Kaspersky Industrial CyberSecurity for Networks

Triggering event response actions

March 22, 2024

ID 264559

You can trigger response actions on a device from a registered event that is associated with that device. To trigger a response action, the event must be associated with a device whose Kaspersky Endpoint Agent has been prepared according to the scenario for preparing to receive data from EPP applications.

When working with events, you can trigger the following response actions:

  • Isolate device from the network — for any event associated with a device with Kaspersky Endpoint Agent installed.
  • Prevent run, Move to quarantine — for an event based on EPP technology if a threat development chain is built for this event in Kaspersky Endpoint Agent and includes an activity event with a threat detection object and the File creation or Starting a process type. You can also trigger the Isolate device from the network action for such events.

For events that are EDR incidents, you can trigger the Prevent run and Move to quarantine actions both for the threat detection object and for objects specified in other activity events with the File creation or Starting a process type.

To isolate a device associated with an event from the network:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using the Administrator account.
  2. Select the event on the Events and incidents tab in the Events section.

    You can select an EDR incident or any event associated with the device with Kaspersky Endpoint Agent installed.

    The details area appears in the right part of the web interface window.

  3. In the details area, open the Threat response drop-down list and select Isolate device from the network.

    A window with a confirmation prompt opens.

  4. In the request window, confirm the start of the response action.

The application will register a new response action. You can view information about this action in the Events section on the Response actions tab.

To prevent a threat detection object from running or to move it to quarantine:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using the Administrator account.
  2. Select the event on the Events and incidents tab in the Events section.

    You can select an EDR incident if the threat development chain includes an activity event with a threat detection object and the File creation or Starting a process type.

    The details area appears in the right part of the web interface window.

  3. In the details area, open the Threat response drop-down list and select the appropriate item:
    • Prevent run — if you want to prevent the threat detection object from running.
    • Move to quarantine — if you want to move the threat detection object to quarantine.

    A window with a confirmation prompt opens.

  4. In the request window, confirm the start of the response action.

The application will register a new response action. You can view information about this action in the Events section on the Response actions tab.

To prevent an object from running or to move it to quarantine, where the object is specified in any activity event with the File creation or Starting a process type in the threat development chain:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using the Administrator account.
  2. Select the event on the Events and incidents tab in the Events section.

    You can select an EDR incident.

    The details area appears in the right part of the web interface window.

  3. In the details area, go to the All activity events tab and select the appropriate activity event.

    You can select any activity event with the File creation or Starting a process type. A key activity event (with a threat detection object) is marked with the Detection icon.

  4. In the activity event details window that opens, click the appropriate button:
    • Prevent run — if you want to prevent the object from the selected activity event from running.
    • Move to quarantine — if you want to move the object from the selected activity event to quarantine.

    A window with a confirmation prompt opens.

  5. In the request window, confirm the start of the response action.

The application will register a new response action. You can view information about this action in the Events section on the Response actions tab.
