Importing rules from the Kaspersky Security Center report on blocked devices
October 25, 2023
You can import data on blocked device connections from the report generated in Kaspersky Security Center after completion of the Device Control task in Statistics only mode and use this data to generate a list of Device Control allowing rules in the policy being configured.
When generating the report on events occurring during the Device Control task, you can keep track of the devices whose connection is restricted.
To specify allowing rules for device connections for a group of protected devices based on the Kaspersky Security Center report on blocked devices:
- In the policy properties, in the Event notification section, make sure that:
  - For the Critical Events importance level, the period of time for storing the task log for the Untrusted external device detected and restricted event exceeds the planned period of operation in Statistics only mode (the default value is 30 days).
  - For the Warning importance level, the period of time for storing the task log for the Statistics only: untrusted external device detected event exceeds the planned period of task operation in Statistics only mode (the default value is 30 days).
When the period for storing the events elapses, information about logged events is deleted and is not reflected in the report file. Before running the Device Control task in Statistics only mode, make sure that the task run time does not exceed the configured storage time for the specified events.
- Start the Device Control task in Statistics only mode.
- In the workspace of the Administration Server node in Kaspersky Security Center, select the Events tab.
- Click the Create selection button and create a selection of events based on the Untrusted external device detected and restricted criterion. View the connections of the devices blocked by the Device Control task.
- In the results pane of the selection, click the Export events to file link to save the report on restricted connections to a TXT file.
Before importing and applying the generated report in a policy, make sure that the report contains data only on those devices whose connection you want to allow.
- Import data about restricted device connections into the Device Control task:
  - Open the Device Control rules window.
  - Click the Add button, and in the context menu of the button, select Import data of blocked devices from Kaspersky Security Center report.
  - Select the principle for adding rules from the list created on the basis of the Kaspersky Security Center report to the list of previously configured Device Control rules:
    - Merge with existing rules, if you want to add the imported rules to the list of existing rules. Rules with identical settings are not duplicated. If at least one rule setting is unique, the rule is added.
    - Add to existing rules, if you want to add the imported rules to the list of existing rules. Rules with identical settings are duplicated.
    - Replace existing rules, if you want to replace the existing rules with the imported rules.
  - Click the OK button in the Device Control window.
Rules created on the basis of the Kaspersky Security Center report on restricted devices are added to the list of Device Control rules.
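
One way to carry out the check required before the import (the report must contain only devices you want to allow), shown as an added example that is not part of the Kaspersky documentation. It assumes the exported TXT file holds one event per line and that each line contains the device identifier; the function name, sample lines and masks are constructed for illustration.

```python
from fnmatch import fnmatchcase


def review_report(lines, approved_masks):
    """Split exported event lines into (approved, flagged) lists.

    A line is approved only if it matches at least one mask: matching is
    case-insensitive, supports '*' and '?', and may hit anywhere in the line.
    Everything else, including header lines or lines with no device ID,
    is flagged so that a person reviews it before the import.
    """
    masks = ["*" + m.upper() + "*" for m in approved_masks if m.strip()]
    approved, flagged = [], []
    for number, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no event
        hit = any(fnmatchcase(line.upper(), m) for m in masks)
        (approved if hit else flagged).append((number, line))
    return approved, flagged


# Constructed sample data; the column layout of a real export is an assumption.
SAMPLE_EXPORT = [
    "2023-10-02 09:14\tSRV-FILE01\tUntrusted external device detected and "
    "restricted\tUSBSTOR\\DISK&VEN_EXAMPLE&PROD_BACKUP\\SN0001",
    "2023-10-03 17:40\tSRV-FILE01\tUntrusted external device detected and "
    "restricted\tUSBSTOR\\DISK&VEN_UNKNOWN&PROD_STICK\\SN9999",
    "",
    "2023-10-05 08:02\tSRV-APP02\tUntrusted external device detected and "
    "restricted\tUSBSTOR\\DISK&VEN_EXAMPLE&PROD_BACKUP\\SN0002",
]

# Hypothetical list of devices the administrator intends to allow.
APPROVED_MASKS = ["USBSTOR\\DISK&VEN_EXAMPLE&PROD_BACKUP\\*"]

if __name__ == "__main__":
    ok, bad = review_report(SAMPLE_EXPORT, APPROVED_MASKS)
    print(f"{len(ok)} approved line(s), {len(bad)} to remove or review:")
    for number, line in bad:
        print(f"  line {number}: {line}")
```

Every flagged line would become an allowing rule if the file were imported unchanged, so remove or justify each one before the import.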