Automatic response to security events

Kaspersky NGFW supports scenarios for automatically responding to certain events using Kaspersky Symphony XDR if you have configured integration with KUMA as the SIEM system.

In this case, when security events are logged in Kaspersky NGFW, the following occurs:

1. Kaspersky NGFW sends security events for which logging is enabled to KUMA and then to Kaspersky Symphony XDR.
2. Kaspersky Symphony XDR determines the order of response actions to respond to the received events in one of the following ways:
   • A Kaspersky Symphony XDR user with access to response actions manually initiates response actions to the event.
   • If a response algorithm (playbook) is configued for these events in Kaspersky Symphony XDR, the response actions are performed automatically in response to the event.

   For more information about response actions and playbooks, see the Kaspersky Symphony XDR Help.

3. Kaspersky Symphony XDR sends a sequence of threat response actions to be performed in response to these events to Kaspersky NGFW.
4. Based on the resulting sequence of actions, a security rule is created, which is then applied on the Kaspersky NGFW device.

   The created security rule is applied to all OSMP policies configured for Kaspersky NGFW.

   You can view the created rules in the Application & Services → NGFW → Policy → Security rules section.

   Response actions are considered completed after being written to the OSMP policy.

Kaspersky NGFW supports the following scenarios for responding to security events:

• Blocking the sender by IP address.

  In this case, the following actions are performed on the Kaspersky NGFW device:

  1. Separate blocking rules are created for the source IP address and the destination IP address of the sender. The name of the rule includes the event ID and the source IP address.
  2. The source IP address and the destination IP address of the sender are blocked.
  3. All sessions with these source and destination IP addresses are removed.
• Blocking the recipient by IP address.

  In this case, the following actions are performed on the Kaspersky NGFW device:

  1. Separate blocking rules are created for the source IP address and the destination IP address of the recipient. The name of the rule includes the event ID and the source IP address.
  2. The source IP address and the destination IP address of the recipient are blocked.
  3. All sessions with these source and destination IP addresses are removed.

Page top