Kaspersky Managed Detection and Response
- Kaspersky Managed Detection and Response Help
Deployment by using Kaspersky Security Center Web Console
Prerequisites
- Your IT infrastructure meets the hardware and software requirements of Kaspersky Managed Detection and Response.
- Outgoing non-SSL traffic on ports 443 and 1443 is allowed from each asset that you want to protect, and traffic inspection is disabled for these ports. These ports are used for transferring telemetry data from the assets to the following Kaspersky servers:
- *.ksn.kaspersky-labs.com
- ksn-*.kaspersky-labs.com
- ds.kaspersky.com
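The prerequisite above is the one that most often fails silently after deployment, so it is worth checking from an asset before rolling out the agents. The following PowerShell script is an added example (not part of the Kaspersky help page) that performs a plain TCP connect with a timeout to each telemetry server on ports 443 and 1443. The wildcard names `*.ksn.kaspersky-labs.com` and `ksn-*.kaspersky-labs.com` cannot be resolved literally, so the concrete KSN hostnames must come from your own KSN configuration; the two entries marked as placeholders are assumptions to be replaced.

```powershell
# Added example: verify that this asset can reach the MDR telemetry servers
# on TCP 443 and 1443. Not part of the Kaspersky help page.
# Placeholder hostnames (assumption): replace with the KSN hostnames from
# your KSN configuration file.
$Targets = @(
    'ds.kaspersky.com',
    'PLACEHOLDER-1.ksn.kaspersky-labs.com',   # placeholder, replace
    'ksn-PLACEHOLDER-2.kaspersky-labs.com'    # placeholder, replace
)
$Ports = @(443, 1443)

function Test-MdrEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 5000
    )
    # The telemetry channel is not TLS, so a successful socket-level connect
    # is exactly what the prerequisite asks for; a timeout usually means a
    # perimeter rule or proxy is blocking the port.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return [pscustomobject]@{ Host = $HostName; Port = $Port; Reachable = $false; Detail = 'timeout' }
        }
        $client.EndConnect($async)
        return [pscustomobject]@{ Host = $HostName; Port = $Port; Reachable = $true; Detail = 'connected' }
    } catch {
        # DNS failures and connection refusals land here with the .NET message
        return [pscustomobject]@{ Host = $HostName; Port = $Port; Reachable = $false; Detail = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

$results = foreach ($h in $Targets) {
    foreach ($p in $Ports) { Test-MdrEndpoint -HostName $h -Port $p }
}
$results | Format-Table -AutoSize

# Any failed row must be fixed before telemetry (and therefore the MDR
# service) can work from this asset.
if ($results | Where-Object { -not $_.Reachable }) {
    Write-Warning 'One or more MDR telemetry endpoints are not reachable from this asset.'
}
```

Run the script on a representative asset in each network segment; a segment whose assets all show `timeout` for port 1443 while 443 connects is the typical sign of a firewall that only opens the standard HTTPS port.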
Deployment of Kaspersky Managed Detection and Response by using Kaspersky Security Center Web Console proceeds in stages:
- Installing MDR Plug-in
Download and configure MDR Plug-in for managing the solution in Kaspersky Security Center Web Console.
- Activation of the solution
Activate the Kaspersky Managed Detection and Response solution with your license.
- Downloading the MDR configuration file
Download the MDR configuration file for your organization or download separate archives for every tenant from the Tenants section of MDR Web Console or by using MDR Plug-in in Kaspersky Security Center Web Console.
Starting from Kaspersky Endpoint Security for Windows 12.6, if you have only the root tenant and you are not using the MDR solution together with Kaspersky Endpoint Detection and Response Optimum, you do not need to download the MDR configuration file. Refer to the instructions provided for Kaspersky Endpoint Security for Windows at stage 5.
- Installing EPP applications
Ensure that you have installed the EPP applications that support Kaspersky Managed Detection and Response functionality on your assets.
- Integration with EPP applications
Perform the application-specific deployment scenarios for all the Kaspersky applications installed on your assets:
- Kaspersky Endpoint Security for Windows
Deployment depends on the version of Kaspersky Endpoint Security for Windows that is installed on your assets. If you have more than one version of Kaspersky Endpoint Security for Windows installed in your infrastructure, you can perform the scenarios for these versions in any order:
Kaspersky Endpoint Security for Windows 12.6 and later with only the root tenant and without Kaspersky Endpoint Detection and Response Optimum
If you have only the root tenant, you can skip downloading the MDR configuration file and add and deploy your license key directly in Kaspersky Security Center.
To deploy Kaspersky Managed Detection and Response on Kaspersky Endpoint Security for Windows 12.6 and later:
- Ensure that all your assets belong to the root tenant.
- Check whether Kaspersky Endpoint Security for Windows on all the assets is updated to version 12.6 or later.
- Ensure that the Kaspersky Managed Detection and Response component is enabled in Kaspersky Endpoint Security for Windows on all the assets.
- Add a license key to the license key repository in Kaspersky Security Center.
- Deploy the license key to the assets automatically or by using the Add license key task.
For details about simultaneous use of MDR and EDR Optimum solutions refer to Kaspersky Endpoint Security for Windows help.
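Step 2 of the scenario above asks you to confirm that every asset runs Kaspersky Endpoint Security for Windows 12.6 or later before relying on the license-key-only deployment. The following PowerShell script is an added example (not part of the Kaspersky help page or of the product) that reads the standard Windows Uninstall registry keys on an asset and compares the installed version against 12.6. The `DisplayName` match pattern `Kaspersky Endpoint Security*` is an assumption; adjust it if the product name registered on your assets differs.

```powershell
# Added example: check whether Kaspersky Endpoint Security for Windows on this
# asset is at least version 12.6. Not part of the Kaspersky help page.
$Required = [version]'12.6'

# Both native and WOW6432Node Uninstall hives, so 32-bit and 64-bit entries are seen.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-KesVersion {
    # Returns the highest installed KES for Windows version as [version],
    # or $null when no matching Uninstall entry exists.
    # The DisplayName pattern is an assumption about the registered product name.
    $entries = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Kaspersky Endpoint Security*' -and $_.DisplayVersion }
    if (-not $entries) { return $null }

    # DisplayVersion may carry a build suffix (for example 12.6.0.438);
    # [version] accepts two to four dot-separated numbers and is compared numerically,
    # so 12.10 correctly sorts above 12.6 (a plain string compare would not).
    $versions = foreach ($e in $entries) {
        try { [version]$e.DisplayVersion } catch { }
    }
    return ($versions | Sort-Object -Descending | Select-Object -First 1)
}

$kes = Get-KesVersion
if ($null -eq $kes) {
    Write-Output "$env:COMPUTERNAME: Kaspersky Endpoint Security for Windows not found in the Uninstall registry keys"
} elseif ($kes -lt $Required) {
    Write-Output "$env:COMPUTERNAME: installed version $kes is older than $Required; update before using the license-key-only deployment"
} else {
    Write-Output "$env:COMPUTERNAME: installed version $kes meets the $Required requirement"
}
```

Because the script only reads `HKLM`, it runs under a normal administrative session and can be pushed to all assets with your usual remote-execution tooling; collect the one-line outputs centrally to find the assets that still need the 11.x to 12.6 update.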
Kaspersky Endpoint Security for Windows 11.6–12.5 and later, with several tenants
If you are switching to the built-in MDR functionality of Kaspersky Endpoint Security for Windows after previously using it through Kaspersky Endpoint Agent, first configure the integration with Kaspersky Managed Detection and Response in the Kaspersky Endpoint Security for Windows policy for all assets with Kaspersky Endpoint Security for Windows 11.6 and later, and only then disable Kaspersky Managed Detection and Response in the Kaspersky Endpoint Agent policy.
Note that if the same policy is also applied to assets with Kaspersky Endpoint Security for Windows 11.5 and earlier, it is necessary to create and configure a separate policy for these assets first, to maintain their integration with Kaspersky Managed Detection and Response via the Kaspersky Endpoint Agent policy.
Kaspersky Endpoint Security for Windows 11.0–11.5
- Create an Install application remotely task in Kaspersky Security Center. In the Select the distribution package for installation window, choose the BAT file from the MDR configuration file.
- Run the task manually or wait for it to launch according to the schedule you specified in the task settings.
Make sure that the task is performed on all of your assets.
- Configure Kaspersky Endpoint Security for Windows on your assets.
The following components must be enabled:
- Kaspersky Security Network
In the Kaspersky Security Network settings, select the Enable Extended KSN mode check box.
- Behavior Detection
Enabling these components is mandatory. Otherwise, Kaspersky Managed Detection and Response is not operable, as sending telemetry is not possible.
Additionally, Kaspersky Managed Detection and Response can use data from the following components:
- Web Threat Protection
- Mail Threat Protection
- Firewall
Enabling these components is optional. If they are disabled, Kaspersky Managed Detection and Response continues sending telemetry, but with limited data.
- If you have enabled Firewall in Kaspersky Endpoint Security for Windows, create a Firewall rule with the following properties:
- In the Action drop-down list, select the Allow value.
- In the Direction drop-down list, select the Inbound/Outbound value.
- In the Remote addresses and Local addresses drop-down lists, select the Any address value.
Once the rule is created, move it to the top of the rules list.
If you are using Kaspersky Endpoint Detection and Response Optimum
- Ensure that you have installed Kaspersky Endpoint Agent as part of Kaspersky Endpoint Security for Windows.
Kaspersky Endpoint Agent can be installed:
- During the installation of Kaspersky Endpoint Security for Windows.
- After the installation of Kaspersky Endpoint Security for Windows.
- Check whether your Kaspersky Endpoint Agent for Windows version is up to date and, if necessary, update it.
Kaspersky Endpoint Agent 3.10 or later is required for Kaspersky Endpoint Security for Windows 11.5.
- Configure your Kaspersky Endpoint Detection and Response Optimum solution.
- Create a policy for Kaspersky Endpoint Agent.
- Set up integration between Kaspersky Endpoint Agent for Windows and Kaspersky Managed Detection and Response by uploading the BLOB file from the MDR configuration file to the Kaspersky Endpoint Agent policy.
- Configure Kaspersky Endpoint Security for Windows on your assets.
The following components must be enabled:
- Kaspersky Security Network
In the Kaspersky Security Network settings, the Enable Extended KSN mode check box must be selected.
- Behavior Detection
Enabling these components is mandatory. Otherwise, Kaspersky Managed Detection and Response is not operable, as sending telemetry is not possible.
Additionally, Kaspersky Managed Detection and Response can use data from the following components:
- Web Threat Protection
- Mail Threat Protection
- Firewall
Enabling these components is optional. If they are disabled, Kaspersky Managed Detection and Response continues sending telemetry, but with limited data.
- If you have enabled Firewall in Kaspersky Endpoint Security for Windows, create a Firewall rule with the following properties:
- In the Action drop-down list, select the Allow value.
- In the Direction drop-down list, select the Inbound/Outbound value.
- In the Remote addresses and Local addresses drop-down lists, select the Any address value.
Once the rule is created, move it to the top of the rules list.
- Kaspersky Endpoint Security for Linux
- Kaspersky Endpoint Security for Mac
- Kaspersky Security for Windows Server
Deployment depends on the version of Kaspersky Security for Windows Server that is installed on your assets. If you have more than one version of Kaspersky Security for Windows Server installed in your infrastructure, you can perform the scenarios for these versions in any order:
Kaspersky Security for Windows Server 11 and later
- Ensure that you have installed Kaspersky Endpoint Agent for Windows as part of Kaspersky Security for Windows Server.
Kaspersky Endpoint Agent for Windows can be installed:
- During the installation of Kaspersky Security for Windows Server
- After the installation of Kaspersky Security for Windows Server
- Check whether your Kaspersky Endpoint Agent for Windows version is up to date and, if necessary, update it.
- Create a policy for Kaspersky Endpoint Agent for Windows by using Kaspersky Security Center Web Console.
- To set up integration between Kaspersky Endpoint Agent for Windows and Kaspersky Managed Detection and Response, upload the BLOB file from the MDR configuration file to the policy.
- Configure Kaspersky Security for Windows Server on your assets. You can perform each step either locally, in Kaspersky Security for Windows Server on each of your assets, or globally, in Kaspersky Security Center.
- Start the KSN Usage task.
Starting the KSN Usage task enables using Kaspersky Security Network in Kaspersky Security for Windows Server.
In the Data processing window of the KSN Usage task, select all of the check boxes on all tabs.
In the Settings window of the KSN Usage task, on the Task management tab, select the Run by schedule check box. In the Frequency drop-down list, select the At application launch value.
In the KSN Usage subsection, ensure that a closed lock is displayed. The closed lock means the policy sets the specified settings for the assets.
- Start the Traffic Security task.
Starting the Traffic Security task enables the processing of web traffic (including traffic received via email), as well as intercepting and scanning objects transferred through web traffic, in order to detect known computer and other threats on the protected device.
In the Settings window of the Traffic Security task, on the General tab, select the Driver interceptor value from the Task mode drop-down list.
In the Settings window of the Traffic Security task, on the Task management tab, select the Run by schedule check box. In the Frequency drop-down list, select the At application launch value.
In the Traffic Security subsection, ensure that a closed lock is displayed. The closed lock means the policy sets the specified settings for the assets.
- Start the Applications Launch Control task.
Starting the Applications Launch Control task enables the monitoring of users' attempts to start applications, and allows or denies the start of these applications.
In the Settings window of the Applications Launch Control task, on the General tab, select the Monitor loading of DLL modules and Allow applications trusted by KSN check boxes.
In the Settings window of the Applications Launch Control task, on the Task management tab, select the Run by schedule check box. In the Frequency drop-down list, select the At application launch value.
In the Applications Launch Control subsection, ensure that a closed lock is displayed. The closed lock means the policy sets the specified settings for the assets.
Kaspersky Security for Windows Server 10.1.*
- Ensure that you have installed Kaspersky Endpoint Agent for Windows as a stand-alone application.
- Check whether your Kaspersky Endpoint Agent for Windows version is up to date and, if necessary, update it.
- Create a policy for Kaspersky Endpoint Agent for Windows by using Kaspersky Security Center Web Console.
- To set up integration between Kaspersky Endpoint Agent for Windows and Kaspersky Managed Detection and Response, upload the BLOB file from the MDR configuration file to the policy.
- Configure Kaspersky Security for Windows Server on your assets. You can perform each step either locally, in Kaspersky Security for Windows Server on each of your assets, or globally, in Kaspersky Security Center.
- Start the KSN Usage task.
Starting the KSN Usage task enables using Kaspersky Security Network in Kaspersky Security for Windows Server.
In the Data processing window of the KSN Usage task, select all of the check boxes on all tabs.
In the Settings window of the KSN Usage task, on the Task management tab, select the Run by schedule check box. In the Frequency drop-down list, select the At application launch value.
In the KSN Usage subsection, ensure that a closed lock is displayed. The closed lock means the policy sets the specified settings for the assets.
- Start the Traffic Security task.
Starting the Traffic Security task enables the processing of web traffic (including traffic received via email), as well as intercepting and scanning objects transferred through web traffic, in order to detect known computer and other threats on the protected device.
In the Settings window of the Traffic Security task, on the General tab, select the Driver interceptor value from the Task mode drop-down list.
In the Settings window of the Traffic Security task, on the Task management tab, select the Run by schedule check box. In the Frequency drop-down list, select the At application launch value.
In the Traffic Security subsection, ensure that a closed lock is displayed. The closed lock means the policy sets the specified settings for the assets.
- Start the Applications Launch Control task.
Starting the Applications Launch Control task enables the monitoring of users' attempts to start applications, and allows or denies the start of these applications.
In the Settings window of the Applications Launch Control task, on the General tab, select the Monitor loading of DLL modules and Allow applications trusted by KSN check boxes.
In the Settings window of the Applications Launch Control task, on the Task management tab, select the Run by schedule check box. In the Frequency drop-down list, select the At application launch value.
In the Applications Launch Control subsection, ensure that a closed lock is displayed. The closed lock means the policy sets the specified settings for the assets.
- Kaspersky Security for Virtualization 5.2 Light Agent
- If you are using Kaspersky Endpoint Detection and Response Optimum (for Kaspersky Endpoint Security for Windows 11.6 and earlier)
- Ensure that you have installed Kaspersky Endpoint Agent as part of Kaspersky Endpoint Security for Windows.
Kaspersky Endpoint Agent can be installed:
- During the installation of Kaspersky Endpoint Security for Windows.
- After the installation of Kaspersky Endpoint Security for Windows.
- Check whether your Kaspersky Endpoint Agent for Windows version is up to date and, if necessary, update it.
Kaspersky Endpoint Agent 3.10 or later is required for Kaspersky Endpoint Security for Windows 11.5.
- Configure your Kaspersky Endpoint Detection and Response Optimum solution.
- Create a policy for Kaspersky Endpoint Agent.
- Set up integration between Kaspersky Endpoint Agent for Windows and Kaspersky Managed Detection and Response by uploading the BLOB file from the MDR configuration file to the Kaspersky Endpoint Agent policy.
- Configure Kaspersky Endpoint Security for Windows on your assets.
The following components must be enabled:
- Kaspersky Security Network
In the Kaspersky Security Network settings, select the Enable Extended KSN mode check box.
- Behavior Detection
Enabling these components is mandatory. Otherwise, Kaspersky Managed Detection and Response is not operable, as sending telemetry is not possible.
Additionally, Kaspersky Managed Detection and Response can use data from the following components:
- Web Threat Protection
- Mail Threat Protection
- Firewall
Enabling these components is optional. If they are disabled, Kaspersky Managed Detection and Response continues sending telemetry, but with limited data.
- If you have enabled Firewall in Kaspersky Endpoint Security for Windows, create a Firewall rule with the following properties:
- In the Action drop-down list, select the Allow value.
- In the Direction drop-down list, select the Inbound/Outbound value.
- In the Remote addresses and Local addresses drop-down lists, select the Any address value.
Once the rule is created, move it to the top of the rules list.
- Kaspersky Anti-Targeted Attack Platform
Kaspersky Managed Detection and Response allows you to analyze and monitor the data from Kaspersky Anti-Targeted Attack (KATA) Platform.
Integration with Kaspersky Anti-Targeted Attack Platform is not available when using a license key for the Saudi Arabia region.
To configure integration between Kaspersky Managed Detection and Response and Kaspersky Anti-Targeted Attack Platform, you first need to receive an MDR configuration file. For details on how to configure the integration, refer to the Kaspersky Anti-Targeted Attack Platform online help.
Kaspersky Anti-Targeted Attack Platform is not part of Kaspersky Managed Detection and Response. If you want to use Kaspersky Anti-Targeted Attack Platform, you must purchase it separately.
If you have more than one Kaspersky application installed in your infrastructure, you can perform the application-specific scenarios in any order.
If you do not use MDR Plug-in, manually set up Private KSN on your assets by using the KSN configuration file from the MDR configuration file. This step ensures that telemetry is sent to the dedicated servers that comply with GDPR regulations. If you neither set up Private KSN nor use MDR Plug-in for the initial deployment of Kaspersky Managed Detection and Response, your telemetry is not transmitted, and the Kaspersky Managed Detection and Response service is not provided.
You can check the status of your assets by using the MDR Health functionality.