Predefined rules include templates of abnormal activity on the protected computer. Abnormal activity can signify an attempted attack. Predefined rules are powered by heuristic analysis. Seven predefined rules are available for Log Inspection. You can enable or disable any of the rules. Predefined rules cannot be deleted.
You can configure the triggering criteria for rules that monitor events for the following operations:
Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Security Controls → Log Inspection.
Make sure the Log Inspection check box is selected.
In the Predefined rules block, click the Settings button.
Select or clear check boxes to configure predefined rules:
There are patterns of a possible brute-force attack in the system.
There is an atypical activity detected during a network logon session.
There are patterns of a possible Windows Event Log abuse.
Atypical actions detected on behalf of a new service installed.
Atypical logon that uses explicit credentials detected.
There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system.
Suspicious changes detected in the privileged built-in Administrators group.
If necessary, configure the There are patterns of a possible brute-force attack in the system rule:
Click the Settings button below the rule.
In the window that opens, specify the number of attempts and a time period within which attempts to enter a password must be performed for the rule to trigger.
Click ОК.
If you selected the There is an atypical activity detected during a network logon session rule, you need to configure its settings:
Click the Settings button below the rule.
In the Network logon detection block, specify the start and the end of the time interval.
Kaspersky Endpoint Security considers logon attempts performed during the defined interval as abnormal activity.
By default, the interval is not set and the application does not monitor logon attempts. For the application to continuously monitor logon attempts, set the interval to 12:00 AM - 11:59 PM. The start and the end of the interval must not coincide. If they are the same, the application does not monitor logon attempts.
Create the list of trusted users and trusted IP addresses (IPv4 and IPv6).
Kaspersky Endpoint Security does not monitor logon attempts for these users and computers.
In the main window of the Web Console, select Devices → Policies & Profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to Security Controls → Log Inspection.
Make sure the Log Inspection toggle switch is turned on.
In the Predefined rules block, enable or disable the predefined rules using the toggles:
There are patterns of a possible brute-force attack in the system.
There is an atypical activity detected during a network logon session.
There are patterns of a possible Windows Event Log abuse.
Atypical actions detected on behalf of a new service installed.
Atypical logon that uses explicit credentials detected.
There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system.
Suspicious changes detected in the privileged built-in Administrators group.
If necessary, configure the There are patterns of a possible brute-force attack in the system rule:
Click Settings under the rule.
In the window that opens, specify the number of attempts and a time period within which attempts to enter a password must be performed for the rule to trigger.
Click ОК.
If you selected the There is an atypical activity detected during a network logon session rule, you need to configure its settings:
Click Settings under the rule.
In the Network logon detection block, specify the start and the end of the time interval.
Kaspersky Endpoint Security considers logon attempts performed during the defined interval as abnormal activity.
By default, the interval is not set and the application does not monitor logon attempts. For the application to continuously monitor logon attempts, set the interval to 12:00 AM - 11:59 PM. The start and the end of the interval must not coincide. If they are the same, the application does not monitor logon attempts.
In the Exclusions block, add trusted users and trusted IP addresses (IPv4 and IPv6).
Kaspersky Endpoint Security does not monitor logon attempts for these users and computers.
In the application settings window, select Security Controls → Log Inspection.
Make sure the Log Inspection toggle switch is turned on.
In the Predefined rules block, click the Configure button.
Select or clear check boxes to configure predefined rules:
There are patterns of a possible brute-force attack in the system.
There is an atypical activity detected during a network logon session.
There are patterns of a possible Windows Event Log abuse.
Atypical actions detected on behalf of a new service installed.
Atypical logon that uses explicit credentials detected.
There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system.
Suspicious changes detected in the privileged built-in Administrators group.
If necessary, configure the There are patterns of a possible brute-force attack in the system rule:
Click Settings under the rule.
In the window that opens, specify the number of attempts and a time period within which attempts to enter a password must be performed for the rule to trigger.
If you selected the There is an atypical activity detected during a network logon session rule, you need to configure its settings:
Click Settings under the rule.
In the Network logon detection block, specify the start and the end of the time interval.
Kaspersky Endpoint Security considers logon attempts performed during the defined interval as abnormal activity.
By default, the interval is not set and the application does not monitor logon attempts. For the application to continuously monitor logon attempts, set the interval to 12:00 AM - 11:59 PM. The start and the end of the interval must not coincide. If they are the same, the application does not monitor logon attempts.
In the Exclusions block, add trusted users and trusted IP addresses (IPv4 and IPv6).
Kaspersky Endpoint Security does not monitor logon attempts for these users and computers.
Save your changes.
As a result, when the rule triggers, Kaspersky Endpoint Security creates Critical event.