Configuring Threat Response actions of Kaspersky Endpoint Agent to respond to threats detected by Kaspersky Sandbox

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Kaspersky Endpoint Agent can perform actions in response to threats detected by Kaspersky Sandbox.

You can configure the following types of actions:

Local actions
Local actions – actions to be performed on each device where a threat is detected:
- Quarantine and delete.
  When a threat is detected on a device, a copy of the object containing the threat is quarantined, and the object is deleted from the device.
- Notify device user.
  When a threat is detected on a device, a notification about the detected threat is displayed to the device user.
  
  The notification is displayed if the device is running under the user account same to the account under which the threat was detected.
  
  If the device is not running or is running under another user account, the notification is not displayed.
- Run Endpoint Protection Platform scan of critical areas on the device.
  If a threat is detected on a device, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas of the device. Critical areas include kernel memory, objects loaded at operating system startup, and boot sectors of the hard drive. For more details on configuring the scan settings refer to the documentation of EPP being used.
Group actions
Group actions – actions to be performed on all devices of the administration group for which the policy is configured.
- Run IOC Scan on a managed group of devices.
  If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat.
- Quarantine and delete when IOC is found.
  If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent scans all devices of this administration group for objects containing the detected threat. When an object which contains a threat is detected on devices of this administration group, a copy of the object containing the threat is quarantined, and the object is deleted from the device.
- Run Endpoint Protection Platform scan of critical areas on the device when IOC is found.
  If a threat is detected on any device of the administration group for which you configure the policy, Kaspersky Endpoint Agent sends a command to EPP to scan critical areas on all administration group's devices where the object containing the threat was detected. For more details on configuring the scan settings refer to the documentation of EPP being used.

When configuring threat response actions, keep in mind that as a result of some actions, the object containing the threat may be deleted from the workstation where it was detected.

If you want Kaspersky Endpoint Agent to create Autonomous IOC Scan tasks when responding to threats, configure authentication on the Administration Server.

The application uses a special Administration Server user account, which has limited permissions and is intended only for creating Autonomous IOC Scan tasks.

The special account can only be created in the Threat Response window in Kaspersky Endpoint Agent policy properties or in the application properties of an individual device. The special account must be created on the Administration Server only once and its password must be used to configure Threat Response settings in the properties of other devices or other policies of the same Administration Server.

It is not possible to change the password of the special account created for Autonomous IOC Scan tasks. If you forget the password of this account, delete it using standard Kaspersky Security Center tools and create it again in the Threat Response window.

To configure Kaspersky Endpoint Agent response actions to threats detected by Kaspersky Sandbox:

Do one of the following:
- Open the application properties window for an individual device.
  1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
  2. Select the device.
  3. In the <Device name> window that opens, select the Applications tab.
  4. Select Kaspersky Endpoint Agent.
  5. In the window that opens, select the Application settings tab.
- Open the policy properties window.
  1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
  2. Select the policy you want to configure.
  3. In the <Policy name> window that opens, select the Application settings tab.
In the Kaspersky Sandbox integration section select the Threat Response subsection.
Select the Take response actions on threats detected by Kaspersky Sandbox check box.
In the Selected actions list, select the check boxes for the actions you want to enable.
If you select the Run IOC Scan on a managed group of devices action, perform the following actions in the Authentication on Administration Server group of settings:
1. Click the Create the Administration Server special user button.
  Unavailability of the Create the Administration Server special user button indicates that a special account for the Autonomous IOC Scan tasks has already been created. Go to the step "d" of the instruction.
2. In the window that opens, in the Administration Server password field, specify a password with the length of 8–16 characters and click the Create the user button.
3. Click OK.
  A special Administration Server account for Autonomous IOC Scan tasks is created.
4. In the Administration Server password field, enter the password for the special account created for the Autonomous IOC Scan tasks.
If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
Click OK.
In the policy properties window, click Save.

Kaspersky Endpoint Agent response actions to threats detected by Kaspersky Sandbox are configured and ready to be applied on devices.