Configuring predefined task rules
August 3, 2023
Perform the following actions to configure the heuristic analyzer for the Log Inspection task:
- In the Application Console tree, expand the System Inspection node.
- Select the Log Inspection child node.
- Click the Log Inspection link in the results pane of the Properties node.
  The Task settings window appears.
- Select the Predefined rules tab.
- Select or clear the Apply predefined rules for log inspection check box.
  For the task to run, at least one Log Inspection rule must be selected.
- Select the rules you want to apply from the list of predefined rules:
  - There are patterns of a possible brute-force attack in the system.
  - There are patterns of a possible Windows Event log abuse.
  - Atypical actions detected on behalf of a new service installed.
  - Atypical logon that uses explicit credentials detected.
  - There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system.
  - Atypical actions detected directed at a privileged built-in group Administrators.
  - There is an atypical activity detected during a network logon session.
- To configure the selected rules, go to the Extended tab:
  - In the Brute-force attack detection section, set the number of attempts and the time frame that the heuristic analyzer uses as triggers.
  - In the Network logon section, specify the start and end of the time interval. Kaspersky Industrial CyberSecurity for Nodes treats logon attempts made during this interval as anomalous activity.
- Select the Exclusions tab.
- Perform the following actions to add trusted users:
  - Click the Browse button.
  - Select a user.
  - Click the OK button.
  The selected user is added to the list of trusted users.
- Perform the following actions to add trusted IP addresses:
  - Enter the IP address.
  - Click the Add button.
  The entered IP address is added to the list of trusted IP addresses.
- Select the Schedule and Advanced tabs to configure the task start schedule.
- Click the OK button in the Task settings window.
The Log Inspection task configuration is saved.
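The following Python script is an added illustration of how the Extended tab settings (brute-force attempts and time frame, network logon time interval) and the Exclusions tab (trusted users, trusted IP addresses) combine into detection logic. It is not code from Kaspersky Industrial CyberSecurity for Nodes and does not reproduce the product's internal heuristics; the event records, the thresholds, and the mapping to Windows Security log event IDs 4625 (failed logon) and 4624 (successful logon, logon type 3 = network) are assumptions made for the example.

```python
"""Added example: a minimal heuristic log inspector modelled on the
brute-force and network-logon rule settings described on this page.
Not the product's code; all event data below is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class LogonEvent:
    timestamp: datetime
    event_id: int      # assumed: 4625 = failed logon, 4624 = successful logon
    user: str
    source_ip: str
    logon_type: int    # assumed: 3 = network logon (Windows convention)


@dataclass
class RuleSettings:
    # Extended tab, "Brute-force attack detection" section
    brute_force_attempts: int = 5
    brute_force_window_seconds: int = 60
    # Extended tab, "Network logon" section: logons inside this interval are anomalous
    anomalous_start: time = time(22, 0)
    anomalous_end: time = time(6, 0)
    # Exclusions tab
    trusted_users: set = field(default_factory=set)
    trusted_ips: set = field(default_factory=set)


def in_interval(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end); handles intervals that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def is_excluded(ev: LogonEvent, s: RuleSettings) -> bool:
    """Exclusions tab: trusted users and trusted IP addresses never raise alerts."""
    return ev.user in s.trusted_users or ev.source_ip in s.trusted_ips


def inspect(events, settings: RuleSettings):
    """Return a list of (rule, user, source_ip, timestamp) alerts."""
    alerts = []
    # sliding window of failed-logon timestamps per (user, source IP)
    failures = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.timestamp):
        if is_excluded(ev, settings):
            continue
        if ev.event_id == 4625:
            window = failures[(ev.user, ev.source_ip)]
            window.append(ev.timestamp)
            # drop failures older than the configured time frame
            while (ev.timestamp - window[0]).total_seconds() > settings.brute_force_window_seconds:
                window.popleft()
            if len(window) >= settings.brute_force_attempts:
                alerts.append(("brute_force", ev.user, ev.source_ip, ev.timestamp))
                window.clear()  # one alert per burst
        elif (ev.event_id == 4624 and ev.logon_type == 3
              and in_interval(ev.timestamp.time(), settings.anomalous_start, settings.anomalous_end)):
            alerts.append(("network_logon_in_anomalous_interval", ev.user, ev.source_ip, ev.timestamp))
    return alerts


def demo():
    """Constructed sample: five failed logons in 40 s for svc_hmi, a noisy but
    trusted backup host, one network logon at 03:15 and one at 09:00."""
    d = datetime(2023, 8, 3)
    events = [LogonEvent(d.replace(hour=1, minute=0, second=10 * i), 4625, "svc_hmi", "10.0.0.50", 3)
              for i in range(5)]
    events += [LogonEvent(d.replace(hour=2, minute=0, second=5 * i), 4625, "backup_admin", "10.0.0.7", 3)
               for i in range(6)]
    events.append(LogonEvent(d.replace(hour=3, minute=15), 4624, "operator", "10.0.0.20", 3))
    events.append(LogonEvent(d.replace(hour=9, minute=0), 4624, "operator", "10.0.0.20", 3))
    settings = RuleSettings(trusted_ips={"10.0.0.7"})
    return inspect(events, settings)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The trusted-IP exclusion suppresses the six failures from 10.0.0.7 entirely, which is exactly why the Exclusions tab should be populated with care: an address on that list is invisible to both rules. The window is cleared after an alert so that a single sustained burst produces one finding rather than one per additional attempt.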