Kaspersky Next XDR Expert

Responding through KATA/KEDR


After you configure integration between Kaspersky Next XDR Expert and Kaspersky Anti Targeted Attack Platform, you can perform response actions on a device or with a file hash in one of the following ways:

  • From the alert or incident details
  • From the device details
  • From the event details

    This option is available for the Add prevention rule response action. 

  • From an investigation graph

You can also configure the response action to run automatically when creating or editing a playbook.

To perform response actions through Kaspersky Anti Targeted Attack Platform, you must have one of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst.

Performing response actions from alert or incident details

To perform a response action from the alert or incident details:

  1. Do one of the following:
    • In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the ID of the alert that includes the required device.
    • In the main menu, go to the Monitoring & reporting → Incidents section. In the ID column, click the ID of the incident that includes the required device.
  2. In the window that opens, go to the Assets tab.
  3. Select the check box next to the required device.

    You can select several devices, if necessary.

  4. In the Select response actions drop-down list, select the response action that you want to perform:
    • Enable network isolation

      If you select this response action for a device on which network isolation is already enabled, the parameters are overwritten with new values.

      After you select this response action, you must configure the necessary settings in the window that opens on the right side of the screen.

    • Disable network isolation

      You can select this response action for devices on which network isolation is enabled.

    • Run executable file

      The executable file always runs with system privileges and must already be present on the device before you start the response action. Specify the full path to a file you control, since whatever is at that path will run with those privileges.

      After you select this response action, you must configure the necessary settings in the window that opens on the right side of the screen.

    • Add prevention rule

      After you select this response action, you must configure the necessary settings in the window that opens on the right side of the screen.

    • Delete prevention rule

      You can select this response action for devices on which the prevention rule was applied.

    All of the listed response actions are available on devices that use Kaspersky Endpoint Agent for Windows or Kaspersky Endpoint Security for Windows in the role of the Endpoint Agent component. On devices with Kaspersky Endpoint Agent for Linux and Kaspersky Endpoint Security for Linux, the only available response action is Run executable file.

  5. In the window that opens, set the necessary parameters for the response action you selected at step 4:
    • For network isolation
      1. Specify the period of the device isolation and the units.
      2. If you want to add an exception to the network isolation rule, click the Add exclusion button, and then fill in the following fields:
        • Network traffic direction.

          You can select one of the values:

          • Inbound

            If you select this direction, you must specify a local ports range in the Start port and End port fields.

          • Outbound

            If you select this direction, you must specify a remote ports range in the Start port and End port fields.

          • Inbound/Outbound

            If you select this direction, you cannot specify a ports range.

        • Asset IP address.
      3. Click the Enable button.

        The window is closed.

    • For running executable file
      1. Fill in the following fields:
        • Path to an executable file
        • Command line parameters
        • Working directory
      2. Click the Run button.

        The window is closed.

    • For adding prevention rule
      1. Specify a hash of the file that you want to block:
        • SHA256
        • MD5

        If you want to specify more than one hash, click the Add hash button.

      2. Click the Add button.

        The window is closed.

    • For deleting prevention rule
      1. Select what you want to delete:
        • If you want to delete all prevention rules, select Delete everything.
        • If you want to delete a prevention rule by file hash, in the File hash field specify a hash of the file to delete.

          If you want to specify more than one hash, click the Add hash button.

      2. Click the Delete button.

        The window is closed.

If the response action is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.
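The parameters entered at step 5 have constraints that are easy to get wrong when values are copied from a ticket (an exclusion direction that does or does not take a port range, a hash that is SHA1 rather than SHA256 or MD5). The following script is an added example, not code from the Kaspersky documentation or the product: it pre-checks prevention-rule hashes and network isolation exclusions against the rules stated on this page, and computes both accepted hash types for a local file. Function names and the argument layout are assumptions made for this example.

```python
"""Pre-flight checks for the response-action parameters described above.

Added example, not part of the Kaspersky Next XDR Expert documentation or
product. It models the constraints the response window enforces so values can
be checked before they are typed in. Function names are assumptions.
"""
import hashlib
import ipaddress
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def normalize_hashes(values):
    """Return (accepted, rejected) for a prevention-rule hash list.

    accepted maps lowercase hash -> "SHA256" or "MD5" (the two types the rule
    takes); duplicates collapse. Anything else (SHA1, truncated, non-hex) lands
    in rejected so it is not silently dropped.
    """
    accepted, rejected = {}, []
    for raw in values:
        h = raw.strip().lower()
        if SHA256_RE.match(h):
            accepted[h] = "SHA256"
        elif MD5_RE.match(h):
            accepted[h] = "MD5"
        else:
            rejected.append(raw)
    return accepted, rejected


def _digests(chunks):
    """Compute SHA256 and MD5 over an iterable of byte chunks in one pass."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    for chunk in chunks:
        sha256.update(chunk)
        md5.update(chunk)
    return {"SHA256": sha256.hexdigest(), "MD5": md5.hexdigest()}


def hashes_of_bytes(data):
    """Both hash forms for an in-memory sample (e.g. a carved file)."""
    return _digests([data])


def file_hashes(path):
    """Both hash forms for a file on disk, read in 1 MiB chunks."""
    with open(path, "rb") as f:
        return _digests(iter(lambda: f.read(1 << 20), b""))


def validate_exclusion(direction, ip, start_port=None, end_port=None):
    """Check one network isolation exclusion against the rules on this page.

    Inbound          -> a local port range (Start port / End port) is required
    Outbound         -> a remote port range is required
    Inbound/Outbound -> no port range may be given
    Returns a list of problems; an empty list means the exclusion is well-formed.
    """
    problems = []
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        problems.append(f"invalid asset IP address: {ip!r}")
    has_range = start_port is not None or end_port is not None
    if direction in ("Inbound", "Outbound"):
        if not has_range:
            problems.append(f"{direction} exclusion needs a Start port and End port")
        elif not (isinstance(start_port, int) and isinstance(end_port, int)
                  and 1 <= start_port <= end_port <= 65535):
            problems.append(f"bad port range {start_port}-{end_port}")
    elif direction == "Inbound/Outbound":
        if has_range:
            problems.append("Inbound/Outbound exclusion cannot carry a port range")
    else:
        problems.append(f"unknown direction {direction!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample input: one SHA256, one MD5, one unusable SHA1.
    ok, bad = normalize_hashes([
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "D41D8CD98F00B204E9800998ECF8427E",
        "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    ])
    print("accepted:", ok, "rejected:", bad)
    print(validate_exclusion("Inbound/Outbound", "10.0.0.5", 443, 443))
```

The hash check matters because a rule submitted with a SHA1 will not match anything; the exclusion check catches the common mistake of adding a port range to an Inbound/Outbound exclusion, which the window does not accept.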

Performing response actions from the device details

To perform a response action from the device details:

  1. Do one of the following:
    • In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the ID of the alert that includes the required device.
    • In the main menu, go to the Monitoring & reporting → Incidents section. In the ID column, click the ID of the incident that includes the required device.
  2. In the window that opens, go to the Assets tab.
  3. Click the name of the required device, and then in the drop-down list, select View properties.
  4. Perform the same actions as described at steps 4-5 in Performing response actions from alert or incident details.

If the response action is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

Performing a response action from the event details

This option is available for the Add prevention rule response action. 

To perform a response action from the event details:

  1. In the main menu, go to Monitoring & reporting → Alerts. In the ID column, click the ID of the alert that includes the required device.
  2. In the window that opens, go to the Details tab, and select the required file hash.
  3. Click the Add prevention rule button, and then select the device for which you want to add the prevention rule.

    You can also go to the Observables tab, select the check box next to the file hash that you want to block, and then click the Add prevention rule button.

  4. Perform the same actions as described at steps 4-5 in Performing response actions from alert or incident details.

If the response action is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

Performing response actions from an investigation graph

This option is available if the investigation graph is built.

To perform a response action from an investigation graph:

  1. In the main menu, go to the Monitoring & reporting → Incidents section. In the ID column, click the ID of the incident that includes the required device.
  2. In the window that opens, click the View on graph button.

    The investigation graph opens.

  3. Click the device name to open the device details.
  4. Perform the same actions as described at steps 4-5 in Performing response actions from alert or incident details.

If the response action is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

If a response action fails, first make sure that the device name in Kaspersky Next XDR Expert is exactly the same as the device name in Kaspersky Anti Targeted Attack Platform; a mismatch prevents the action from being delivered to the device.

[Topic 264315]