You can check the status of your assets by using the MDR Health functionality. It enables you to check which assets are currently protected by Kaspersky Managed Detection and Response and which ones never sent telemetry to Kaspersky Managed Detection and Response.
Telemetry is the data that is sent from assets to Kaspersky Managed Detection and Response.
The status reflects the current asset state. For assets in the OK, Warning, or Critical statuses, the application additionally lists the problems (if any) for the last 72 hours.
Mail Threat Protection and Additional Microsoft Office Outlook Extension—See how to enable or configure these components in Kaspersky Endpoint Security for Windows.
Anti-virus databases are outdated by more than 7 days.
These components affect the fullness of sent telemetry. If a component is disabled or missing, Kaspersky Managed Detection and Response does not send the telemetry events related to this component. The installed EPP application may not include all of the listed components.
KSN configuration file is expiring. The application displays the expiration date. Consider updating the KSN configuration file. If you keep working with the current configuration file, the status changes to Critical a few days before the expiration date.
The Warning status is applicable for assets with Kaspersky Endpoint Security for Windows 11 or later, Kaspersky Endpoint Security for Linux 11.2 or later, Kaspersky Endpoint Security for Mac 11.2 or later, or Kaspersky Security for Virtualization Light Agent 5.2 or later installed. For assets with Kaspersky Endpoint Security for Windows in the Endpoint Detection and Response Agent (EDR Agent) configuration, this status is not displayed.
Critical (red)
Possible reasons for the Critical status:
At least one of the following EPP application components on the asset is disabled or not installed:
If any of these components are disabled or missing, Kaspersky Managed Detection and Response stops sending telemetry from the asset. The installed EPP application may not include all of the listed components.
KSN configuration file is expiring soon or is already expired. The application displays the expiration date. Consider updating the KSN configuration file.
No telemetry for more than 7 days (default value). In the Settings section, you can change the number of days without telemetry after which the Offline status is displayed for the asset. The available range is 2–29 days.
If you see the Offline status for your assets:
Make sure the EPP application components listed with Warning and Critical statuses are installed and enabled on the assets.
Make sure Kaspersky Managed Detection and Response is properly deployed in your infrastructure.
Offline status is not applicable for VDI assets (temporary virtual machines).
Absent (black)
No telemetry for more than 30 days for physical assets or for more than 24 hours for VDI assets (temporary virtual machines).
If you see the Absent status for your assets:
Make sure the EPP application components with Warning and Critical statuses are installed and enabled on the assets.
Make sure Kaspersky Managed Detection and Response is properly deployed in your infrastructure.
You can hide assets with the Absent status in the asset list, in the reports, and in the data received via the API interface.
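The telemetry-age rules above (Offline after the configured threshold, Absent after 30 days for physical assets or 24 hours for VDI assets), as an added Python example that is not Kaspersky code: it flags the silent assets in an inventory. The record field names, the sample data, the precedence of Absent over Offline, and returning None when telemetry age alone does not decide the status are assumptions.

```python
from datetime import datetime, timedelta, timezone

ABSENT_AFTER_PHYSICAL = timedelta(days=30)  # threshold stated on the page
ABSENT_AFTER_VDI = timedelta(hours=24)      # threshold stated on the page
OFFLINE_DEFAULT_DAYS = 7                    # default; configurable within 2-29 days


def telemetry_gap_status(last_telemetry, now, is_vdi=False,
                         offline_days=OFFLINE_DEFAULT_DAYS):
    """Return 'Absent', 'Offline', or None when telemetry age alone does not
    decide the status (OK, Warning and Critical depend on other checks)."""
    if not 2 <= offline_days <= 29:
        raise ValueError("offline threshold must be within 2-29 days")
    gap = now - last_telemetry
    absent_after = ABSENT_AFTER_VDI if is_vdi else ABSENT_AFTER_PHYSICAL
    if gap > absent_after:  # assumption: Absent takes precedence over Offline
        return "Absent"
    # Offline is not applicable to VDI assets (temporary virtual machines).
    if not is_vdi and gap > timedelta(days=offline_days):
        return "Offline"
    return None


def silent_assets(inventory, now, offline_days=OFFLINE_DEFAULT_DAYS):
    """Return (name, status, gap) for Offline/Absent assets, longest gap first."""
    flagged = []
    for asset in inventory:
        gap = now - asset["last_telemetry"]
        status = telemetry_gap_status(asset["last_telemetry"], now,
                                      asset["is_vdi"], offline_days)
        if status:
            flagged.append((asset["name"], status, gap))
    return sorted(flagged, key=lambda row: row[2], reverse=True)


# Constructed sample inventory; field names are hypothetical, not export columns.
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "ws-001", "is_vdi": False, "last_telemetry": NOW - timedelta(days=1)},
    {"name": "ws-002", "is_vdi": False, "last_telemetry": NOW - timedelta(days=8)},
    {"name": "srv-003", "is_vdi": False, "last_telemetry": NOW - timedelta(days=45)},
    {"name": "vdi-004", "is_vdi": True, "last_telemetry": NOW - timedelta(hours=30)},
    {"name": "vdi-005", "is_vdi": True, "last_telemetry": NOW - timedelta(hours=6)},
]

if __name__ == "__main__":
    for name, status, gap in silent_assets(SAMPLE, NOW):
        print(f"{name:8} {status:8} no telemetry for {gap}")
```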
A unique identifier of an asset. An asset ID is generated automatically by Kaspersky Managed Detection and Response before the asset sends telemetry for the first time.
Number of days since the asset was last seen in Console.
Assets are sorted according to this attribute, in descending order.
By default, assets that were seen in the last 30 days are shown. You can extend the time range by filtering assets.
Use the following sorting and filtering options to work with this list:
Click any column header to sort the list by the selected column values.
Click the Status column, and then select the required statuses. The list will be filtered to show only the assets with the selected statuses.
Click the filter icon, and then select the time period to view only those assets that were last seen during the selected time period. You can also specify a custom time period.
Click the export icon above the asset list to export the list to a CSV file.
Use the Search field to search for assets by name.
Statuses of the assets that never sent telemetry
This feature works properly in Kaspersky Security Center 15.1 Windows and later versions, Kaspersky Security Center 15.1 Linux and later versions, and Kaspersky Security Center Cloud Console.
To view the assets that never sent telemetry:
In the MDR section of Kaspersky Security Center, navigate to the MDR Health tab.
Select the Malfunctioning assets tab.
The console displays a list of the assets that have been added to Kaspersky Security Center, but never sent telemetry to Kaspersky Managed Detection and Response.
The following details are displayed for each asset:
The MDR component of an EPP application installed on an asset can have one of the following statuses:
Unknown—Unlike other statuses, the Unknown status is not sent by applications. This option shows that the applications have no information about the selected component status. For example, this can happen when the selected component does not belong to any of the applications installed on the device, or when the device is turned off.
Stopped—The component is disabled and not working at the moment.
Paused—The component is suspended, for example, after the user has paused protection in the managed application.
Starting—The component is currently in the process of initialization.
Running—The component is enabled and working properly.
Failed—An error has occurred during the component operation.
Not installed—The user did not select the component for installation when configuring custom installation of the application.
No license—The license that covers the MDR functionality is missing or expired.
A list of EPP application components critical for MDR operation. Each component has a color indication depending on the component status:
Yellow indication is used when the component has one of the following statuses: Paused, Starting, or Unknown.
Red indication is used when the component has one of the following statuses: Stopped, Failed, No license, or Not installed.
Also, the Self-Defense feature is listed along with the EPP application components. If this feature is disabled, it has red indication too.
The components that have the Running status are not listed in the table and have no indication.
To view the complete list of components, including those not critical for MDR operation, click the asset name. The components and their statuses will be displayed in the asset details window.
If necessary, you can filter the assets by MDR status. To do so, click the filter icon, and then select the required MDR statuses. The console will display only those assets on which the MDR component has one of the selected MDR statuses. Alternatively, select one of the following options:
Installed and activated—The list will be filtered to display the assets that have one of the following MDR statuses: Unknown, Stopped, Paused, Starting, Running, or Failed.
License is missing or expired—The list will be filtered to display the assets that have the No license MDR status.
If necessary, click the Export button to export the asset list to a CSV file.