Integration with Kaspersky Managed Detection and Response

Integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response enables continuous search, detection and elimination of threats aimed at your organization.

When interacting with Kaspersky Managed Detection and Response, Kaspersky Endpoint Security can carry out the following functions:

To configure integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response, perform the following actions:

You can also configure integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response and upload a BLOB configuration file from the command line.

To enable integration with Kaspersky Managed Detection and Response, execute the following command:

kesl-control --set-app-settings UseMDR=Yes

To disable integration with Kaspersky Managed Detection and Response, execute the following command:

kesl-control --set-app-settings UseMDR=No

To load the BLOB configuration file, execute the following command:

kesl-control --load-mdr-blob <path to MDR BLOB configuration file>

To remove the BLOB configuration file, execute the following command:

kesl-control --remove-mdr-blob

After integration of Kaspersky Endpoint Security with Kaspersky Managed Detection and Response is enabled, the application creates a Mdr_Autostart_Scan task that runs once a day. If necessary, you can configure the start time of this task with the kesl-control --set-schedule <task ID|task name> --file <full path to file> command, specifying the task name "Mdr_Autostart_Scan" or the ID the application assigned to the task. Other settings of the task, and its schedule apart from the start time, cannot be configured.

If Kaspersky Endpoint Security is integrated with Kaspersky Managed Detection and Response, a large number of events can be written to the systemd log. If you want to disable the logging of audit events to the systemd log, disable the systemd-journald-audit socket and restart the operating system.

To disable the systemd-journald-audit socket, run the following commands:

systemctl stop systemd-journald-audit.socket

systemctl disable systemd-journald-audit.socket

systemctl mask systemd-journald-audit.socket
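The following script is an added example, not part of the Kaspersky documentation: it wraps the kesl-control commands above for enabling the integration and loading the BLOB, verifies the result instead of trusting exit codes alone, and reports whether the systemd-journald-audit socket has been masked as described above. It assumes that kesl-control also provides --get-app-settings (printing Key=Value lines) and --get-task-list, which this page does not show, and the KESL_CONTROL and SYSTEMCTL variables exist only so the script can be pointed at test doubles.

```shell
#!/bin/sh
# Added example (not Kaspersky's own code). Assumes kesl-control supports
# --get-app-settings (Key=Value output) and --get-task-list in addition to
# the options shown on the page; KESL_CONTROL / SYSTEMCTL are overridable.
set -u
KESL_CONTROL="${KESL_CONTROL:-kesl-control}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Read Key=Value settings text on stdin and print the value of one key.
setting_value() {
    sed -n "s/^$1=//p" | head -n 1
}

# Succeed only if the BLOB path is a readable, non-empty regular file;
# a wrong or unreadable path is the usual cause of a failed load.
check_blob_file() {
    [ -n "$1" ] && [ -f "$1" ] && [ -r "$1" ] && [ -s "$1" ]
}

# Enable the integration, load the BLOB, then confirm UseMDR really is Yes
# and that the Mdr_Autostart_Scan task the page describes now exists.
enable_mdr() {
    blob="$1"
    check_blob_file "$blob" || { echo "BLOB not readable: $blob" >&2; return 1; }
    "$KESL_CONTROL" --set-app-settings UseMDR=Yes || return 1
    "$KESL_CONTROL" --load-mdr-blob "$blob" || return 1
    state=$("$KESL_CONTROL" --get-app-settings | setting_value UseMDR)
    [ "$state" = "Yes" ] || { echo "UseMDR is '$state', expected Yes" >&2; return 1; }
    "$KESL_CONTROL" --get-task-list | grep -q 'Mdr_Autostart_Scan' \
        || { echo "Mdr_Autostart_Scan task not found" >&2; return 1; }
}

# True when the journald audit socket is masked, i.e. audit events from the
# integration no longer flood the systemd journal.
audit_socket_masked() {
    [ "$("$SYSTEMCTL" is-enabled systemd-journald-audit.socket 2>/dev/null)" = "masked" ]
}

# Usage: ./mdr_enable.sh <path to MDR BLOB configuration file>
if [ "$#" -gt 0 ]; then
    enable_mdr "$1" && echo "MDR integration enabled and verified"
    audit_socket_masked || echo "note: systemd-journald-audit.socket is not masked" >&2
fi
```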
