Monitoring Adaptive Anomaly Control operations
Adaptive Anomaly Control includes several monitoring tools. The main purpose of monitoring Adaptive Anomaly Control is to configure the component while training.
Adaptive Anomaly Control reports
Adaptive Anomaly Control uses the following reports:
- Report on Adaptive Anomaly Control rules state. The report contains information about the status of Adaptive Anomaly Control rules (Off, Smart Training, Smart Block, Notify, Block). This report allows analyzing the level of training of Adaptive Anomaly Control and evaluating the number of rules that have switched from Smart Training mode to normal operating mode (for example, Smart Block).
- Report on triggered Adaptive Anomaly Control rules. The report contains information about rule triggers. The report also shows the rule triggering mode: Block (including Smart Block) or Notify. This reports allows evaluating the activity of Adaptive Anomaly Control on user computers.
How to view Adaptive Anomaly Control reports in the Administration Console (MMC)
How to view Adaptive Anomaly Control reports in the Web Console
To generate reports in the Kaspersky Security Center console, you must enable data transfer to Administration Server. Data transfer is enabled by default.
How to enable data transfer for Adaptive Anomaly Control in the Administration Console (MMC)
How to enable data transfer for Adaptive Anomaly Control in the Web Console
Rule triggers in Smart Training state storage
In training mode, Adaptive Anomaly Control sends information about triggered rules to a separate storage, Rule triggers in Smart Training state. Information about triggered rules is represented in the storage as a list of events. To tune Adaptive Anomaly Control, you can either confirm the atypical behavior on the computer or add an exclusion from the rule.
Adaptive Anomaly Control events
Adaptive Anomaly Control logs rule trigger events in the Block (including Smart Block) and Notify modes. The following events are provided for this purpose:
Process action blocked
Process action skipped
Events contain information about the suspicious activity including file checksums, the users involved, the rule triggering time, and the computer name. After analyzing the event, you can immediately add exclusions from the rule if you find the activity to be legitimate.
Page top