Monitoring of observables

When analyzing SPAN traffic, Kaspersky Anti Targeted Attack Platform generates a list of observables. Observables are files and URLs for which access attempts originating from the organization's internal network have been recorded.

The application extracts information from the following protocols:

Users with the Administrator role can manage the observables storage settings.

Users with the Senior security officer role can view the table of observables, object information, related alerts, and manage exclusion rules for observables.

Users with the Security officer role can view the table of observables, object information, related alerts, and exclusion rules for observables.

Users with the Security auditor role can view the table of observables, object information, related alerts, exclusion rules for observables, and observable storage settings.

This functionality is available only if a current KATA+NDR license key is present. After the license key expires, the list of observables in the table is no longer updated, and management of exclusion rules and storage settings for observables becomes unavailable.

In the distributed solution and multitenancy mode, a list of observables is generated for each PCN and SCN server. If an alert is created on an SCN, when viewing this alert on the PCN, drilling down to observables is not possible. When searching for alerts related to observables on the PCN, the search results include alerts generated on the PCN and SCNs.