Network attack report

The network attack report contains information about registered network attacks targeting the protected virtual machines and about suspicious network activity detection that may be a sign of an intrusion into the protected infrastructure.

By default, the template of the network attack report is not included in the list of report templates on the Reports tab. Use the Report Template Wizard to add a network attack report template to the list of templates (see the Kaspersky Security Center documentation for details). After the Wizard finishes, the newly created report template will be added to the list on the Reports tab.

The Period field displays the period of time covered by the data included in the report.

It contains the following consolidated information:

• Attack. The type of network attack or suspicious network activity.
• Attacks count. The number of registered network attacks or suspicious network activities of this type.
• Attacking addresses. The number of IP addresses from which network attacks have been registered or which showed the suspicious network activity of this type.
• Devices attacked. Depends on the infrastructure where Kaspersky Security is deployed:
  • In the infrastructure managed by VMware NSX-T Manager – number of SVMs that detected activity typical for network attacks or suspicious network activity of this type.
  • In the infrastructure managed by VMware NSX-V Manager – number of protected virtual machines in whose traffic the activity typical for network attacks or suspicious network activity of this type is detected.
• Groups attacked. Depends on the infrastructure where Kaspersky Security is deployed:
  • In the infrastructure managed by VMware NSX-T Manager – number of administration groups containing SVMs that detected a network attack or suspicious network activity of this type.
  • In the infrastructure managed by VMware NSX-V Manager – the field displays 1, since all protected virtual machines are assigned to the same "pseudohosts" conditional group. The "pseudohosts" group does not belong to administration groups and is not displayed in the Kaspersky Security Center Administration Console. Protected virtual machines cannot belong to administration groups, because they are not considered as client devices of Kaspersky Security Center.
• First attempted run blocked. The date and time of the first detection of the activity typical of network attacks or suspicious network activity of this type.
• Last attempted run blocked. The date and time of the last detection of the activity typical of network attacks or suspicious network activity of this type.

  The row below contains the following consolidated information:

  • Attacks count. The number of registered network attacks or suspicious network activities of all types.
  • Various attacks. The number of types of registered network attacks or suspicious network activities.
  • Attack IPs. The total number of IP addresses from which network attacks have been registered or which showed the suspicious network activity.
  • Devices attacked. Depends on the infrastructure where Kaspersky Security is deployed:
    • In the infrastructure managed by VMware NSX-T Manager – number of SVMs that detected activity typical for network attacks or suspicious network activity.
    • In the infrastructure managed by VMware NSX-V Manager – number of protected virtual machines in whose traffic the activity typical for network attacks or suspicious network activity is detected.
  • Groups attacked. Depends on the infrastructure where Kaspersky Security is deployed:
    • In the infrastructure managed by VMware NSX-T Manager – number of administration groups containing SVMs that detected a network attack or suspicious network activity.
    • In the infrastructure managed by VMware NSX-V Manager – the field displays 1, since all protected virtual machines are assigned to the same "pseudohosts" conditional group. The "pseudohosts" group does not belong to administration groups and is not displayed in the Kaspersky Security Center Administration Console. Protected virtual machines cannot belong to administration groups, because they are not considered as client devices of Kaspersky Security Center.
  • First attempted run blocked. The date and time of the first detection of the activity typical of network attacks or suspicious network activity of all types.
  • Last attempted run blocked. The date and time of the last detection of the activity typical of network attacks or suspicious network activity of all types.

The report contains the following detailed information on each detection of the activity typical of network attacks or suspicious network activity:

• Group. Depends on the infrastructure where Kaspersky Security is deployed:
  • In the infrastructure managed by VMware NSX-T Manager – administration group containing the SVM that detected a network attack or suspicious network activity.
  • In the infrastructure managed by VMware NSX-V Manager – the field displays the pseudohosts value, since all protected virtual machines are assigned to the same "pseudohosts" conditional group. Protected virtual machines cannot belong to administration groups, because they are not considered as client devices of Kaspersky Security Center.
• Device. Depends on the infrastructure where Kaspersky Security is deployed:
  • In the infrastructure managed by VMware NSX-T Manager – name of the SVM that detected a network attack or suspicious network activity.
  • In the infrastructure managed by VMware NSX-V Manager – name of the protected virtual machine in whose traffic the network attack or suspicious network activity is detected.
• Attacking address. The number of the IP address from which the network attack have been registered or which showed the suspicious network activity.
• Attack time. The date and time of the network attack or suspicious network activity detection.
• Attack. The type of network attack or suspicious network activity.
• Protocol. Connection protocol, in which network attack or suspicious network activity was detected.
• Port. The number of the port targeted by the network attack or which showed the suspicious network activity.
• Last visible. The date and time of the last event associated with the protected virtual machine in whose traffic the network attack or suspicious network activity was registered.
• IP address. Depends on the infrastructure where Kaspersky Security is deployed:
  • In the infrastructure managed by VMware NSX-T Manager – IP address of the SVM that detected a network attack or suspicious network activity.
  • In the infrastructure managed by VMware NSX-V Manager – IP address of the protected virtual machine in whose traffic the network attack or suspicious network activity is detected.
• NetBIOS name. Depends on the infrastructure where Kaspersky Security is deployed:
  • In the infrastructure managed by VMware NSX-T Manager this field is left blank.
  • In the infrastructure managed by VMware NSX-V Manager – name of the protected virtual machine in whose traffic the network attack or suspicious network activity is detected, and the path to the virtual machine in the virtual infrastructure.
• DNS name. Depends on the infrastructure where Kaspersky Security is deployed:
  • In the infrastructure managed by VMware NSX-T Manager – name of the SVM that detected activity typical for network attacks or suspicious network activity, and the path to the SVM in the virtual infrastructure.
  • In the infrastructure managed by VMware NSX-V Manager – name of the protected virtual machine in whose traffic the network attack or suspicious network activity is detected, and the path to the virtual machine in the virtual infrastructure.
• Version number. The version number of the Network Threat Protection component of Kaspersky Security.
• Attacked interface address. The IP address on which the network attack was attempted.