Kaspersky Embedded Systems Security 3.x

Configuring predefined task rules

25 October 2023

ID 146701

Perform the following actions to configure the predefined rules for the Log Inspection task:

  1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
  2. Select the administration group for which you want to configure application settings.
  3. Perform one of the following actions in the details pane of the selected administration group:
  4. In the System inspection section, click the Log Inspection button in the Settings subsection.

    The Log Inspection window opens.

  5. Select the Predefined rules tab.
  6. Select or clear the Apply predefined rules for log inspection check box.

    For the task to run, at least one Log Inspection rule must be selected.

  7. Select the rules you want to apply from the list of predefined rules:
    • There are patterns of a possible brute-force attack in the system.
    • There are patterns of a possible Windows Event log abuse.
    • Atypical actions detected on behalf of a new service installed.
    • Atypical logon that uses explicit credentials detected.
    • There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system.
    • Atypical actions detected directed at a privileged built-in group Administrators.
    • There is an atypical activity detected during a network logon session.
  8. To configure the selected rules, click the Advanced settings button.

    The Log Inspection window opens.

  9. In the Brute-force attack detection section, set the number of attempts and time frame used as triggers by the heuristic analyzer.
  10. In the Network logon detection section, specify the start and end of the time interval. Kaspersky Embedded Systems Security for Windows treats logon attempts made during this interval as anomalous activity.
  11. Select the Exclusions tab.
  12. Perform the following actions to add trusted users:
    1. Click the Browse button.
    2. Select a user.
    3. Click the OK button.

      The selected user is added to the list of trusted users.

  13. Perform the following actions to add trusted IP addresses:
    1. Enter the IP address.
    2. Click the Add button.
  14. The entered IP address is added to the list of trusted IP addresses.
  15. On the Task management tab, configure the task start schedule.
  16. Click the OK button in the Log Inspection window.

The Log Inspection task configuration is saved.
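The following added example (not Kaspersky code, and not a description of how the product's heuristic analyzer is implemented) models how the settings from steps 9 to 13 interact: an attempt count within a time frame, an anomalous network logon interval, and trusted users and IP addresses. The threshold values, the names, tracking failures per source IP, and applying exclusions to every rule are assumptions; event IDs 4625 and 4624 and logon type 3 are the standard Windows Security log values for failed logon, successful logon, and network logon.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Assumed settings mirroring the dialog fields; illustrative values, not product defaults.
MAX_FAILURES = 3                      # "number of attempts"
WINDOW = timedelta(seconds=60)        # "time frame"
ANOMALOUS_START, ANOMALOUS_END = time(23, 0), time(5, 0)   # network logon interval
TRUSTED_USERS = {"CORP\\backup"}
TRUSTED_IPS = {"10.0.0.5"}

def in_interval(t, start, end):
    """True if t falls in [start, end), including intervals that cross midnight."""
    return start <= t < end if start <= end else (t >= start or t < end)

def inspect(events):
    """events: time-ordered tuples (timestamp, event_id, logon_type, user, source_ip)."""
    failures = defaultdict(deque)     # source_ip -> timestamps of recent failed logons
    alerts = []
    for ts, event_id, logon_type, user, ip in events:
        if user in TRUSTED_USERS or ip in TRUSTED_IPS:
            continue                  # assumed: an exclusion skips every rule
        if event_id == 4625:          # failed logon
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > WINDOW: # drop failures older than the time frame
                q.popleft()
            if len(q) >= MAX_FAILURES:
                alerts.append(("brute-force", ip, ts))
                q.clear()             # avoid re-alerting on every further failure
        elif event_id == 4624 and logon_type == 3:   # successful network logon
            if in_interval(ts.time(), ANOMALOUS_START, ANOMALOUS_END):
                alerts.append(("network-logon", user, ts))
    return alerts

def at(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample events (not real log data).
SAMPLE = [
    (at("2023-10-25 14:00:00"), 4625, 3, "CORP\\alice", "192.0.2.10"),
    (at("2023-10-25 14:00:20"), 4625, 3, "CORP\\alice", "192.0.2.10"),
    (at("2023-10-25 14:00:40"), 4625, 3, "CORP\\bob", "192.0.2.10"),
    (at("2023-10-25 14:05:00"), 4625, 3, "CORP\\carol", "10.0.0.5"),    # trusted IP
    (at("2023-10-26 02:30:00"), 4624, 3, "CORP\\dave", "192.0.2.44"),
    (at("2023-10-26 02:31:00"), 4624, 3, "CORP\\backup", "192.0.2.45"), # trusted user
    (at("2023-10-26 09:00:00"), 4624, 3, "CORP\\dave", "192.0.2.44"),   # outside interval
]
```

Calling `inspect(SAMPLE)` yields one brute-force alert and one network logon alert; widening the exclusion lists or the time frame shows how each setting trades detection coverage against noise.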
