Kaspersky Managed Detection and Response

2021 AO Kaspersky Lab

Contents

About Kaspersky Managed Detection and Response
Hardware and software requirements
Architecture of Kaspersky Managed Detection and Response
Application licensing
About the Terms and Conditions
About the End User License Agreement
About the Privacy Policy
About the license
Comparison of commercial license solutions: MDR Optimum and MDR Expert
About the license certificate
About the activation code
About the MDR configuration file
About data provision
Kaspersky Endpoint Agent application data
Service data
Data in Windows Event Log
Providing extended Kaspersky Endpoint Agent diagnostic information to the Technical Support specialists
Data in trace and dump files
Data in trace and dump files of Kaspersky Endpoint Agent for Linux
Collecting information for Technical Support
Trace files content and storage
Dump file content and storage
Activating Kaspersky Managed Detection and Response
Deployment of Kaspersky Managed Detection and Response
Kaspersky Endpoint Security for Windows
Kaspersky Security for Windows Server
Kaspersky Endpoint Security for Linux
Kaspersky Anti-Targeted Attack Platform
Post deployment
Scenario: configuring Kaspersky Endpoint Security for Windows for work with Kaspersky Managed Detection and Response
Scenario: configuring Kaspersky Security for Windows Server for work with Kaspersky Managed Detection and Response
Working with Kaspersky Managed Detection and Response by using MDR Plug-in and MDR Console
Setting up MDR Plug-in
Scenario: configuring MDR Plug-in
Setting access rights
Creating a background connection
Inserting a refresh token
Switching interface languages
Receiving notifications
Receiving summary information
Receiving the affected assets summary in CSV format
Receiving a summary of all assets in CSV format
Receiving an incident summary in PDF format
Receiving all incidents summary in PDF format
Monitoring dashboards
Managing Kaspersky Endpoint Agent for Linux
Hardware and software requirements
Installing and uninstalling Kaspersky Endpoint Agent for Linux
Preparing for Kaspersky Endpoint Agent for Linux installation
Installing Kaspersky Endpoint Agent for Linux using Kaspersky Security Center Web Console
Installing Kaspersky Endpoint Agent Management web plug-in
Adding devices for Kaspersky Endpoint Agent for Linux installation
Creating Kaspersky Endpoint Agent for Linux installation package
Remote Kaspersky Endpoint Agent for Linux installation on the selected devices
Installing Kaspersky Endpoint Agent for Linux using Kaspersky Security Center Administration Console
Installing Kaspersky Endpoint Agent for Linux Management plug-in
Adding devices for Kaspersky Endpoint Agent for Linux installation
Creating Kaspersky Endpoint Agent for Linux installation package
Remote Kaspersky Endpoint Agent for Linux installation on the selected devices
Updating and restoring Kaspersky Endpoint Agent for Linux
Removing Kaspersky Endpoint Agent for Linux
Managing Kaspersky Endpoint Agent for Linux using Kaspersky Security Center Web Console
Managing Kaspersky Endpoint Agent for Linux policies
Creating Kaspersky Endpoint Agent for Linux policy
Enabling settings in Kaspersky Endpoint Agent for Linux policy
Managing database and module update tasks in Kaspersky Endpoint Agent for Linux
Creating Database and application module update task
Configuring Database and application module update task
Managing Kaspersky Endpoint Agent policies using Kaspersky Security Center Administration Console
Creating Kaspersky Endpoint Agent for Linux policy
Enabling settings in Kaspersky Endpoint Agent for Linux policy
Managing Kaspersky Endpoint Agent for Linux using the command line
Managing Kaspersky Endpoint Agent for Windows
Hardware and software requirements
Installing and uninstalling Kaspersky Endpoint Agent
Installing Kaspersky Endpoint Agent
Stand-alone installation of Kaspersky Endpoint Agent
Installing and uninstalling Kaspersky Endpoint Agent locally
Installing Kaspersky Endpoint Agent using the Installation Wizard
Removing Kaspersky Endpoint Agent using the Installation and Uninstallation Wizard
Installing, restoring and uninstalling the application using the command line
Installing Kaspersky Endpoint Agent using Kaspersky Security Center
Creating Kaspersky Endpoint Agent installation package
Creating Kaspersky Endpoint Agent remote installation task
Updating Kaspersky Endpoint Agent from the previous version
Repairing Kaspersky Endpoint Agent
Installing Kaspersky Endpoint Agent administration tools
Installing and updating Kaspersky Endpoint Agent Management web plug-in
Installing and updating Kaspersky Endpoint Agent Management plug-in
Changes in the system after Kaspersky Endpoint Agent installation
Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response
Managing Kaspersky Endpoint Agent using Kaspersky Security Center Web Console
Managing Kaspersky Endpoint Agent policies
Creating Kaspersky Endpoint Agent policy
