Detection and response widgets

May 15, 2024

ID 264092

On the Detection and response tab, you can add, configure, and delete widgets.

A selection of widgets used in the Detection and response tab is called a layout. All widgets must be placed in layouts. Kaspersky Next XDR Expert allows you to create, edit, and delete layouts. Preconfigured layouts are also available. You can edit widget settings in the preconfigured layouts as necessary. By default, the Alerts Overview layout is selected on the Detection and response tab.

A widget displays data only for the period and only for the tenants that are selected in the widget or layout settings.

Clicking the name of a widget that shows events, alerts, incidents, or active lists opens the corresponding section of the Kaspersky Next XDR Expert interface. This link is not available for some widgets.

The following widget groups and widgets are available on the Detection and response tab of the dashboard:

  • Events. Widget for creating analytics based on events.
  • Active lists. Widget for creating analytics based on active lists of correlators.
  • Alerts. Group for analytics related to alerts. Includes information about alerts and incidents that is provided by Kaspersky Next XDR Expert.

    The group includes the following widgets:

    • Active alerts. Number of alerts that have not been closed.
    • Active alerts by tenant. Number of unclosed alerts for each tenant.
    • Alerts by tenant. Number of alerts of all statuses for each tenant.
    • Unassigned alerts. Number of alerts that have no assignee.
    • Alerts by status. Number of alerts that have the New, Opened, Assigned, or Escalated status. The grouping is by status.
    • Latest alerts. Table with information about the last 10 unclosed alerts belonging to the tenants selected in the layout.
    • Alerts distribution. Number of alerts created during the period configured for the widget.
    • Alerts by assignee. Number of alerts with the Assigned status. The grouping is by account name.
    • Alerts by severity. Number of unclosed alerts grouped by their severity.
    • Alerts by rule. Number of unclosed alerts grouped by correlation rule.
  • Assets. Group for analytics related to assets from processed events. This group includes the following widgets:
    • Affected assets in alerts. Table with the names of assets and their tenants, and the number of unclosed alerts associated with each asset. You cannot go from this widget to the asset list section.
    • Affected asset categories. Categories of assets linked to unclosed alerts.
    • Number of assets. Number of assets that were added to Kaspersky Next XDR Expert.
    • Assets in incidents by tenant. Number of assets associated with unclosed incidents. The grouping is by tenant.
    • Assets in alerts by tenant. Number of assets associated with unclosed alerts, grouped by tenant.
  • Incidents. Group for analytics related to incidents.

    The group includes the following widgets:

    • Active incidents. Number of incidents that have not been closed.
    • Unassigned incidents. Number of incidents that have the Opened status.
    • Incidents distribution. Number of incidents created during the period configured for the widget.
    • Incidents by status. Number of incidents grouped by status.
    • Active incidents by tenant. Number of unclosed incidents, grouped by the tenants available to the user account.
    • All incidents. Number of incidents of all statuses.
    • All incidents by tenant. Number of incidents of all statuses, grouped by tenant.
    • Affected assets categories in incidents. Asset categories associated with unclosed incidents.
    • Latest incidents. Table with information about the last 10 unclosed incidents belonging to the tenants selected in the layout.
    • Incidents by assignee. Number of incidents with the Assigned status. The grouping is by user account name.
    • Incidents by severity. Number of unclosed incidents grouped by their severity.
    • Affected assets in incidents. Number of assets associated with unclosed incidents. You cannot go from this widget to the asset list section.
    • Affected users in incidents. Users associated with incidents. You cannot go from this widget to the user list section.
  • Event sources. Group for analytics related to sources of events. The group includes the following widgets:
    • Top event sources by alerts number. Number of unclosed alerts grouped by event source.
    • Top event sources by convention rate. Number of events associated with unclosed alerts. The grouping is by event source.

      In some cases, the number of alerts attributed to each source may be inaccurate. To obtain accurate statistics, mark the Device Product event field as unique in the correlation rule and enable storage of all base events in the correlation event. Correlation rules with these settings consume more resources.

  • Users. Group for analytics related to users from processed events. The group includes the following widgets:
    • Affected users in alerts. Number of accounts related to unclosed alerts. You cannot go from this widget to the user list section.
    • Number of AD users. Number of Active Directory accounts received via LDAP during the period configured for the widget.

      In the events table, in the event details area, in the alert window, and in the widgets, the values of the SourceAssetID, DestinationAssetID, DeviceAssetID, SourceAccountID, DestinationAccountID, and ServiceID fields are shown as the names of the assets, accounts, and services rather than as IDs. When events are exported to a file, the IDs are saved and additional columns with the names are added to the file. The IDs are also displayed when you point the mouse over the name of an asset, account, or service.
      Fields that hold IDs can be searched only by ID, not by name.

  • Playbooks. Group for analytics related to playbooks.

    To view widgets in this group, you must have one of the following XDR roles: Main administrator, Tenant Administrator, SOC Administrator, SOC Manager, Junior analyst, Tier 1 analyst, Tier 2 analyst, Approver, Observer.

    The group includes the following widgets:

    • Statistics MTTR. How the time to first response to alerts and incidents changed over the selected period (30 days by default). The widget displays a column chart.

      The following configuration parameters of the Statistics MTTR widget are available:

      • MTTR type
        • Mean. Change in the mean time to first response to alerts and incidents.
        • Minimum. Change in the minimum time to first response to alerts and incidents.
        • Maximum. Change in the maximum time to first response to alerts and incidents.
      • Response mode
        • Manual. Only manual first responses are counted.
        • Automatic. Only automatic first responses are counted.
        • All. All first responses are counted.
      • Scope
        • Alerts. Only the time to first response to alerts is counted.
        • Incidents. Only the time to first response to incidents is counted.
        • All. The time to first response to both alerts and incidents is counted.
    • Automatic and manual launches of playbooks. The total number of automatic and manual launches of playbooks for a certain period. The widget displays a column chart.

      The Launch type parameter of the widget specifies whether to show only the number of automatic, only the number of manual, or the total number of playbook launches for a certain period.

      For the Statistics MTTR and Automatic and manual launches of playbooks widgets, you can also set the Period segments length parameter. This parameter specifies the time interval within which data is grouped: every hour, every 4 hours, or every 24 hours. Each segment becomes one column of the column chart, so the Period segments length parameter also determines the column width.

    • Coverage of alerts and incidents with playbooks. Number of active alerts and incidents, broken down by whether a playbook was launched for them. You can select which components to display: incidents, alerts, or both.

      The donut chart displays alerts/incidents in the following sectors:

      • Alerts/incidents for which a playbook in Auto operation mode was launched.
      • Alerts/incidents for which a playbook in Training operation mode was launched.
      • All other alerts/incidents.
    • Time saved by using playbooks. Time saved by launching all the playbooks that have Success or Warning action status.

      The widget is not displayed by default.

    You can view the full playbook list by clicking the name of any playbook widget.
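The Statistics MTTR widget described above is a grouped aggregate over the time between an alert or incident appearing and its first response, filtered by MTTR type, Response mode and Scope and bucketed by Period segments length. The following Python code is an added example, not Kaspersky code and not the product's data model: it reproduces that computation over a constructed set of records. The `Record` fields, the rule that a record is bucketed by the time of its first response, and the exclusion of records that have no response yet are assumptions made for the example.

```python
"""Added example (not Kaspersky code): compute a Statistics MTTR series from a
constructed set of alert and incident records, applying the MTTR type,
Response mode, Scope and Period segments length parameters."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import ceil
from statistics import mean
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Record:
    """One alert or incident. Field names are assumptions for this example,
    not the product's schema."""
    kind: str                           # "alert" or "incident"
    created: datetime                   # when the alert/incident appeared
    first_response: Optional[datetime]  # None: no response yet, so no MTTR value
    response_mode: Optional[str]        # "manual" or "automatic"


# The three Period segments length options the widget offers.
ALLOWED_SEGMENT_HOURS = (1, 4, 24)
# MTTR type -> aggregate applied to the time-to-first-response values of a segment.
AGGREGATES = {"mean": mean, "minimum": min, "maximum": max}
# Scope -> record kinds it covers.
SCOPE_KINDS = {"alerts": {"alert"}, "incidents": {"incident"}, "all": {"alert", "incident"}}


def mttr_series(records, period_start, period_end, *, mttr_type="mean",
                response_mode="all", scope="all", segment_hours=24):
    """Return [(segment_start, seconds_or_None), ...], one entry per segment.

    Assumption: a record is bucketed by the time of its first response (the
    moment its response time becomes known); a segment with no responses is
    None so the chart shows a gap rather than a zero.
    """
    if segment_hours not in ALLOWED_SEGMENT_HOURS:
        raise ValueError(f"segment_hours must be one of {ALLOWED_SEGMENT_HOURS}")
    if mttr_type not in AGGREGATES:
        raise ValueError(f"mttr_type must be one of {tuple(AGGREGATES)}")
    if response_mode not in ("manual", "automatic", "all"):
        raise ValueError("response_mode must be manual, automatic or all")
    kinds = SCOPE_KINDS[scope]
    width = timedelta(hours=segment_hours)
    buckets = [[] for _ in range(ceil((period_end - period_start) / width))]

    for r in records:
        if r.first_response is None or r.kind not in kinds:
            continue
        if response_mode != "all" and r.response_mode != response_mode:
            continue
        if not (period_start <= r.first_response < period_end):
            continue  # responded outside the selected period
        idx = (r.first_response - period_start) // width  # timedelta // timedelta -> int
        buckets[idx].append((r.first_response - r.created).total_seconds())

    agg = AGGREGATES[mttr_type]
    return [(period_start + i * width, agg(b) if b else None)
            for i, b in enumerate(buckets)]


def ts(day, hour, minute=0):
    return datetime(2024, 5, day, hour, minute, tzinfo=UTC)


PERIOD_START, PERIOD_END = ts(13, 0), ts(15, 0)  # two days -> two 24 h segments

SAMPLE_RECORDS = [  # constructed sample data, not real alerts
    Record("alert",    ts(13, 1),      ts(13, 1, 10), "manual"),     # 600 s, segment 0
    Record("alert",    ts(13, 2),      ts(13, 2, 30), "automatic"),  # 1800 s, segment 0
    Record("incident", ts(13, 3),      ts(14, 3),     "manual"),     # 86400 s, segment 1
    Record("alert",    ts(13, 4),      None,          None),         # no response: excluded
    Record("incident", ts(14, 5),      ts(14, 5, 5),  "automatic"),  # 300 s, segment 1
    Record("alert",    ts(12, 23, 50), ts(15, 0, 30), "manual"),     # responded after the period: excluded
]

if __name__ == "__main__":
    for start, value in mttr_series(SAMPLE_RECORDS, PERIOD_START, PERIOD_END):
        print(start.isoformat(), value)
```

With the defaults (mean, all responses, alerts and incidents, 24-hour segments) the sample yields 1200 s for the first day and 43350 s for the second; switching to minimum and manual responses yields 600 s and 86400 s. Note that the last sample record was created inside the period but answered after it, so it contributes nothing: which timestamp a record is bucketed by changes the series, and the widget's own choice is not stated on this page.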
