Kaspersky Security Center Cloud Console


Monitoring and reporting

This section describes the monitoring and reporting capabilities of Kaspersky Security Center Cloud Console. These capabilities give you an overview of your infrastructure, protection statuses, and statistics.

After Kaspersky Security Center Cloud Console deployment or during the operation, you can configure the monitoring and reporting features to best suit your needs.

In this section

Scenario: Monitoring and reporting

About types of monitoring and reporting

Dashboard and widgets

Reports

Events and event selections

Notifications and device statuses

Kaspersky announcements

Receiving license expiration warning

Cloud Discovery

[Topic 165803]

Scenario: Monitoring and reporting

This section provides a scenario for configuring the monitoring and reporting feature in Kaspersky Security Center Cloud Console.

Prerequisites

After you deploy Kaspersky Security Center Cloud Console on an organization's network, you can start to monitor it and generate reports on its functioning.

Stages

Configuring monitoring and reporting on an organization's network proceeds in stages:

  1. Configuring the switching of device statuses

    Get acquainted with the settings for device statuses depending on specific conditions. By changing these settings, you can change the number of events with Critical or Warning importance levels. When configuring the switching of device statuses, be sure of the following:

    • New settings do not conflict with the information security policies of your organization.
    • You are able to react to important security events on your organization's network in a timely manner.
  2. Configuring notifications about events on client devices

    How-to instructions: Configure notification (by email) of events on client devices

  3. Changing the response of your security network to the Virus outbreak event

    You can change the specific thresholds in the Administration Server properties. You can also create a stricter policy that will be activated or create a task that will be run at the occurrence of this event.

  4. Reviewing the security status of your organization's network

    How-to instructions:

  5. Locating client devices that are not protected

    How-to instructions:

  6. Checking protection of client devices

    How-to instructions:

  7. Reviewing license information

    How-to instructions:

Results

Upon completion of the scenario, you are informed about protection of your organization's network and, thus, can plan actions for further protection.

See also:

About types of monitoring and reporting

Dashboard and widgets

Reports

Events and event selections

Notifications and device statuses

Kaspersky announcements

Receiving license expiration warning

Cloud Discovery

[Topic 180118]

About types of monitoring and reporting

Information on security events on an organization's network is stored in the Administration Server database. Based on the events, Kaspersky Security Center Cloud Console provides the following types of monitoring and reporting on your organization's network:

  • Dashboard
  • Reports
  • Event selections

Dashboard

The dashboard allows you to monitor security trends on your organization's network by providing you with a graphical display of information.

Reports

The Reports feature allows you to get detailed numerical information about the security of your organization's network, save this information to a file, send it by email, and print it.

Event selections

Event selections provide an onscreen view of named sets of events that are selected from the Administration Server database. These sets of events are grouped according to the following categories:

  • By importance level—Critical events, Functional failures, Warnings, and Info events
  • By time—Recent events
  • By type—User requests and Audit events

You can create and view user-defined event selections based on the settings available for configuration in the Kaspersky Security Center Cloud Console interface.

See also:

Scenario: Monitoring and reporting

[Topic 180005]

Dashboard and widgets

This section contains information about the dashboard and the widgets that the dashboard provides. The section includes instructions on how to manage widgets and configure widget settings.

In this section

Using the dashboard

Adding widgets to the dashboard

Hiding a widget from the dashboard

Moving a widget on the dashboard

Changing the widget size or appearance

Changing widget settings

About the Dashboard-only mode

Configuring the Dashboard-only mode

[Topic 233381]

Using the dashboard

The dashboard allows you to monitor security trends on your organization's network by providing you with a graphical display of information.

The dashboard is available in the Kaspersky Security Center Cloud Console, in the Monitoring & reporting section, by clicking Dashboard.

The dashboard provides widgets that can be customized. You can choose from a large number of different widgets, presented as pie charts or donut charts, tables, graphs, bar charts, and lists. The information displayed in widgets is updated automatically; the update period is one to two minutes. The interval between updates varies for different widgets. You can refresh data on a widget manually at any time by means of the settings menu.

By default, widgets include information about all events stored in the database of Administration Server.

Kaspersky Security Center Cloud Console has a default set of widgets for the following categories:

  • Protection status
  • Deployment
  • Updating
  • Threat statistics
  • Other

Some widgets have text information with links. You can view detailed information by clicking a link.

When configuring the dashboard, you can add widgets that you need, hide widgets that you do not need, change the size or appearance of widgets, move widgets, and change their settings.

See also:

Scenario: Monitoring and reporting

[Topic 166064]

Adding widgets to the dashboard

To add widgets to the dashboard:

  1. In the main menu, go to Monitoring & reporting → Dashboard.
  2. Click the Add or restore web widget button.
  3. In the list of available widgets, select the widgets that you want to add to the dashboard.

    Widgets are grouped by category. To view the list of widgets included in a category, click the chevron icon next to the category name.

  4. Click the Add button.

The selected widgets are added at the end of the dashboard.

You can now edit the representation and parameters of the added widgets.

See also:

Scenario: Monitoring and reporting

[Topic 176350]

Hiding a widget from the dashboard

To hide a displayed widget from the dashboard:

  1. In the main menu, go to Monitoring & reporting → Dashboard.
  2. Click the settings icon next to the widget that you want to hide.
  3. Select Hide web widget.
  4. In the Warning window that opens, click OK.

The selected widget is hidden. Later, you can add this widget to the dashboard again.

See also:

Scenario: Monitoring and reporting

[Topic 176354]

Moving a widget on the dashboard

To move a widget on the dashboard:

  1. In the main menu, go to Monitoring & reporting → Dashboard.
  2. Click the settings icon next to the widget that you want to move.
  3. Select Move.
  4. Click the place to which you want to move the widget. You can select only another widget.

The places of the selected widgets are swapped.

See also:

Scenario: Monitoring and reporting

[Topic 176362]

Changing the widget size or appearance

For widgets that display a graph, you can change its representation—a bar chart or a line chart. For some widgets, you can change their size: compact, medium, or maximum.

To change the widget representation:

  1. In the main menu, go to Monitoring & reporting → Dashboard.
  2. Click the settings icon next to the widget that you want to edit.
  3. Do one of the following:
    • To display the widget as a bar chart, select Chart type: Bars.
    • To display the widget as a line chart, select Chart type: Lines.
    • To change the area occupied by the widget, select one of the values:
      • Compact
      • Compact (bar only)
      • Medium (donut chart)
      • Medium (bar chart)
      • Maximum

The representation of the selected widget is changed.

See also:

Scenario: Monitoring and reporting

[Topic 176369]

Changing widget settings

To change settings of a widget:

  1. In the main menu, go to Monitoring & reporting → Dashboard.
  2. Click the settings icon next to the widget that you want to change.
  3. Select Show settings.
  4. In the widget settings window that opens, change the widget settings as required.
  5. Click Save to save the changes.

The settings of the selected widget are changed.

The set of settings depends on the specific widget. Below are some of the common settings:

  • Web widget scope (the set of objects for which the widget displays information)—for example, an administration group or device selection.
  • Select task (the task for which the widget displays information).
  • Time interval (the time interval during which the information is displayed in the widget)—between the two specified dates; from the specified date to the current day; or from the current day minus the specified number of days to the current day.
  • Set to Critical if these are specified and Set to Warning if these are specified (the rules that determine the color of a traffic light).

After you change the widget settings, you can refresh data on the widget manually.

To refresh data on a widget:

  1. In the main menu, go to Monitoring & reporting → Dashboard.
  2. Click the settings icon next to the widget that you want to refresh.
  3. Select Refresh.

The data on the widget is refreshed.

See also:

Scenario: Monitoring and reporting

[Topic 176370]

About the Dashboard-only mode

You can configure the Dashboard-only mode for employees who do not manage the network but who want to view the network protection statistics in Kaspersky Security Center Cloud Console (for example, a top manager). When a user has this mode enabled, only a dashboard with a predefined set of widgets is displayed to the user. Thus, he or she can monitor the statistics specified in the widgets, for example, the protection status of all managed devices, the number of recently detected threats, or the list of the most frequent threats in the network.

When a user works in the Dashboard-only mode, the following restrictions are applied:

  • The main menu is not displayed to the user, so he or she cannot change the network protection settings.
  • The user cannot perform any actions with widgets, for example, add or hide them. Therefore, you need to put all widgets required for the user on the dashboard and configure them, for instance, set the rule of counting objects or specify the time interval.

You cannot assign the Dashboard-only mode to yourself. If you want to work in this mode, contact a system administrator, Managed Service Provider (MSP), or a user with the Modify object ACLs right in the General features: User permissions functional area.

See also:

Configuring the Dashboard-only mode

[Topic 229787]

Configuring the Dashboard-only mode

Before you begin to configure the Dashboard-only mode, make sure that the following prerequisites are met:

  • You have the Modify object ACLs right in the General features: User permissions functional area. If you do not have this right, the tab for configuring the mode will be missing.
  • The user has the Read right in the General features: Basic functionality functional area.

If a hierarchy of Administration Servers is arranged in your network, configure the Dashboard-only mode on the Server where the user account is available on the Users tab of the Users & roles → Users & groups section. It can be a primary server or physical secondary server. It is not possible to adjust the mode on a virtual server.

To configure the Dashboard-only mode:

  1. In the main menu, go to Users & roles → Users & groups, and then select the Users tab.
  2. Click the user account name for which you want to adjust the dashboard with widgets.
  3. In the account settings window that opens, select the Dashboard tab.

    On the tab that opens, the same dashboard is displayed for you as for the user.

  4. If the Display the console in Dashboard-only mode option is enabled, switch the toggle button to disable it.

    When this option is enabled, you are also unable to change the dashboard. After you disable the option, you can manage widgets.

  5. Configure the dashboard appearance. The set of widgets prepared on the Dashboard tab is available for the user with the customizable account. He or she cannot change any settings or size of the widgets, add, or remove any widgets from the dashboard. Therefore, adjust them for the user, so he or she can view the network protection statistics. For this purpose, on the Dashboard tab you can perform the same actions with widgets as in the Monitoring & reporting → Dashboard section:
  6. Switch the toggle button to enable the Display the console in Dashboard-only mode option.

    After that, only the dashboard is available for the user. He or she can monitor statistics but cannot change the network protection settings and dashboard appearance. As the same dashboard is displayed for you as for the user, you are also unable to change the dashboard.

    If you keep the option disabled, the main menu is displayed for the user, so he or she can perform various actions in Kaspersky Security Center Cloud Console, including changing security settings and widgets.

  7. Click the Save button when you finish configuring the Dashboard-only mode. Only after that will the prepared dashboard be displayed to the user.
  8. If the user wants to view statistics of supported Kaspersky applications and needs access rights to do so, configure the rights for the user. After that, Kaspersky applications data is displayed for the user in the widgets of these applications.

Now the user can log in to Kaspersky Security Center Cloud Console under the customized account and monitor the network protection statistics in the Dashboard-only mode.

[Topic 229700]

Reports

This section describes how to use reports, manage custom report templates, use report templates to generate new reports, and create report delivery tasks.

In this section

Using reports

Creating a report template

Viewing and editing report template properties

Exporting a report to a file

Generating and viewing a report

Creating a report delivery task

Deleting report templates

[Topic 233382]

Using reports

The Reports feature allows you to get detailed numerical information about the security of your organization's network, save this information to a file, send it by email, and print it.

Reports are available in the Kaspersky Security Center Cloud Console, in the Monitoring & reporting section, by clicking Reports.

By default, reports include information for the last 30 days.

Kaspersky Security Center Cloud Console has a default set of reports for the following categories:

  • Protection status
  • Deployment
  • Updating
  • Threat statistics
  • Other

You can create custom report templates, edit report templates, and delete them.

You can create reports that are based on existing templates, export reports to files, and create tasks for report delivery.

See also:

Scenario: Migration without a hierarchy of Administration Servers

Scenario: Monitoring and reporting

[Topic 166065]

Creating a report template

To create a report template:

  1. In the main menu, go to Monitoring & reporting → Reports.
  2. Click Add.

    The New report template wizard starts. Proceed through the wizard by using the Next button.

  3. Enter the report name and select the report type.
  4. On the Scope step of the wizard, select the set of client devices (administration group, device selection, selected devices, or all networked devices) whose data will be displayed in reports that are based on this report template.
  5. On the Reporting period step of the wizard, specify the report period. Available values are as follows:
    • Between the two specified dates
    • From the specified date to the report creation date
    • From the report creation date, minus the specified number of days, to the report creation date

    This page may not appear for some reports.

  6. Click OK to close the wizard.
  7. Do one of the following:
    • Click the Save and run button to save the new report template and to run a report based on it.

      The report template is saved. The report is generated.

    • Click the Save button to save the new report template.

      The report template is saved.

You can use the new template for generating and viewing reports.

See also:

Scenario: Monitoring and reporting

[Topic 176425]

Viewing and editing report template properties


You can view and edit basic properties of a report template, for example, the report template name or the fields displayed in the report.

To view and edit properties of a report template:

  1. In the main menu, go to Monitoring & reporting → Reports.
  2. Select the check box next to the report template whose properties you want to view and edit.

    As an alternative, you can first generate the report, and then click the Edit button.

  3. Click the Open report template properties button.

    The Editing report <Report name> window opens with the General tab selected.

  4. Edit the report template properties:
    • General tab:
      • Report template name
      • Maximum number of entries to display

        If this option is enabled, the number of entries displayed in the table with detailed report data does not exceed the specified value. Note that this option does not affect the maximum number of events that you can include in the report when you export the report to a file.

        Report entries are first sorted according to the rules specified in the Fields → Details fields section of the report template properties, and then only the first of the resulting entries are kept. The heading of the table with detailed report data shows the displayed number of entries and the total available number of entries that match other report template settings.

        If this option is disabled, the table with detailed report data displays all available entries. We do not recommend that you disable this option. Limiting the number of displayed report entries reduces the load on the database management system (DBMS) and reduces the time required for generating and exporting the report. Some of the reports contain too many entries. If this is the case, you may find it difficult to read and analyze them all. Also, your device may run out of memory while generating such a report and, consequently, you will not be able to view the report.

        By default, this option is enabled. The default value is 1000.

        Note that the Kaspersky Security Center Cloud Console interface can display a maximum of 2500 entries. If you need to view a greater number of events, use the report export feature.

      • Group

        Click the Settings button to change the set of client devices for which the report is created. For some types of the reports, the button may be unavailable. The actual settings depend on the settings specified during creation of the report template.

      • Time interval

        Click the Settings button to modify the report period. For some types of the reports, the button may be unavailable. Available values are as follows:

        • Between the two specified dates
        • From the specified date to the report creation date
        • From the report creation date, minus the specified number of days, to the report creation date
      • Include data from secondary and virtual Administration Servers

        If this option is enabled, the report includes the information from the secondary and virtual Administration Servers that are subordinate to the Administration Server for which the report template is created.

        Disable this option if you want to view data only from the current Administration Server.

        By default, this option is enabled.

      • Up to nesting level

        The report includes data from secondary and virtual Administration Servers that are located under the current Administration Server on a nesting level that is less than or equal to the specified value.

        The default value is 1. You may want to change this value if you have to retrieve information from secondary Administration Servers located at lower levels in the tree.

      • Data wait interval (min)

        Before generating the report, the Administration Server for which the report template is created waits for data from secondary Administration Servers during the specified number of minutes. If no data is received from a secondary Administration Server at the end of this period, the report runs anyway. Instead of the actual data, the report shows data taken from the cache (if the Cache data from secondary Administration Servers option is enabled), or N/A (not available) otherwise.

        The default value is 5 (minutes).

      • Cache data from secondary Administration Servers

        Secondary Administration Servers regularly transfer data to the Administration Server for which the report template is created. There, the transferred data is stored in the cache.

        If the current Administration Server cannot receive data from a secondary Administration Server while generating the report, the report shows data taken from the cache. The date when the data was transferred to the cache is also displayed.

        Enabling this option allows you to view the information from secondary Administration Servers even if the up-to-date data cannot be retrieved. However, the displayed data can be obsolete.

        By default, this option is disabled.

      • Cache update frequency (h)

        Secondary Administration Servers at regular intervals transfer data to the Administration Server for which the report template is created. You can specify this period in hours. If you specify 0 hours, data is transferred only when the report is generated.

        The default value is 0.

      • Transfer detailed information from secondary Administration Servers

        In the generated report, the table with detailed report data includes data from secondary Administration Servers of the Administration Server for which the report template is created.

        Enabling this option slows the report generation and increases traffic between Administration Servers. However, you can view all data in one report.

        Instead of enabling this option, you may want to analyze detailed report data to detect a faulty secondary Administration Server, and then generate the same report only for that faulty Administration Server.

        By default, this option is disabled.

    • Fields tab

      Select the fields that will be displayed in the report, and use the Move up button and Move down button to change the order of these fields. Use the Add button or Edit button to specify whether the information in the report must be sorted and filtered by each of the fields.

      In the Filters of Details fields section, you can also click the Convert filters button to start using the extended filtering format. This format enables you to combine filtering conditions specified in various fields by using the logical OR operation. After you click the button, the Convert filters panel opens on the right. Click the Convert filters button to confirm conversion. You can now define a converted filter with conditions from the Details fields section that are applied by using the logical OR operation.

      Conversion of a report to the format supporting complex filtering conditions will make the report incompatible with the previous versions of Kaspersky Security Center (11 and earlier). Also, the converted report will not contain any data from secondary Administration Servers running such incompatible versions.

  5. Click Save to save the changes.
  6. Close the Editing report <Report name> window.

The updated report template appears in the list of report templates.

See also:

Scenario: Monitoring and reporting

[Topic 176428]

Exporting a report to a file

You can save one or multiple reports as XML, HTML, or PDF. Kaspersky Security Center Cloud Console allows you to export up to 10 reports to files of the specified format at the same time.

To export a report to a file:

  1. In the main menu, go to Monitoring & reporting → Reports.
  2. Choose the reports that you want to export.

    If you choose more than 10 reports, the Export report button will be disabled.

  3. Click the Export report button.
  4. In the opened window, specify the following export parameters:
    • File name.

      If you select one report to export, specify the report file name.

      If you select more than one report, the report file names will coincide with the names of the selected report templates.

    • Maximum number of entries.

      Specify the maximum number of entries included in the report file. The default value is 10,000.

    • File format.

      Select the report file format: XML, HTML, or PDF. If you export multiple reports, all selected reports are saved in the specified format as separate files.

  5. Click the Export report button.

The report is saved to a file in the specified format.

See also:

Scenario: Monitoring and reporting

[Topic 176429]

Generating and viewing a report

To create and view a report:

  1. In the main menu, go to Monitoring & reporting → Reports.
  2. Click the name of the report template that you want to use to create a report.

A report using the selected template is generated and displayed.

Report data is displayed only in English; other localizations are not available.

The report displays the following data:

  • On the Summary tab:
    • The name and type of report, a brief description and the reporting period, as well as information about the group of devices for which the report is generated.
    • Graph chart showing the most representative report data.
    • Consolidated table with calculated report indicators.
  • On the Details tab, a table with detailed report data is displayed.

See also:

Scenario: Updating third-party software

Scenario: Monitoring and reporting

[Topic 176423]

Creating a report delivery task


You can create a task that will deliver selected reports.

To create a report delivery task:

  1. In the main menu, go to Monitoring & reporting → Reports.
  2. Select the check boxes next to the report templates for which you want to create a report delivery task.
  3. Click the Create delivery task button.

    The New task wizard starts. Proceed through the wizard by using the Next button.

  4. At the New task settings step of the wizard, enter the task name.

    The default name is Deliver reports. If a task with this name already exists, a sequence number (<N>) is added to the task name.

  5. At the Report configuration step of the wizard, specify the following settings:
    1. Report templates to be delivered by the task.
    2. The report format: HTML, XLS, or PDF.

      The wkhtmltopdf tool is required to convert a report to PDF. When you select the PDF option, Administration Server checks whether the wkhtmltopdf tool is installed on the device. If the tool is not installed, the application displays a message about the necessity to install the tool on the Administration Server device. Install the tool manually, and then proceed to the next step.

    3. Whether the reports are to be sent by email, together with email notification settings.

      You can specify up to 20 email addresses. To separate email addresses, press Enter. You can also paste a comma-separated list of email addresses, and then press Enter.

  6. At the Configure task schedule step of the wizard, select the task start schedule.

    The following task schedule options are available:

    • Manually

      The task does not run automatically. You can only start it manually.

      By default, this option is selected.

    • Every N minutes

      The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

      By default, the task runs every 30 minutes, starting from the current system time.

    • Every N hours

      The task runs regularly, with the specified interval in hours, starting from the specified date and time.

      By default, the task runs every 6 hours, starting from the current system date and time.

    • Every N days

      The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available if they are supported by the application for which you create the task.

      By default, the task runs every day, starting from the current system date and time.

    • Every N weeks

      The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

      By default, the task runs every Monday at the current system time.

    • Monthly

      The task runs regularly, on the specified day of the month, at the specified time.

      In months that lack the specified day, the task runs on the last day.

      By default, the task runs on the first day of each month, at the current system time.

    • On specified days

      The task runs regularly, on the specified days of each month, at the specified time.

      By default, no days of month are selected. The default start time is 18:00.

    • On virus outbreak

      The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

      • Anti-virus for workstations and file servers
      • Anti-virus for perimeter defense
      • Anti-virus for mail systems

      By default, all application types are selected.

      You may want to run different tasks depending on the security application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

    • On completing another task

      The current task starts after another task completes. This parameter only works if both tasks are assigned to the same devices. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task as a triggering task.

      You have to select the triggering task from the table and the status with which this task must complete (Completed successfully or Failed).

      If necessary, you can search, sort, and filter the tasks in the table as follows:

      • Enter the task name in the search field, to search the task by its name.
      • Click the sort icon to sort the tasks by name.

        By default, the tasks are sorted in alphabetical ascending order.

      • Click the filter icon, and in the window that opens, filter the tasks by group, and then click the Apply button.
  7. At this step of the wizard, configure other task schedule settings:
    • In the Task schedule section, check or reconfigure the previously selected schedule and set the time interval, days of the month or week, set the virus outbreak condition or completing another task as a trigger to start the task. A start time can also be specified in this section if an applicable schedule is selected.
    • In the Additional settings section, specify the following settings:
      • Run missed tasks

        This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

        If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

        If this option is disabled, only scheduled tasks run on client devices. For the Manually, Once, and Immediately schedules, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

        By default, this option is disabled.

      • Use automatically randomized delay for task starts

        If this option is enabled, the task is started on client devices at random moments within a specified time interval (a distributed task start). A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

        The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started at the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

        If this option is disabled, the task starts on client devices according to the schedule.

      • Use automatically randomized delay for task starts within an interval of

        If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

        If this option is disabled, the task starts on client devices according to the schedule.

        By default, this option is disabled. The default time interval is one minute.

      • Stop the task if it runs longer than

        After the specified time period expires, the task is stopped automatically, whether it is completed or not.

        Enable this option if you want to interrupt (or stop) tasks that take too long to execute.

        By default, this option is disabled. The default task execution time is 120 minutes.

  8. At the Selecting an account to run the task step of the wizard, specify the credentials of the user account that is used to run the task.
  9. If you want to modify other task settings after the task is created, at the Finish task creation step of the wizard, enable the Open task details when creation is complete option (by default, this option is enabled).
  10. Click the Finish button to create the task and close the wizard.

    The report delivery task is created. If the Open task details when creation is complete option is enabled, the task settings window opens.

See also:

Scenario: Monitoring and reporting


Deleting report templates

To delete one or several report templates:

  1. In the main menu, go to Monitoring & reporting → Reports.
  2. Select check boxes next to the report templates that you want to delete.
  3. Click the Delete button.
  4. In the window that opens, click OK to confirm your selection.

The selected report templates are deleted. If these report templates were included in the report delivery tasks, they are also removed from the tasks.

See also:

Scenario: Monitoring and reporting


About events in Kaspersky Security Center Cloud Console

Kaspersky Security Center Cloud Console allows you to receive information about events that occur during the operation of Administration Server and Kaspersky applications installed on managed devices. Information about events is saved in the Administration Server database. You can export this information to external SIEM systems. Exporting event information to external SIEM systems enables administrators of SIEM systems to promptly respond to security system events that occur on managed devices or groups of devices.

Events by type

In Kaspersky Security Center Cloud Console, there are the following types of events:

  • General events. These events occur in all managed Kaspersky applications. An example of a general event is Virus outbreak. General events have strictly defined syntax and semantics. General events are used, for instance, in reports and dashboards.
  • Managed Kaspersky applications-specific events. Each managed Kaspersky application has its own set of events.

Events by source

You can view the full list of the events that can be generated by an application on the Event configuration tab in the application policy. For Administration Server, you can additionally view the event list in the Administration Server properties.

Events can be generated by the following applications:

  • Kaspersky Security Center Cloud Console components:
  • Managed Kaspersky applications

    For details about the events generated by Kaspersky managed applications, please refer to the documentation of the corresponding application.

Events by importance level

Each event has its own importance level. Depending on the conditions of its occurrence, an event can be assigned various importance levels. There are four importance levels of events:

  • A critical event is an event that indicates the occurrence of a critical problem that may lead to data loss, an operational malfunction, or a critical error.
  • A functional failure is an event that indicates the occurrence of a serious problem, error or malfunction that occurred during operation of the application or while performing a procedure.
  • A warning is an event that is not necessarily serious, but nevertheless indicates a potential problem in the future. Most events are designated as warnings if the application can be restored without loss of data or functional capabilities after such events occur.
  • An info event is an event that occurs for the purpose of informing about successful completion of an operation, proper functioning of the application, or completion of a procedure.

Each event has a defined storage term, during which you can view or modify it in Kaspersky Security Center Cloud Console. Some events are not saved in the Administration Server database by default because their defined storage term is zero. Only events that will be stored in the Administration Server database for at least one day can be exported to external systems.

See also:

Events of Kaspersky Security Center Cloud Console components

Configuring event export to SIEM systems


Events of Kaspersky Security Center Cloud Console components

Each Kaspersky Security Center Cloud Console component has its own set of event types. This section lists types of events that occur in Kaspersky Security Center Cloud Console Administration Server and Network Agent. Types of events that occur in Kaspersky applications are not listed in this section.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

In this section

Data structure of event type description

Administration Server events

Network Agent events

See also:

Scenario: Monitoring and reporting


Data structure of event type description

For each event type, its display name, identifier (ID), alphabetic code, description, and the default storage term are provided.

  • Event type display name. This text is displayed in Kaspersky Security Center Cloud Console when you configure events and when they occur.
  • Event type ID. This numerical code is used when you process events by using third-party tools for event analysis.
  • Event type (alphabetic code). This code is used when you browse and process events by using public views that are provided in the Kaspersky Security Center Cloud Console database.
  • Description. This text describes the situations in which an event occurs and what you can do in such a case.
  • Default storage term. This is the number of days during which the event is stored in the Administration Server database and is displayed in the list of events on Administration Server. After this period elapses, the event is deleted. If the event storage term value is 0, such events are detected but are not displayed in the list of events on Administration Server.
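The storage term, not the importance level, decides whether an event type can ever reach an external SIEM system. The following added example (not part of the Kaspersky documentation) uses a few event types from the Administration Server tables on this page to find monitored event types whose storage term blocks export, and to bucket event records by the numeric event type ID. The record field names, the override mapping, and the watchlist are assumptions made for illustration.

```python
from collections import defaultdict

# Subset of the Administration Server tables on this page:
# event type ID -> (alphabetic code, importance level, default storage term in days).
# "Not stored" in the tables is represented here as 0.
CATALOG = {
    4111: ("KLSRV_HOST_OUT_CONTROL", "Critical", 180),
    5130: ("KLAUD_EV_SIEM_EXPORT_ERROR", "Critical", 180),
    4143: ("KLSRV_KLCLOUD_SCAN_ERROR", "Functional failure", 0),
    4102: ("KLSRV_EVENT_HOSTS_CONFLICT", "Warning", 90),
    5120: ("KLAUD_EV_SIEM_TEST_FAILED", "Warning", 90),
    4148: ("KLAUD_EV_OBJECTMODIFY", "Info", 30),
    5100: ("KLAUD_EV_DPEKEYSEXPORT", "Info", 30),
}

# Constructed sample records. The field names are hypothetical and are not
# the product's export schema.
SAMPLE_EVENTS = [
    {"event_type_id": 4111, "device": "WS-014"},
    {"event_type_id": 5100, "device": "ADMIN-SRV"},
    {"event_type_id": 4148, "device": "ADMIN-SRV"},
    {"event_type_id": 5130, "device": "ADMIN-SRV"},
    {"event_type_id": 9999, "device": "WS-020"},  # not in CATALOG
]


def effective_terms(catalog, overrides=None):
    """Apply administrator storage-term overrides (code -> days) over the defaults."""
    overrides = dict(overrides or {})
    known = {code for code, _level, _days in catalog.values()}
    unknown = set(overrides) - known
    if unknown:
        raise KeyError(f"override for unknown event type: {sorted(unknown)}")
    return {code: overrides.get(code, days) for code, _level, days in catalog.values()}


def export_gaps(catalog, wanted_codes, overrides=None):
    """Return the wanted event types that cannot be exported.

    Only events stored for at least one day can be exported to external
    systems, so a storage term of 0 is a blind spot whatever the importance.
    """
    terms = effective_terms(catalog, overrides)
    missing = [code for code in wanted_codes if code not in terms]
    if missing:
        raise KeyError(f"event type not in catalog: {missing}")
    return sorted(code for code in wanted_codes if terms[code] < 1)


def triage(events, catalog, watchlist=frozenset()):
    """Bucket event records by importance level, keyed on the numeric event type ID.

    Records with an ID that is not in the catalog go to "Unknown" instead of
    being dropped. Codes on the analyst's watchlist are also copied to
    "Watchlist", so a low-importance audit event is not lost among Info events.
    """
    buckets = defaultdict(list)
    for event in events:
        entry = catalog.get(event.get("event_type_id"))
        if entry is None:
            buckets["Unknown"].append(event)
            continue
        code, level, _days = entry
        record = dict(event, code=code)
        buckets[level].append(record)
        if code in watchlist:
            buckets["Watchlist"].append(record)
    return dict(buckets)


if __name__ == "__main__":
    wanted = ["KLSRV_KLCLOUD_SCAN_ERROR", "KLAUD_EV_DPEKEYSEXPORT", "KLSRV_HOST_OUT_CONTROL"]
    print("Cannot be exported with default storage terms:", export_gaps(CATALOG, wanted))
    for level, records in triage(SAMPLE_EVENTS, CATALOG, {"KLAUD_EV_DPEKEYSEXPORT"}).items():
        print(level, [r.get("code", r["event_type_id"]) for r in records])
```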

See also:

Events of Kaspersky Security Center Cloud Console components


Administration Server critical events

The table below shows the events of Kaspersky Security Center Cloud Console Administration Server that have the Critical importance level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Administration Server critical events

| Event type display name | Event type ID | Event type | Description | Default storage term |
|---|---|---|---|---|
| License limit has been exceeded | 4099 | KLSRV_EV_LICENSE_CHECK_MORE_110 | Once a day Kaspersky Security Center Cloud Console checks whether a license limit is exceeded.<br>Events of this type occur when Administration Server detects that some licensing limits are exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license exceeds 110% of the total number of units covered by the license.<br>Even when this event occurs, client devices are protected.<br>You can respond to the event in the following ways:<br>• Look through the managed devices list. Delete devices that are not in use.<br>• Provide a license for more devices (add a valid activation code or a key file to Administration Server).<br>Kaspersky Security Center Cloud Console determines the rules to generate events when a license limit is exceeded. | 180 days |
| Virus outbreak | 26 (for File Threat Protection) | GNRL_EV_VIRUS_OUTBREAK | Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period.<br>You can respond to the event in the following ways:<br>• Configure the threshold in the Administration Server properties.<br>• Create a stricter policy that will be activated, or create a task that will be run, at the occurrence of this event. | 180 days |
| Virus outbreak | 27 (for Mail Threat Protection) | GNRL_EV_VIRUS_OUTBREAK | Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period.<br>You can respond to the event in the following ways:<br>• Configure the threshold in the Administration Server properties.<br>• Create a stricter policy that will be activated, or create a task that will be run, at the occurrence of this event. | 180 days |
| Virus outbreak | 28 (for firewall) | GNRL_EV_VIRUS_OUTBREAK | Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period.<br>You can respond to the event in the following ways:<br>• Configure the threshold in the Administration Server properties.<br>• Create a stricter policy that will be activated, or create a task that will be run, at the occurrence of this event. | 180 days |
| Device has become unmanaged | 4111 | KLSRV_HOST_OUT_CONTROL | Events of this type occur if a managed device is visible on the network but has not connected to Administration Server for a specific period.<br>Find out what prevents the proper functioning of Network Agent on the device. Possible causes include network issues and removal of Network Agent from the device. | 180 days |
| Device status is Critical | 4113 | KLSRV_HOST_STATUS_CRITICAL | Events of this type occur when a managed device is assigned the Critical status. You can configure the conditions under which the device status is changed to Critical. | 180 days |
| Limited functionality mode | 4130 | KLSRV_EV_LICENSE_SRV_LIMITED_MODE | Events of this type occur when Kaspersky Security Center Cloud Console starts to operate with basic functionality, without Vulnerability and patch management and without Mobile Device Management features.<br>The following are causes of, and appropriate responses to, the event:<br>• License term has expired. Provide a license to use the full functionality mode of Kaspersky Security Center Cloud Console (add a valid activation code or a key file to Administration Server).<br>• Administration Server manages more devices than specified by the license limit. Move devices from the administration groups of an Administration Server to those of another Administration Server (if the license limit of the other Administration Server allows). | 180 days |
| License expires soon | 4129 | KLSRV_EV_LICENSE_SRV_EXPIRE_SOON | Events of this type occur when the commercial license expiration date is approaching.<br>Once a day Kaspersky Security Center checks whether a license expiration date is approaching. Events of this type are published 30 days, 15 days, 5 days and 1 day before the license expiration date. This number of days cannot be changed. If the Administration Server is turned off on the specified day before the license expiration date, the event will not be published until the next day.<br>When the commercial license expires, Kaspersky Security Center Cloud Console provides only basic functionality.<br>You can respond to the event in the following ways: | 180 days |
| MDM certificate has expired | 4132 | KLSRV_CERTIFICATE_EXPIRED | Events of this type occur when the Administration Server certificate for Mobile Device Management expires.<br>You need to update the expired certificate. | 180 days |
| Updates for Kaspersky application modules have been revoked | 4142 | KLSRV_SEAMLESS_UPDATE_REVOKED | Events of this type occur if seamless updates have been revoked (Revoked status is displayed for these updates) by Kaspersky technical specialists; for example, they must be updated to a newer version. The event concerns Kaspersky Security Center Cloud Console patches and does not concern modules of Kaspersky managed applications. The event provides the reason that the seamless updates are not installed. | 180 days |
| Audit: Export to SIEM failed | 5130 | KLAUD_EV_SIEM_EXPORT_ERROR | Events of this type occur when exporting events to the SIEM system failed due to a connection error with the SIEM system. | 180 days |

See also:

Administration Server events

About events in Kaspersky Security Center Cloud Console

Administration Server functional failure events

Administration Server informational events

Administration Server warning events


Administration Server functional failure events

The table below shows the events of Kaspersky Security Center Cloud Console Administration Server that have the Functional failure importance level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Administration Server functional failure events

| Event type display name | Event type ID | Event type | Description | Default storage term |
|---|---|---|---|---|
| Limit of installations has been exceeded for one of the licensed applications groups | 4126 | KLSRV_INVLICPROD_EXCEDED | Administration Server generates events of this type periodically (every hour). Events of this type occur if in Kaspersky Security Center Cloud Console you manage license keys of third-party applications and if the number of installations has exceeded the limit set by the license key of the third-party application.<br>You can respond to the event in the following ways:<br>• Look through the managed devices list. Delete the third-party application from devices on which the application is not in use.<br>• Use a third-party license for more devices.<br>You can manage license keys of third-party applications using the functionality of licensed applications groups. A licensed applications group includes third-party applications that meet criteria set by you. | 180 days |
| Failed to poll the cloud segment | 4143 | KLSRV_KLCLOUD_SCAN_ERROR | Events of this type occur when Administration Server fails to poll a network segment in a cloud environment. Read the details in the event description and respond accordingly. | Not stored |

See also:

Administration Server events

Administration Server critical events

Administration Server informational events

Administration Server warning events

About events in Kaspersky Security Center Cloud Console


Administration Server warning events

The table below shows the events of Kaspersky Security Center Cloud Console Administration Server that have the Warning importance level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Administration Server warning events

| Event type display name | Event type ID | Event type | Description | Default storage term |
|---|---|---|---|---|
| License limit has been exceeded | 4098 | KLSRV_EV_LICENSE_CHECK_100_110 | Once a day Kaspersky Security Center Cloud Console checks whether a license limit is exceeded.<br>Events of this type occur when Administration Server detects that some licensing limits are exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license constitutes 100% to 110% of the total number of units covered by the license.<br>Even when this event occurs, client devices are protected.<br>You can respond to the event in the following ways:<br>• Look through the managed devices list. Delete devices that are not in use.<br>• Provide a license for more devices (add a valid activation code or a key file to Administration Server).<br>Kaspersky Security Center Cloud Console determines the rules to generate events when a license limit is exceeded. | 90 days |
| Device has remained inactive on the network for a long time | 4103 | KLSRV_EVENT_HOSTS_NOT_VISIBLE | Events of this type occur when a managed device shows inactivity for some time.<br>Most often, this happens when a managed device is decommissioned.<br>You can respond to the event in the following ways: | 90 days |
| Conflict of device names | 4102 | KLSRV_EVENT_HOSTS_CONFLICT | Events of this type occur when Administration Server considers two or more managed devices as a single device.<br>Although cloning is not supported in Kaspersky Security Center Cloud Console, this event may occur if you perform cloning using a third-party tool. To avoid the event, when copying the image of a device with Network Agent installed, follow these recommendations:<br>• On the reference device, stop the Network Agent service and run the klmover utility with the -dupfix key. Avoid any subsequent runs of Network Agent service until the image capturing operation completes.<br>• Make sure that the klmover utility is run with the -dupfix key before the first run of the Network Agent service on target devices (this is mandatory), at the first launch of the operating system after the image deployment.<br>The klmover utility is included in the installation package of Network Agent.<br>If you capture the image of a device without Network Agent installed, perform image deployment on target devices and then deploy Network Agent. You have to provide access to the network folder with stand-alone installation packages from a device. | 90 days |
| Device status is Warning | 4114 | KLSRV_HOST_STATUS_WARNING | Events of this type occur when a managed device is assigned the Warning status. You can configure the conditions under which the device status is changed to Warning. | 90 days |
| Limit of installations will soon be reached for one of the licensed applications groups | 4127 | KLSRV_INVLICPROD_FILLED | Events of this type occur when the number of installations for third-party applications included in a licensed applications group reaches 90% of the maximum allowed value specified in the license key properties.<br>You can respond to the event in the following ways:<br>• If the third-party application is not in use on some of the managed devices, delete the application from these devices.<br>• If you expect that the number of installations for the third-party application will exceed the allowed maximum in the near future, consider obtaining a third-party license for a greater number of devices in advance.<br>You can manage license keys of third-party applications using the functionality of licensed applications groups. | 90 days |
| Certificate has been requested | 4133 | KLSRV_CERTIFICATE_REQUESTED | Events of this type occur when a certificate for Mobile Device Management fails to be automatically reissued.<br>The following might be the causes of, and appropriate responses to, the event:<br>• Automatic reissue was initiated for a certificate for which the Certificate has been requested option is disabled. This might be due to an error that occurred during creation of the certificate. Manual reissue of the certificate might be required.<br>• If you use an integration with a public key infrastructure, the cause might be a missing SAM-Account-Name attribute of the account used for integration with PKI and for issuance of the certificate. Review the account properties. | 90 days |
| Certificate has been removed | 4134 | KLSRV_CERTIFICATE_REMOVED | Events of this type occur when an administrator removes any type of certificate (General, Mail, VPN) for Mobile Device Management.<br>After removing a certificate, mobile devices connected via this certificate will fail to connect to Administration Server.<br>This event might be helpful when investigating malfunctions associated with the management of mobile devices. | 90 days |
| APNs certificate has expired | 4135 | KLSRV_APN_CERTIFICATE_EXPIRED | Events of this type occur when an APNs certificate expires.<br>You need to manually renew the APNs certificate and install it on an iOS MDM Server. | 90 days |
| APNs certificate expires soon | 4136 | KLSRV_APN_CERTIFICATE_EXPIRES_SOON | Events of this type occur when there are fewer than 14 days left before the APNs certificate expires.<br>When the APNs certificate expires, you need to manually renew the APNs certificate and install it on an iOS MDM Server.<br>We recommend that you schedule the APNs certificate renewal in advance of the expiration date. | 90 days |
| Failed to send the FCM message to the mobile device | 4138 | KLSRV_GCM_DEVICE_ERROR | Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) for connecting to managed mobile devices with an Android operating system and FCM Server fails to handle some of the requests received from Administration Server. It means that some of the managed mobile devices will not receive a push notification.<br>Read the HTTP code in the details of the event description and respond accordingly. For more information on the HTTP codes received from FCM Server and related errors, please refer to the Google Firebase service documentation (see chapter "Downstream message error response codes"). | 90 days |
| HTTP error sending the FCM message to the FCM server | 4139 | KLSRV_GCM_HTTP_ERROR | Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) for connecting managed mobile devices with the Android operating system and FCM Server responds to an Administration Server request with an HTTP code other than 200 (OK).<br>The following might be the causes of, and appropriate responses to, the event:<br>• Problems on the FCM server side. Read the HTTP code in the details of the event description and respond accordingly. For more information on the HTTP codes received from FCM Server and related errors, please refer to the Google Firebase service documentation (see chapter "Downstream message error response codes").<br>• Problems on the proxy server side (if you use proxy server). Read the HTTP code in the details of the event and respond accordingly. | 90 days |
| Failed to send the FCM message to the FCM server | 4140 | KLSRV_GCM_GENERAL_ERROR | Events of this type occur due to unexpected errors on the Administration Server side when working with the Google Firebase Cloud Messaging HTTP protocol.<br>Read the details in the event description and respond accordingly.<br>If you cannot find the solution to an issue on your own, we recommend that you contact Kaspersky Technical Support. | 90 days |
| Connection to the secondary Administration Server has been interrupted | 4116 | KLSRV_EV_SLAVE_SRV_DISCONNECTED | Events of this type occur when a connection to the secondary Administration Server is interrupted.<br>Read the operating system log on the device where the secondary Administration Server is installed and respond accordingly. | 90 days |
| Connection to the primary Administration Server has been interrupted | 4118 | KLSRV_EV_MASTER_SRV_DISCONNECTED | Events of this type occur when a connection to the primary Administration Server is interrupted.<br>Read the operating system log on the device where the primary Administration Server is installed and respond accordingly. | 90 days |
| Audit: Test connection to SIEM server failed | 5120 | KLAUD_EV_SIEM_TEST_FAILED | Events of this type occur when an automatic connection test to the SIEM server failed. | 90 days |

See also:

Administration Server events

About events in Kaspersky Security Center Cloud Console

Administration Server critical events

Administration Server functional failure events

Administration Server informational events


Administration Server informational events

The table below shows the events of Kaspersky Security Center Cloud Console Administration Server that have the Info importance level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Administration Server informational events

| Event type display name | Event type ID | Event type | Description | Default storage term |
|---|---|---|---|---|
| Over 90% of the license key is used up | 4097 | KLSRV_EV_LICENSE_CHECK_90 | Events of this type occur when Administration Server detects that some licensing limits are close to being exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license constitutes over 90% of the total number of units covered by the license.<br>Even when a licensing limit is exceeded, client devices are protected.<br>You can respond to the event in the following ways:<br>• Look through the managed devices list. Delete devices that are not in use.<br>• Provide a license for more devices (add a valid activation code or a key file to Administration Server).<br>Kaspersky Security Center Cloud Console determines the rules to generate events when a licensing limit is exceeded. | 30 days |
| New device has been detected | 4100 | KLSRV_EVENT_HOSTS_NEW_DETECTED | Events of this type occur when new networked devices have been discovered. | 30 days |
| Device has been automatically moved according to a rule | 4101 | KLSRV_EVENT_HOSTS_NEW_REDIRECTED | Events of this type occur when devices have been assigned to a group according to device moving rules. | 30 days |
| Device has been removed from the group: inactive on the network for a long time | 4104 | KLSRV_INVISIBLE_HOSTS_REMOVED | Events of this type occur when devices have been automatically removed from a group for inactivity. | 30 days |
| Limit of installations will soon be exceeded (more than 95% is used up) for one of the licensed applications groups | 4128 | KLSRV_INVLICPROD_EXPIRED_SOON | Events of this type occur when the number of installations for third-party applications included in a licensed applications group reaches 90% of the maximum allowed value specified in the license key properties.<br>You can respond to the event in the following ways:<br>• If the third-party application is not in use on some of the managed devices, delete the application from these devices.<br>• If you expect that the number of installations for the third-party application will exceed the allowed maximum in the near future, consider obtaining a third-party license for a greater number of devices in advance.<br>You can manage license keys of third-party applications using the functionality of licensed applications groups. | 30 days |
| Files have been found to send to Kaspersky for analysis | 4131 | KLSRV_APS_FILE_APPEARED |  | 30 days |
| FCM Instance ID has changed on this mobile device | 4137 | KLSRV_GCM_DEVICE_REGID_CHANGED | Events of this type occur when the Firebase Cloud Messaging token has changed on the device.<br>For information on the FCM token rotation, please refer to the Firebase service documentation. | 30 days |
| Updates have been successfully copied to the specified folder | 4122 | KLSRV_UPD_REPL_OK | Events of this type occur when the Download updates to the Administration Server repository task finishes copying files to a specified folder. | 30 days |
| Connection to the secondary Administration Server has been established | 4115 | KLSRV_EV_SLAVE_SRV_CONNECTED | Refer to the following topic for details: Creating a hierarchy of Administration Servers: adding a secondary Administration Server. | 30 days |
| Connection to the primary Administration Server has been established | 4117 | KLSRV_EV_MASTER_SRV_CONNECTED |  | 30 days |
| Databases have been updated<br>(In Kaspersky Security Center Cloud Console, this event type is available only for a secondary Administration Server.) | 4144 | KLSRV_UPD_BASES_UPDATED | Events of this type occur when the Download updates to the Administration Server repository task finishes updating databases. | 30 days |
| KSN Proxy has started. KSN availability check has completed successfully | 7718 | KSNPROXY_STARTED_CON_CHK_OK |  | 30 days |
| KSN Proxy has stopped | 7720 | KSNPROXY_STOPPED |  | 30 days |
| Audit: Connection to the Administration Server has been established | 4147 | KLAUD_EV_SERVERCONNECT |  | 30 days |
| Audit: Object has been modified | 4148 | KLAUD_EV_OBJECTMODIFY | This event tracks changes in the following objects:<br>• Administration group<br>• Security group<br>• User<br>• Package<br>• Task<br>• Policy<br>• Server<br>• Virtual Server | 30 days |
| Audit: Object status has changed | 4150 | KLAUD_EV_TASK_STATE_CHANGED | For example, this event occurs when a task has failed with an error. | 30 days |
| Audit: Group settings have been modified | 4149 | KLAUD_EV_ADMGROUP_CHANGED | Events of this type occur when a security group has been edited. | 30 days |
| Audit: Encryption keys have been imported or exported from Administration Server | 5100 | KLAUD_EV_DPEKEYSEXPORT |  | 30 days |
| Audit: Test connection to SIEM server succeeded | 5110 | KLAUD_EV_SIEM_TEST_SUCCESS |  | 30 days |

See also:

Administration Server events

[Topic 177083]

Network Agent events

This section contains information about the events related to Network Agent.

In this section

Network Agent functional failure events

Network Agent warning events

Network Agent informational events

See also:

Events of Kaspersky Security Center Cloud Console components

[Topic 184667]

Network Agent functional failure events

The table below shows the events of Kaspersky Security Center Network Agent that have the Functional failure severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Network Agent functional failure events

| Event type display name | Event type ID | Event type | Description | Default storage term |
|---|---|---|---|---|
| Update installation error | 7702 | KLNAG_EV_PATCH_INSTALL_ERROR | Events of this type occur if automatic updating and patching for Kaspersky Security Center Cloud Console components was not successful. The event does not concern updates of the managed Kaspersky applications. Read the event description. A Windows issue on the Administration Server might be a reason for this event. If the description mentions any issue of Windows configuration, resolve this issue. | 30 days |
| Failed to install the third-party software update | 7697 | KLNAG_EV_3P_PATCH_INSTALL_ERROR | Events of this type occur if Vulnerability and patch management and Mobile Device Management features are in use, and if update of third-party software was not successful. Check whether the link to the third-party software is valid. Read the event description. | 30 days |
| Failed to install the Windows Update updates | 7717 | KLNAG_EV_WUA_INSTALL_ERROR | Events of this type occur if Windows Updates were not successful. Configure Windows Updates in a Network Agent policy. Read the event description. Look for the error in the Microsoft Knowledge Base. Contact Microsoft Technical Support if you cannot resolve the issue yourself. | 30 days |

See also:

Network Agent warning events

Network Agent informational events

[Topic 165484]

Network Agent warning events

The table below shows the events of Kaspersky Security Center Network Agent that have the Warning severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Network Agent warning events

| Event type display name | Event type ID | Event type | Default storage term |
|---|---|---|---|
| Warning has been returned during installation of the software module update | 7701 | KLNAG_EV_PATCH_INSTALL_WARNING | 30 days |
| Third-party software update installation has completed with a warning | 7696 | KLNAG_EV_3P_PATCH_INSTALL_WARNING | 30 days |
| Third-party software update installation has been postponed | 7698 | KLNAG_EV_3P_PATCH_INSTALL_SLIPPED | 30 days |
| Security issue has occurred | 549 | GNRL_EV_APP_INCIDENT_OCCURED | 30 days |
| KSN Proxy has started. Failed to check KSN for availability | 7718 | KSNPROXY_STARTED_CON_CHK_FAILED | 30 days |

See also:

Network Agent functional failure events

Network Agent informational events

[Topic 173538]

Network Agent informational events

The table below shows the events of Kaspersky Security Center Network Agent that have the Info severity level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Network Agent informational events

| Event type display name | Event type ID | Event type | Default storage term |
|---|---|---|---|
| Update for software modules has been installed successfully | 7699 | KLNAG_EV_PATCH_INSTALLED_SUCCESSFULLY | 30 days |
| Installation of update for software modules has started | 7700 | KLNAG_EV_PATCH_INSTALL_STARTING | 30 days |
| Application has been installed | 7703 | KLNAG_EV_INV_APP_INSTALLED | 30 days |
| Application has been uninstalled | 7704 | KLNAG_EV_INV_APP_UNINSTALLED | 30 days |
| Monitored application has been installed | 7705 | KLNAG_EV_INV_OBS_APP_INSTALLED | 30 days |
| Monitored application has been uninstalled | 7706 | KLNAG_EV_INV_OBS_APP_UNINSTALLED | 30 days |
| Third-party application has been installed | 7707 | KLNAG_EV_INV_CMPTR_APP_INSTALLED | 30 days |
| New device has been added | 7708 | KLNAG_EV_DEVICE_ARRIVAL | 30 days |
| Device has been removed | 7709 | KLNAG_EV_DEVICE_REMOVE | 30 days |
| Device has been detected | 7710 | KLNAG_EV_NAC_DEVICE_DISCOVERED | 30 days |
| Device has been authorized | 7711 | KLNAG_EV_NAC_HOST_AUTHORIZED | 30 days |
| Windows Desktop Sharing: File has been read | 7712 | KLUSRLOG_EV_FILE_READ | 30 days |
| Windows Desktop Sharing: File has been modified | 7713 | KLUSRLOG_EV_FILE_MODIFIED | 30 days |
| Windows Desktop Sharing: Application has been started | 7714 | KLUSRLOG_EV_PROCESS_LAUNCHED | 30 days |
| Windows Desktop Sharing: Started | 7715 | KLUSRLOG_EV_WDS_BEGIN | 30 days |
| Windows Desktop Sharing: Stopped | 7716 | KLUSRLOG_EV_WDS_END | 30 days |
| Third-party software update has been installed successfully | 7694 | KLNAG_EV_3P_PATCH_INSTALLED_SUCCESSFULLY | 30 days |
| Third-party software update installation has started | 7695 | KLNAG_EV_3P_PATCH_INSTALL_STARTING | 30 days |
| KSN Proxy has started. KSN availability check has completed successfully | 7719 | KSNPROXY_STARTED_CON_CHK_OK | 30 days |
| KSN Proxy has stopped | 7720 | KSNPROXY_STOPPED | 30 days |

See also:

Network Agent functional failure events

Network Agent warning events

[Topic 173727]

Using event selections

Event selections provide an onscreen view of named sets of events that are selected from the Administration Server database. These sets of events are grouped according to the following categories:

  • By importance level—Critical events, Functional failures, Warnings, and Info events
  • By time—Recent events
  • By type—User requests and Audit events

You can create and view user-defined event selections based on the settings that are available for configuration in the Kaspersky Security Center Cloud Console interface.

Event selections are available in the Kaspersky Security Center Cloud Console, in the Monitoring & reporting section, by clicking Event selections.

By default, event selections include information for the last seven days.

Kaspersky Security Center Cloud Console has a default set of predefined event selections:

  • Events with different importance levels:
    • Critical events
    • Functional failures
    • Warnings
    • Informational messages
  • User requests (events of managed applications)
  • Recent events (over the last week)
  • Audit events

    In Kaspersky Security Center Cloud Console, audit events related to service operations in your workspace are displayed. These events result from actions of Kaspersky specialists and include, for example, the following: changing of Administration Server ports; Administration Server database backup; creation, modification, and deletion of user accounts.

You can also create and configure additional user-defined selections. In user-defined selections, you can filter events by the properties of the devices they originated from (device names, IP ranges, and administration groups), by event types and severity levels, by application and component name, and by time interval. It is also possible to include task results in the search scope. You can also use a simple search field where a word or several words can be typed. All events that contain any of the typed words anywhere in their attributes (such as event name, description, component name) are displayed.

Both for predefined and user-defined selections, you can limit the number of displayed events or the number of records to search. Both options affect the time it takes Kaspersky Security Center Cloud Console to display the events. The larger the database is, the more time-consuming the process can be.

You can do the following:

See also:

Device selections

Scenario: Monitoring and reporting

[Topic 166234]

Creating an event selection

To create an event selection:

  1. In the main menu, go to Monitoring & reporting → Event selections.
  2. Click Add.
  3. In the New event selection window that opens, specify the settings of the new event selection. Do this in one or more of the sections in the window.
  4. Click Save to save the changes.

    The confirmation window opens.

  5. To view the event selection result, keep the Go to selection result check box selected.
  6. Click Save to confirm the event selection creation.

If you kept the Go to selection result check box selected, the event selection result is displayed. Otherwise, the new event selection appears in the list of event selections.

See also:

Scenario: Monitoring and reporting

[Topic 176385]

Editing an event selection

To edit an event selection:

  1. In the main menu, go to Monitoring & reporting → Event selections.
  2. Select the check box next to the event selection that you want to edit.
  3. Click the Properties button.

    An event selection settings window opens.

  4. Edit the properties of the event selection.

    For predefined event selections, you can edit only the properties on the following tabs: General (except for the selection name), Time, and Access rights.

    For user-defined selections, you can edit all properties.

  5. Click Save to save the changes.

The edited event selection is shown in the list.

See also:

Scenario: Monitoring and reporting

[Topic 177708]

Viewing a list of an event selection

To view an event selection:

  1. In the main menu, go to Monitoring & reporting → Event selections.
  2. Select the check box next to the event selection that you want to start.
  3. Do one of the following:
    • If you want to configure sorting in the event selection result, do the following:
      1. Click the Reconfigure sorting and start button.
      2. In the displayed Reconfigure sorting for event selection window, specify the sorting settings.
      3. Click the name of the selection.
    • Otherwise, if you want to view the list of events as they are sorted on the Administration Server, click the name of the selection.

The event selection result is displayed.

See also:

Scenario: Monitoring and reporting

[Topic 176415]

Exporting an event selection

Kaspersky Security Center Cloud Console allows you to save an event selection and its settings to a KLO file. You can use this KLO file to import the saved event selection to both Kaspersky Security Center Windows and Kaspersky Security Center Linux.

Note that you can export only user-defined event selections. Event selections from the default set of Kaspersky Security Center Cloud Console (predefined selections) cannot be saved to a file.

To export an event selection:

  1. In the main menu, go to Monitoring & reporting → Event selections.
  2. Select the check box next to the event selection that you want to export.

    You cannot export multiple event selections at the same time. If you select more than one selection, the Export button will be disabled.

  3. Click the Export button.
  4. In the opened Save as window, specify the event selection file name and path, and then click the Save button.

    The Save as window is displayed only if you use Google Chrome, Microsoft Edge, or Opera. If you use another browser, the event selection file is automatically saved in the Downloads folder.

[Topic 236067]

Importing an event selection

Kaspersky Security Center Cloud Console allows you to import an event selection from a KLO file. The KLO file contains the exported event selection and its settings.

To import an event selection:

  1. In the main menu, go to Monitoring & reporting → Event selections.
  2. Click the Import button, and then choose an event selection file that you want to import.
  3. In the opened window, specify the path to the KLO file, and then click the Open button. Note that you can select only one event selection file.

    The event selection processing starts.

The notification with the import results appears. If the event selection is imported successfully, you can click the View import details link to view the event selection properties.

After a successful import, the event selection is displayed in the selection list. The settings of the event selection are also imported.

If the newly imported event selection has a name identical to that of an existing event selection, the name of the imported selection is expanded with the (<next sequence number>) index, for example: (1), (2).

[Topic 236654]

Viewing details of an event


To view details of an event:

  1. Start an event selection.
  2. Click the time of the required event.

    The Event properties window opens.

  3. In the displayed window, you can do the following:
    • View the information about the selected event
    • Go to the next event and the previous event in the event selection result
    • Go to the device on which the event occurred
    • Go to the administration group that includes the device on which the event occurred
    • For an event related to a task, go to the task properties

See also:

Scenario: Monitoring and reporting

[Topic 171287]

Exporting events to a file

To export events to a file:

  1. Start an event selection.
  2. Select the check box next to the required event.
  3. Click the Export to file button.

The selected event is exported to a file.

See also:

Scenario: Monitoring and reporting

[Topic 178646]

Viewing an object history from an event

From an event of creation or modification of an object that supports revision management, you can switch to the revision history of the object.

To view an object history from an event:

  1. Start an event selection.
  2. Select the check box next to the required event.
  3. Click the Revision history button.

The revision history of the object is opened.

See also:

Scenario: Monitoring and reporting

[Topic 177727]

Logging information about events for tasks and policies

This section offers recommendations on how to minimize the number of events for tasks and policies stored in the database of Kaspersky Security Center Cloud Console. By default, every 1000 devices have 100,000 events. If this limit is exceeded, new events overwrite old ones. As a result, critical events may disappear. Also, the Administration Server warning event named "The limit on the number of events in the database is exceeded, the events have been deleted" may occur. In these cases, we recommend that you follow the instructions in this section.

As a result, you will increase the speed of executing scenarios associated with the analysis of the events. Also, these recommendations help you lower the risk that critical events will be overwritten by a large number of events.

By default, the properties of each task and policy provide for storing all events related to task execution and policy enforcement. However, if a task is run frequently (for example, more than once per week), the number of events may turn out to be too large and the events may flood the database. In this case, we recommend selecting one of two options in the task settings:

  • Save events related to task progress. In this case, Kaspersky Security Center Cloud Console stores only information about task launch, progress, and completion (successful, with a warning, or with an error) from each device on which the task is run.
  • Save only task execution results. In this case, Kaspersky Security Center Cloud Console stores only information about task completion (successful, with a warning, or with an error) from each device on which the task is run.

If a policy has been defined for a fairly large number of devices (for example, more than 10,000), the number of events may also turn out to be large, and the events may flood the database. In this case, we recommend selecting only the most critical events in the policy settings and enabling their logging. You are advised to disable the logging of all other events.

You can also reduce the storage term for events associated with a task or a policy. The default period is 7 days for task-related events and 30 days for policy-related events. When changing the event storage term, consider the work procedures in place at your organization and the amount of time that the system administrator can devote to analyzing each event.

It is advisable to modify the event storage settings if events about changes in the intermediate statuses of group tasks and events about applying policies occupy a large share of all events in the Kaspersky Security Center Cloud Console database.
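The following sketch is an added example, not Kaspersky code: it estimates whether the default limit shortens the real retention of events below the configured storage term. It assumes that the limit scales proportionally with the device count and that the oldest events are overwritten first; the event rates in the two sample scenarios are constructed values, and all names in the code are hypothetical.

```python
"""Estimate how the event limit shortens retention (added example, not vendor code)."""
from dataclasses import dataclass

# From the section above: by default, 100,000 events for every 1000 devices.
EVENTS_PER_1000_DEVICES = 100_000


@dataclass(frozen=True)
class EventSource:
    name: str
    events_per_day: float     # total across all devices (constructed sample rates)
    storage_term_days: float  # page defaults: 7 days for tasks, 30 days for policies


def event_cap(devices: int) -> int:
    # Assumption: the limit grows proportionally with the number of devices.
    return devices * EVENTS_PER_1000_DEVICES // 1000


def steady_state_events(sources) -> float:
    """Events the database would hold if nothing were overwritten."""
    return sum(s.events_per_day * s.storage_term_days for s in sources)


def overwrite_age_days(sources, cap):
    """Age in days at which events start being overwritten, or None if the cap holds.

    Model (assumption): the oldest events are overwritten first, so we solve
    sum(rate_i * min(term_i, A)) == cap for the age A.
    """
    if steady_state_events(sources) <= cap:
        return None
    if cap <= 0:
        return 0.0
    stored = 0.0
    prev_term = 0.0
    for term in sorted({s.storage_term_days for s in sources}):
        # Only sources whose storage term reaches past prev_term still hold
        # events of this age.
        rate = sum(s.events_per_day for s in sources
                   if s.storage_term_days > prev_term)
        segment = rate * (term - prev_term)
        if stored + segment >= cap:
            return prev_term + (cap - stored) / rate
        stored += segment
        prev_term = term
    return None  # not reached: the steady-state check above guarantees a hit


def effective_retention(sources, cap):
    """Real retention per source: the storage term, clipped by the overwrite age."""
    age = overwrite_age_days(sources, cap)
    return {
        s.name: s.storage_term_days if age is None else min(s.storage_term_days, age)
        for s in sources
    }


# Constructed scenarios for 1000 devices.
# A daily task that stores all events (assumed 20 events per device per run):
DEFAULT_LOGGING = [
    EventSource("daily task, all events", 20_000, 7),
    EventSource("policy events", 2_000, 30),
]
# The same task with "Save only task execution results" (one event per device per run):
RESULTS_ONLY = [
    EventSource("daily task, results only", 1_000, 7),
    EventSource("policy events", 2_000, 30),
]

if __name__ == "__main__":
    cap = event_cap(1000)
    for label, scenario in (("default logging", DEFAULT_LOGGING),
                            ("results only", RESULTS_ONLY)):
        print(label, steady_state_events(scenario), effective_retention(scenario, cap))
```

In the first scenario the policy events, which may include critical ones, survive for about 4.5 days instead of the configured 30; in the second scenario the limit is not reached and both storage terms hold.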

[Topic 159815]

Deleting events

To delete one or several events:

  1. Start an event selection.
  2. Select the check boxes next to the required events.
  3. Click the Delete button.

The selected events are deleted and cannot be restored.

See also:

Scenario: Monitoring and reporting

[Topic 178626]

Deleting event selections

You can delete only user-defined event selections. Predefined event selections cannot be deleted.

To delete one or several event selections:

  1. In the main menu, go to Monitoring & reporting → Event selections.
  2. Select the check boxes next to the event selections that you want to delete.
  3. Click Delete.
  4. In the window that opens, click OK.

The event selection is deleted.

See also:

Scenario: Monitoring and reporting

[Topic 176418]

Notifications and device statuses

This section contains information on how to view notifications, configure notification delivery, use device statuses, and enable changing device statuses.

In this section

About notifications

Configuring the switching of device statuses

Configuring notification delivery

[Topic 233384]

About notifications

Kaspersky Security Center Cloud Console provides the capability to monitor your organization's network by sending notifications about any event that you consider important. For any event you can configure notifications by email.

Upon receiving notifications by email, you can decide on your response to an event. This response has to be one that is the most appropriate for your organization's network.

See also:

Scenario: Monitoring and reporting

[Topic 179103]

Configuring the switching of device statuses

You can change conditions to assign the Critical or Warning status to a device.

To enable changing the device status to Critical:

  1. In the main menu, go to Assets (Devices) → Hierarchy of groups.
  2. In the list of groups that opens, click the link with the name of a group for which you want to change switching the device statuses.
  3. In the properties window that opens, select the Device status tab.
  4. In the left pane, select Critical.
  5. In the right pane, in the Set to Critical if these are specified section, enable the condition to switch a device to the Critical status.

    You can change only settings that are not locked in the parent policy.

  6. Select the radio button next to the condition in the list.
  7. In the upper-left corner of the list, click the Edit button.
  8. Set the required value for the selected condition.

    Values cannot be set for every condition.

  9. Click OK.

When specified conditions are met, the managed device is assigned the Critical status.

To enable changing the device status to Warning:

  1. In the main menu, go to Assets (Devices) → Hierarchy of groups.
  2. In the list of groups that opens, click the link with the name of a group for which you want to change switching the device statuses.
  3. In the properties window that opens, select the Device status tab.
  4. In the left pane, select Warning.
  5. In the right pane, in the Set to Warning if these are specified section, enable the condition to switch a device to the Warning status.

    You can change only settings that are not locked in the parent policy.

  6. Select the radio button next to the condition in the list.
  7. In the upper-left corner of the list, click the Edit button.
  8. Set the required value for the selected condition.

    Values cannot be set for every condition.

  9. Click OK.

When specified conditions are met, the managed device is assigned the Warning status.

See also:

Notifications and device statuses

About device statuses

Scenario: Monitoring and reporting

Scenario: Configuring network protection

[Topic 181770_1]

Configuring notification delivery

You can configure email notification about events occurring in Kaspersky Security Center Cloud Console.

To configure notification delivery of events occurring in Kaspersky Security Center Cloud Console:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens with the General tab selected.

  2. Click the Notification section, and in the right pane define the email notification settings:

    Recipients (email addresses)

    The email addresses to which Kaspersky Security Center Cloud Console will send notifications. You can specify multiple addresses in this field by separating them with semicolons.

    You can specify no more than 24 email addresses.

  3. Click the Send test message button to check whether you configured notifications properly: the application sends a test notification to the email addresses that you specified.
  4. Click the OK button to close the Administration Server properties window.

The saved notification delivery settings are applied to all events that occur in Kaspersky Security Center Cloud Console.

You can override notification delivery settings for certain events in the Event configuration section of the Administration Server settings, of a policy's settings, or of an application's settings.

See also:

Scenario: Monitoring and reporting

[Topic 180968]

Kaspersky announcements

This section describes how to use, configure, and disable Kaspersky announcements.

In this section

About Kaspersky announcements

Disabling Kaspersky announcements

[Topic 233385]

About Kaspersky announcements

The Kaspersky announcements section (Monitoring & reporting → Kaspersky announcements) keeps you informed by providing information related to Kaspersky Security Center Cloud Console and the managed applications installed on the managed devices. Kaspersky Security Center Cloud Console periodically updates the information in the section by removing outdated announcements and adding new information.

Kaspersky Security Center Cloud Console shows only those Kaspersky announcements that are related to the currently connected Administration Server and the Kaspersky applications installed on the managed devices of this Administration Server. The announcements are shown individually for any type of Administration Server—primary, secondary, or virtual.

If several administrators use Kaspersky Security Center Cloud Console and they set different interface languages, Kaspersky Security Center Cloud Console displays Kaspersky announcements in every language used by the administrators. When you change the interface language, Kaspersky announcements in the selected language are added to the section automatically after you sign out of the console and then sign in again.

The announcements include information of the following types:

  • Security-related announcements

    Security-related announcements are intended to keep the Kaspersky applications installed in your network up-to-date and fully functional. The announcements may include information about critical updates for Kaspersky applications, fixes for found vulnerabilities, and ways to fix other issues in Kaspersky applications. Security-related announcements are enabled by default. If you do not want to receive the announcements, you can disable this feature.

    You cannot disable the security-related announcements in the trial mode of Kaspersky Security Center Cloud Console.

    To show you the information that corresponds to your network protection configuration, Kaspersky Security Center Cloud Console sends data to Kaspersky cloud servers and receives only those announcements that relate to the Kaspersky applications installed in your network. The data set that can be sent to the servers is described in the Kaspersky Security Center Cloud Console Agreement that you accept when you create a company workspace.

  • Marketing announcements

    Marketing announcements include information about special offers for your Kaspersky applications, advertisements, and news from Kaspersky. Marketing announcements are disabled by default. You receive this type of announcements only if you enabled Kaspersky Security Network (KSN). You can disable marketing announcements by disabling KSN.

    To show you only relevant information that might be helpful in protecting your network devices and in your everyday tasks, Kaspersky Security Center Cloud Console sends data to Kaspersky cloud servers and receives the appropriate announcements. The data set that can be sent to the servers is described in the Processed Data section of the KSN Statement.

New information is divided into the following categories, according to importance:

  1. Critical info
  2. Important news
  3. Warning
  4. Info

When new information appears in the Kaspersky announcements section, Kaspersky Security Center Cloud Console displays a notification label that corresponds to the importance level of the announcements. You can click the label to view this announcement in the Kaspersky announcements section.

See also:

Disabling Kaspersky announcements

About KSN

[Topic 210552]

Disabling Kaspersky announcements

The Kaspersky announcements section (Monitoring & reporting → Kaspersky announcements) keeps you informed by providing information related to your version of Kaspersky Security Center Cloud Console and managed applications installed on the managed devices. If you do not want to receive Kaspersky announcements, you can disable this feature.

The Kaspersky announcements include two types of information: security-related announcements and marketing announcements. You can disable the announcements of each type separately.

You cannot disable the security-related announcements in the trial mode of Kaspersky Security Center Cloud Console.

To disable security-related announcements:

  1. In the main menu, click the settings icon next to the name of the Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Kaspersky announcements section.
  3. Switch the toggle button to the Security-related announcements Disabled position.
  4. Click the Save button.

    Kaspersky announcements are disabled.

Marketing announcements are disabled by default. You receive marketing announcements only if you enabled Kaspersky Security Network (KSN). You can disable this type of announcement by disabling KSN.

To disable marketing announcements:

  1. In the main menu, click the settings icon next to the name of the Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the KSN settings section.
  3. Disable the I agree to use Kaspersky Security Network option.
  4. Click the Save button.

    Marketing announcements are disabled.

See also:

About Kaspersky announcements

[Topic 210639]

Receiving license expiration warning

To add a Kaspersky Endpoint Security for Business Select license key to the Administration Server:

  1. In the main menu, click the settings icon next to the name of the Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the License keys section.
  3. Click Select.
  4. In the window that opens, select your license and click OK.

    Alternatively, if no license is displayed, you can click Add new license key and use your activation code.

The license is added to the Administration Server repository. This makes the Administration Server generate a critical event "License expires soon" one day before the license term expires and a critical event "Limited functionality mode" after the license term expires. If you want, you can configure notification delivery.

If you add a Kaspersky Endpoint Security for Business Select license key to the Administration Server repository, then the license is considered used on one device.

See also:

Application licensing

Scenario: Monitoring and reporting

[Topic 195503]

Cloud Discovery

Kaspersky Security Center Cloud Console allows you to monitor the use of cloud services on managed devices running Windows and to block access to cloud services that you consider unwanted. Cloud Discovery tracks user attempts to gain access to these services through both browsers and desktop applications. It also tracks user attempts to gain access to cloud services over unencrypted connections (for example, using the HTTP protocol). This feature helps you to detect and halt the use of cloud services by shadow IT.

The Cloud Discovery feature is only available if you have purchased a Kaspersky Next license. For details, refer to Licenses and the minimum number of devices for each license.

You can enable the Cloud Discovery feature and select the security policies or profiles for which you want to enable the feature. You can also enable or disable the feature separately in each security policy or profile. You can block access to cloud services that you do not want users to access.

To be able to block access to unwanted cloud services, make sure that the following prerequisites are met:

  • You use Kaspersky Endpoint Security 11.2 for Windows or later. Earlier versions of the security application only allow you to monitor the use of cloud services.
  • You have purchased a Kaspersky Next license, which provides the ability to block access to unwanted cloud services. For details, refer to Kaspersky Next Help.

The Cloud Discovery widget and the Cloud Discovery reports display information about successful and blocked attempts to gain access to cloud services. The widget also displays the risk level of each cloud service. Kaspersky Security Center Cloud Console gets information about the use of cloud services from all of the managed devices that are protected only by the security policies or profiles that have the feature enabled.

In this section

Enabling Cloud Discovery by using the widget

Adding the Cloud Discovery widget to the dashboard

Viewing information about the use of cloud services

Risk level of a cloud service

Blocking access to unwanted cloud services

[Topic 126963]

Enabling Cloud Discovery by using the widget

The Cloud Discovery feature allows you to get information about the use of cloud services from all of the managed devices that are protected only by the security policies that have the feature enabled. You can enable or disable Cloud Discovery for the Kaspersky Endpoint Security for Windows policy only.

There are two ways to enable the Cloud Discovery feature:

  • By using the Cloud Discovery widget.
  • In the properties of the Kaspersky Endpoint Security for Windows policy.

    For details on how to enable the Cloud Discovery feature in the Kaspersky Endpoint Security for Windows policy properties, refer to the Cloud Discovery section of Kaspersky Endpoint Security for Windows Help.

Note that you can disable the Cloud Discovery feature in the Kaspersky Endpoint Security for Windows policy parameters only.

To enable Cloud Discovery, you must have the Write right in the General features: Basic functionality functional area.

To enable the Cloud Discovery feature by using the Cloud Discovery widget:

  1. Go to Kaspersky Security Center Cloud Console.
  2. In the main menu, go to Monitoring & reporting → Dashboard.
  3. On the Cloud Discovery widget, click the Enable button.
  4. In the Enable Cloud Discovery window that opens, select the security policies for which you want to enable the feature, and then click the Enable button.

    The following policy settings will be enabled automatically: Inject script into web traffic to interact with web pages, Web Session monitor, and Encrypted connections scan.

The Cloud Discovery feature is enabled and the widget is added to the dashboard.

Adding the Cloud Discovery widget to the dashboard

You can add the Cloud Discovery widget to the dashboard to monitor the use of cloud services on managed devices.

To add the Cloud Discovery widget to the dashboard, you must have the Write right in the General features: Basic functionality functional area.

To add the Cloud Discovery widget to the dashboard:

  1. Go to Kaspersky Security Center Cloud Console.
  2. In the main menu, go to Monitoring & reporting → Dashboard.
  3. Click the Add or restore web widget button.
  4. In the list of available widgets, click the chevron icon next to the Other category.
  5. Select the Cloud Discovery widget, and then click the Add button.

    If the Cloud Discovery feature is disabled, follow the instructions in the Enabling Cloud Discovery by using the widget section.

The selected widget is added at the end of the dashboard.

Viewing information about the use of cloud services

You can view the Cloud Discovery widget that shows information about attempts to gain access to cloud services. The widget also displays the risk level of each cloud service. Kaspersky Security Center Cloud Console gets information about the use of cloud services from all of the managed devices that are protected only by the security policies that have the feature enabled.

Before viewing, make sure that:

To view the Cloud Discovery widget:

  1. Go to Kaspersky Security Center Cloud Console.
  2. In the main menu, go to Monitoring & reporting → Dashboard.

    The Cloud Discovery widget is displayed on the dashboard.

  3. On the left side of the Cloud Discovery widget, select a category of cloud services.

    The table on the right side of the widget displays up to five services from the selected category, to which users most often try to gain access. Both successful and blocked attempts are counted.

  4. On the right side of the widget, select a specific service.

    The table below displays up to ten devices that most often attempt to gain access to the service. In this table, you can generate two types of reports: report on successful access attempts and report on blocked access attempts.

    In addition, in this table you can block access to the cloud service for a specific device.

The widget displays the requested information.

From the displayed widget, you can do the following:

  • Proceed to the Monitoring & reporting → Reports section to view the Cloud Discovery reports.
  • Block or allow access to the selected cloud service.

The Cloud Discovery feature is only available if you have purchased a Kaspersky Next license. For details, refer to Licenses and the minimum number of devices for each license.

Risk level of a cloud service

For each cloud service, Cloud Discovery provides you with a risk level. The risk level helps you determine which services do not fit the security requirements of your organization. For example, you may want to take the risk level into account when deciding whether to block access to a certain service.

The risk level is an estimated index and does not say anything about the quality of a cloud service or about the service manufacturer. The risk level is simply a recommendation from Kaspersky experts.

Risk levels of cloud services are displayed in the Cloud Discovery widget and in the list of all monitored cloud services.

Blocking access to unwanted cloud services

You can block access to cloud services that you do not want users to access. You can also allow access to cloud services that were previously blocked.

Among other considerations, you may want to take the risk level into account when deciding whether to block access to a certain service.

You can block or allow access to cloud services for a security policy or profile.

There are two ways to block access to unwanted cloud services:

  • By using the Cloud Discovery widget.

    In this case, you can block access to the services one by one.

  • In the properties of the Kaspersky Endpoint Security for Windows policy.

    In this case, you can block access to the services one by one or block an entire category at once.

    For details on how to enable the Cloud Discovery feature in the Kaspersky Endpoint Security for Windows policy properties, refer to the Cloud Discovery section of Kaspersky Endpoint Security for Windows Help.

To block or allow access to a cloud service by using the widget:

  1. Open the Cloud Discovery widget, and then select the required cloud service.
  2. In the Top 10 devices that use the service pane, find the security policy or profile for which you want to block or allow the service.
  3. On the required line, in the Access status in policy or profile column, do any of the following:
    • To block the service, select Blocked in the drop-down list.
    • To allow the service, select Allowed in the drop-down list.
  4. Click the Save button.

Access to the selected service is blocked or allowed for the security policy or profile.