Enabling settings in Kaspersky Endpoint Agent policy
Configuring Kaspersky Endpoint Agent settings
Configuring Kaspersky Endpoint Agent security settings
Configuring user permissions
Enabling Password protection
Enabling and disabling Self-Defense
Configuring Kaspersky Endpoint Agent connection settings to a proxy server
Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation
Configuring malfunction diagnosis
Configuring KSN usage in Kaspersky Endpoint Agent
Configure network isolation settings
About network isolation in Kaspersky Endpoint Agent
About managing network isolation in Kaspersky Endpoint Agent
Enabling and disabling network isolation
Enabling and disabling user notification about network isolation
Configuring automatic disabling of network isolation
Configuring exclusions from network isolation
Configuring Execution prevention settings
About Execution prevention
Managing Execution prevention
Supported file extensions for Execution prevention
Supported script execution interpreters
Enabling Execution prevention
Disabling Execution prevention
Enabling and disabling user notification about Execution prevention
Managing Execution prevention rules list
Configuring quarantine settings in Kaspersky Endpoint Agent
About Kaspersky Endpoint Agent quarantine
About quarantine management in Kaspersky Endpoint Agent
Configuring quarantine settings and restoration of objects from quarantine
Configuring data synchronization with the Administration Server
Managing Kaspersky Endpoint Agent tasks
Creating tasks
Viewing the table of tasks
Deleting a task from the list
Configuring task schedule settings
Starting the tasks manually
Configuring Database and application modules update task
Configuring IOC Scan tasks
About IOC Scan tasks in Kaspersky Endpoint Agent
Requirements for IOC files
Supported IOC terms
Managing IOC Scan tasks in Kaspersky Endpoint Agent
Configuring Standard IOC Scan task
Viewing IOC Scan task execution results
Configuring the Quarantine file task
Configuring the Delete file task
Configuring the Run application task
Configuring the Terminate process task
Managing Kaspersky Endpoint Agent using command line interface
Running Kaspersky Endpoint Agent database and module update
Viewing information about quarantine settings and quarantined objects
Actions on quarantined objects
Starting, stopping and viewing the current application status
Protecting the application with password
Protecting application services with PPL technology
Managing self-defense settings
Managing network isolation
Managing Standard IOC Scan tasks
Managing Execution prevention
Managing event filtering
Configuring tracing
Configuring creation of dump files
Managing Kaspersky Endpoint Agent policies using Kaspersky Security Center Administration Console
Creating Kaspersky Endpoint Agent policy
Enabling settings in Kaspersky Endpoint Agent policy
Managing users
About role model
Changing user roles
Editing user notification methods
Editing user access to tenants
Inviting new users
Viewing assets
Viewing and searching through assets
Filtering assets
Viewing detailed information about assets
Managing incidents
Viewing and searching through incidents
Filtering incidents
Viewing detailed information about incidents
Adding new incidents
Response types
Processing responses to incident
Auto-accepting responses
Using Kaspersky Endpoint Detection and Response Optimum features
Creating an IOC scan task
Creating a Delete file task
Creating a Quarantine file task
Creating a Terminate process task
Creating a prevention rule
Enabling and disabling network isolation of the incident-related assets
Closing incidents
Managing the application through the REST API
Scenario: performing token-based authorization
Creating a refresh token
Creating an access token
About work with the REST API
Multitenancy
About multitenancy in Kaspersky Managed Detection and Response
Managing tenants
Viewing tenants
Viewing tenant settings
Editing tenant settings
Adding new tenants
Delineating access rights to tenants
Sources of information about the service
Contact Technical Support
How to get technical support
Get technical support by phone
Technical Support via Kaspersky CompanyAccount
Glossary
Asset
Incident
Indicator of compromise
MITRE tactic
MITRE technique
Response
Tenant
Information about third-party code
Trademark notices

About Kaspersky Managed Detection and Response

Kaspersky Managed Detection and Response (also referred to as MDR) delivers round-the-clock protection from the growing volume of threats that circumvent automated security barriers to organizations who struggle to find the expertise and staff, or for those with limited in-house resources. Unlike similar offerings on the market, this service leverages a proven track record of effective targeted attack research to ensure continuous defense against even the most complex threats. The service helps improve your corporate resilience to cyberthreats, while freeing up your existing resources to focus their attention on other tasks.

