MDR SOC analysts examine incidents and create responses that you can either accept or reject. This is the default way incidents are handled in Kaspersky Managed Detection and Response.
You can also create responses manually by using the Kaspersky Endpoint Detection and Response Optimum features.
This article describes only the types of responses created by SOC analysts.
Each response can have a set of parameters, which are shown on the Responses tab of the incident.
The available response types are:
Copying a file from your infrastructure to Kaspersky SOC. If you accept this response, the specified file will be copied to Kaspersky SOC.
Note that this response type can obtain files containing personal and/or confidential data.
The possible parameters are:
The absolute file path. For example, C:\file.exe.
The maximum file size, in MB.
If the file exceeds the specified maximum size, accepting the response fails and the response is not performed, but it still appears on the History tab of the incident.
Isolating the specified asset from the network.
If you need to disable network isolation urgently, contact technical support or submit a request on the Communication tab of the incident.
The possible parameters are:
The password for disabling isolation. Once technical support receives your request for disabling network isolation, they will send you the procedure with details on using the password.
The unique task identifier, used together with the password for disabling isolation when network isolation is disabled manually.
You can check the password's validity by deriving a key from it and comparing the result with the value in the Derived key parameter.
The numeric version of the password creation rules. A version of 1 means that the derived key is created with PBKDF2 using the following parameters:
The salt in HEX format for obtaining a derived key via PBKDF2.
The derived key in HEX format.
The time period in seconds after which isolation is disabled automatically. If no custom time period is specified, the default of seven days is applied. The maximum value is 2,678,400 seconds (31 days).
An array of exclusion rules: the ports, protocols, IP addresses, and processes to which isolation is not applied. Each rule can contain the following fields:
The traffic direction. The possible values are: Inbound, Outbound, Both.
The protocol number according to the IANA specification.
The possible values are:
The range of remote ports specified in the nested From and To fields.
The remote IPv4 address or subnet.
The remote IPv6 address or subnet.
The range of local ports specified in the nested From and To fields.
The local IPv4 address or subnet.
The local IPv6 address or subnet.
The path to the process image specified in the nested Image → Path field.
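The following script is an added example, not part of this article or of Kaspersky's software, showing how the derived-key check described above can be performed: the password is run through PBKDF2 with the salt from the incident and the result is compared with the Derived key parameter. This page does not state the hash function, iteration count or key length used for password-rule version 1, so the values in VERSION_PARAMS are assumed placeholders that you must replace with the ones shown on the Responses tab; the salt and password below are constructed for illustration only.

```python
import hashlib
import hmac

# ASSUMED placeholders for password-rule version 1. The article only lists the
# salt and the derived key; take the real hash name, iteration count and key
# length from the incident's Responses tab before relying on this check.
VERSION_PARAMS = {
    1: {"hash_name": "sha256", "iterations": 100_000, "key_len": 32},
}


def _pbkdf2(password: str, salt: bytes, version: int) -> bytes:
    """Run PBKDF2 with the parameters registered for the given rule version."""
    if version not in VERSION_PARAMS:
        raise ValueError(f"unsupported password creation rules version: {version}")
    p = VERSION_PARAMS[version]
    return hashlib.pbkdf2_hmac(
        p["hash_name"], password.encode("utf-8"), salt, p["iterations"], p["key_len"]
    )


def derive_key_hex(password: str, salt_hex: str, version: int = 1) -> str:
    """Derive a key from the password and the HEX salt; returns lowercase HEX."""
    return _pbkdf2(password, bytes.fromhex(salt_hex), version).hex()


def password_matches(password: str, salt_hex: str, derived_key_hex: str, version: int = 1) -> bool:
    """True if the password reproduces the Derived key parameter.

    HEX case differences are tolerated. A malformed HEX string in the salt or
    derived key is reported as a mismatch rather than an exception, while an
    unknown rules version is an error, since no comparison is meaningful then.
    """
    if version not in VERSION_PARAMS:
        raise ValueError(f"unsupported password creation rules version: {version}")
    try:
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(derived_key_hex)
    except ValueError:
        return False
    actual = _pbkdf2(password, salt, version)
    # Constant-time comparison; differing lengths simply compare unequal.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed demo values, not taken from a real incident.
    salt_hex = "5a1b9c0d3e4f60718293a4b5c6d7e8f9"
    password = "correct horse battery staple"
    derived_key_hex = derive_key_hex(password, salt_hex)
    print("derived key:", derived_key_hex)
    print("matches:", password_matches(password, salt_hex, derived_key_hex))
    print("wrong password matches:", password_matches("wrong", salt_hex, derived_key_hex))
```

Paste the Salt and Derived key values from the Responses tab into the two HEX arguments; if the function returns False with the correct PBKDF2 parameters, the password you were given does not belong to that isolation task.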
Disabling network isolation of the specified asset.
Deleting a registry key or a registry branch on the specified asset.
The possible parameters are:
The absolute key path, which starts with HKEY_LOCAL_MACHINE or HKEY_USERS. For example, HKEY_LOCAL_MACHINE\SYSTEM\WebClient.
If the key is a symbolic link, only this key will be deleted while the link's target key will remain intact.
The name of the value to delete within the key.
If this parameter is not specified, the key is deleted recursively. During recursive deletion, each subkey that is a symbolic link is deleted while its target key remains intact.
If this parameter is an empty string, the key's default value (shown as (Default) in Registry Editor) is deleted.
Creating a memory dump and sending it to Kaspersky SOC.
The possible parameters are:
A memory dump can be one of two types:
A dump of the entire memory of an asset.
A dump of a specified process.
The maximum file size for the dump in ZIP format, in MB. The default value is 100 MB.
The process ID and image details.
The absolute file path. For example, %systemroot%\system32\svchost.exe.
The SHA256 checksum in HEX format.
The MD5 checksum in HEX format.
The unique process identifier.
The maximum number of processes that can be contained within the dump file.
Terminating a process on the specified asset with Kaspersky Endpoint Security for Windows. The process to be terminated can be specified by its name or process identifier (PID).
Running a script on the specified asset with Kaspersky Endpoint Security for Windows.
For this response to work, the PowerShell component must be installed on the asset. You can view the script to be run and its description in MDR Web Console.
Quarantining a file: places a potentially dangerous file in a special local storage. Files in this storage are kept encrypted and do not threaten the security of the device. The confirmation request specifies the asset, the path to the file, and the hash of the file (MD5 or SHA256).
Restoring a quarantined file: restores the previously quarantined file to its original location. If a file with the same name already exists in the original location, the file is not restored.
See also: Using Kaspersky Endpoint Detection and Response Optimum features