Triggering event response actions

You can trigger response actions on a device using a registered event that is associated with that device. To trigger a response action, the event must be registered using EPP technology, and a threat development chain must be built for this event in Endpoint Agent (that is, the event must be an EDR incident).

Triggering a response action for a device in an EDR incident: Isolate device from the network

You can trigger the Isolate device from the network response action for any EDR incident.

To isolate a device associated with an EDR incident from the network:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using an Administrator or Security Officer account.
  2. Select the Events and incidents tab in the Events section.
  3. In the table of events, select the relevant event that is an EDR incident.

    The details area appears in the right part of the web interface window.

  4. In the details area, open the Threat response drop-down list and select Isolate device from the network.

    A window with a confirmation prompt opens.

  5. In the request window, confirm the start of the response action.

The application will register a new response action. You can view information about this action in the Events section on the Response actions tab.

Triggering a response action for an object in an EDR incident activity event: Prevent run, Move to quarantine, Delete file, or Terminate process

For EDR incidents that have activity events of the File creation or Starting a process type in the threat development chain, you can trigger the Prevent run, Move to quarantine, or Delete file response actions. Additionally, for activity events with the Starting a process type, the application provides the capability to trigger the Terminate process response action.

For the specified activity event types, you can trigger response actions in either of the following two ways: from the threat detection object of the incident, or from any activity event of a supported type.

To trigger a response action for a threat detection object:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using an Administrator or Security Officer account.
  2. Select the Events and incidents tab in the Events section.
  3. In the table of events, select the relevant event that is an EDR incident.

    The details area appears in the right part of the web interface window.

  4. In the details area, open the Threat response drop-down list and select the appropriate item:
    • If the activity event with the threat detection object has the File creation type, the following response action items are available for selection: Prevent run, Move to quarantine, and Delete file.
    • If the activity event with the threat detection object has the Starting a process type, the following response actions are available for selection: Prevent run, Move to quarantine, Delete file, and Terminate process.

    A window with a confirmation prompt opens.

  5. If a response action requires you to confirm the operation using your password, enter your password.
  6. In the request window, confirm the start of the response action.

The application will register a new response action. You can view information about this action in the Events section on the Response actions tab.

To trigger a response action for any activity event of a supported type:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using an Administrator or Security Officer account.
  2. Select the Events and incidents tab in the Events section.
  3. In the table of events, select the relevant event that is an EDR incident.

    The details area appears in the right part of the web interface window.

  4. In the details area, go to the All activity events tab and select the appropriate activity event.

    You can select any activity event with the File creation or Starting a process type. A key activity event (with a threat detection object) is marked with the Detection icon.

  5. In the activity event details window that opens, click the appropriate button:
    • If an activity event of the File creation type is selected, buttons with the Prevent run, Move to quarantine, and Delete file response actions are available.
    • If an activity event of the Starting a process type is selected, buttons with the Prevent run, Move to quarantine, Delete file, and Terminate process response actions are available.

    A window with a confirmation prompt opens.

  6. If a response action requires you to confirm the operation using your password, enter your password.
  7. In the request window, confirm the start of the response action.

The application will register a new response action. You can view information about this action in the Events section on the Response actions tab.

Triggering a response action for a device in an EDR incident: Start process

You can trigger the Start process response action for any EDR incident.

To start a process on a device linked to an EDR incident:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using an Administrator or Security Officer account.
  2. Select the Events and incidents tab in the Events section.
  3. In the table of events, select the relevant event that is an EDR incident.

    The details area appears in the right part of the web interface window.

  4. In the details area, open the Threat response drop-down list and select Start process.

    This opens the window for configuring the response action.

  5. Configure the settings for running the process on the device. To do so, enter values for the following settings:
    • Full path to the executable file, script, utility, or application.
    • Working directory (optional).
    • Additional startup keys (optional).
  6. Enter your password in the Operation confirmation password field.
  7. Click Run.

The application will register a new response action. You can view information about this action in the Events section on the Response actions tab.