You integrate Kaspersky Endpoint Agent into the client's infrastructure via Kaspersky Security Center. Kaspersky Endpoint Agent processes data and sends it via Kaspersky Security Network streams to Kaspersky Managed Detection and Response. For the list of processed data, refer to the About data provision section.

Kaspersky Managed Detection and Response can also be integrated with other Kaspersky solutions.

Hardware and software requirements

Non-compliance with these requirements may lead to unstable operation of Kaspersky Managed Detection and Response, data integrity violations, and a decrease in service quality, up to the service not being provided at all.

Kaspersky Managed Detection and Response Console has the following hardware and software requirements:

Monitor that supports a display resolution of 1024 x 768 or greater
Any of the following browsers:
Apple Safari - three latest versions
Google Chrome - three latest versions
Microsoft Edge
Mozilla Firefox - two latest versions

Kaspersky Managed Detection and Response can be deployed in the following configurations of Kaspersky programs on assets:

Kaspersky Endpoint Agent (standalone installation on assets)
Kaspersky Endpoint Detection and Response Expert
Kaspersky Endpoint Security for Windows
Kaspersky Endpoint Security for Windows together with Kaspersky Endpoint Agent
Kaspersky Endpoint Security for Linux together with Kaspersky Endpoint Agent
Kaspersky Security for Windows Server together with Kaspersky Endpoint Agent

Kaspersky Managed Detection and Response is supported by the following versions of Kaspersky programs:

Kaspersky Endpoint Security for Windows - version 11 or later
Kaspersky Endpoint Security for Linux - version 11.0 or later
Kaspersky Endpoint Agent for Windows - version 3.9 or later
Kaspersky Endpoint Agent for Linux - version 3.9 or later
Kaspersky Security for Windows Server - version 10.1 or later
Kaspersky Security Center - version 12 or later
Kaspersky Security Center Web Console - latest version
Kaspersky Security Center Network Agent - version 12 or later
Required if the network configuration implies distribution points working with Kaspersky Security Network directly. Using Kaspersky Security Center Network Agent 11 or earlier causes the Private KSN configuration to be ignored, which prevents correct provision of the service and protection of your data.
Kaspersky Anti Targeted Attack Platform - version 3.7 or later

Kaspersky Managed Detection and Response supports the following operating systems:

Microsoft Windows operating systems:
Windows 7 (32-bit / 64-bit)
Windows 10 RS5 (64-bit)

64-bit Linux operating systems:
Ubuntu 16.04 LTS or later
Ubuntu 18.04 LTS or later
Red Hat Enterprise Linux 7.2 or later
Red Hat Enterprise Linux 8.0 or later
CentOS 7.2 or later
CentOS 8.0 or later
Debian GNU/Linux 9.4 or later
Debian GNU/Linux 10.1 or later
Oracle Linux 7.3 or later
Oracle Linux 8 or later
SUSE Linux Enterprise Server 12 or later

Architecture of Kaspersky Managed Detection and Response

Asset is an organization's device that is protected by Kaspersky solutions.

Endpoint Protection Platform application is a Kaspersky application that protects devices, and the data stored on them, from malware and other threats.

Kaspersky Endpoint Agent is a program component that is installed on workstations and servers of the corporate IT infrastructure. Kaspersky Endpoint Agent continuously monitors processes running on those computers, active network connections, and the files that are modified.

Kaspersky Network Agent is a Kaspersky Security Center component that enables interaction between the administration server and Kaspersky applications that are installed on a specific network node (workstation or server). This component is common to all of the company's applications for Microsoft Windows. Separate versions of Network Agent exist for Kaspersky applications developed for Unix-like operating systems and macOS.

Kaspersky Security Center is an application aimed at corporate network administrators and employees responsible for protection of devices in a wide range of organizations.

