Kaspersky Security 11.x for Windows Server

Importing rules from the Kaspersky Security Center report on blocked devices

June 10, 2022

ID 146686

You can import data on blocked device connections from the report that Kaspersky Security Center generates after the Device Control task has run in Statistics only mode, and use this data to generate a list of Device Control allowing rules in the policy being configured.

When generating the report on events occurring during the Device Control task, you can keep track of the devices whose connection is restricted.

To specify allowing rules for device connections for a group of protected devices based on the Kaspersky Security Center report on blocked devices:

  1. In the policy properties, in the Event notification section, make sure that:
    • For the Critical Events importance level, the period of time for storing the task log for the Untrusted external device detected and restricted event exceeds the planned period of operation in the Statistics only mode (the default value is 30 days).
    • For the Warning importance level, the period of time for storing the task log for the Statistics only: untrusted external device detected event exceeds the planned period of task operation in the Statistics only mode (the default value is 30 days).

      When the period for storing the events elapses, information about logged events is deleted and is not reflected in the report file. Before running the Device Control task in Statistics only mode, make sure that the task run time does not exceed the configured storage time for the specified events.

  2. Start the Device Control task in the Statistics only mode.
    1. In the workspace of the Administration Server node in Kaspersky Security Center, select the Events tab.
    2. Click the Create a selection button and create a selection of events based on the Untrusted external device detected and restricted criterion to view the devices whose connections will be restricted by the Device Control task.
    3. In the results pane of the selection, click the Export events to file link to save the report on restricted connections to a TXT file.

    Before importing and applying the generated report in a policy, make sure that the report contains data only on those devices whose connection you want to allow.

  3. Import data about restricted device connections into the Device Control task:
    1. Open the Device Control rules window.
    2. Click the Add button and in the context menu of the button select Import data of blocked devices from Kaspersky Security Center report.
    3. Select the principle for adding rules from the list created on the basis of the Kaspersky Security Center report to the list of previously configured Device Control rules:
      • Add to existing rules if you want to add the imported rules to the list of existing rules. Rules with identical settings are duplicated.
      • Replace existing rules if you want to replace the existing rules with the imported rules.
      • Merge with existing rules if you want to add the imported rules to the list of existing rules. Rules with identical settings are not added; the rule is added if at least one rule parameter is unique.
    4. In the standard window of Microsoft Windows that opens, select the TXT file to which events from the report about restricted devices have been exported.
    5. Click the Save button in the Device Control rules window.
  4. Click OK in the Device Control window.

Rules created on the basis of the Kaspersky Security Center report on restricted devices are added to the list of Device Control rules.
