Kaspersky Security 11.x for Windows Server

Configuring predefined task rules

June 10, 2022

ID 146701

Perform the following actions to configure the predefined rules for the Log Inspection task:

  1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
  2. Select the administration group for which you want to configure application settings.
  3. Perform one of the following actions in the details pane of the selected administration group:
    • To configure application settings for a group of protected devices, select the Policies tab and open the Properties: <Policy name> window.
    • To configure the application for a single protected device, select the Devices tab and open the Application settings window.

      If an active Kaspersky Security Center policy is applied to a device and blocks changes to application settings, then these settings cannot be edited in the Application settings window.

  4. In the System inspection section, click the Settings button in the Log Inspection subsection.

    The Log Inspection window opens.

  5. Select the Predefined rules tab.
  6. Select or clear the Apply predefined rules for log inspection check box.

    For the task to run, at least one Log Inspection rule must be selected.

  7. Select the rules you want to apply from the list of predefined rules:
    • There are patterns of a possible brute-force attack in the system.
    • There are patterns of a possible Windows Event log abuse.
    • Atypical actions detected on behalf of a new service installed.
    • Atypical logon that uses explicit credentials detected.
    • There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system.
    • Atypical actions detected directed at a privileged built-in group Administrators.
    • There is an atypical activity detected during a network logon session.
  8. To configure the selected rules, click the Advanced settings button.

    The Log Inspection window opens.

  9. In the Brute-force attack detection section, set the number of attempts and time frame used as triggers by the heuristic analyzer.
  10. In the Network logon detection section, indicate the start and end of the time interval during which Kaspersky Security for Windows Server treats sign-in attempts as abnormal activity.
  11. Select the Exclusions tab.
  12. Perform the following actions to add trusted users:
    1. Click the Browse button.
    2. Select a user.
    3. Click OK.

      The selected user is added to the list of trusted users.

  13. Perform the following actions to add trusted IP addresses:
    1. Enter the IP address.
    2. Click the Add button.

      The entered IP address is added to the list of trusted IP addresses.

  14. On the Task management tab, configure the task start schedule.
  15. Click OK in the Log Inspection window.

The Log Inspection task configuration is saved.
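
To show how the attempt count, time frame, abnormal logon interval and exclusion lists from the steps above interact, here is an added Python example; it is not Kaspersky's heuristic analyzer or code from this documentation. The setting values, the event tuples, counting per source IP and the `inspect` function are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Assumed settings modelled on steps 9-13; constructed values, not product defaults.
MAX_ATTEMPTS = 3                                        # step 9: number of attempts
WINDOW = timedelta(minutes=5)                           # step 9: time frame
ABNORMAL_START, ABNORMAL_END = time(23, 0), time(6, 0)  # step 10: interval
TRUSTED_USERS = {"CORP\\backup_svc"}                    # step 12
TRUSTED_IPS = {"10.0.0.5"}                              # step 13

# Constructed sample events in time order: (timestamp, kind, user, source IP).
EVENTS = [
    ("2022-06-10 14:00:00", "logon_failed", "CORP\\alice", "203.0.113.7"),
    ("2022-06-10 14:01:00", "logon_failed", "CORP\\alice", "203.0.113.7"),
    ("2022-06-10 14:10:00", "logon_failed", "CORP\\alice", "203.0.113.7"),
    ("2022-06-10 14:11:00", "logon_failed", "CORP\\bob", "203.0.113.7"),
    ("2022-06-10 14:12:00", "logon_failed", "CORP\\alice", "203.0.113.7"),
    *[(f"2022-06-10 15:00:0{i}", "logon_failed", "CORP\\scan", "10.0.0.5") for i in range(5)],
    ("2022-06-11 02:30:00", "network_logon", "CORP\\carol", "198.51.100.9"),
    ("2022-06-11 03:00:00", "network_logon", "CORP\\backup_svc", "198.51.100.20"),
    ("2022-06-11 09:00:00", "network_logon", "CORP\\carol", "198.51.100.9"),
]

def in_interval(t, start, end):
    """True if t is in [start, end); handles intervals that wrap past midnight."""
    return start <= t < end if start <= end else (t >= start or t < end)

def inspect(events):
    """Return alerts as (rule, subject, timestamp) tuples for time-ordered events."""
    alerts, recent = [], defaultdict(deque)  # recent: source IP -> failed-logon times
    for ts_text, kind, user, ip in events:
        if user in TRUSTED_USERS or ip in TRUSTED_IPS:
            continue  # assumption: exclusions suppress both rules
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        if kind == "logon_failed":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:  # drop attempts older than the time frame
                q.popleft()
            if len(q) >= MAX_ATTEMPTS:  # assumption: alert when the count is reached
                alerts.append(("brute_force", ip, ts_text))
                q.clear()  # start counting again after an alert
        elif kind == "network_logon" and in_interval(ts.time(), ABNORMAL_START, ABNORMAL_END):
            alerts.append(("abnormal_network_logon", user, ts_text))
    return alerts

if __name__ == "__main__":
    for alert in inspect(EVENTS):
        print(alert)
```

In the sample data the first two failures age out of the 5-minute frame, so the brute-force alert fires only at 14:12:00. In this model every event from a trusted user or trusted IP address is skipped, which is a reason to keep the exclusion lists short.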
