Kaspersky Managed Detection and Response
Viewing detailed information about assets in MDR Web Console
To view detailed information about assets:
- In the MDR Web Console window, navigate to the Assets menu item.
The asset list opens.
- Click the row of the asset whose details you want to view.
The asset card appears. The asset card contains two tabs:
- Properties has general information about the asset
- Incidents has information on incidents that have occurred with the asset
The Properties tab contains the following general information:
- Asset name
Network name of a computer.
You can click Asset name to view the asset information in Kaspersky Security Center Web Console.
- Status
The status reflects the current asset state. For assets in the OK, Warning, or Critical statuses, the application additionally lists the problems (if any) for the last 72 hours.
For assets with the Kaspersky Endpoint Security for Windows in the Endpoint Detection and Response Agent (EDR Agent) configuration, the Warning and Critical statuses for protection and control components may be displayed incorrectly.
The assets have one of the following statuses:
- OK (green)
Telemetry is being sent, protection is fully operational.
- Warning (yellow)
Minor telemetry losses. Refer to this article: How to avoid loss of telemetry data from assets.
Possible reasons for the Warning status:
- At least one of the following EPP application components on the asset is disabled or not installed:
- Firewall—See how to enable or configure this component in Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, or Kaspersky Security for Virtualization Light Agent.
- Network Threat Protection—See how to enable or configure this component in Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, or Kaspersky Endpoint Security for Mac.
- Mail Threat Protection and Additional Microsoft Office Outlook Extension—See how to enable or configure these components in Kaspersky Endpoint Security for Windows.
- Web Threat Protection—See how to enable or configure this component in Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, Kaspersky Endpoint Security for Mac, or Kaspersky Security for Virtualization Light Agent.
- Product Self Defense—See how to enable or configure this component in Kaspersky Endpoint Security for Windows or Kaspersky Security for Virtualization Light Agent.
- Anti-virus databases are outdated by more than 7 days.
These components affect the completeness of the telemetry that is sent. If a component is disabled or missing, Kaspersky Managed Detection and Response does not send the telemetry events related to this component. The installed EPP application may not include all of the listed components.
- KSN configuration file is expiring. The application displays the expiration date. Consider updating the KSN configuration file. If you keep working with the current configuration file, the status changes to Critical a few days before the expiration date.
The Warning status is applicable for assets with Kaspersky Endpoint Security for Windows 11 or later, Kaspersky Endpoint Security for Linux 11.2 or later, Kaspersky Endpoint Security for Mac 11.2 or later, or Kaspersky Security for Virtualization Light Agent 5.2 or later installed. For assets with the Kaspersky Endpoint Security for Windows in the Endpoint Detection and Response Agent (EDR Agent) configuration, this status is not displayed.
- Critical (red)
Major telemetry losses, telemetry data is insufficient for analysis. Refer to this article: How to avoid loss of telemetry data from assets.
Possible reasons for the Critical status:
- At least one of the following EPP application components on the asset is disabled or not installed:
- System Watcher or Behavior Detection—See how to enable or configure these components in Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, or Kaspersky Security for Virtualization Light Agent.
- File Threat Protection—See how to enable or configure this component in Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, Kaspersky Endpoint Security for Mac, or Kaspersky Security for Virtualization Light Agent.
If any of these components are disabled or missing, Kaspersky Managed Detection and Response stops sending telemetry from the asset. The installed EPP application may not include all of the listed components.
- KSN configuration file is expiring soon or is already expired. The application displays the expiration date. Consider updating the KSN configuration file.
This status is applicable for assets with Kaspersky Endpoint Security for Windows 11 or later, Kaspersky Endpoint Security for Linux 11.2 or later, Kaspersky Endpoint Security for Mac 11.2 or later, or Kaspersky Security for Virtualization Light Agent 5.2 or later installed. For assets with the Kaspersky Endpoint Security for Windows in the Endpoint Detection and Response Agent (EDR Agent) configuration, this status is not displayed.
- Offline (black)
No telemetry for more than 7 days (default value). You can change the number of days without telemetry after which the asset is shown as Offline in the Settings section. The available range is 2–29 days.
If you see the Offline status for your assets:
- Make sure the EPP application components listed with Warning and Critical statuses are installed and enabled on the assets.
- Make sure Kaspersky Managed Detection and Response is properly deployed in your infrastructure.
Offline status is not applicable for VDI assets (temporary virtual machines).
- Absent (black)
No telemetry for more than 30 days for physical assets or for more than 24 hours for VDI assets (temporary virtual machines).
If you see the Absent status for your assets:
- Make sure the EPP application components with Warning and Critical statuses are installed and enabled on the assets.
- Make sure Kaspersky Managed Detection and Response is properly deployed in your infrastructure.
You can hide assets with the Absent status in the asset list, in the reports, and in the data received via the API interface.
- IP address
The IP address of the asset.
- Physical address
- Tenant
Name of the tenant, if the asset belongs to one of the tenants. If the asset does not belong to a tenant, this field is blank.
- First seen
- Last seen
- Operating system
Operating system that is installed on the asset.
- Kaspersky applications that work with MDR
- Domain
The Incidents tab contains the list of incidents. The ID/Created column of the list contains an incident identifier and time the incident was created. The Status column of the list contains information on the incident status.
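The status rules described above, reproduced as an added Python example (not Kaspersky code and not the console's own logic) that a defender can use to cross-check an asset inventory exported from MDR. The page does not state how many days count as "expiring soon" for the KSN configuration file, so `ksn_soon_days` and `ksn_warn_days` are assumed thresholds; the `Asset` fields and function names are also assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Components the page lists under Critical (telemetry stops) and Warning (telemetry incomplete).
CRITICAL_COMPONENTS = {"System Watcher", "Behavior Detection", "File Threat Protection"}
WARNING_COMPONENTS = {"Firewall", "Network Threat Protection", "Mail Threat Protection",
                      "Web Threat Protection", "Product Self Defense"}

@dataclass
class Asset:                                   # assumed shape of an exported asset record
    name: str
    last_seen: datetime                        # last telemetry received (UTC)
    is_vdi: bool = False                       # temporary virtual machine
    disabled_components: set = field(default_factory=set)
    db_age_days: int = 0                       # age of anti-virus databases
    ksn_expires: Optional[datetime] = None     # KSN configuration file expiration date
    edr_agent_config: bool = False             # KES for Windows in EDR Agent configuration

def asset_status(a: Asset, now: datetime, offline_days: int = 7,
                 ksn_soon_days: int = 3, ksn_warn_days: int = 30) -> str:
    """Return OK / Warning / Critical / Offline / Absent following the documented rules.
    offline_days mirrors the Settings value (2-29); the two KSN thresholds are assumptions."""
    if not 2 <= offline_days <= 29:
        raise ValueError("Offline threshold must be between 2 and 29 days")
    silent = now - a.last_seen
    # Absent: >30 days for physical assets, >24 hours for VDI; VDI assets never go Offline.
    if silent > (timedelta(hours=24) if a.is_vdi else timedelta(days=30)):
        return "Absent"
    if not a.is_vdi and silent > timedelta(days=offline_days):
        return "Offline"
    # In the EDR Agent configuration, Warning and Critical are not displayed.
    if a.edr_agent_config:
        return "OK"
    ksn_left = (a.ksn_expires - now) if a.ksn_expires else None
    if a.disabled_components & CRITICAL_COMPONENTS or (
            ksn_left is not None and ksn_left <= timedelta(days=ksn_soon_days)):
        return "Critical"
    if (a.disabled_components & WARNING_COMPONENTS or a.db_age_days > 7
            or (ksn_left is not None and ksn_left <= timedelta(days=ksn_warn_days))):
        return "Warning"
    return "OK"

def needs_attention(assets: list, now: datetime, **kw) -> dict:
    """Map every non-OK asset name to its status, so gaps in telemetry coverage stand out."""
    return {a.name: s for a in assets if (s := asset_status(a, now, **kw)) != "OK"}
```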