Triggering event response actions

You can trigger response actions on a device by using a registered event that is associated with that device. To trigger a response action, the event must be associated with a device that has the Endpoint Agent software component installed and is prepared to receive data from EPP applications.

When working with events, you can trigger the following response actions:
  • Isolate device from the network.
  • Prevent run.
  • Move to quarantine.

For events that are EDR incidents, you can trigger the Prevent run and Move to quarantine actions both for the threat detection object and for objects specified in other activity events of the File creation or Starting a process type.

To isolate a device associated with an event from the network:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using the Administrator account.
  2. Select the event on the Events and incidents tab in the Events section.

    You can select either an EDR incident or any event associated with the device running the Endpoint Agent software component.

    The details area appears in the right part of the web interface window.

  3. In the details area, open the Threat response drop-down list and select Isolate device from the network.

    A window with a confirmation prompt opens.

  4. In the confirmation window, confirm the start of the response action.

The application will register a new response action. You can view information about this action in the Events section on the Response actions tab.

To prevent execution or move to quarantine a threat detection object:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using the Administrator account.
  2. Select the event on the Events and incidents tab in the Events section.

    You can select an EDR incident if the threat development chain includes an activity event with a threat detection object and the File creation or Starting a process type.

    The details area appears in the right part of the web interface window.

  3. In the details area, open the Threat response drop-down list and select the appropriate item:
    • Prevent run – if you want to prevent execution of the threat detection object.
    • Move to quarantine – if you want to move the threat detection object to quarantine.

    A window with a confirmation prompt opens.

  4. In the confirmation window, confirm the start of the response action.

The application will register a new response action. You can view information about this action in the Events section on the Response actions tab.

To prevent execution or move to quarantine an object specified in any activity event of the File creation or Starting a process type in the threat development chain:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using the Administrator account.
  2. Select the event on the Events and incidents tab in the Events section.

    You can select an EDR incident.

    The details area appears in the right part of the web interface window.

  3. In the details area, go to the All activity events tab and select the appropriate activity event.

    You can select any activity event of the File creation or Starting a process type. The key activity event (the one with a threat detection object) is marked with the Detection icon.

  4. In the activity event details window that opens, click the appropriate button:
    • Prevent run – if you want to prevent execution of the object from the selected activity event.
    • Move to quarantine – if you want to move the object from the selected activity event to quarantine.

    A window with a confirmation prompt opens.

  5. In the confirmation window, confirm the start of the response action.

The application will register a new response action. You can view information about this action in the Events section on the Response actions tab.