Kaspersky Security 11.x for Windows Server

Configuring predefined task rules

June 10, 2022

ID 148433

Perform the following actions to configure the heuristic analyzer for the Log Inspection task:

  1. In the Application Console tree, expand the System Inspection node.
  2. Select the Log Inspection child node.
  3. Click the Properties link in the results pane of the Log Inspection node.

    The Task settings window opens.

  4. Select the Predefined rules tab.
  5. Select or clear the Apply predefined rules for log inspection check box.

    For the task to run, at least one Log Inspection rule must be selected.

  6. Select the rules you want to apply from the list of predefined rules:
    • There are patterns of a possible brute-force attack in the system.
    • There are patterns of a possible Windows Event log abuse.
    • Atypical actions detected on behalf of a new service installed.
    • Atypical logon that uses explicit credentials detected.
    • There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system.
    • Atypical actions detected directed at a privileged built-in group Administrators.
    • There is an atypical activity detected during a network logon session.
  7. To configure the selected rules, go to the Extended tab.
  8. In the Brute-force attack detection section, set the number of attempts and time frame used as triggers by the heuristic analyzer.
  9. In the Network logon section, indicate the start and end of the time interval during which Kaspersky Security for Windows Server treats sign-in attempts as abnormal activity.
  10. Select the Exclusions tab.
  11. Perform the following actions to add trusted users:
    1. Click the Browse button.
    2. Select a user.
    3. Click OK.

      The selected user is added to the list of trusted users.

  12. Perform the following actions to add trusted IP addresses:
    1. Enter the IP address.
    2. Click the Add button.

      The entered IP address is added to the list of trusted IP addresses.

  13. Select the Schedule and Advanced tabs to configure the task start schedule.
  14. Click OK in the Task settings window.

    The Log Inspection task configuration is saved.
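How the settings from steps 8 through 12 combine can be seen by running equivalent logic over a few logon events. The sketch below is an added illustration, not Kaspersky Security's heuristic analyzer or code from the product. The threshold values, account names, IP addresses, per-source-IP counting, and the choice to let an exclusion suppress both rules are all assumptions. The event IDs are the standard Windows Security log IDs for a failed logon (4625) and a successful logon (4624); logon type 3 is a network logon.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Assumed values standing in for the Extended and Exclusions tab settings.
MAX_ATTEMPTS = 3                                  # brute-force: number of attempts
TIME_FRAME = timedelta(seconds=60)                # brute-force: time frame
ABNORMAL_START, ABNORMAL_END = time(22), time(6)  # network logon interval
TRUSTED_USERS = {"CORP\\backup-svc"}              # constructed account name
TRUSTED_IPS = {"10.0.0.5"}                        # constructed address

def in_interval(t, start, end):
    """True if t is in [start, end); handles intervals that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def inspect(events):
    """Return (timestamp, rule, user, ip) alerts for time-ordered logon events."""
    alerts, failures = [], defaultdict(deque)
    for ts, event_id, logon_type, user, ip in events:
        if user in TRUSTED_USERS or ip in TRUSTED_IPS:
            continue  # assumption: an exclusion suppresses both rules
        if event_id == 4625:  # Windows failed logon
            window = failures[ip]  # assumption: failures are counted per source IP
            window.append(ts)
            while ts - window[0] > TIME_FRAME:
                window.popleft()  # forget failures older than the time frame
            if len(window) >= MAX_ATTEMPTS:
                alerts.append((ts, "brute-force", user, ip))
                window.clear()  # raise one alert per burst
        elif event_id == 4624 and logon_type == 3:  # successful network logon
            if in_interval(ts.time(), ABNORMAL_START, ABNORMAL_END):
                alerts.append((ts, "atypical-network-logon", user, ip))
    return alerts

def at(hms):
    return datetime.fromisoformat("2022-06-10T" + hms)

# Constructed sample events: (time, event ID, logon type, user, source IP).
SAMPLE = [
    (at("12:00:00"), 4624, 3, "CORP\\dave", "192.0.2.44"),     # daytime: ignored
    (at("14:00:00"), 4625, 3, "CORP\\alice", "192.0.2.10"),
    (at("14:00:20"), 4625, 3, "CORP\\alice", "192.0.2.10"),
    (at("14:00:40"), 4625, 3, "CORP\\alice", "192.0.2.10"),    # 3 in 60 s: alert
    (at("15:00:00"), 4625, 3, "CORP\\bob", "198.51.100.7"),
    (at("15:02:00"), 4625, 3, "CORP\\bob", "198.51.100.7"),    # too slow: no alert
    (at("23:30:00"), 4624, 3, "CORP\\carol", "203.0.113.9"),   # night: alert
    (at("23:45:00"), 4624, 3, "CORP\\backup-svc", "10.0.0.5"), # trusted: skipped
]
```

Calling `inspect(SAMPLE)` shows the trade-off in the Exclusions tab: the trusted account's night-time network logon produces no alert, so every entry on the trusted lists is activity the task no longer inspects.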
