Monitoring Adaptive Anomaly Control operations
Adaptive Anomaly Control includes several monitoring tools. Their main purpose is to let you tune the component while its rules are still in training, before they switch to an enforcing mode.
Adaptive Anomaly Control reports
Adaptive Anomaly Control uses the following reports:
- Report on Adaptive Anomaly Control rules state. The report contains information about the status of Adaptive Anomaly Control rules (Off, Smart Training, Smart Block, Notify, Block). This report lets you assess how far training has progressed and count the rules that have switched from Smart Training mode to a normal operating mode (for example, Smart Block).
- Report on triggered Adaptive Anomaly Control rules. The report contains information about rule triggers. The report also shows the mode in which each rule was triggered: Block (including Smart Block) or Notify. This report lets you evaluate the activity of Adaptive Anomaly Control on user computers.
How to view Adaptive Anomaly Control reports in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Policies.
- Select the necessary policy and double-click to open the policy properties.
- In the policy window, select Security Controls → Adaptive Anomaly Control.
- Do one of the following:
- If you want to view the report on Adaptive Anomaly Control rules state, click the Report on Adaptive Anomaly Control rules state link.
- If you want to view the report on triggered Adaptive Anomaly Control rules, click the Report on triggered Adaptive Anomaly Control rules link.
- The report generation process starts.
The report is displayed in a new window.
How to view Adaptive Anomaly Control reports in the Web Console
- In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to Security Controls → Adaptive Anomaly Control.
- Do one of the following:
- If you want to view the report on Adaptive Anomaly Control rules state, click the Report on Adaptive Anomaly Control rules state link.
- If you want to view the report on triggered Adaptive Anomaly Control rules, click the Report on triggered Adaptive Anomaly Control rules link.
- The report generation process starts.
The report is displayed in a new window.
To generate reports in the Kaspersky Security Center console, you must enable data transfer to Administration Server. Data transfer is enabled by default.
How to enable data transfer for Adaptive Anomaly Control in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Policies.
- Select the necessary policy and double-click to open the policy properties.
- In the policy window, select General settings → Reports and Storage.
- In the Data transfer to Administration Server block, click the Settings button.
- Check the following boxes:
- Report on Adaptive Anomaly Control rules state.
- Report on triggered Adaptive Anomaly Control rules.
- Save your changes.
How to enable data transfer for Adaptive Anomaly Control in the Web Console
- In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to General settings → Reports and Storage.
- Under Data transfer to Administration Server, select the following check boxes:
- Report on Adaptive Anomaly Control rules state.
- Report on triggered Adaptive Anomaly Control rules.
- Save your changes.
Rule triggers in Smart Training state storage
In training mode, Adaptive Anomaly Control sends information about triggered rules to a separate storage, Rule triggers in Smart Training state. Information about triggered rules is represented in the storage as a list of events. To tune Adaptive Anomaly Control, you can either confirm the atypical behavior on the computer or add an exclusion from the rule.
Adaptive Anomaly Control events
Adaptive Anomaly Control logs rule trigger events in the Block (including Smart Block) and Notify modes. The following events are provided for this purpose:
- Process action blocked
- Process action skipped
Events contain information about the suspicious activity including file checksums, the users involved, the rule triggering time, and the computer name. After analyzing the event, you can immediately add exclusions from the rule if you find the activity to be legitimate.
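The two reports and the trigger events above are consumed through the console, but the analysis they support (how many rules have left Smart Training, how active each rule is in Block versus Notify mode, and which rule triggers recur across enough computers to be worth an exclusion) is easy to state as code. The following Python script is an added example, not part of the Kaspersky documentation or product: it runs over constructed sample data whose rule names, checksums, user names and computer names are invented for illustration, and it assumes the fields listed in the paragraph above (checksum, user, trigger time, computer name) plus the rule name and triggering mode are available per event, for example from an exported report.

```python
"""Triage helpers for Adaptive Anomaly Control report data (added example, constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Rule states as shown in the "Report on Adaptive Anomaly Control rules state".
TRAINING_STATE = "Smart Training"
OPERATING_STATES = {"Smart Block", "Notify", "Block"}

# Constructed sample of a rule-state report: rule name -> state (rule names are invented).
SAMPLE_RULE_STATES = {
    "Start of PowerShell": "Smart Block",
    "Start of Windows command interpreters": "Smart Training",
    "Activity of office applications": "Notify",
    "Activity of script engines": "Smart Training",
    "Start of unusual applications": "Off",
}


@dataclass(frozen=True)
class AacEvent:
    event: str     # "Process action blocked" or "Process action skipped"
    rule: str      # name of the triggered rule
    mode: str      # "Block", "Smart Block" or "Notify"
    sha256: str    # checksum of the file that performed the action
    user: str      # user involved
    computer: str  # computer name
    time: str      # rule triggering time (ISO 8601)


# Constructed sample events; hashes, users and hosts are invented.
HASH_A = "a1" * 32
HASH_B = "b2" * 32
HASH_C = "c3" * 32
SAMPLE_EVENTS = [
    AacEvent("Process action blocked", "Start of PowerShell", "Smart Block", HASH_A, "CORP\\alice", "WS-001", "2024-05-02T09:12:00"),
    AacEvent("Process action blocked", "Start of PowerShell", "Smart Block", HASH_A, "CORP\\bob", "WS-002", "2024-05-02T09:14:10"),
    AacEvent("Process action blocked", "Start of PowerShell", "Smart Block", HASH_A, "CORP\\carol", "WS-003", "2024-05-02T09:20:41"),
    AacEvent("Process action blocked", "Start of PowerShell", "Smart Block", HASH_A, "CORP\\alice", "WS-004", "2024-05-02T10:03:55"),
    AacEvent("Process action skipped", "Activity of office applications", "Notify", HASH_B, "CORP\\dave", "WS-010", "2024-05-02T11:30:02"),
    AacEvent("Process action skipped", "Activity of office applications", "Notify", HASH_C, "CORP\\erin", "WS-011", "2024-05-02T12:01:19"),
]


def training_progress(rule_states):
    """Return (rules in a normal operating mode, rules still in Smart Training).

    Rules that are Off count as neither: they are not being trained or enforced.
    """
    counts = Counter(rule_states.values())
    operating = sum(counts[state] for state in OPERATING_STATES)
    return operating, counts[TRAINING_STATE]


def activity_by_rule(events):
    """Count triggers per rule, split into Block (including Smart Block) and Notify."""
    summary = defaultdict(lambda: {"Block": 0, "Notify": 0})
    for ev in events:
        bucket = "Notify" if ev.mode == "Notify" else "Block"
        summary[ev.rule][bucket] += 1
    return dict(summary)


def exclusion_candidates(events, min_computers=3):
    """List (rule, sha256, distinct computers, distinct users) for rule/file pairs
    seen on at least min_computers distinct computers, most widespread first.

    Prevalence across hosts is only a triage hint that the file may be legitimate
    line-of-business software; the checksum must still be verified before an
    exclusion is added, because a widely deployed malicious file looks the same.
    """
    computers = defaultdict(set)
    users = defaultdict(set)
    for ev in events:
        key = (ev.rule, ev.sha256)
        computers[key].add(ev.computer)
        users[key].add(ev.user)
    rows = [
        (rule, sha, len(computers[(rule, sha)]), len(users[(rule, sha)]))
        for rule, sha in computers
        if len(computers[(rule, sha)]) >= min_computers
    ]
    return sorted(rows, key=lambda row: -row[2])


if __name__ == "__main__":
    operating, training = training_progress(SAMPLE_RULE_STATES)
    print(f"rules in operating mode: {operating}, still in Smart Training: {training}")
    for rule, counts in activity_by_rule(SAMPLE_EVENTS).items():
        print(f"{rule}: Block={counts['Block']} Notify={counts['Notify']}")
    for rule, sha, n_hosts, n_users in exclusion_candidates(SAMPLE_EVENTS):
        print(f"candidate exclusion: rule={rule!r} sha256={sha[:12]}... hosts={n_hosts} users={n_users}")
```

On the sample data, two of the five rules are in an operating mode and two are still in Smart Training; the single exclusion candidate is the PowerShell file seen on four computers by three different users. Treat that output as a worklist for the exclusion decision described above, not as the decision itself.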