Responding through KATA/KEDR

After you configure integration between Kaspersky XDR Expert and Kaspersky Anti Targeted Attack Platform, you can perform response actions on a device or with a file hash in one of the following ways:

From the alert or incident details.
From the device details.
From the event details.
This option is available for the Add prevention rule response action.
From an investigation graph.
This option is available if the investigation graph is built.

You can also configure the response action to run automatically when creating or editing a playbook.

To perform response actions through Kaspersky Anti Targeted Attack Platform, you must have of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst.

To perform a response action through Kaspersky Anti Targeted Attack Platform:

In the main menu, go to the Monitoring & reporting section, and then select the Alerts or Incidents section.
If you want to respond from an investigation graph, select the Incidents section.

If you want to respond from the event details, select the Alerts section.
Click the ID of the required alert or incident.
In the window that opens, do one of the following:
- If you want to respond through the alert or incident details, go to the Assets tab, and then select check box next to the required device.
  You can select several devices, if necessary.
- If you want to respond through the event details, go to the Details tab, select the required file hash, click the Add prevention rule button, and then select the device for which you want to add the prevention rule.
  You can also go to the Observables tab, select check box next to the file hash that you want to block, and then click the Add prevention rule button.
- If you want to respond through the device details, go to the Assets tab, click the name of the required device, and then in the drop-down list, select View properties.
- If you want to respond through an investigation graph, click the View on graph button. In the investigation graph that opens, click the device name to open the device details.
In the Select response actions drop-down list, select the response action that you want to perform:
- Enable network isolation
  If you select this response action for a device on which network isolation is already enabled, the parameters are overwritten with new values.
  
  After you select this response action, you must configure the necessary settings in the window that opens on the right side of the screen.
- Disable network isolation
  You can select this response action for devices on which network isolation is enabled.
- Run executable file
  The executable file is always run on behalf of the system and must be available on the device before you start the response action.
  
  After you select this response action, you must configure the necessary settings in the window that opens on the right side of the screen.
- Add prevention rule
  After you select this response action, you must configure the necessary settings in the window that opens on the right side of the screen.
- Delete prevention rule
  You can select this response action for devices on which the prevention rule was applied.
All of the listed response actions are available on devices that use Kaspersky Endpoint Agent for Windows or Kaspersky Endpoint Security for Windows in the role of the Endpoint Agent component. On devices with Kaspersky Endpoint Agent for Linux and Kaspersky Endpoint Security for Linux, the only available response action is Run executable file.
In the window that opens, set the necessary parameters for the response action you selected at step 4:
- For network isolation
  1. Specify the period of the device isolation and the units.
  2. If you want to add an exception from the network isolation rule, click the Add exclusion button, and then fill in following fields:
    - LabelNetwork traffic direction.
      You can select one of the values:
      
      Inbound
      If you select this direction, you must specify a local ports range in the Start port and End port fields.
      
      Outbound
      If you select this direction, you must specify a remote ports range in the Start port and End port fields.
      
      Inbound/Outbound
      If you select this direction, you can not specify a ports range.
    - Asset IP address.
  3. Click the Enable button.
    The window is closed.
- For running executable file
  1. Fill in the following fields:
    - Path to executable file
    - Command line parameters
    - Working directory
  2. Click the Run button.
    The window is closed.
- For adding prevention rule
  1. Specify a hash of the file that you want to block:
    - SHA256
    - MD5
    If you want to specify more than one hash, click the Add hash button.
  2. Click the Add button.
    The window is closed.

If the response action is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

Page top