Kaspersky Managed Detection and Response
Configuring audit settings for work with Kaspersky Managed Detection and Response
We recommend configuring the following audit settings to ensure stable operation and maximize efficiency of Kaspersky Managed Detection and Response:
- Configuring Windows Event Audit Policy
To maximize efficiency of Kaspersky Managed Detection and Response, you need to configure Windows Event Audit Policy on your assets.
To configure Windows Event Audit Policy:
- On your assets running Windows, press Win+R to open the Run window.
- In the Open field, type gpedit.msc, and then press Enter or click OK. The Local Group Policy Editor window appears.
- In the console tree, click Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies - Local Group Policy Object.
- Click the Account Logon node. Set the following values in the right side of the window:
  Subcategory                              | Audit Events
  Audit Credential Validation              | Success and Failure
  Audit Kerberos Authentication Service    | Success and Failure
  Audit Kerberos Service Ticket Operations | Success and Failure
- Click the Account Management node. Set the following values in the right side of the window:
  Subcategory                        | Audit Events
  Audit Computer Account Management  | Success and Failure
  Audit Security Group Management    | Success
  Audit User Account Management      | Success and Failure
- Click the DS Access node. Set the following values in the right side of the window:
  Subcategory                      | Audit Events
  Audit Directory Service Access   | Success and Failure
  Audit Directory Service Changes  | Success and Failure
- Click the Logon/Logoff node. Set the following values in the right side of the window:
  Subcategory            | Audit Events
  Audit Account Lockout  | Failure
  Audit Logon            | Success and Failure
  Audit Special Logon    | Success and Failure
- Click the Object Access node. Set the following values in the right side of the window:
  Subcategory                          | Audit Events
  Audit Certification Services         | Success and Failure
  Audit File Share                     | Success
  Audit Filtering Platform Connection  | Success
  Audit Other Object Access Events     | Success
- Click the Policy Change node. Set the following values in the right side of the window:
  Subcategory                            | Audit Events
  Audit Audit Policy Change              | Success
  Audit MPSSVC Rule-Level Policy Change  | Success
- Click the Privilege Use node. Set the following value in the right side of the window:
  Subcategory                    | Audit Events
  Audit Sensitive Privilege Use  | Success
- Click the System node. Set the following values in the right side of the window:
  Subcategory                      | Audit Events
  Audit Security State Change      | Success
  Audit Security System Extension  | Success
- In the console tree, click Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell. This is a policy setting rather than an audit subcategory; set the following value in the right side of the window:
  Setting                                  | Value
  Turn on PowerShell Script Block Logging  | Enabled
- Close the Local Group Policy Editor window.
All changes are saved automatically.
The Windows Event Audit Policy is now configured for use with Kaspersky Managed Detection and Response.
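The following script is an added example, not part of the Kaspersky help page: it reads the host's effective audit policy back with the built-in auditpol.exe and reports every subcategory that falls short of the values listed above, plus the script block logging policy. It assumes an elevated PowerShell prompt; the subcategory names are auditpol's own (the same names as above without the "Audit " prefix).

```powershell
# Added example (not from the Kaspersky help page): compare the effective audit policy
# on this host against the subcategory settings recommended above.
# Assumes an elevated prompt and the built-in auditpol.exe.
$Expected = @{
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Computer Account Management'        = 'Success and Failure'
    'Security Group Management'          = 'Success'
    'User Account Management'            = 'Success and Failure'
    'Directory Service Access'           = 'Success and Failure'
    'Directory Service Changes'          = 'Success and Failure'
    'Account Lockout'                    = 'Failure'
    'Logon'                              = 'Success and Failure'
    'Special Logon'                      = 'Success and Failure'
    'Certification Services'             = 'Success and Failure'
    'File Share'                         = 'Success'
    'Filtering Platform Connection'      = 'Success'
    'Other Object Access Events'         = 'Success'
    'Audit Policy Change'                = 'Success'
    'MPSSVC Rule-Level Policy Change'    = 'Success'
    'Sensitive Privilege Use'            = 'Success'
    'Security State Change'              = 'Success'
    'Security System Extension'          = 'Success'
}

# A stricter effective setting still satisfies the recommendation:
# "Success and Failure" covers both "Success" and "Failure".
function Test-AuditSetting([string]$Effective, [string]$Required) {
    if ($Effective -eq 'Success and Failure') { return $true }
    return $Effective -eq $Required
}

# auditpol /r emits CSV with the columns Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting; blank lines are dropped first.
$Effective = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv

foreach ($name in ($Expected.Keys | Sort-Object)) {
    $row = $Effective | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
    if (-not (Test-AuditSetting $actual $Expected[$name])) {
        "MISMATCH  $name : expected '$($Expected[$name])', effective '$actual'"
    }
}

# Script block logging is a registry-backed policy, not an audit subcategory.
$sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                        -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) {
    'MISMATCH  PowerShell Script Block Logging: expected Enabled'
}
```

When the policy is applied through a domain GPO rather than the local editor, the effective values reported by auditpol are the ones that matter, so the same check applies on domain-joined assets.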
- Configuring Audit for Active Directory objects
To maximize efficiency of Kaspersky Managed Detection and Response, you need to configure audit on your Windows Domain controllers.
To configure audit for Active Directory objects:
- On your Windows Domain controller, press Win+R to open the Run window.
- In the Open field, type dsa.msc, and then press Enter or click OK. The Active Directory Users and Computers window appears.
- In the console tree, right-click <your domain name>, and then select Find. The Find Users, Contacts, and Groups window appears.
- Enter Administrator in the Name field, and then click Find Now.
- In the Search results area, right-click the Administrator object, select Properties, open the Security tab, click Advanced, and then select the Auditing tab.
- Click Add to open the Auditing Entry for Administrator window. Click Select a principal, enter Everyone, click Check Names, and then click OK.
- In the Auditing Entry for Administrator window, select the List contents, Read permissions, Modify permissions, Modify owner, Read all properties, and Write all properties checkboxes.
- Click OK, then Apply, and then OK.
The audit for the Active Directory object Administrator is now configured for use with Kaspersky Managed Detection and Response.
- Perform the same steps for the following default Active Directory objects, and for your sensitive domain users and groups, that exist and are enabled in your system:
- Administrators
- Allowed RODC Password Replication Group
- Cert Publishers
- Cloneable Domain Controllers
- Denied RODC Password Replication Group
- DnsAdmins
- DnsUpdateProxy
- Domain Admins
- Domain Computers
- Domain Controllers
- Enterprise Admins
- Enterprise Key Admins
- Enterprise Read-only Domain Controllers
- Group Policy Creator Owners
- Key Admins
- krbtgt
- Protected Users
- RAS and IAS Servers
- Read-only Domain Controllers
- Schema Admins
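The following script is an added example, not part of the Kaspersky help page: for each object listed above it reads the object's SACL through the ActiveDirectory module's AD: drive and reports which of the six rights from the procedure are not yet covered by an audit entry for Everyone. It assumes the ActiveDirectory PowerShell module (RSAT) and an account permitted to read SACLs on a domain controller; the mapping from GUI checkbox names to ActiveDirectoryRights flags is spelled out in the code.

```powershell
# Added example (not from the Kaspersky help page): check that every object listed above
# has an audit entry for Everyone covering the rights the procedure asks for.
# Assumes the ActiveDirectory module (RSAT) and rights to read SACLs.
Import-Module ActiveDirectory

$Targets = @(
    'Administrator', 'Administrators', 'Allowed RODC Password Replication Group',
    'Cert Publishers', 'Cloneable Domain Controllers', 'Denied RODC Password Replication Group',
    'DnsAdmins', 'DnsUpdateProxy', 'Domain Admins', 'Domain Computers', 'Domain Controllers',
    'Enterprise Admins', 'Enterprise Key Admins', 'Enterprise Read-only Domain Controllers',
    'Group Policy Creator Owners', 'Key Admins', 'krbtgt', 'Protected Users',
    'RAS and IAS Servers', 'Read-only Domain Controllers', 'Schema Admins'
)

# GUI checkbox -> ActiveDirectoryRights flag: List contents = ListChildren,
# Read permissions = ReadControl, Modify permissions = WriteDacl, Modify owner = WriteOwner,
# Read all properties = ReadProperty, Write all properties = WriteProperty.
$RequiredRights = [System.DirectoryServices.ActiveDirectoryRights] `
    'ListChildren, ReadControl, WriteDacl, WriteOwner, ReadProperty, WriteProperty'

function Get-MissingAuditRights([string]$DistinguishedName) {
    $sacl = (Get-Acl -Path "AD:\$DistinguishedName" -Audit).Audit
    $covered = 0
    foreach ($ace in $sacl) {
        # Compare by SID so a localized "Everyone" (S-1-1-0) still matches.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq 'S-1-1-0') { $covered = $covered -bor [int]$ace.ActiveDirectoryRights }
    }
    # Rights required but not present in any Everyone audit entry; 0 means fully covered.
    return [System.DirectoryServices.ActiveDirectoryRights]([int]$RequiredRights -band (-bnot $covered))
}

foreach ($name in $Targets) {
    # Users (Administrator, krbtgt) and groups are both resolved by sAMAccountName.
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$name'"
    if (-not $obj) { "SKIP       $name (object not found)"; continue }
    $missing = Get-MissingAuditRights $obj.DistinguishedName
    if ([int]$missing -ne 0) { "INCOMPLETE $name : no Everyone audit entry for $missing" }
    else { "OK         $name" }
}
```

Objects reported as SKIP are simply absent from this forest (for example, Enterprise Key Admins and Key Admins only exist at newer schema levels), which matches the "that exist and are enabled" qualifier above.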
- Configuring audit for Active Directory Certificate Services, certificate templates, and certificate objects
To maximize efficiency of Kaspersky Managed Detection and Response, you need to configure audit for the Active Directory Certificate Services service, certificate templates, and objects on the hosts with Active Directory Certificate Services (AD CS) enabled.
To configure audit for the Active Directory Certificate Services service:
- Press Win+R to open the Run window.
- In the Open field, type cmd, and then press Enter or click OK. The Command Prompt window appears.
- To configure audit settings for the Certification Authority, enter the commands below, pressing Enter after each one. The resulting CA audit events are written to the Security log only when the Audit Certification Services subcategory, configured in the Windows Event Audit Policy section above, is enabled.
certutil -setreg CA\AuditFilter 127
certutil -setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD
- To restart the Certificate Services service, enter the command below, and then press Enter:
net stop certsvc && net start certsvc
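The following script is an added example, not part of the Kaspersky help page: it reads the two CA settings back with certutil -getreg and reports whether the audit filter and the template-load audit flag set above are in place. It assumes an elevated prompt on the CA host; the line shapes it parses from certutil's text output are an assumption stated in the comments.

```powershell
# Added example (not from the Kaspersky help page): confirm the CA audit settings
# configured above by reading them back with certutil -getreg.
# Assumes an elevated prompt on the CA host.
function Get-CaAuditFilter {
    $out = certutil -getreg CA\AuditFilter 2>&1 | Out-String
    # Assumed line shape: "  AuditFilter REG_DWORD = 7f (127)"; the hex value is captured.
    if ($out -match 'REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
        return [Convert]::ToInt32($Matches[1], 16)
    }
    return $null
}

function Test-CaTemplateLoadAudit {
    $out = certutil -getreg policy\EditFlags 2>&1 | Out-String
    # certutil lists the symbolic names of the flags that are set, one per line,
    # so the presence of the name is the check.
    return [bool]($out -match 'EDITF_AUDITCERTTEMPLATELOAD')
}

# AuditFilter 127 sets all seven CA audit bits (start/stop, backup/restore,
# issue and manage requests, revoke/publish CRL, change CA security,
# store/retrieve archived keys, change CA configuration).
$filter = Get-CaAuditFilter
if ($filter -ne 127) {
    "MISMATCH  CA\AuditFilter is '$filter', expected 127"
}
if (-not (Test-CaTemplateLoadAudit)) {
    'MISMATCH  EDITF_AUDITCERTTEMPLATELOAD is not set in policy\EditFlags'
}

# The new values take effect only after the certsvc restart in the step above,
# so also confirm the service came back up.
$svc = Get-Service certsvc -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') { 'WARN      certsvc is not running' }
```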
To configure security auditing for certificate templates:
- Press Win+R to open the Run window.
- In the Open field, type adsiedit.msc, and then press Enter or click OK.
- Right-click ADSI Edit, and then select Connect to.
- In the Connection Point section, select the Configuration value in the Select a Well Known Naming Context field.
- Double-click Configuration/Schema in the left pane.
- Select the CN=Configuration,DC=… → CN=Services → CN=Public Key Services → CN=Certificate Templates folder.
- Right-click the CN=Certificate Templates folder, select Properties, and then open the Security tab.
- Click the Advanced button, and then select the Auditing tab.
- Click the Everyone principal, select the Write all properties, Delete, Modify permissions, Modify owner, and All validated writes checkboxes, and then click OK.
To configure security auditing for the NTAuthCertificates object:
- In the Open field, type adsiedit.msc, and then press Enter or click OK.
- Right-click ADSI Edit, and then select Connect to.
- In the Connection Point section, select the Configuration value in the Select a Well Known Naming Context field.
- Double-click Configuration/Schema in the left pane.
- Select the CN=Configuration,DC=… → CN=Services → CN=Public Key Services → CN=NTAuthCertificates folder.
- Right-click the CN=NTAuthCertificates folder, select Properties, and then open the Security tab.
- Click the Advanced button, and then select the Auditing tab.
- Click the Everyone principal, select the Write all properties, Delete, Modify permissions, Modify owner, and All validated writes checkboxes, and then click OK.