About threat response actions based on commands from Detection and Response solutions

When integrated with Detection and Response solutions, Kaspersky Endpoint Security can perform threat response actions to maintain security functionality. Threat response actions can be generated on the side of the Detection and Response solution and automatically performed on Kaspersky Endpoint Security devices if this functionality is enabled in the settings of the Detection and Response solution. You can also configure and perform threat response actions manually.

The settings of threat response actions vary depending on the Detection and Response solution with which Kaspersky Endpoint Security is integrated.

Kaspersky Endpoint Security can perform the following threat response actions:

• Isolate the device from the network.

  When integrated with Endpoint Detection and Response Expert (on-premise), with Kaspersky Endpoint Detection and Response (KATA), or with Kaspersky Managed Detection and Response, network isolation is enabled or disabled on the side of the Detection and Response solution. You can manually disable network isolation of a device.

  When integrated with Kaspersky Endpoint Detection and Response Optimum, the device can be isolated from the network automatically or manually. You can configure network isolation or manually disable network isolation for a device.

• Quarantine file.

  The action is performed using the Quarantine file task.

  When integrated with Endpoint Detection and Response Expert (on-premise), with Kaspersky Endpoint Detection and Response (KATA), or with Kaspersky Managed Detection and Response, the task is created and run on the side of the Detection and Response solution.

  When integrated with Kaspersky Endpoint Detection and Response Optimum, a file can be quarantined automatically as a result of detection of indicators of compromise.

  When integrated with Kaspersky Endpoint Detection and Response Optimum or with Kaspersky Managed Detection and Response, you can also manually quarantine files.

• Restore files from Quarantine.

  When integrated with Endpoint Detection and Response Expert (on-premise), with Kaspersky Endpoint Detection and Response (KATA), or with Kaspersky Managed Detection and Response, the threat response action is generated on the side of the Detection and Response solution. You can also perform the action manually using Kaspersky Security Center or the command line.

  When integrated with Kaspersky Endpoint Detection and Response Optimum, you can perform the action manually using Kaspersky Security Center or the command line.

• Delete a file from Quarantine.

  When integrated with Endpoint Detection and Response Expert (on-premise), with Kaspersky Endpoint Detection and Response (KATA), or with Kaspersky Managed Detection and Response, the threat response action is generated on the side of the Detection and Response solution. You can also perform the action manually using Kaspersky Security Center or the command line.

  When integrated with Kaspersky Endpoint Detection and Response Optimum, you can perform the action manually using Kaspersky Security Center or the command line.

• Get a file from Quarantine.

  When integrated with Kaspersky Endpoint Detection and Response (on-premise) or Kaspersky Endpoint Detection and Response (KATA), the threat response action is generated on the side of the relevant Detection and Response solution.

  When integrated with Kaspersky Endpoint Detection and Response Optimum, you can perform the action manually using Kaspersky Security Center.

• Receive file from device.

  This action is performed using the Get file task. For example, you can configure the application to get an event log file generated by a third-party application.

  When integrated with Endpoint Detection and Response Expert (on-premise), with Kaspersky Endpoint Detection and Response (KATA), or with Kaspersky Managed Detection and Response, the task is created and run on the side of the Detection and Response solution.

  When integrating with the Kaspersky Endpoint Detection and Response Optimum solution, you can create Get file tasks in the Web Console.

• Delete file from device.

  This action is performed using the Delete file task.

  When integrated with Kaspersky Endpoint Detection and Response (on-premise) or Kaspersky Endpoint Detection and Response (KATA), the task is created and run on the side of the Detection and Response solution.

  When integrating with the Kaspersky Endpoint Detection and Response Optimum solution, you can create Delete file tasks in the Web Console.

• Remotely run a process on a device.

  This action is performed using the Run application task. For example, you can remotely run a utility that creates a device configuration file, and then retrieve the created file using the Get file task.

  When integrated with Endpoint Detection and Response Expert (on-premise), with Kaspersky Endpoint Detection and Response (KATA), or with Kaspersky Managed Detection and Response, the task is created and run on the side of the Detection and Response solution.

  When integrating with the Kaspersky Endpoint Detection and Response Optimum solution, you can create and run Run process tasks in the Web Console.

• Remotely terminate a process on a device.

  The action is performed using the Kill process task. For example, you can remotely terminate an Internet speed test utility that was launched using the "Run process" task.

  When integrated with Endpoint Detection and Response Expert (on-premise), with Kaspersky Endpoint Detection and Response (KATA), or with Kaspersky Managed Detection and Response, the task is created and run on the side of the Detection and Response solution.

  When integrating with the Kaspersky Endpoint Detection and Response Optimum solution, you can create and run Kill process tasks in the Web Console.

• Detecting indicators of compromise (IOC) on devices. An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to a device (compromised data). For example, an indicator of compromise could be a high number of failed login attempts.

  An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to a device (compromised data). For example, an indicator of compromise could be a high number of failed login attempts.

  When integrated with Kaspersky Endpoint Detection and Response (on-premise) or Kaspersky Endpoint Detection and Response (KATA), the IOC Scan task on a Kaspersky Endpoint Security device is created and run on the side of the relevant Detection and Response solution.

  When integrated with Kaspersky Endpoint Detection and Response Optimum, an IOC Scan is performed using the IOC Scan task. You can create IOC Scan tasks manually.

• Starting a YARA scan. During a YARA scan, Kaspersky Endpoint Security uses YARA files to search for signatures of malicious activity on a device. YARA files are files with the .YARA or .YAR extension that contain YARA rules. YARA rules describe signatures of targeted attacks and intrusions into corporate IT infrastructure. Kaspersky Endpoint Security uses these rules to scan objects. If the conditions of a rule is satisfied, the analyzer concludes that an infection is ongoing, and records the detail in the log. The scan is performed recursively on local drives. Scanning of network, removable, and cloud resources is not supported.

  The command for a YARA scan on a Kaspersky Endpoint Security device is created and run on the side of the Kaspersky Endpoint Detection and Response Expert (on-premise) solution.

• Execution prevention for objects.

  When integrated with Endpoint Detection and Response Expert (on-premise), with Kaspersky Endpoint Detection and Response (KATA), or with Kaspersky Endpoint Detection and Response Optimum, you can enable Execution prevention rules. Kaspersky Endpoint Security prevents the execution of objects or opening of documents that match the criteria of the prevention rules.

  When integrated with Kaspersky Endpoint Detection and Response Expert (on-premise) or with Kaspersky Endpoint Detection and Response (KATA), the application receives execution prevention rules from Kaspersky Endpoint Detection and Response Expert (on-premise) or from Kaspersky Endpoint Detection and Response (KATA).

  When integrated with Kaspersky Endpoint Detection and Response Optimum, you can configure execution prevention rules in the Web Console.

• Getting forensics.

  When integrated with Kaspersky Endpoint Detection and Response Expert (on-premise), you can collect digital data that may be useful when investigating incidents related to cybercrimes and data leaks.

  This action can be performed using the following tasks:

  • The Get forensics task, which collects the following types of information:
    • List of files
    • List of processes
    • List of autorun points
  • Get memory dump tasks
  • Get process memory dump tasks
  • Get disk image tasks

  Tasks are created and run on the side of the Kaspersky Endpoint Detection and Response Expert (on-premise) solution.

Page top