Integration with Kaspersky Managed Detection and Response
February 8, 2024
ID 221465
Integration between Kaspersky Industrial CyberSecurity for Linux Nodes and Kaspersky Managed Detection and Response (MDR) enables continuous search, detection and elimination of threats aimed at your organization.
When interacting with Kaspersky Managed Detection and Response, Kaspersky Industrial CyberSecurity for Linux Nodes allows you to perform the following actions:
- Send telemetry data to Kaspersky Managed Detection and Response for threat detection.
- Execute Kaspersky Managed Detection and Response commands for providing security features.
To configure integration between Kaspersky Industrial CyberSecurity for Linux Nodes and Kaspersky Managed Detection and Response, perform the following actions:
- Enable use of Kaspersky Security Network and send statistics.
You can enable the use of Kaspersky Security Network using the command line, in the Administration Console, or in Kaspersky Security Center Web Console.
- Configure Private KSN for sending telemetry using a Kaspersky Security Network configuration file located in the ZIP archive of the MDR configuration file.
You can configure Private KSN only in the Administration Console or in the Kaspersky Security Center Web Console.
- Make sure that the Behavior Detection task (ID=20) is running.
- Enable integration with Kaspersky Managed Detection and Response and upload a BLOB configuration file, which is located in the ZIP archive of the MDR configuration file.
It is recommended to configure integration between Kaspersky Industrial CyberSecurity for Linux Nodes and Kaspersky Managed Detection and Response in the Administration Console or in Kaspersky Security Center Web Console.
You can also configure integration between Kaspersky Industrial CyberSecurity for Linux Nodes and Kaspersky Managed Detection and Response and upload a BLOB configuration file from the command line.
To enable integration with Kaspersky Managed Detection and Response, execute the following command:
kics-control --set-app-settings UseMDR=Yes
To disable integration with Kaspersky Managed Detection and Response, execute the following command:
kics-control --set-app-settings UseMDR=No
To load the BLOB configuration file, execute the following command:
kics-control --load-mdr-blob <
path to MDR BLOB configuration file MDR BLOB
>
To remove the BLOB configuration file, execute the following command:
kics-control --remove-mdr-blob
If Kaspersky Industrial CyberSecurity for Linux Nodes is integrated with Kaspersky Managed Detection and Response, a large number of events can be written to the systemd log. If you want to disable the logging of audit events to the systemd log, disable the systemd-journald-audit socket.
To disable the systemd-journald-audit socket, run the following commands:
systemctl stop systemd-journald-audit.socket
systemctl disable systemd-journald-audit.socket
systemctl mask systemd-journald-audit.socket