Integrating EDR Agent with MDR

EDR Agent is installed on workstations and servers in the IT infrastructure of the organization. EDR Agent processes data and sends it through Kaspersky Security Network streams to Kaspersky Managed Detection and Response.

To set up integration with Kaspersky Managed Detection and Response, you must enable the Managed Detection and Response component and configure EDR Agent. For Kaspersky Managed Detection and Response to work with Administration Server via Kaspersky Security Center Web Console, you must also establish a new secure connection, a background connection. Kaspersky Managed Detection and Response prompts you to establish a background connection when you deploy the solution. Make sure the background connection is established.

Establishing a background connection in Web Console

Integration with Kaspersky Managed Detection and Response consists of the following steps:

  1. Installing the Managed Detection and Response component

    You can select the MDR component during installation or upgrade, or by using the Change application components task.

    You must restart your computer to finish upgrading the application with the new components.

  2. Configuring Kaspersky Private Security Network

    Skip this step if you are using Kaspersky Security Center Cloud Console. Kaspersky Security Center Cloud Console automatically configures Kaspersky Private Security Network when installing the MDR plug-in.

    Kaspersky Private Security Network (KPSN) is a solution that enables users of computers hosting Kaspersky Endpoint Security or other Kaspersky applications to access Kaspersky reputation databases and other statistical data without sending data to Kaspersky from their own computers.

    Upload the Kaspersky Security Network configuration file in the Administration Server properties. The Kaspersky Security Network configuration file is located within the ZIP archive of the MDR configuration file. You can obtain the ZIP archive in the Kaspersky Managed Detection and Response Console. For details on configuring Kaspersky Private Security Network, please refer to the Kaspersky Security Center Help. You can also upload a Kaspersky Security Network configuration file to the computer from the command line (see the instructions below).

    How to configure Kaspersky Private Security Network from the command line

    As a result, Kaspersky Endpoint Security will use Kaspersky Private Security Network to determine the reputation of files, applications, and websites. The Kaspersky Security Network section of the policy settings will display the following operating status: Infrastructure: Kaspersky Private Security Network.

    You must enable extended KSN mode for Managed Detection and Response to work.

  3. Activating Kaspersky Managed Detection and Response

    You need to purchase a separate license for MDR (Kaspersky Managed Detection and Response Add-on).

    The feature will be available after you add a separate key for Kaspersky Managed Detection and Response Add-on. Licensing for the stand-alone Managed Detection and Response functionality is the same as the licensing of Kaspersky Endpoint Security.

    Make sure that the MDR functionality is included in the license and is working in the local interface of the application.

  4. Enabling Managed Detection and Response component

    Load the BLOB configuration file in the Kaspersky Endpoint Security policy (see the instructions below). The BLOB file contains the client ID and information about the license for Kaspersky Managed Detection and Response. The BLOB file is located inside the ZIP archive of the MDR configuration file. You can obtain the ZIP archive in the Kaspersky Managed Detection and Response Console. For detailed information about a BLOB file, please refer to the Kaspersky Managed Detection and Response Help.

    Starting with Kaspersky Endpoint Security 12.6 for Windows, adding a BLOB file is optional for Kaspersky Managed Detection and Response without tenants if you have a current license.

    How to enable Managed Detection and Response component in the Administration Console (MMC)

    How to enable Managed Detection and Response component in the Web Console and Cloud Console

    How to enable Managed Detection and Response component from the command line

    As a result, Kaspersky Endpoint Security will verify the BLOB file. BLOB file verification includes checking the digital signature and the license term. If the BLOB file is successfully verified, Kaspersky Endpoint Security will download the file and send it to the computer during the next synchronization with Kaspersky Security Center. Check the operating status of the component by viewing the Application components status report. You can also view the operating status of a component in reports in the local interface of Kaspersky Endpoint Security. The Managed Detection and Response component will be added to the list of Kaspersky Endpoint Security components.
