Kaspersky Endpoint Detection and Response Expert
About data provision
In order for Kaspersky Endpoint Detection and Response Expert to work, it's necessary for Kaspersky to process the user's data. Components do not send data without the permission of the Kaspersky Endpoint Detection and Response Expert administrator.
Kaspersky protects any information received in accordance with law and applicable Kaspersky rules. Data is transmitted over a secure channel.
The following data is used for the operation of Kaspersky EDR Expert:
- Data listed in the Data Processing Agreement under Scope and purposes of processing personal data
  You give consent to send the user's data by confirming that you agree with the Data Processing Agreement during activation of the solution. After activation, you can view the Data Processing Agreement by clicking the Kaspersky Endpoint Detection and Response Expert tile in the Marketplace section or by clicking the Kaspersky EDR Expert settings button in the Threat hunting section.
- Information about alerts
  The following information about alerts is sent to Kaspersky Security Center Cloud Console:
  - Name and internal unique identifier of the device related to the alert
  - Names and user account security identifiers (SIDs) related to the alert
  - Date and time of the alert creation
  - Alert type (IOA alert or IOC alert)
  - Date and time of the first event related to the alert
  - Date and time of the last event related to the alert
  - Data about triggered rules:
    - Identifier of the rule
    - Name of the rule
    - Severity of the rule
    - Confidence of the rule
    - If an IOA rule is triggered, the following data is sent:
      - Signs that the custom rule has been triggered
      - MITRE technique and MITRE tactic identifiers related to the triggered rule
    - If an IOC rule is triggered, the following data is sent:
      - Description of the IOC rule
      - Information about detected objects (for example, files, processes, loaded modules, local and remote network addresses, registry keys and values, DNS records, system log records, users, Windows services)
      - Identifier, start time, and end time of the IOC scan task
      - Observables