Kaspersky Endpoint Security 12.9 for Windows introduces support for EDR Threat Response actions (EDR responses) using Kaspersky Security Center OpenAPI. That is, you can call OpenAPI methods to automate EDR threat response using Python. You can call these methods when integrated with SIEM solutions. Kaspersky Unified Monitoring and Analysis Platform, the Kaspersky SIEM solution, supports the EDR Threat Response OpenAPI starting with version 3.4.1. For example scripts, please refer to KUMA documentation.
To perform EDR Threat Response actions, you need to create a request and send it using the KSC Open API (the AddIncident method). After the request is processed, a special task is created in the Kaspersky Security Center console.
To create tasks when responding to EDR threats, you must establish a background connection between the Administration Server and Kaspersky Security Center Web Console. The background connection service is available in Kaspersky Security Center Windows 14.2 or later and in Kaspersky Security Center Linux 15.2. Other consoles, including consoles of Kaspersky Detection and Response solutions, are not supported.
For EDR Threat Response, you need to specify the basic request parameters, for example, in JSON format:
- task is the type of the task (see the task types below).
- targetHost is the ID of the computer on which the script must be run. Required argument. The script gets this argument from the event.
- responseEventIncidentArea is the name of the application that ran the script (for example, KUMA). This value is added to the name of the created task.
To configure EDR Threat Response, you need to pass the task settings in JSON format in the "KLINCDT_BODY": json.dumps(data) parameter of the incident. As a result, the application creates the [Response][KUMA] <task type> - <Date> <Time> - <ID> task in the Kaspersky Security Center console.
Connecting to Kaspersky Security Center OpenAPI
As part of EDR Threat Response, the application creates special tasks in the Kaspersky Security Center console. Creating these tasks requires establishing a connection between the computer and Kaspersky Security Center. To achieve this, Kaspersky Security Center connection parameters must be specified in the request.
Kaspersky Security Center connection parameters
Parameter | Type | Description
---|---|---
kscHost | string | Kaspersky Security Center Administration Server address. Required parameter.
kscPort | string | Administration Server connection port. Required parameter. The default value is 13299.
kscCert | string or False | Path to a certificate file for connecting to the Kaspersky Security Center Administration Server. By default, the parameter is set to False, which disables verification of the Administration Server certificate.
kscUser | string | User account name. Required parameter.
kscPassword | string | User account password. Required parameter.
(Parameter names are those used in the example below.)
Example
# KSC connection info
# reads Environment variables by default, change with corresponding values
import datetime
import json

# KlAkOAPI is the Python library for the Kaspersky Security Center Open API
from KlAkOAPI.AdmServer import KlAkAdmServer
from KlAkOAPI.HostGroup import KlAkHostGroup
from KlAkOAPI.Params import paramDateTime

# KSC host, string, required
kscHost = "kscHost"
# KSC port, required, default is "13299"
kscPort = "13299"
# KSC certificate file path, default is False
# (False disables TLS certificate verification; point this at the
# Administration Server certificate in production)
kscCert = False
# KSC user, string, required
kscUser = "kscUser"
# KSC password, string, required
kscPassword = "kscPassword"

server_url = 'https://' + kscHost + ':' + str(kscPort)
server = KlAkAdmServer.Create(
    server_url, kscUser, kscPassword, verify=kscCert)

# task type (see below), target computer and task settings;
# validate(args) is the script's own check of its command-line
# arguments (args.targetHost, task settings) and is not shown here
params = validate(args)
data = {"targetHost": args.targetHost,
        "task": task,
        "params": params,
        "responseEventIncident": True,
        "responseEventIncidentArea": "Kuma"}

# create the incident; KLINCDT_BODY carries the task settings as JSON
oHostGroup = KlAkHostGroup(server)
incdnt = oHostGroup.AddIncident({"KLINCDT_SEVERITY": 2,
                                 "KLINCDT_ADDED": paramDateTime(datetime.datetime.now()),
                                 "KLINCDT_BODY": json.dumps(data),
                                 "KLHST_WKS_HOSTNAME": args.targetHost}).RetVal()
# update the created incident as not handled
oHostGroup.UpdateIncident(incdnt, {"KLINCDT_IS_HANDLED": False,
                                   "KLHST_WKS_HOSTNAME": args.targetHost})
The user account credentials used by these requests are not protected by the application. Therefore, dedicate a separate user account that is used only to perform these actions, and do not grant it any other rights.
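One way to keep the credentials out of the script and to refuse an unverified TLS connection by default, written as an added example (not part of this page or of the KlAkOAPI library). The environment variable names KSC_HOST, KSC_PORT, KSC_CERT, KSC_USER and KSC_PASSWORD are assumptions; the default port 13299 and the meaning of the certificate path follow the connection parameters above. The returned dictionary holds the values that the script above passes to KlAkAdmServer.Create.

```python
"""Load Kaspersky Security Center connection settings from the environment.

Added example; the KSC_* variable names are assumed, not defined by the page.
"""
import os


def load_ksc_config(env=None, allow_insecure=False):
    """Return server_url/user/password/verify for KlAkAdmServer.Create.

    Fails closed: without a certificate path the connection is refused unless
    the caller explicitly opts in, because verify=False lets anyone on the
    path impersonate the Administration Server and capture the credentials.
    """
    env = os.environ if env is None else env

    missing = [k for k in ("KSC_HOST", "KSC_USER", "KSC_PASSWORD") if not env.get(k)]
    if missing:
        raise KeyError("missing KSC settings: " + ", ".join(missing))

    host = env["KSC_HOST"]
    if "/" in host or ":" in host:
        raise ValueError("KSC_HOST must be a host name or address, not a URL")

    port = int(env.get("KSC_PORT", "13299"))   # 13299 is the default Open API port
    if not 0 < port < 65536:
        raise ValueError(f"KSC_PORT out of range: {port}")

    cert = env.get("KSC_CERT")                  # path to the Administration Server certificate
    if cert:
        verify = cert                           # verify the server against this file
    elif allow_insecure:
        verify = False                          # explicit opt-out, for lab use only
    else:
        raise ValueError("KSC_CERT not set; refusing to connect without certificate verification")

    return {
        "server_url": f"https://{host}:{port}",
        "user": env["KSC_USER"],
        "password": env["KSC_PASSWORD"],
        "verify": verify,
    }
```

With this in place the script above becomes `cfg = load_ksc_config()` followed by `KlAkAdmServer.Create(cfg["server_url"], cfg["user"], cfg["password"], verify=cfg["verify"])`, and the password never appears in the source file or in the SIEM's script arguments.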
Get file – getFile
Get file task settings
Parameter | Type | Description
---|---|---
md5hash | string | MD5 hash of the file that you want to get. An empty string if not used.
sha256hash | string | SHA256 hash of the file that you want to get. An empty string if not used.
path | string | Path to the file that you want to get.
Example
type getFile = {
task: 'getFile';
targetHost: string;
params: {
// an empty string or a valid md5 hash of the file
md5hash: string;
// an empty string or a valid sha256 hash of the file
sha256hash: string;
// the path to the file
path: string;
};
responseEventIncidentArea: string;
};
Delete file – deleteFile
Delete file task settings
Parameter | Type | Description
---|---|---
md5hash | string | MD5 hash of the file that you want to delete. An empty string if not used.
sha256hash | string | SHA256 hash of the file that you want to delete. An empty string if not used.
path | string | Path to the file that you want to delete.
searchInSubfolders | boolean | Search for the file that you want to delete in subfolders. Optional parameter.
Example
type deleteFile = {
task: 'deleteFile';
targetHost: string;
params: {
// an empty string or a valid md5 hash of the file
md5hash: string;
// an empty string or a valid sha256 hash of the file
sha256hash: string;
// the path to the file
path: string;
// recursive search for a file (subfolder), optional
searchInSubfolders?: boolean;
};
responseEventIncidentArea: string;
};
Move file to Quarantine – quarantineFile
Move file to Quarantine task settings
Parameter | Type | Description
---|---|---
md5hash | string | MD5 hash of the file that you want to quarantine. An empty string if not used.
sha256hash | string | SHA256 hash of the file that you want to quarantine. An empty string if not used.
path | string | Path to the file that you want to quarantine.
Example
type quarantineFile = {
task: 'quarantineFile';
targetHost: string;
params: {
// an empty string or a valid md5 hash of the file
md5hash: string;
// an empty string or a valid sha256 hash of the file
sha256hash: string;
// the path to the file
path: string;
};
responseEventIncidentArea: string;
};
IOC Scan – iocScan
IOC Scan task settings
Parameter | Type | Description
---|---|---
ioc | string | Path to the ZIP archive with an IOC file that you want to use for scanning (passed in base64 encoding, see the example below).
isolateHost | boolean | Isolate the computer from the network when an indicator of compromise is detected to prevent the threat from spreading.
scanCriticalAreas | boolean | Run the Critical Areas Scan task when an indicator of compromise is detected.
quarantineObject | boolean | Delete the malicious object when an indicator of compromise is detected. Before deleting the object, Kaspersky Endpoint Security creates a backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup copy to Quarantine.
Example
type iocScan = {
task: 'iocScan';
targetHost: string;
params: {
// the path to the zip archive with ioc files in base64 encoding
ioc: string;
// isolation of the computer from the network
isolateHost: boolean;
// critical areas scan
scanCriticalAreas: boolean;
// quarantine the file
quarantineObject: boolean;
};
responseEventIncidentArea: string;
};
Start process – startProcess
Start process task settings
Parameter | Type | Description
---|---|---
executablePath | string | Path to the executable file that is used to start the process.
arguments | string | Additional command line arguments for starting the process. Optional parameter.
workingFolder | string | Path to the working folder of the process. Optional parameter.
Example
type startProcess = {
task: 'startProcess';
targetHost: string;
params: {
// the path to the file
executablePath: string;
// command line arguments, optional
arguments?: string;
// a working folder, optional
workingFolder?: string;
};
responseEventIncidentArea: string;
};
Terminate process – terminateProcess
Terminate process task settings
Parameter | Type | Description
---|---|---
md5hash | string | MD5 hash of the file whose process you want to terminate. An empty string if not used.
sha256hash | string | SHA256 hash of the file whose process you want to terminate. An empty string if not used.
path | string | Path to the file whose process you want to terminate.
caseSensitive | boolean | Case sensitivity when searching for the file.
Example
type terminateProcess = {
task: 'terminateProcess';
targetHost: string;
params: {
// an empty string or a valid md5 hash of the file
md5hash: string;
// an empty string or a valid sha256 hash of the file
sha256hash: string;
// the path to the file
path: string;
// case-sensitive matching of the file name
caseSensitive: boolean;
};
responseEventIncidentArea: string;
};
Computer network isolation – isolateHost
Computer network isolation settings
Parameter | Type | Description
---|---|---
action | number | 0 turns network isolation off, 1 turns network isolation on.
Example
type isolateHost = {
task: 'isolateHost';
targetHost: string;
params: {
// 0 - turning off network isolation, 1 - turning on network isolation
action: number;
};
responseEventIncidentArea: string;
};
Execution prevention – preventExecution
Execution prevention settings
Parameter | Type | Description
---|---|---
hash | string | MD5 hash of the file that you want to prevent from running. Note that the parameter is named hash, not md5hash.
path | string | Path to the file that you want to prevent from running.
caseSensitive | boolean | Case sensitivity when searching for the file.
Example
type preventExecution = {
task: 'preventExecution';
targetHost: string;
params: {
// a valid md5 hash of the file
hash: string;
// the path to the file
path: string;
// case-sensitive matching of the file name
caseSensitive: boolean;
};
responseEventIncidentArea: string;
};
Malware Scan – onDemandScan
Malware Scan task settings
Parameter | Type | Description
---|---|---
enabled | boolean | Enables the scan object.
path | string | Space-delimited list of files and folders for Custom Scan. An empty string for scan scopes other than a folder.
recursive | boolean | Recursive scanning mode.
type | number | Scan scope ID (see the list below).
Scan scope IDs:
ScanObjectType = Enum("ScanObjectType", [ ("SystemMemory", 14), ("StartupObjectsAndRunningProcesses", 15), ("DiskBootSectors", 16), ("SystemBackupStorage", 17), ("Email", 18), ("Folder", 22), ("AllRemovableDrives", 23), ("AllNetworkDrives", 24), ("AllFixedDrives", 25)])
Example
type onDemandScan = {
task: 'onDemandScan';
targetHost: string;
// please note: params is an array of scan objects, not a single object
params: [{
// enabling the scan object
enabled: boolean;
// an empty string or the path to the folder to scan
path: string;
// recursive scan mode
recursive: boolean;
// scan scope ID (see ScanObjectType)
type: number;
}];
responseEventIncidentArea: string;
};
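The task definitions above give the shape of each request body but not the checks a script should run before sending it. The following added example (not code from this page, from KUMA, or from Kaspersky) builds the `data` dictionary for every task type listed above and serializes it for the KLINCDT_BODY parameter. The field names and the ScanObjectType values come from this page; the validation rules are assumptions: hashes must be hex digests of the right length, a file task must carry at least one of hash or path, only the Folder scan scope takes a path, and the `ioc` field is assumed to hold the base64-encoded ZIP archive itself rather than a path to it.

```python
"""Builders and sanity checks for EDR Threat Response request bodies.

Added example. Field names follow the task definitions on this page; the
validation rules and the base64 handling of `ioc` are assumptions.
"""
import base64
import json
import re
from enum import Enum

MD5_RE = re.compile(r"[0-9a-fA-F]{32}")
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")

# Scan scope IDs for onDemandScan, as listed on this page.
ScanObjectType = Enum("ScanObjectType", [
    ("SystemMemory", 14), ("StartupObjectsAndRunningProcesses", 15),
    ("DiskBootSectors", 16), ("SystemBackupStorage", 17), ("Email", 18),
    ("Folder", 22), ("AllRemovableDrives", 23), ("AllNetworkDrives", 24),
    ("AllFixedDrives", 25)])


def _hash(value, pattern, name):
    """Accept an empty string or a well-formed hex digest; normalize to lowercase."""
    if value and not pattern.fullmatch(value):
        raise ValueError(f"{name} must be empty or match {pattern.pattern}")
    return value.lower()


def _envelope(task, target_host, params, area="Kuma"):
    """Common request wrapper; targetHost is required, area lands in the task name."""
    if not target_host:
        raise ValueError("targetHost is required")
    return {"targetHost": target_host, "task": task, "params": params,
            "responseEventIncident": True, "responseEventIncidentArea": area}


def _file_selector(md5hash="", sha256hash="", path=""):
    params = {"md5hash": _hash(md5hash, MD5_RE, "md5hash"),
              "sha256hash": _hash(sha256hash, SHA256_RE, "sha256hash"),
              "path": path}
    if not any(params.values()):   # assumption: nothing to act on otherwise
        raise ValueError("give md5hash, sha256hash or path")
    return params


def get_file(host, **sel):
    return _envelope("getFile", host, _file_selector(**sel))


def quarantine_file(host, **sel):
    return _envelope("quarantineFile", host, _file_selector(**sel))


def delete_file(host, search_in_subfolders=None, **sel):
    params = _file_selector(**sel)
    if search_in_subfolders is not None:          # optional field, omit if unset
        params["searchInSubfolders"] = bool(search_in_subfolders)
    return _envelope("deleteFile", host, params)


def terminate_process(host, case_sensitive=False, **sel):
    return _envelope("terminateProcess", host,
                     dict(_file_selector(**sel), caseSensitive=bool(case_sensitive)))


def prevent_execution(host, md5="", path="", case_sensitive=False):
    # preventExecution takes one MD5 under the key "hash"; there is no sha256hash.
    params = {"hash": _hash(md5, MD5_RE, "hash"), "path": path,
              "caseSensitive": bool(case_sensitive)}
    if not (params["hash"] or path):
        raise ValueError("give hash or path")
    return _envelope("preventExecution", host, params)


def isolate_host(host, enable):
    # action: 1 turns network isolation on, 0 turns it off
    return _envelope("isolateHost", host, {"action": 1 if enable else 0})


def start_process(host, executable_path, arguments=None, working_folder=None):
    if not executable_path:
        raise ValueError("executablePath is required")
    params = {"executablePath": executable_path}
    if arguments is not None:
        params["arguments"] = arguments
    if working_folder is not None:
        params["workingFolder"] = working_folder
    return _envelope("startProcess", host, params)


def ioc_scan(host, zip_bytes, isolate=False, scan_critical_areas=False, quarantine=False):
    # Assumption: "ioc" carries the ZIP archive content, base64-encoded.
    return _envelope("iocScan", host, {
        "ioc": base64.b64encode(zip_bytes).decode("ascii"),
        "isolateHost": bool(isolate), "scanCriticalAreas": bool(scan_critical_areas),
        "quarantineObject": bool(quarantine)})


def on_demand_scan(host, objects):
    """objects: iterable of (scan scope ID, path, recursive); params is an array."""
    params = []
    for scan_type, path, recursive in objects:
        scan_type = ScanObjectType(scan_type)     # rejects unknown IDs
        if (scan_type is ScanObjectType.Folder) != bool(path):   # assumption
            raise ValueError(f"{scan_type.name}: path must be given for Folder only")
        params.append({"enabled": True, "path": path,
                       "recursive": bool(recursive), "type": scan_type.value})
    if not params:
        raise ValueError("nothing to scan")
    return _envelope("onDemandScan", host, params)


def incident_body(data):
    """Serialize for KLINCDT_BODY and check that it round-trips as JSON."""
    body = json.dumps(data, separators=(",", ":"))
    assert json.loads(body) == data
    return body
```

`incident_body(isolate_host("WS-0042", True))` is the string that goes into `"KLINCDT_BODY"` in the AddIncident call above; the hostname passed to the builder is the same value the script puts in `KLHST_WKS_HOSTNAME`. Rejecting malformed hashes and empty selectors here is cheaper than discovering the problem as a failed task in the Kaspersky Security Center console.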