About the Log Inspection task
October 25, 2023
When the Log Inspection task runs, Kaspersky Embedded Systems Security for Windows monitors the integrity of the protected environment based on the results of an inspection of Windows event logs. The application notifies the administrator upon detecting abnormal behavior that may indicate attempted cyberattacks.
Kaspersky Embedded Systems Security for Windows analyzes the Windows event logs and identifies breaches based on the rules specified by the user or by the settings of the heuristic analyzer, which the task uses to inspect logs.
Predefined rules and heuristic analysis
You can use the Log Inspection task to monitor the state of the protected system by applying predefined rules based on existing heuristics. The heuristic analyzer identifies abnormal activity on the protected device, which may be evidence of an attempted attack. Templates to identify abnormal behavior are included in the available rules in the predefined rules settings.
Seven rules are included in the rule list for the Log Inspection task. You can enable or disable any of the rules. You cannot delete existing rules or create new rules.
You can configure the triggering criteria for rules that monitor events for the following operations:
- Password brute-force detection
- Network login detection
You can also configure exclusions in the task settings. The heuristic analyzer is not activated when a login is conducted by a trusted user or from a trusted IP address.
If the heuristic analyzer is disabled for the task, Kaspersky Embedded Systems Security for Windows does not apply heuristics when inspecting Windows logs. By default, the heuristic analyzer is enabled.
When the rules are applied, the application records a Critical event in the Log Inspection task log.
Custom rules for the Log Inspection task
You can use the rule settings to specify and change the criteria for triggering rules upon detecting the selected events in the specified Windows log. By default, the list of Log Inspection rules has four rules. You can enable and disable these rules, remove rules, and edit rule settings.
You can configure the following rule triggering criteria for each rule:
- List of record identifiers in the Windows Event Log.
The rule is triggered when a new record is created in the Windows Event Log, if the event properties include an event identifier specified in the rule. You can also add and remove identifiers for each specified rule.
- Event source.
For each rule, you can specify a log within the Windows Event Log. The application will search for records with the specified event identifiers only in this log. You can select one of the standard logs (Application, Security, or System), or specify a custom log by entering the name in the source selection field.
The application does not verify that the specified log actually exists in the Windows Event Log.
When the rule is triggered, Kaspersky Embedded Systems Security for Windows records a Critical event in the Log Inspection task log.
By default, the Log Inspection task applies custom rules.
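To make the two rule types described above concrete, here is an added example that models how a custom rule (source log plus a list of event identifiers) and a brute-force heuristic with trusted-user and trusted-IP exclusions could be evaluated over incoming event records. This is illustrative code written for this page, not Kaspersky's implementation: the event field names, the failure threshold and window, and the way exclusions are applied are assumptions; the event records are constructed inline.

```python
"""Toy model of Log Inspection rule evaluation (added example, not Kaspersky code).

Modelled from the page:
  * custom rule: (source log, set of event IDs) -> Critical event when a new
    record in that log carries one of the IDs; the log name is not validated;
  * brute-force heuristic: N failed logons from one source IP within a time
    window, skipped for trusted users / trusted IPs.
Event field names, threshold and window semantics are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    log: str            # "Application", "Security", "System" or a custom log name
    event_id: int
    timestamp: datetime
    user: str = ""
    source_ip: str = ""


@dataclass
class CustomRule:
    name: str
    log: str
    event_ids: frozenset

    def matches(self, ev: Event) -> bool:
        # Only records in the rule's own log count. As on the page, nothing
        # checks that the configured log name actually exists.
        return ev.log == self.log and ev.event_id in self.event_ids


@dataclass
class BruteForceHeuristic:
    threshold: int
    window: timedelta
    failed_logon_id: int = 4625          # Security log: "An account failed to log on"
    trusted_users: frozenset = frozenset()
    trusted_ips: frozenset = frozenset()
    _history: dict = field(default_factory=lambda: defaultdict(list))

    def observe(self, ev: Event):
        """Return a Critical-event description, or None if nothing fires."""
        if ev.log != "Security" or ev.event_id != self.failed_logon_id:
            return None
        # Exclusions: the heuristic is not applied to trusted users or IPs.
        if ev.user in self.trusted_users or ev.source_ip in self.trusted_ips:
            return None
        history = self._history[ev.source_ip]
        history.append(ev.timestamp)
        cutoff = ev.timestamp - self.window
        history[:] = [t for t in history if t >= cutoff]   # drop failures outside the window
        if len(history) >= self.threshold:
            return (f"Critical: possible password brute force from "
                    f"{ev.source_ip} ({len(history)} failures)")
        return None


def inspect(events, custom_rules, heuristic=None):
    """Evaluate every event in arrival order; return the Critical events raised."""
    criticals = []
    for ev in events:
        for rule in custom_rules:
            if rule.matches(ev):
                criticals.append(f"Critical: rule '{rule.name}' matched "
                                 f"event {ev.event_id} in {ev.log}")
        if heuristic is not None:
            hit = heuristic.observe(ev)
            if hit:
                criticals.append(hit)
    return criticals


def demo():
    """Constructed sample: one custom rule hit, one brute-force hit, two non-hits."""
    t0 = datetime(2023, 10, 25, 12, 0, 0)
    s = lambda n: t0 + timedelta(seconds=n)
    events = [
        Event("System", 7045, t0, user="svc"),         # 7045: a service was installed
        Event("Application", 7045, t0, user="svc"),    # same ID, wrong log: no match
        Event("Security", 4625, s(1), user="bob", source_ip="10.0.0.5"),
        Event("Security", 4625, s(2), user="bob", source_ip="10.0.0.5"),
        Event("Security", 4625, s(3), user="bob", source_ip="10.0.0.5"),   # 3rd failure fires
        Event("Security", 4625, s(4), user="admin", source_ip="192.168.1.1"),  # trusted IP
        Event("Security", 4625, s(5), user="admin", source_ip="192.168.1.1"),
        Event("Security", 4625, s(6), user="admin", source_ip="192.168.1.1"),
        Event("Security", 4625, t0 + timedelta(minutes=5), user="bob",
              source_ip="10.0.0.5"),                    # outside the window: count restarts
    ]
    rules = [CustomRule("New service", "System", frozenset({7045}))]
    heuristic = BruteForceHeuristic(threshold=3, window=timedelta(minutes=1),
                                    trusted_ips=frozenset({"192.168.1.1"}))
    return inspect(events, rules, heuristic)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second `7045` record shows why the source log is part of the rule: an identifier is only meaningful within the log it belongs to. The trusted-IP failures are dropped before counting, which is what "the heuristic analyzer is not activated" for exclusions means in practice; the final failure after a five-minute gap shows the window pruning, so a slow trickle of failures does not accumulate indefinitely.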
Before starting the Log Inspection task, make sure the system audit policy is set up correctly. Refer to the Microsoft article for details.