List of event sources
Sources of events are displayed in the table under Source status → List of event sources. One page can display up to 250 sources. You can sort the table by clicking the column heading of the relevant parameter and selecting Ascending or Descending.
You can use the Search field to search for event sources. The search is performed using regular expressions (RE2). You can also filter the table by the Status or Monitoring policy columns by clicking the heading of the relevant column and selecting the values that you want to display.
If necessary, you can configure the interval for updating data in the table. Available update periods: 1 minute, 5 minutes, 15 minutes, 30 minutes, 1 hour. The default value is No refresh. You may need to configure the update period to track changes made to the list of sources.
Viewing information about event sources
In the Source status → List of event sources section, information about event sources is displayed in the following columns:
- Status—status of the event source:
- Green—events are being received within the limits of the assigned monitoring policies.
- Red—the frequency or number of incoming events goes beyond the boundaries defined in at least one assigned monitoring policy.
- Gray—monitoring policies have not been assigned to the source of events.
If the status is red, an event of the Monitoring type is generated. The monitoring event is generated in the tenant that owns the event source and is sent to the storage of the Main tenant (the storage must already be deployed in the Main tenant). If you have access to the tenant of the event source and do not have access to the Main tenant, you can still search for monitoring events in the storage of the Main tenant; the monitoring events of the tenants available to you will be displayed for you. You can also configure notifications to be sent to an arbitrary email address.
The table can be filtered by status.
- Name—name of the event source. The name is generated automatically from the values of fields configured in the event source identification settings.
You can rename an event source in the table of event sources by hovering over its name and clicking the pencil icon. The name can contain no more than 128 Unicode characters.
- Host name or IP address—name or IP address of the host from which the events originate if the DeviceHostName or DeviceAddress fields are specified in the event source identification settings.
- Monitoring policy—list of the monitoring policies assigned to the event source.
If you want to filter the list of event sources by applied monitoring policies, click the name of this column and select one or more monitoring policies. If necessary, you can find policies in the list using the Search field.
You can view information about all monitoring policies assigned to an event source by clicking the row of the source. This opens a window that displays the settings of monitoring policies, as well as the status of the source according to each policy. If several monitoring policies are assigned to the source, the red status in the table of sources in this window lets you identify the policy that was triggered. You can also see which policies are enabled and which are disabled, and when the disabled policies will be enabled again.
- Stream—frequency at which events are received from the event source. If only monitoring policies of the byCount type or monitoring policies of different types are assigned to the source, this value is displayed as the number of events. If only monitoring policies of the byEPS type are assigned to the source, or no policies are assigned, the value is displayed as the number of events per second.
- Tenant—the tenant that owns the events received from the event source.
Managing event sources
You can select one or more event sources by selecting the check boxes in the first column of the table. You can select multiple event sources at once for performing group operations by selecting the check box in the heading of the first column and selecting Select all or Select all in page. The Select all in page option applies only to event sources displayed in the list: if only 500 out of 1500 sources are displayed in the list, then group actions to download, enable or disable policies, or delete event sources are applied only to the selected 500 sources. If you want to perform an action on all sources in the table, select Select all.
If you select sources of events, the following buttons become available:
- The Enable policy button enables the monitoring policy for event sources. You must select policies in the displayed window to apply them.
- You can use the Disable policy button to disable the monitoring policy for event sources. When disabling a policy, you must specify whether you want to disable the policy temporarily or forever.
- The Update policy button applies the monitoring policies that are enabled for the event sources, or changes the monitoring policies that are already assigned. When a policy is updated, a task is started in the task manager.
This button becomes available after you change the monitoring policies assigned to event sources.
- You can click the Remove button to remove event sources from the table. The statistics on this source will also be removed. If a collector continues to receive data from the source, the event source will re-appear in the table but its old statistics will not be taken into account.
If you want to delete all event sources, but some time has passed since the table was last refreshed, sources added during this time may not be displayed in the table, but they will be deleted regardless.
If you delete more than 100,000 event sources to which a filter or search was applied, only the first 100,000 event sources will be deleted. You can select all filtered event sources again and delete them, and then repeat this until you have deleted all event sources that you intended to delete. You can delete over 100,000 event sources if no filters or searches are applied to them by selecting sources using the Select all button.
- You can click CSV to download the data of the selected event sources to a CSV file.
- You can click the Chart button to plot a chart of incoming events for the last seven days for the selected event sources. You can select up to five event sources.
Downloading event source information to a CSV file
You can download information about one or more event sources and the monitoring policies applied to them to a CSV file in UTF-8 encoding. If multiple monitoring policies are applied to a source, in the file for that source, each monitoring policy and its parameters start on a new line. For each monitoring policy applied to a source, the following parameters are exported to the file: Status, Name, Monitoring policy, Lower limit, Upper limit, Stream, Tenant.
To download event source information to a CSV file:
- In the KUMA Console, in the Source status → List of event sources section, select one or more event sources in the table by selecting the check boxes in the first column next to the relevant sources.
In the lower left part of the table, you can find the number of selected sources and the total number of sources in the table. You can select up to 150,000 event sources.
You can select several event sources by clicking the check box in the heading of the first column and selecting one of the following options:
- Select all to select all event sources on all pages of the table. If you have used search to filter sources, this will select all sources that match the search query.
- Select all in page to select all event sources on the currently displayed page. If you have used search to filter sources, this will select all sources on the currently displayed page that match the search query.
- Click the CSV button in the upper part of the table.
Depending on the size of your browser window, the CSV button may be found in the additional menu that you can open by clicking on the icon with the three dots.
A new event source export task is created in the task manager.
- Go to the Task manager section and find the created task.
When the file is ready, the Status column of the task displays the Completed status.
- Click the task type name and select Download from the drop-down list.
The CSV file with event source information is downloaded in accordance with your browser settings. The default file name is event-source-list.csv.
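One way to triage the exported file offline, as an added example that is not part of the product documentation: it lists sources that have no monitoring policy and, for sources in the red status, the policies that are outside their limits. The comma-separated layout with a header row, the colour words in the Status column, the repetition of Name and Tenant on every policy row, and all sample rows are assumptions; adjust them to the actual file.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real data). Assumed layout: comma-separated,
# a header row with the parameter names from the documentation, one row per
# assigned policy with Name and Tenant repeated, Status written as a colour.
SAMPLE_CSV = """\
Status,Name,Monitoring policy,Lower limit,Upper limit,Stream,Tenant
green,fw-edge-01,fw-eps,10,500,120,Main
red,dc-01,dc-eps,5,200,0,Main
green,dc-01,dc-count,100,100000,4200,Main
gray,vpn-gw-02,,,,3,Branch
red,proxy-01,proxy-eps,1,50,75,Branch
"""


def triage(csv_text):
    """Return (unmonitored sources, {source: [policies in red status]})."""
    policies = defaultdict(list)  # (tenant, name) -> [(policy, status)]
    for row in csv.DictReader(io.StringIO(csv_text)):
        row = {k: (v or "").strip() for k, v in row.items() if k}
        key = (row["Tenant"], row["Name"])
        policies[key]  # register the source even if it has no policy row
        if row["Monitoring policy"]:
            policies[key].append((row["Monitoring policy"], row["Status"].lower()))
    # Gray in the table means no policy is assigned, so nothing alerts
    # if the source goes quiet.
    unmonitored = sorted(k for k, p in policies.items() if not p)
    triggered = {
        k: [name for name, status in p if status == "red"]
        for k, p in policies.items()
        if any(status == "red" for _, status in p)
    }
    return unmonitored, triggered


def load_export(path):
    """Read a downloaded export; utf-8-sig also tolerates a leading BOM."""
    with open(path, encoding="utf-8-sig", newline="") as fh:
        return fh.read()


if __name__ == "__main__":
    unmonitored, triggered = triage(SAMPLE_CSV)
    for tenant, name in unmonitored:
        print(f"[no policy] {name} (tenant {tenant})")
    for (tenant, name), names in sorted(triggered.items()):
        print(f"[red] {name} (tenant {tenant}): {', '.join(names)}")
```

For a downloaded file, pass the result of `load_export("event-source-list.csv")` to `triage` instead of the sample text.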
Viewing the dynamics of incoming events
You can examine the dynamics of events received from a source over the last seven days, taking into account the applied monitoring policies, in one of the following ways:
- View the graph for an individual event source.
- Plot a chart based on graphs for several (up to five) sources.
You can view the graph for a single event source in the KUMA Console in the Source status → List of event sources section by clicking the arrow icon in the row of the relevant event source. The graph of incoming events is displayed under the row of the source.
The data in the graph is displayed as follows:
- The data is displayed for the days on which the events were received. The maximum period is seven days.
In the upper left corner above the graph, you can see the number of days, and in the upper right corner, the data display period. You can click the Events for <number> days button to go to the Events section and view the list of events for the selected source.
- The X-axis represents days, and the Y-axis represents the frequency of events (EPS).
- The lines represent the average, maximum, and minimum number of events for every 15-minute period during the last seven days.
If you want to view the number of events at a specific time, hover over a point on the graph. A tooltip is displayed with the average, maximum, and minimum event count at a specific date and time.
You can also plot a chart of incoming events based on graphs for several event sources, for example, if you need to compare the activity of event sources of the same type that should behave in a similar way, but in fact behave in different ways.
To plot a chart based on graphs for multiple event sources:
- In the KUMA Console, in the Source status → List of event sources section, select one or more event sources in the table by selecting the check boxes in the first column next to the relevant sources.
You can plot a chart for up to 5 event sources at the same time.
- Click the Chart button in the upper part of the table.
Depending on the size of your browser window, the Chart button may be found in the additional menu that you can open by clicking on the icon with the three dots.
The displayed Chart pane contains a chart of incoming events for all selected sources as well as a table that displays the current number of events, the maximum number of events, and the average number of events for each source, calculated based on the data from the chart. You can compare how the data for the selected sources relates to each other over time.
The data in the chart is displayed as follows:
- The data is displayed for the days on which the events were received. The maximum period is seven days.
In the upper right corner above the chart, you can see the data display period.
- The X-axis represents days, and the Y-axis represents the frequency of events (EPS).
- The lines in the chart represent the average number of incoming events from the selected event sources for every 15-minute interval during the last seven days.
You can hover over the chart to view the average number of events for each source at a specific time.
- If necessary, clear the check boxes in the table below the chart next to the event sources that you want to hide in the chart.
- If you want to display the diagram in more detail, click the two arrows icon to open the panel in full screen mode and zoom in on the diagram.