Kaspersky Managed Detection and Response
Response types
MDR SOC analysts examine incidents and create responses that you can either accept or reject. This is the default way incidents are handled in Kaspersky Managed Detection and Response.
However, you can also create responses manually by using the Kaspersky Endpoint Detection and Response Optimum features.
This article only describes the types of SOC analyst responses.
Each response can have a set of parameters that are shown on the Responses tab of an incident.
The available response types are:
- Get file
  Copying a file from your infrastructure to Kaspersky SOC. If you accept this response, the specified file will be copied to Kaspersky SOC.
  Note that this response type can obtain files containing personal and/or confidential data.
  The possible parameters are:
  - Infected file path
    The absolute file path. For example, C:\file.exe.
  - Maximum file size
    The maximum file size, in MB.
    If the infected file exceeds the specified maximum file size, the attempt to accept the response will fail and the response will not be performed, but will appear on the History tab of an incident.
- Isolate
  Isolating the specified asset from the network.
  In case you need to disable network isolation urgently, please contact technical support or write a request on the Communication tab of the incident.
  The possible parameters are:
  - Password for disabling isolation
    The password for disabling isolation. Once technical support receives your request for disabling network isolation, they will send you the procedure with details on using the password.
  - Task ID
    The unique task identifier that is used in conjunction with Password for disabling isolation, for disabling network isolation manually.
  - Password details
    You can check the Password validity by generating a derived key from it and comparing the resulting value with the value in the Derived key parameter.
    - Version
      The numeric version of the password creation rules. A version of 1 means that the following parameters of PBKDF2 are applied for creating a derived key:
      - HMACSHA256 hash algorithm
      - 10,000 iterations
      - Key length of 32 bytes
    - Salt
      The salt in HEX format for obtaining a derived key via PBKDF2.
    - Derived key
      The derived key in HEX format.
  - Asset isolation term
    The time period in seconds after which isolation will be disabled automatically. If there is no custom time period specified, the default time period of seven days is applied. Maximum value is 2,678,400 seconds.
  - Exclusion rules
    Array of rules with the custom ports, protocols, IP addresses, and processes that isolation is not applied to.
    - Direction
      The traffic direction. The possible values are: Inbound, Outbound, Both.
    - Protocol
      The protocol number according to the IANA specification.
      The possible values are:
      - 1 (ICMP)
      - 6 (TCP)
      - 17 (UDP)
      - 58 (IPv6-ICMP)
    - Remote port range
      The range of remote ports specified in the nested From and To fields.
    - Remote IPv4 address
      The remote IPv4 address or subnet mask.
    - Remote IPv6 address
      The remote IPv6 address or subnet mask.
    - Local port range
      The range of local ports specified in the nested From and To fields.
    - Local IPv4 address
      The local IPv4 address or subnet mask.
    - Local IPv6 address
      The local IPv6 address or subnet mask.
    - Process
      The path to the process image specified in the nested Image → Path field.
- Disable isolation
  Disable network isolation of the specified asset.
- Delete registry key
  Delete a registry key or a registry branch on the specified asset.
  The possible parameters are:
  - Key
    The absolute key path, which starts with HKEY_LOCAL_MACHINE or HKEY_USERS. For example, HKEY_LOCAL_MACHINE\SYSTEM\WebClient.
    If the key is a symbolic link, only this key will be deleted while the link's target key will remain intact.
  - Value
    The key value.
    If this parameter is not specified, the key will be deleted recursively. During recursive deleting, each subkey that is a symbolic link will be deleted while its target key will remain intact.
    If the key value is an empty string, the default value will be deleted.
- Memory dump
  Creating a memory dump and sending it to Kaspersky SOC.
  The possible parameters are:
  - Dump type
    A memory dump can be one of two types:
    - Full memory dump
      A dump of the entire memory of an asset.
    - Process dump
      A dump of a specified process.
  - Maximum file size
    The maximum file size for the dump in ZIP format, in MB. The default value is 100 MB.
  - Process
    The process ID and image details.
    - Image
      - Path
        The absolute file path. For example, %systemroot%\system32\svchost.exe.
      - SHA-256
        The SHA256 checksum in HEX format.
      - MD5
        The MD5 checksum in HEX format.
    - Unique ID
      The unique process identifier.
  - Process count limit
    The maximum number of processes that can be contained within the dump file.
- Terminate process
  Terminate a process on the specified asset with Kaspersky Endpoint Security for Windows. The process to be terminated can be specified by its name or process identifier (PID).
- Run script
  Run a script on the specified asset with Kaspersky Endpoint Security for Windows.
  For this response to work, the PowerShell component must be installed on the asset. You can view the script to be run and its description in MDR Web Console.
- Put file in quarantine
  Places a potentially dangerous file in a special local storage. The files in this storage are stored encrypted and do not threaten the security of the device. The confirmation request specifies the asset, the path to the file and the hash of the file (MD5 or SHA256).
- Restore file from quarantine
  Restores the previously quarantined file to its original location. If there is a file with the same name in the original location, restoring is not performed.
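As an added example (not Kaspersky's own code) of the Password details check described under the Isolate response above: the key is derived with the Version 1 PBKDF2 parameters (HMAC-SHA256, 10,000 iterations, 32 bytes) and compared with the Derived key value. The dictionary keys, the sample password and the salt are constructed for this illustration and are not the product's format.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 parameters defined by the Version 1 password creation rules:
# HMAC-SHA256, 10,000 iterations, 32-byte derived key.
PASSWORD_RULES = {1: {"hash_name": "sha256", "iterations": 10_000, "dklen": 32}}


def derive_key(password: str, salt_hex: str, version: int = 1) -> str:
    """Return the PBKDF2 derived key, HEX-encoded, for a password and a HEX salt."""
    if version not in PASSWORD_RULES:
        raise ValueError(f"unsupported password rules version: {version}")
    rules = PASSWORD_RULES[version]
    derived = hashlib.pbkdf2_hmac(
        rules["hash_name"],
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        rules["iterations"],
        dklen=rules["dklen"],
    )
    return derived.hex()


def password_matches(password: str, details: dict) -> bool:
    """Check a password against the Version, Salt and Derived key parameters.

    `details` mirrors the Password details parameter group; its dictionary
    keys are an assumption made for this example, not the product's format.
    """
    actual = derive_key(password, details["salt"], details["version"])
    # Constant-time comparison so the check does not leak how many digits matched.
    return hmac.compare_digest(actual, details["derived_key"].lower())


def make_password_details(password: str, salt: Optional[bytes] = None) -> dict:
    """Constructed sample data: build a Version 1 parameter set for a password."""
    salt = os.urandom(16) if salt is None else salt
    return {
        "version": 1,
        "salt": salt.hex(),
        "derived_key": derive_key(password, salt.hex(), 1),
    }


if __name__ == "__main__":
    sample = make_password_details("constructed-sample-password")
    print("valid password accepted:", password_matches("constructed-sample-password", sample))
    print("wrong password rejected:", not password_matches("wrong-password", sample))
```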
See also: Using Kaspersky Endpoint Detection and Response Optimum features