Managing response actions in Kaspersky Industrial CyberSecurity for Networks
If joint operation with EPP applications is configured in Kaspersky Industrial CyberSecurity for Networks, you can manually trigger the following response actions on devices:
- Network isolation.
- Prevent run.
- Move to quarantine.
Response actions help prevent or minimize the consequences of detected threats from devices in an industrial network.
The capability to trigger response actions is available for devices with Kaspersky Endpoint Agent installed. When a response action is triggered, Kaspersky Industrial CyberSecurity for Networks transmits the information about it to Kaspersky Endpoint Agent installed on the device. Kaspersky Endpoint Agent executes the received command and sends a completion notification to Kaspersky Industrial CyberSecurity for Networks.
Once the triggered response action is completed and the threat from the device is eliminated, you can trigger the corresponding reverse action. For the listed response actions, the following reverse actions are available:
- Disable network isolation.
- Disable run prevention.
- Restore from quarantine.
Kaspersky Industrial CyberSecurity for Networks registers triggered response actions and the corresponding reverse actions. The registered actions are displayed in the Events section on the Response actions tab.
You can trigger response actions by selecting the relevant events, devices or previous response actions that were registered and completed. The actions available to you depend on the selected object. For example, if you select a device with Kaspersky Endpoint Agent installed, you can only manage network isolation for this device. The other response actions (Prevent run and Move to quarantine) are available when you select an event associated with this device, provided that a threat development chain has been built for the event in Kaspersky Endpoint Agent.
Only users with the Administrator role can trigger response actions and the corresponding reverse actions.