You can configure response rules to automatically trigger response actions on Kaspersky Endpoint Detection and Response assets. For example, you can configure automatic asset network isolation.
When creating and editing response rules for Kaspersky Endpoint Detection and Response, you need to define values for the following settings:
When selecting this type of response, you need to define values for the following settings:
If necessary, you can add an exclusion for network isolation.
When adding exclusions to a network isolation rule, Kaspersky Endpoint Detection and Response may incorrectly display the port values in the rule details. This does not affect application performance. For more details on viewing a network isolation rule, please refer to the Kaspersky Anti Targeted Attack Platform Help Guide.
When selecting this type of response, you need to define values for the following settings:
The selected event fields and the values selected in the Event field must be added to the inherited fields of the correlation rule.
At least one of the above fields must be completed.
When selecting this type of response, you need to define values for the following settings:
When a response rule is triggered for users with the General Administrator role, the Run program task will be displayed in the Task manager section of the program web interface. Scheduled task is displayed for this task in the Created column of the task table. You can view task completion results.
All of the listed operations can be performed on assets that have Kaspersky Endpoint Agent for Windows. On assets that have Kaspersky Endpoint Agent for Linux, the program can only be started.
At the software level, the capability to create prevention rules and network isolation rules for assets with Kaspersky Endpoint Agent for Linux is unlimited. KUMA and Kaspersky Endpoint Detection and Response do not provide any notifications about unsuccessful application of these rules.
By default, the number of workers is the same as the number of virtual processors on the server where the service is installed.