Kaspersky Security Network is an infrastructure of cloud services that provides access to the Kaspersky online knowledge base, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.

Kaspersky Managed Detection and Response (also referred to as MDR) Service is an application that delivers continuous managed protection, enabling organizations to automatically hunt down evasive threats, while freeing up IT security teams to focus on those critical tasks that require their involvement.

MDR Console provides a web interface for managing and maintaining the protection system of a client organization's network that is managed by Kaspersky Managed Detection and Response.

MDR API is the Application Programming Interface for managing and supporting the network protection system of a client organization managed by Kaspersky Managed Detection and Response.

Application licensing

This section covers the main aspects of application licensing.

About the Terms and Conditions

Terms and Conditions is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on how you may use the service.

Carefully read the Terms and Conditions before you start using the service.

You can view the Terms and Conditions agreement:

During the activation of Kaspersky Managed Detection and Response.
In the About section of Kaspersky Managed Detection and Response Console: https://mdr.kaspersky.com/about . The About section is available only for logged-in users.

You accept the Terms and Conditions by confirming that you agree with the Terms and Conditions when activating the service. If you do not accept the Terms and Conditions, cancel the service activation and do not use the service.

About the End User License Agreement

End User License Agreement is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you can use Kaspersky applications.

It is recommended to read through the terms of the End User License Agreement carefully before you start using the application.

You can view the terms of the End User License Agreement by reading the license.txt document. This document is included in the application distribution kit and is also saved to the application installation directory.

About the Privacy Policy

The Privacy Policy is a document that informs you how your data is processed.

It is recommended to read through the terms of the Privacy Policy carefully before you start using the application.

You can view the terms of the Privacy Policy by reading the license.txt file. This document is included in the application distribution kit and is also saved to the application installation directory.

About the license

A license is a time-limited right to use the application, granted under the Terms and Conditions.

A license entitles you to the following kinds of services:

Use of the application in accordance with the Terms and Conditions
Getting technical support

The scope of services and validity period depend on the type of license under which the application was activated. The following license types are provided:

Trial - a free license intended for trying out the application.
A trial license usually has a short term. When the trial license expires, all Kaspersky Managed Detection and Response features become disabled. To continue using the application, you need to purchase a commercial license. You can activate the application under the trial license only once.

Commercial - a paid license granted upon purchase of the application.
When the commercial license expires, the application continues running with limited functionality (telemetry is not provided). To continue using all of the features of Kaspersky Managed Detection and Response, you must renew your commercial license. We recommend renewing the license before its expiration, to ensure maximum protection against all security threats.

Subscription - a paid license that enables the application usage for a monthly or annual billing period, with auto-renewal, until canceled or expired.
The subscription license can be of two types:
Limited - automatically renewed at the end of each billing period up until the defined expiration date.
Open-ended - auto-renewed at the end of each billing period until canceled by the customer.
You can manage the subscription license via the Kaspersky License Management Portal (LMP).
When the subscription license is canceled or expired, the application continues running with limited functionality (telemetry is not provided). To continue using all of the features of Kaspersky Managed Detection and Response, you must renew your subscription license. We recommend renewing the license before its expiration, to ensure maximum protection against all security threats.

Kaspersky Managed Detection and Response license also grants usage of the Kaspersky Endpoint Detection and Response Optimum solution. The solution becomes available on an asset after configuring integration between Kaspersky Managed Detection and Response and Kaspersky Endpoint Agent.

Comparison of commercial license solutions: MDR Optimum and MDR Expert

The commercial license provides two solutions, Kaspersky MDR Optimum and Kaspersky MDR Expert. The set of features available in Kaspersky Managed Detection and Response depends on the solution of your commercial license (see the table below).

Comparison of Kaspersky Managed Detection and Response commercial license solutions

Feature (columns in the table: MDR Optimum, MDR Expert):

24x7 proactive monitoring
Threat Hunting and incident investigation
Response playbooks and automatic incident response
Security health check and asset visibility
MDR web portal with dashboards and reporting (Kaspersky Managed Detection and Response Console)
Multitenancy
One-year incident history storage
One-month raw data storage
Three-month raw data storage
Access to Kaspersky SOC analysts
Custom semi-automated playbooks
Access to the Threat Intelligence Portal
Cr
