Monitoring device users

Kaspersky Industrial CyberSecurity for Networks can monitor user accounts on known devices. When user monitoring is enabled, the application automatically receives information about the accounts registered in the operating systems of these devices and uses these details to build user tables.

After receiving account details, the application monitors all user accounts on the devices, except for certain local system accounts that can only be used by operating system services. For example, the application does not monitor the LocalSystem and NetworkService accounts on devices running Windows.

To use the user monitoring feature, asset management methods for device activity detection and device information detection must be enabled. These methods must be enabled on all nodes where the application components from which information is received are installed.

User monitoring relies on data from the following source types:

  1. OVAL scanning: software components that scan devices according to built-in OVAL rules. These are either EPP applications that send extended device data on demand to Kaspersky Industrial CyberSecurity for Networks, or nodes with installed application components that connect to devices remotely while scanning them as part of a configuration monitoring job.
  2. Telemetry (Endpoint Agent): EPP applications that send basic data on devices and running processes (telemetry data) to Kaspersky Industrial CyberSecurity for Networks.
  3. Traffic: monitoring points where the incoming traffic is analyzed according to the rules for identifying information about devices and the protocols of communication between devices.
  4. External source: applications that use the Kaspersky Industrial CyberSecurity for Networks API and send user details to Kaspersky Industrial CyberSecurity for Networks.

The sources are listed in descending order of priority. When processing user details, the application follows this data source priority: details from a higher-priority source can overwrite information received from lower-priority sources. The application also automatically deletes from the tables those user accounts whose details were previously received from the External source or the OVAL scanning source but which are absent from new data received from that same source.
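The following added example models the merge rules described above as a small Python module. It is not Kaspersky code and does not reflect the product's internal implementation; the source names, the numeric priorities, the account-exclusion list (only the two Windows accounts named on this page), the `apply_update` function and the device and account names are all assumptions made for illustration. The event type code is the one stated later on this page.

```python
"""Hypothetical model of source-priority merging for a device user table."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple

EVENT_TYPE_CODE = 4000005600  # system event type code named in the documentation


class Source(IntEnum):
    """Data source types in descending priority (a larger value wins)."""
    OVAL = 4
    TELEMETRY = 3
    TRAFFIC = 2
    EXTERNAL = 1


# Sources whose deliveries are treated as complete snapshots: an account that
# was last supplied by such a source and is missing from its next delivery is
# deleted from the table.
SNAPSHOT_SOURCES = {Source.OVAL, Source.EXTERNAL}

# Local system accounts usable only by OS services are not monitored.
# Only the two Windows examples from the documentation are listed here; the
# application's real exclusion list is its own (assumption).
EXCLUDED_ACCOUNTS = {"LocalSystem", "NetworkService"}


@dataclass
class UserRecord:
    source: Source                 # source that last supplied the details
    attributes: Dict[str, object]  # account details as received


UserTable = Dict[Tuple[str, str], UserRecord]   # (device, account) -> record
Event = Tuple[int, str, str, str]               # (code, action, device, account)


def apply_update(table: UserTable, device: str, source: Source,
                 accounts: Dict[str, Dict[str, object]]) -> List[Event]:
    """Merge one delivery from `source` for `device` into `table`.

    Returns the asset-management events that would be logged: one per
    account added, modified, or deleted.
    """
    events: List[Event] = []
    for name, attrs in accounts.items():
        if name in EXCLUDED_ACCOUNTS:
            continue                       # service-only accounts are ignored
        key = (device, name)
        current = table.get(key)
        if current is None:
            table[key] = UserRecord(source, dict(attrs))
            events.append((EVENT_TYPE_CODE, "added", device, name))
        elif source >= current.source:
            changed = current.attributes != attrs
            table[key] = UserRecord(source, dict(attrs))   # ownership moves too
            if changed:
                events.append((EVENT_TYPE_CODE, "modified", device, name))
        # else: lower-priority data never overwrites a higher-priority record

    if source in SNAPSHOT_SOURCES:
        # Accounts this source supplied earlier but omitted now are gone.
        stale = [k for k, rec in table.items()
                 if k[0] == device and rec.source == source
                 and k[1] not in accounts]
        for key in stale:
            del table[key]
            events.append((EVENT_TYPE_CODE, "deleted", device, key[1]))
    return events


if __name__ == "__main__":
    # Constructed sample deliveries for one device.
    users: UserTable = {}
    print(apply_update(users, "hmi-01", Source.TRAFFIC,
                       {"operator": {"full_name": "Operator"}}))
    print(apply_update(users, "hmi-01", Source.OVAL,
                       {"operator": {"full_name": "Operator A"},
                        "maint": {"full_name": "Maintenance"},
                        "LocalSystem": {"full_name": "NT AUTHORITY"}}))
    print(apply_update(users, "hmi-01", Source.OVAL,
                       {"operator": {"full_name": "Operator A"}}))
```

Two behaviours worth noticing in the model: a Traffic update cannot change an account that OVAL scanning already described, and an account supplied by the External source survives an OVAL snapshot that omits it, because deletion applies only to accounts the same source delivered previously.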

If needed, users with the Administrator role can manually delete user accounts.

You can view information about users on the Users tab in the Assets section. When viewing the users table, you can configure, filter, search, and sort records and navigate to related items.

The users table can contain at most 200,000 items.

The application displays the following device user details in the table and details area for the selected user:

When monitoring users, the application uses the Asset Management technology for event logging. The events are registered using the system event type that is assigned the code 4000005600. Events are logged when user accounts on devices are automatically added, modified, or deleted.

You can configure the available settings for event types under Settings → Event types.

You can view information about registered events when connected to the Server through the web interface.
