Configuring events

In the Console, you can configure the types of registered events of Kaspersky Industrial CyberSecurity for Networks. When configuring them, you can create, modify, or remove event types, and configure the transmission of events to recipient systems.

The list of types of registered events is displayed in the Kaspersky Industrial CyberSecurity for Networks Console on the Configure events tab. Each event type corresponds to one of the technologies used by the application.

When you connect to the Kaspersky Industrial CyberSecurity for Networks Server through a web browser, you cannot work with the list of event types.

The list of event types is part of the security policy. Only users with the Administrator role can apply the current security policy on the Server. However, users with the Administrator role and users with the Operator role can both make changes and save the security policy to a folder (including with changed settings for event types).

The list of event types contains system event types and custom event types. System event types are created by the application during installation and cannot be deleted from the list. The application uses system event types to register primary events based on Deep Packet Inspection technology and to register any events based on other technologies. You can create additional event types for Deep Packet Inspection and External technologies. These event types are called custom event types.

For custom event types, you can delete and modify settings, and select recipients. For system event types, you can select recipients and modify individual registration settings.

You can use custom event types to configure receipt of events from external systems. To do so, in the Console, you need to specifically create event types to be received from an external system. When an event type is created, it is assigned a unique number (this number is saved as the value of the Code setting). Then, in the external system, you need to configure the transmission of events to the application using Kaspersky Industrial CyberSecurity for Networks API methods. When sending an event to Kaspersky Industrial CyberSecurity for Networks, the external system will specify the event type identifier defined by the Code setting. Using this identifier, the Kaspersky Industrial CyberSecurity for Networks Server will determine the event type and register it as an event based on External technology.

The following settings are available for event types:

• Code – unique event type number that will be displayed in the list of event types on the Configure events tab. In the table of registered events, the event type identifier is displayed in the Event type column. The event type identifier is automatically assigned by the application when the event type is created. This setting cannot be changed.
• Severity – importance level that will be specified for the event when it is registered: Critical, Warning, or Informational. This setting can be changed only for custom event types.
• Technology – technology used for event registration. This setting is accessible only for custom event types. You can specify Deep Packet Inspection or External technology.
• Title – text of the event title. It is displayed in the list of event types on the Configure events tab. In the table of registered events, the title of the event type is displayed in the Title column. The titles of event types are also displayed in the Events block in the Dashboard section of the application web interface. This setting can be changed only for custom event types.
• Description – additional text that will be displayed in the table of registered events in the Description column. This setting can be changed only for custom event types.
• Keep traffic – check box that lets you enable or disable automatic saving of traffic that was registered in the system before and after registration of the event. Traffic is saved in the application database. If the automatic saving of traffic is enabled, you can configure the settings for saving traffic by clicking the Configure link.

  If automatic saving of traffic is disabled, you can manually load traffic some time after registration of an event of this type. When the application receives a request to load traffic, it searches network packets in traffic dump files that were temporarily created by the application. If relevant network packets are found in the traffic dump files, they are loaded after first being saved in the database.

• Event regenerate timeout – maximum period of time after which an event is allowed to be registered again. If the conditions for event registration are repeated again before the specified time period elapses, the new event is not registered but the counter for the number of repeats of the previously registered event is increased and the date and time of the last occurrence of the event is updated. After this period elapses, the application will register a new event of this type when the event registration conditions are repeated. The repeat event timeout period begins when an event of this type is last registered. For example, if the defined time period is 8 hours and the conditions for registering this type of event are detected two hours after the previous event, a new event will not be registered. A new event will be registered when the event registration conditions are detected after 8 or more hours.

  For registered events, the event regenerate timeout may occur earlier than the specified period. Re-registration of an event is allowed if the Resolved status was assigned to the event, and if the computer performing Server functions was restarted.

The texts of titles and descriptions in the settings of event types may contain variables. When registering events, the Server inserts the current values of the variables.

You can view the registered events when connected to the Server through a web browser.

In this section: Grouping event types Searching for event types Creating event types Changing event types Configuring automatic saving of traffic during event registration Deleting event types About transmission of events to recipient systems Adding a recipient Changing the recipient settings Configuring the transmission of events to recipient systems Removing a recipient Kaspersky Industrial CyberSecurity for Networks event configuration variables

Page top