For EDR Threat Response, you need to specify basic request parameters, for example, in JSON format:

- task is the type of the task (see below).
- targetHost is the ID of the computer on which the script must be run. Required argument. The script gets this argument from the event.
- responseEventIncidentArea is the name of the application that ran the script (for example, KUMA). This parameter is added to the name of the created task.

To configure EDR Threat Response, you need to specify task settings in JSON format in the "KLINCDT_BODY": json.dumps(data) parameter. As a result, the application creates a task named [Response][KUMA] <task type> - <Date> <Time> - <ID> in the Kaspersky Security Center console.
Get file – getFile
Get file task settings
Parameter | Type | Description |
---|---|---|
md5hash | string | MD5 hash of the file that you want to get. |
sha256hash | string | SHA256 hash of the file that you want to get. |
path | string | Path to the file that you want to get. |
Example
```typescript
type getFile = {
  task: 'getFile';
  targetHost: string;
  params: {
    // an empty string or a valid md5 hash of the file
    md5hash: string;
    // an empty string or a valid sha256 hash of the file
    sha256hash: string;
    // the path to the file
    path: string;
  };
  responseEventIncidentArea: string;
};
```
Delete file – deleteFile
Delete file task settings
Parameter | Type | Description |
---|---|---|
md5hash | string | MD5 hash of the file that you want to delete. |
sha256hash | string | SHA256 hash of the file that you want to delete. |
path | string | Path to the file that you want to delete. |
searchInSubfolders | boolean, optional | Search for the file that you want to delete in subfolders. |
Example
```typescript
type deleteFile = {
  task: 'deleteFile';
  targetHost: string;
  params: {
    // an empty string or a valid md5 hash of the file
    md5hash: string;
    // an empty string or a valid sha256 hash of the file
    sha256hash: string;
    // the path to the file
    path: string;
    // recursive search for the file in subfolders, optional
    searchInSubfolders?: boolean;
  };
  responseEventIncidentArea: string;
};
```
Move file to Quarantine – quarantineFile
Move file to Quarantine task settings
Parameter | Type | Description |
---|---|---|
md5hash | string | MD5 hash of the file that you want to quarantine. |
sha256hash | string | SHA256 hash of the file that you want to quarantine. |
path | string | Path to the file that you want to quarantine. |
Example
```typescript
type quarantineFile = {
  task: 'quarantineFile';
  targetHost: string;
  params: {
    // an empty string or a valid md5 hash of the file
    md5hash: string;
    // an empty string or a valid sha256 hash of the file
    sha256hash: string;
    // the path to the file
    path: string;
  };
  responseEventIncidentArea: string;
};
```
IOC Scan – iocScan
IOC Scan task settings
Parameter | Type | Description |
---|---|---|
ioc | string | Path to the ZIP archive with an IOC file in base64 encoding that you want to use for scanning. Required argument. Enter this argument manually. |
isolateHost | boolean | Isolate the computer from the network when an indicator of compromise is detected to prevent the threat from spreading. |
scanCriticalAreas | boolean | Run the Critical Areas Scan task when an indicator of compromise is detected. |
quarantineObject | boolean | Delete the malicious object when an indicator of compromise is detected. Before deleting the object, Kaspersky Endpoint Security creates a backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup copy to Quarantine. |
Example
```typescript
type iocScan = {
  task: 'iocScan';
  targetHost: string;
  params: {
    // the path to the zip archive with ioc files in base64 encoding
    ioc: string;
    // isolate the computer from the network on detection
    isolateHost: boolean;
    // run the critical areas scan on detection
    scanCriticalAreas: boolean;
    // delete the detected object (a backup copy is moved to Quarantine)
    quarantineObject: boolean;
  };
  responseEventIncidentArea: string;
};
```
Start process – startProcess
Start process task settings
Parameter | Type | Description |
---|---|---|
executablePath | string | Path to the executable file that is used to start the process. |
arguments | string, optional | Additional command line arguments for starting the process. |
workingFolder | string, optional | Path to the working folder of the process. |
Example
```typescript
type startProcess = {
  task: 'startProcess';
  targetHost: string;
  params: {
    // the path to the executable file
    executablePath: string;
    // command line arguments, optional
    arguments?: string;
    // a working folder, optional
    workingFolder?: string;
  };
  responseEventIncidentArea: string;
};
```
Terminate process – terminateProcess
Terminate process task settings
Parameter | Type | Description |
---|---|---|
md5hash | string | MD5 hash of the file whose process you want to terminate. |
sha256hash | string | SHA256 hash of the file whose process you want to terminate. |
path | string | Path to the file that you want to delete. |
caseSensitive | boolean | Case sensitivity when searching for the file. |
Example
```typescript
type terminateProcess = {
  task: 'terminateProcess';
  targetHost: string;
  params: {
    // an empty string or a valid md5 hash of the file
    md5hash: string;
    // an empty string or a valid sha256 hash of the file
    sha256hash: string;
    // the path to the file
    path: string;
    // case sensitivity of the file name
    caseSensitive: boolean;
  };
  responseEventIncidentArea: string;
};
```
Computer network isolation – isolateHost
Computer network isolation settings
Parameter | Type | Description |
---|---|---|
action | number | 0 - turning off network isolation, 1 - turning on network isolation. |
Example
```typescript
type isolateHost = {
  task: 'isolateHost';
  targetHost: string;
  params: {
    // 0 - turning off network isolation, 1 - turning on network isolation
    action: number;
  };
  responseEventIncidentArea: string;
};
```
Execution prevention – preventExecution
Execution prevention settings
Parameter | Type | Description |
---|---|---|
hash | string | MD5 hash of the file that you want to prevent from running. |
path | string | Path to the file that you want to prevent from running. |
caseSensitive | boolean | Case sensitivity when searching for the file. |
Example
```typescript
type preventExecution = {
  task: 'preventExecution';
  targetHost: string;
  params: {
    // a valid md5 hash of the file
    hash: string;
    // the path to the file
    path: string;
    // case sensitivity of the file name
    caseSensitive: boolean;
  };
  responseEventIncidentArea: string;
};
```
Malware Scan – onDemandScan
Malware Scan task settings
Parameter | Type | Description |
---|---|---|
enabled | boolean | Enables the scan object. |
path | string | Space-delimited list of files and folders for Custom Scan. |
recursive | boolean | Recursive scanning mode. |
type | number | Scan scope. Possible values (ScanObjectType): SystemMemory = 14, StartupObjectsAndRunningProcesses = 15, DiskBootSectors = 16, SystemBackupStorage = 17, Email = 18, Folder = 22, AllRemovableDrives = 23, AllNetworkDrives = 24, AllFixedDrives = 25. |
Example
```typescript
type onDemandScan = {
  task: 'onDemandScan';
  targetHost: string;
  // please note: params is an array of scan objects, not a single object
  params: [{
    // enables the scan object
    enabled: boolean;
    // an empty string or the path to the folder to scan
    path: string;
    // recursive scan mode
    recursive: boolean;
    // scan object ID (see ScanObjectType above)
    type: number;
  }];
  responseEventIncidentArea: string;
};
```
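As an added worked example (not Kaspersky's own code), the following Python builds the KLINCDT_BODY string for any of the task types described above and rejects bodies that do not match the documented shape: malformed hash values, an isolateHost action other than 0 or 1, an unknown scan scope ID, or a single object where onDemandScan expects an array. The task and parameter names are the ones on this page; the validation rules and the build_task function itself are assumptions of this example.

```python
import json
import re

# Added example, not Kaspersky's code: builds/validates the KLINCDT_BODY JSON for the tasks above.
PARAMS = {  # parameter names per task type, taken from the type definitions above
    "getFile": {"md5hash", "sha256hash", "path"},
    "deleteFile": {"md5hash", "sha256hash", "path", "searchInSubfolders"},
    "quarantineFile": {"md5hash", "sha256hash", "path"},
    "iocScan": {"ioc", "isolateHost", "scanCriticalAreas", "quarantineObject"},
    "startProcess": {"executablePath", "arguments", "workingFolder"},
    "terminateProcess": {"md5hash", "sha256hash", "path", "caseSensitive"},
    "isolateHost": {"action"},
    "preventExecution": {"hash", "path", "caseSensitive"},
    "onDemandScan": {"enabled", "path", "recursive", "type"},  # one object per array entry
}
SCAN_OBJECT_TYPES = {14, 15, 16, 17, 18, 22, 23, 24, 25}  # scan scope IDs from the table above
HASH_FORMAT = {  # md5hash/sha256hash may be empty strings, preventExecution's hash may not
    "md5hash": r"([0-9a-fA-F]{32})?",
    "sha256hash": r"([0-9a-fA-F]{64})?",
    "hash": r"[0-9a-fA-F]{32}",
}

def _check(task, obj):
    if not isinstance(obj, dict):
        raise ValueError(f"{task}: params entry must be an object")
    unknown = set(obj) - PARAMS[task]
    if unknown:
        raise ValueError(f"{task}: unknown params {sorted(unknown)}")
    for name, pattern in HASH_FORMAT.items():
        if name in obj and not re.fullmatch(pattern, str(obj[name])):
            raise ValueError(f"{task}: {name} is not a valid hash value")
    if task == "isolateHost" and obj.get("action") not in (0, 1):
        raise ValueError("isolateHost: action must be 0 (off) or 1 (on)")
    if task == "onDemandScan" and obj.get("type") not in SCAN_OBJECT_TYPES:
        raise ValueError(f"onDemandScan: unknown scan object type {obj.get('type')!r}")

def build_task(task, target_host, params, area="KUMA"):
    """Return the JSON string for KLINCDT_BODY, or raise ValueError on a malformed request."""
    if task not in PARAMS:
        raise ValueError(f"unknown task type {task!r}")
    if not target_host:
        raise ValueError("targetHost is required; take it from the event")
    # onDemandScan takes an array of scan objects, every other task a single object
    entries = params if task == "onDemandScan" else [params]
    if not isinstance(entries, list) or not entries:
        raise ValueError("onDemandScan: params must be a non-empty array")
    for entry in entries:
        _check(task, entry)
    return json.dumps({"task": task, "targetHost": target_host, "params": params,
                       "responseEventIncidentArea": area})
```

The returned string is what goes into "KLINCDT_BODY"; rejecting a malformed body before it reaches Kaspersky Security Center avoids creating a response task that cannot run.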