Kaspersky Industrial CyberSecurity for Networks can monitor user accounts on devices it knows about. When monitoring users, it automatically receives information about accounts registered in the operating systems of these devices. The application uses these details to create user tables.
After receiving account details, the application uses this information to monitor all user accounts on the devices, with the exception of certain local system accounts that can only be used by operating system services. For example, the application does not monitor the LocalSystem and NetworkService accounts used on devices running Windows operating systems.
To use the user monitoring feature, the asset management methods for device activity detection and device information detection must be enabled. These methods must be enabled on every node hosting an application component from which information is received.
User monitoring relies on data from the following source types:
The sources are listed in descending order of priority of the data they provide. When processing user details, the application follows this data source priority: user details from a higher-priority source can overwrite information from other sources. The application also automatically deletes from the tables those user accounts whose details were previously received from the External source and OVAL scanning sources, but which are not present in the new data received from these sources.
If needed, users with the Administrator role can manually delete user accounts.
You can view information about the users in the Assets section of the Users tab. When viewing the users table, you can configure, filter, search, and sort records and navigate to the related items.
The table of all users is limited to 200,000 items.
The application displays the following device user details in the table and details area for the selected user:
When monitoring users, the application uses the Asset Management technology for event logging. The events are registered using the system event type that is assigned the code 4000005600. Events are logged when user accounts on devices are automatically added, modified, or deleted.
You can configure the available settings for event types under Settings → Event types.
You can view information about registered events when connected to the Server through the web interface.