Integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response enables continuous search, detection and elimination of threats aimed at your organization.
When interacting with Kaspersky Managed Detection and Response, Kaspersky Endpoint Security can carry out the following functions:
To configure integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response, perform the following actions:
You can enable use of Kaspersky Security Network via the command line, in the Administration Console, or in Kaspersky Security Center Web Console.
You can configure Private KSN only in the Administration Console or in the Kaspersky Security Center Web Console.
It is recommended to configure integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response in the Administration Console or in the Kaspersky Security Center Web Console.
You can also configure integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response and upload a BLOB configuration file from the command line.
To enable integration with Kaspersky Managed Detection and Response, execute the following command:
kesl-control --set-app-settings UseMDR=Yes
To disable integration with Kaspersky Managed Detection and Response, execute the following command:
kesl-control --set-app-settings UseMDR=No
To load the BLOB configuration file, execute the following command:
kesl-control --load-mdr-blob <
path to MDR BLOB configuration file
>
To remove the BLOB configuration file, execute the following command:
kesl-control --remove-mdr-blob
After enabling integration of Kaspersky Endpoint Security with Kaspersky Managed Detection and Response, a Mdr_Autostart_Scan task is created in the application and will run once a day. If necessary, you can configure the start time for this task using the kesl-control --set-schedule <
task ID
|
task name
> --file <
full path to file
>
command, specifying the task name "Mdr_Autostart_Scan" or the ID assigned to this task by the application. The task's other settings and schedule cannot be configured.
If Kaspersky Endpoint Security is integrated with Kaspersky Managed Detection and Response, a large number of events can be written to the systemd log. If you want to disable the logging of audit events to the systemd log, disable the systemd-journald-audit socket and restart the operating system.
To disable the systemd-journald-audit socket, run the following commands:
systemctl stop systemd-journald-audit.socket
systemctl disable systemd-journald-audit.socket
systemctl mask systemd-journald-audit.socket