I would like to see better reporting implemented in KSC. For example reports about HIPS activity (apps placed in Low Restricted and Restricted groups, blocked activities etc). Currently you need to manually go through the logs in KSC for that. It would be neat to have something similar to App Control Blocked runs report that shows the blocked executables.
There should also be a report on File Integrity Monitoring and System Inspection that would cover all the created and modified files, who modified them and at what time. The same goes with System Inspection where it would be good to have option to check what rules or events are reported on.
Am I correct that the Software Registry report shows all the detected executables? Is it possible to get info only on new executables detected during a certain time period?
And also, alerts also need to have more data in them. Especially for Kaspersky for File Server. For example, currently we use alerts for some custom Windows Event ID’s but the alert just contains data about it being triggered and not much else.
That is kind of useless as every time I have to log into KSC to actually see what rule was triggered. It should contain the actual rule name set in Security for File server, event ID and the event contents. For example if a scheduled task is created, I would like to see which one, because Windows Update creates a bunch of false alerts which I would not investigate. But if I see a process created or new user added or whatever event ID’s I have defined, then I would probably want to investigate immediately.