If you need to disable registration of events with specific indicators (for example, all events from a monitoring point), you can create allow rules for events.
Only users with the Administrator role can create allow rules for events.
You can use the following capabilities to create allow rules for events:
To create a rule with initially empty values of settings or with the values from a template:
1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using the Administrator account.
2. In the Allow rules section, open the details area by clicking the Add rule link.
3. If you want to define the values of settings from a template, in the details area click the Use template button, select the necessary template in the opened window and click Apply.
4. In the details area, click EVT.
5. In the Protocol field, specify the protocol that will be indicated in events.
   When the Protocol field is selected, a window opens showing the table of supported protocols displayed as a protocol stack tree. You can manage how tree elements are displayed by using the + and - buttons next to the names of protocols that contain protocols of subsequent layers.
   If necessary, use the search field above the table to find relevant protocols.
   To specify the protocol:
   a. In the protocols table, select the protocol that you want to specify for the rule. To select the relevant protocol, click the button that is displayed in the left column of the protocols table.
   b. Click OK.
   If you select a protocol that can be identified by the application based on the contents of network packets, a notification about this appears under the Protocol field.
6. If necessary, enter additional information about the rule in the Comment field.
7. In the Side 1 and Side 2 settings groups, specify the editable address information for the participants (sides) of network interaction. Depending on the selected protocol (or set of protocols), address information may contain a MAC address, IP address, and/or port number.
   To autofill the address information of a side of network interaction, you can select devices that are known to the application. To do so:
   a. Open the device selection window by clicking the Specify device addresses link.
   b. In the device selection window, select the check boxes next to the devices that you want to use.
      The device selection window contains a table in which you can configure the layout and order of columns, and filter, search, and sort similarly to the devices table in the Assets section.
   c. Click OK in the device selection window.
8. In the Event type field, specify the event type whose numerical code is indicated in events.
   Selecting the Event type field opens a window containing a list of event types that may be indicated in allow rules. If necessary, use the search field above the list to find the relevant event type. To specify the event type, select it in the list and click Apply.
9. In the Monitoring point field, specify the monitoring point name that is indicated in events.
   Selecting the Monitoring point field opens a window containing a list of all monitoring points on all nodes that have application components installed. If necessary, use the search field above the list to find the name of the relevant monitoring point. To specify the monitoring point name, select it in the list and click Apply.
10. In the Rule in event field, enter the name (or part of the name) that is indicated as the triggered rule in events.
11. In the details area, click Save.
The new rule will be added to the allow rules table.
To create a new allow rule for events based on an existing rule:
1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using the Administrator account.
2. In the Allow rules section, select the rule that you want to use as the basis for creating a new rule.
3. Right-click to open the context menu.
4. In the context menu, select Create rule based on the selected rule.
   The details area in rule editing mode will appear in the right part of the web interface window. The settings of the new rule will take the values obtained from settings of the selected rule.
5. Change the settings as necessary. To do so, complete steps 4–11 described in the procedure for creating a rule with initially empty values of settings.
To create a new allow rule for events based on a registered event:
1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using the Administrator account.
2. Select the Events section.
3. In the table of registered events, select the event that you want to use as the basis for creating the allow rule for events.
   The details area appears in the right part of the web interface window.
4. In the details area, click the Create allow rule button.
   The Allow rules section opens in the browser window. The details area in rule editing mode will appear in the right part of the web interface window. The new rule's settings will take the values received from the saved information about the event.
5. If necessary, edit the settings of the new rule. To do so, complete steps 4–11 described in the procedure for creating a rule with initially empty values of settings. If you do not need to change the settings of the new rule, save the rule by clicking the Save button.