with a key file.

If necessary, you can create a backup copy of the application. The procedure for backing up and restoring is the same as for a Central Node component deployed in standard mode.

Page top