Log Inspection

This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows for servers. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs on Windows for workstations.

Kaspersky Endpoint Security for Windows 11.11.0 includes the Log Inspection component. Log Inspection monitors the integrity of the protected environment by analyzing the Windows event log. When the application detects signs of atypical behavior on the system, it notifies the administrator, since such behavior may indicate an attempted cyber attack.

Kaspersky Endpoint Security analyzes Windows event logs and detects violations according to rules. The component ships with predefined rules, which are powered by heuristic analysis. You can also add your own rules (custom rules). When a rule triggers, the application creates an event with the Critical status (see figure below).

If you want to use Log Inspection, make sure the security audit policy is configured and the system is actually logging the relevant events; a rule can only match events that Windows writes to the log (for details, see the Microsoft technical support website).

Log Inspection notification

Log Inspection settings

Parameter / Description

Predefined rules
    List of the Log Inspection rules supplied with the application. Predefined rules are templates describing abnormal activity on the protected computer. Abnormal activity can signify an attempted attack.

Custom rules
    List of Log Inspection rules added by the user. You can set your own triggering criteria for a Log Inspection rule. To do so, you must enter an event ID and select an event source (the log in which the event is recorded).
    You can select an event source from among the standard logs: Application, Security or System. You can also specify the log of a third-party application.
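The two prerequisites above, that the audit policy generates the event and that the chosen log actually records the event ID a custom rule names, can be checked from an elevated PowerShell session before the rule is added. The following script is an added example and is not part of Kaspersky's documentation or product; the event ID 4625, the "Logon" audit subcategory, and the third-party log name are assumptions chosen for illustration, so substitute the ID, subcategory and log your own rule uses.

```powershell
# Added example (not Kaspersky code): confirm that the Windows audit policy and
# the selected event log will actually produce the event a Log Inspection custom
# rule is built on. Run in an elevated session: auditpol and the Security log
# both require administrator rights.

# Assumed rule criteria: event ID 4625 (failed logon) from the Security log.
$LogName = 'Security'
$EventId = 4625

# 1. Check the audit subcategory that generates the event. "Logon" is the
#    assumed subcategory for 4625; other event IDs map to other subcategories.
$Subcategory = 'Logon'
$policy = auditpol /get "/subcategory:$Subcategory"
$policy
if ($policy -match 'No Auditing') {
    Write-Warning "Audit subcategory '$Subcategory' is disabled; event $EventId will never be written."
}

# 2. Confirm the log exists, is enabled, and already holds the event ID.
$log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
"Log '$LogName': enabled=$($log.IsEnabled), records=$($log.RecordCount), max size=$($log.MaximumSizeInBytes) bytes"

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No events with ID $EventId in '$LogName'; a custom rule on this ID has nothing to match yet."
} else {
    # Show the source (provider) too: it must match what the rule expects.
    $events | Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'FirstLine'; e = { ($_.Message -split "`n")[0] } }
}

# 3. Third-party application log: same check with a different log name.
#    The name below is an assumption; any log listed by Get-WinEvent -ListLog * works.
$ThirdPartyLog = 'Microsoft-Windows-PowerShell/Operational'
Get-WinEvent -ListLog $ThirdPartyLog -ErrorAction SilentlyContinue |
    Select-Object LogName, IsEnabled, RecordCount
```

If step 1 reports "No Auditing" or step 2 finds no matching records, fix the audit policy or the application's logging first; otherwise the custom rule will be silently ineffective. Event logs are also capped by the maximum size shown in step 2, so events that are overwritten before Log Inspection reads them cannot trigger a rule either.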

See also: Managing the application via the local interface

Configuring predefined rules

Adding custom rules
