Configuring Threat Response actions of Kaspersky Endpoint Agent to respond to threats detected by Kaspersky Sandbox
September 13, 2022
ID 193083
This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.
Kaspersky Endpoint Agent can perform actions in response to threats detected by Kaspersky Sandbox.
You can configure the following types of actions:
- Local – actions to be performed on each device where a threat is detected.
- Group – actions to be performed on all devices of the administration group for which the policy is configured.
Local actions:
- Quarantine and delete.
- Notify device user.
- Run Endpoint Protection Platform scan of critical areas on the device.
Group actions:
- Run IOC Scan on a managed group of devices.
- Quarantine and delete when IOC is found.
- Run Endpoint Protection Platform scan of critical areas on each device where the IOC is found.
To configure group threat response actions, first set up the permissions of the Kaspersky Security Center user accounts that you want to use for managing IOC Scan tasks.
When configuring threat response actions, keep in mind that some of them (Quarantine and delete, and Quarantine and delete when IOC is found) remove the object containing the threat from the workstation where it was detected.