Integration with Kaspersky Managed Detection and Response
December 12, 2023
ID 247439
Integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response (MDR) enables continuous search, detection and elimination of threats aimed at your organization.
When interacting with Kaspersky Managed Detection and Response, Kaspersky Endpoint Security can carry out the following functions:
- Send telemetry data to Kaspersky Managed Detection and Response for threat detection.
- Execute Kaspersky Managed Detection and Response commands for providing security features.
To configure integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response, perform the following actions:
- Make sure File Threat Protection and Behavior Detection tasks have started. Otherwise, the computer's status will be red in Kaspersky Managed Detection and Response. We also recommend to start Web Threat Protection and Network Threat Protection tasks. Otherwise, the computer's status will be red in Kaspersky Managed Detection and Response. See the online help for Kaspersky Managed Detection and Response to learn more about statuses.
- Enable the use of Kaspersky Security Network in the extended mode.
You can enable the use of Kaspersky Security Network using the command line, in the Administration Console, or in Kaspersky Security Center Web Console.
- Configure Kaspersky Private Security Network for sending telemetry using a Kaspersky Security Network configuration file located in the ZIP archive of the MDR configuration file.
You can configure Private KSN only in the Administration Console or in the Kaspersky Security Center Web Console.
- Enable integration with Kaspersky Managed Detection and Response and upload a BLOB configuration file, which is located in the ZIP archive of the MDR configuration file.
It is recommended to configure integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response in the Administration Console or in the Kaspersky Security Center Web Console.
You can also configure integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response and upload a BLOB configuration file from the command line.
To enable integration with Kaspersky Managed Detection and Response, execute the following command:
kesl-control --set-app-settings UseMDR=Yes
To disable integration with Kaspersky Managed Detection and Response, execute the following command:
kesl-control --set-app-settings UseMDR=No
To load the BLOB configuration file, execute the following command:
kesl-control --load-mdr-blob <path to MDR BLOB configuration file>
To remove the BLOB configuration file, execute the following command:
kesl-control --remove-mdr-blob
After enabling integration of Kaspersky Endpoint Security with the Kaspersky Managed Detection and Response solution, a Mdr_Autostart_Scan task is created in the application. If necessary, you can configure a schedule for this task using the command /opt/kaspersky/kesl/bin/kesl-control --set-schedule <task ID|task name> --file <full path to file>, specifying the task name Mdr_Autostart_Scan or the ID assigned to this task by the application.
If Kaspersky Endpoint Security is integrated with Kaspersky Managed Detection and Response, a large number of events can be written to the systemd log. If you want to disable the logging of audit events to the systemd log, disable the systemd-journald-audit socket and restart the operating system.
To disable the systemd-journald-audit socket, run the following commands:
systemctl stop systemd-journald-audit.socket
systemctl disable systemd-journald-audit.socket
systemctl mask systemd-journald-audit.socket
