Response types

Expand all | Collapse all

MDR SOC analysts examine incidents and create responses that you can either accept or reject. This is the default way of how incidents are handled in Kaspersky Managed Detection and Response.

However, you can manually create responses by using the Kaspersky Endpoint Detection and Response Optimum features.

This article only describes the types of SOC analyst responses.

Each response can have a set of parameters that are present on the Responses tab of an incident.

The available response types are:

• Get file

  Copying a file from your infrastructure to Kaspersky SOC. If you accept this response, the specified file will be copied to Kaspersky SOC.

  Note that this response type can obtain files containing personal and/or confidential data.

  The possible parameters are:

  • Infected file path

    The absolute file path. For example, C:\\file.exe.

  • Maximum file size

    The maximum file size, in MB.

    If the infected file exceeds the specified maximum file size, the attempt to accept the response will fail and the response will not be performed, but will appear on the History tab of an incident.

• Isolate

  Isolating the specified asset from the network.

  In case you need to disable network isolation urgently, please contact technical support or write a request on the Communication tab of the incident.

  The possible parameters are:

  • Password for disabling isolation

    The password for disabling isolation. Once technical support receives your request for disabling network isolation, they will send you the procedure with details on using the password.

  • Task ID

    The unique task identifier that is used in conjunction with Password for disabling isolation, for disabling network isolation manually.

  • Password details

    You can check the Password validity by generating a derived key from it and comparing the resulting value with the value in the Derived key parameter.

    • Version

      The numeric version of the password creation rules. A version of 1 means that the following parameters of PBKDF2 are applied for creating a derived key:

      • HMACSHA256 hash algorithm
      • 10,000 iterations
      • Key length of 32 bytes
    • Salt

      The salt in HEX format for obtaining a derived key via PBKDF2.

    • Derived key

      The derived key in HEX format.

  • Asset isolation term

    The time period in seconds after which isolation will be disabled automatically. If there is no custom time period specified, the default time period of seven days is applied. Maximum value is 2,678,400 seconds.

  • Exclusion rules

    Array of rules with the custom ports, protocols, IP addresses, and processes that isolation is not applied to.

    • Direction

      The traffic direction. The possible values are: Inbound, Outbound, Both.

    • Protocol

      The protocol number according to the IANA specification.

      The possible values are:

      • 1 (ICMP)
      • 6 (TCP)
      • 17 (UDP)
      • 58 (IPv6-ICMP)
    • Remote port range

      The range of remote ports specified in the nested From and To fields.

    • Remote IPv4 address

      The remote IPv4 address or subnet mask.

    • Remote IPv6 address

      The remote IPv6 address or subnet mask.

    • Local port range

      The range of local ports specified in the nested From and To fields.

    • Local IPv4 address

      The local IPv4 address or subnet mask.

    • Local IPv6 address

      The local IPv6 address or subnet mask.

    • Process

      The path to the process image specified in the nested Image → Path field.

• Disable isolation

  Disable network isolation of the specified asset.

• Delete registry key

  Delete a registry key or a registry branch on the specified asset.

  The possible parameters are:

  • Key

    The absolute key path, which starts with HKEY_LOCAL_MACHINE or HKEY_USERS. For example, HKEY_LOCAL_MACHINE\\SYSTEM\\WebClient.

    If the key is a symbolic link, only this key will be deleted while the link's target key will remain intact.

  • Value

    The key value.

    If this parameter is not specified, the key will be deleted recursively. During recursive deleting, each subkey that is a symbolic link will be deleted while its target key will remain intact.

    If the key value is an empty string, the default value will be deleted.

• Memory dump

  Creating a memory dump and sending it to Kaspersky SOC.

  The possible parameters are:

  • Dump type

    A memory dump can be one of two types:

    • Full memory dump

      A dump of the entire memory of an asset.

    • Process dump

      A dump of a specified process.

  • Maximum file size

    The maximum file size for the dump in ZIP format, in MB. The default value is 100 MB.

  • Process

    The process ID and image details.

    • Image
      • Path

        The absolute file path. For example, %systemroot%\\system32\\svchost.exe.

      • SHA-256

        The SHA256 checksum in HEX format.

      • MD5

        The MD5 checksum in HEX format.

    • Unique ID

      The unique process identifier.

  • Process count limit

    The maximum number of processes that can be contained within the dump file.

• Terminate process

  Terminate a process on the specified asset with Kaspersky Endpoint Security for Windows. The process to be terminated can be specified by its name or process identifier (PID).

See also: Using Kaspersky Endpoint Detection and Response Optimum features

Page top