Kaspersky Endpoint Security 12.6 for Windows
12.6
English

Contents

Adding custom rules

You can set your own Log Inspection rule triggering criteria. To do so, you must enter an event ID and select an event source. You can look up the event ID on the Microsoft technical support website. You can select an event source from among the standard logs: Application, Security or System. You can also specify the log of a third-party application. You can find out the name of the third-party application log using the Event Viewer tool. Third-party application logs are kept in the Application and Services Logs folder (for example, the Windows PowerShell log).

The application does not check if the specified log is actually present in the Windows event log. If there is a mistake in the name of the log, the application does not monitor events from that log.

The list of custom rules already includes three rules created by Kaspersky experts.

How to add a custom rule in the Administration Console (MMC)

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select Policies.
  3. Select the necessary policy and double-click to open the policy properties.
  4. In the policy window, select Security ControlsLog Inspection.
  5. Make sure the Log Inspection check box is selected.
  6. In the Custom rules block, click the Settings button.
  7. In the window that opens, select the check boxes next to the custom rules that you want to enable.
  8. If necessary, click Add to create your own custom rules.
  9. This opens a window; in that window, configure the custom rule:
    • Rule name.
    • Log name. Windows Event Logs. The following logs are available: Application, Security, System.
    • Source. Third-party application logs. You can find out the name of the third-party application log using the Event Viewer tool. Third-party application logs are kept in the Application and Services Logs folder (for example, the Windows PowerShell log).
    • Event identifiers. Event IDs in the Windows Event Log. You can look up the event ID in the Microsoft technical documentation.
  10. Save your changes.

How to add a custom rule in the Web Console and Cloud Console

  1. In the main window of the Web Console, select DevicesPolicies & profiles.
  2. Click the name of the Kaspersky Endpoint Security policy.

    The policy properties window opens.

  3. Select the Application settings tab.
  4. Go to Security ControlsLog Inspection.
  5. Make sure the Log Inspection toggle switch is turned on.
  6. In the Custom rules block, select custom rules that you want to enable.
  7. If necessary, click Add to create your own custom rules.
  8. This opens a window; in that window, configure the custom rule:
    • Rule name.
    • Windows Event Log name. Windows Event Logs. The following logs are available: Application, Security, System.
    • Source. Third-party application logs. You can find out the name of the third-party application log using the Event Viewer tool. Third-party application logs are kept in the Application and Services Logs folder (for example, the Windows PowerShell log).
    • Windows Event Log identifier. Event IDs in the Windows Event Log. You can look up the event ID in the Microsoft technical documentation.
  9. Save your changes.

How to add a custom rule in the application interface

  1. In the main application window, click the Application settings icon in the form of a gear wheel. button.
  2. In the application settings window, select Security ControlsLog Inspection.
  3. Make sure the Log Inspection toggle switch is turned on.
  4. In the Custom rules block, click the Configure button.
  5. In the window that opens, select the check boxes next to the custom rules that you want to enable.
  6. If necessary, click Add to create your own custom rules.
  7. This opens a window; in that window, configure the custom rule:
    • Rule name.
    • Log name. Windows Event Logs. The following logs are available: Application, Security, System.
    • Source. Third-party application logs. You can find out the name of the third-party application log using the Event Viewer tool. Third-party application logs are kept in the Application and Services Logs folder (for example, the Windows PowerShell log).
    • Event identifier. Event IDs in the Windows Event Log. You can look up the event ID in the Microsoft technical documentation.
  8. Save your changes.

As a result, when the rule triggers, Kaspersky Endpoint Security creates Critical event.

Page top
[Topic 235321]