Filtering assets in MDR Web Console

You can create and apply filters to the asset list.

To create a filter for the asset list:

1. In MDR Web Console, navigate to the Assets menu item.

   The asset list opens.

2. Click the funnel icon located above the asset list.

   The Filter menu appears.

   Parameters available for filtering are:

   • Last seen

     The moment when the asset was last seen in Console.

   • Asset name

     Available asset names.

     An asset name is the network name of a computer.

   • Tenant

     Available tenant names.

     You can select the Root tenant value to view assets that are not assigned to any of your tenants.

     You can select the Root tenant value in addition to specifying tenant names.

   • Status

     The status reflects the current asset state. For assets in the OK, Warning, or Critical statuses, the application additionally lists the problems (if any) for the last 72 hours.

     For assets with the Kaspersky Endpoint Security for Windows in the Endpoint Detection and Response Agent (EDR Agent) configuration, the Warning and Critical statuses for protection and control components may be displayed incorrectly.

     The assets have one of the following statuses:

     • OK (green)

       Telemetry is being sent, protection is fully operational.

     • Warning (yellow)

       Possible reasons of the Warning status:

       • Minor telemetry losses. Refer to this article: How to avoid loss of telemetry data from assets.
       • At least one of the following EPP application components on the asset is disabled or not installed:
         • Firewall—See how to enable or configure this component in Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, or Kaspersky Security for Virtualization Light Agent.
         • Network Threat Protection—See how to enable or configure this component in Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, or Kaspersky Endpoint Security for Mac.
         • Mail Threat Protection and Additional Microsoft Office Outlook Extension—See how to enable or configure these components in Kaspersky Endpoint Security for Windows.
         • Web Threat Protection—See how to enable or configure this component in Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, Kaspersky Endpoint Security for Mac, or Kaspersky Security for Virtualization Light Agent.
         • Product Self Defense—See how to enable or configure this component in Kaspersky Endpoint Security for Windows or Kaspersky Security for Virtualization Light Agent.
         • Anti-virus databases are outdated by more than 7 days.

         These components affect the fullness of sent telemetry. If a component is disabled or missing, Kaspersky Managed Detection and Response does not send the telemetry events related to this component. The installed EPP application may not include all of the listed components.

       • KPSN configuration file is expiring. The application displays the expiration date. Consider updating the KPSN configuration file. If you keep working with the current configuration file, the status changes to Critical few days before the expiration date.

       The Warning status is applicable for assets with Kaspersky Endpoint Security for Windows 11 or later, Kaspersky Endpoint Security for Linux 11.2 or later, Kaspersky Endpoint Security for Mac 11.2 or later, or Kaspersky Security for Virtualization Light Agent 5.2 or later installed. For assets with the Kaspersky Endpoint Security for Windows in the Endpoint Detection and Response Agent (EDR Agent) configuration, this status is not displayed.

     • Critical (red)

       Possible reasons of the Critical status:

       • Major telemetry losses, telemetry data is insufficient for analysis. Refer to this article: How to avoid loss of telemetry data from assets.
       • At least one of the following EPP application components on the asset is disabled or not installed:
         • System Watcher or Behavior Detection—See how to enable or configure these components in Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, or Kaspersky Security for Virtualization Light Agent.
         • File Threat Protection—See how to enable or configure this component in Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, Kaspersky Endpoint Security for Mac, or Kaspersky Security for Virtualization Light Agent.

         If any of these components are disabled or missing, Kaspersky Managed Detection and Response stops sending telemetry from the asset. The installed EPP application may not include all of the listed components.

       • KPSN configuration file is expiring soon or is already expired. The application displays the expiration date. Consider updating the KPSN configuration file.

       This status is applicable for assets with Kaspersky Endpoint Security for Windows 11 or later, Kaspersky Endpoint Security for Linux 11.2 or later, Kaspersky Endpoint Security for Mac 11.2 or later, or Kaspersky Security for Virtualization 5.2 Light Agent or later installed. For assets with the Kaspersky Endpoint Security for Windows in the Endpoint Detection and Response Agent (EDR Agent) configuration, this status is not displayed.

     • Offline (black)

       No telemetry for more than 7 days (default value). You can change the number of days of absence of telemetry, after which the Offline status is displayed for the asset, in the Settings section. The available range is 2–29 days.

       If you see the Offline status for your assets:

       • Make sure the EPP application components listed with Warning and Critical statuses are installed and enabled on the assets.
       • Make sure Kaspersky Managed Detection and Response is properly deployed in your infrastructure.

       Offline status is not applicable for VDI assets (temporary virtual machines).

     • Absent (black)

       No telemetry for more than 30 days for physical assets or for more than 24 hours for VDI assets (temporary virtual machines).

       If you see the Absent status for your assets:

       • Make sure the EPP application components with Warning and Critical statuses are installed and enabled on the assets.
       • Make sure Kaspersky Managed Detection and Response is properly deployed in your infrastructure.

       You can hide assets with the Absent status in the asset list, in the reports, and in the data received via the API interface.

   • Isolation

     Whether network isolation is enabled or not. The possible filter values are:

     • Isolated

       Network isolation is enabled.

     • Not isolated

       Network isolation is disabled.

3. Click Save to apply the created filter.

Only assets that meet the selected parameters of the filter are shown in the asset list after the filter is applied.

You can hide assets with the Absent status in the asset list by selecting the check box in the Settings.

Page top