Kaspersky Industrial CyberSecurity Endpoint Detection and Response

Contents

[Topic 231279]

About Kaspersky Industrial CyberSecurity Endpoint Detection and Response

Kaspersky Industrial CyberSecurity Endpoint Detection and Response is a solution designed to protect an organization's IT infrastructure from complex cyberthreats. The solution combines automatic threat detection with threat response capabilities to withstand complex attacks, including new exploits, ransomware, fileless attacks, and techniques that abuse legitimate system tools.

Kaspersky Industrial CyberSecurity Endpoint Detection and Response reviews and analyzes how threats develop and provides the Security Officer or Administrator with information about potential attacks so that they can respond to the threat in time, or it automatically performs the specified response actions.

If your infrastructure also has devices protected by Kaspersky Endpoint Detection and Response Optimum, you can manage them together with devices running Kaspersky Industrial CyberSecurity Endpoint Detection and Response in Kaspersky Security Center: both sets of devices are managed through the Kaspersky Endpoint Agent policy.

Update functionality (including anti-virus signature updates and codebase updates) and KSN functionality will not be available in the software in the U.S. territory from 12:00 AM Eastern Daylight Time (EDT) on September 10, 2024, in accordance with the restrictive measures.

In this Help section

Software Requirements

Solution architecture

Page top

[Topic 231280]

Software Requirements

Kaspersky Industrial CyberSecurity Endpoint Detection and Response is compatible with the following versions of Kaspersky applications:

  • Kaspersky Industrial CyberSecurity for Linux Nodes 1.5 and later.
  • With Kaspersky Industrial CyberSecurity for Linux Nodes, use one of the following applications for centralized network security management:
    • Kaspersky Security Center Windows 14.2 and later.
    • Kaspersky Security Center Linux 15.1 and later.
  • Kaspersky Industrial CyberSecurity for Nodes 3.1 and later.
  • Kaspersky Endpoint Agent 3.13 and later.

    Kaspersky Endpoint Agent can be installed on individual devices in the organization's IT infrastructure that run Microsoft Windows. The application provides Kaspersky Industrial CyberSecurity Endpoint Detection and Response support for Kaspersky Industrial CyberSecurity for Nodes.

  • With the specified versions of Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Endpoint Agent, use one of the following applications for centralized network security management:
    • Kaspersky Security Center versions from 10.5 to 12.1 support limited Kaspersky Industrial CyberSecurity Endpoint Detection and Response functionality (for details about the functionality available with each version of Kaspersky Security Center, contact the Kaspersky partner from whom you purchased the license).
    • Kaspersky Security Center Windows 12.1 and later fully supports Kaspersky Industrial CyberSecurity Endpoint Detection and Response functionality.
    • Kaspersky Security Center Linux 15.1 and later.

For information about the hardware and software requirements of the compatible applications, refer to the Help sections of the corresponding Kaspersky applications:

Page top

[Topic 231281]

Solution architecture

Kaspersky Industrial CyberSecurity Endpoint Detection and Response includes the following components:

  • EPP application (Kaspersky Industrial CyberSecurity for Nodes or Kaspersky Industrial CyberSecurity for Linux Nodes) that supports Kaspersky Industrial CyberSecurity Endpoint Detection and Response functionality and is installed on individual devices in the organization's IT infrastructure. This application continuously monitors the processes running on protected devices, open network connections, and file changes.
  • Kaspersky Endpoint Agent, an application that continuously monitors processes, open network connections, and modified files on the device and sends this information to Kaspersky Industrial CyberSecurity for Nodes.
  • A solution for centralized network security management (Kaspersky Security Center).
  • Threat Intelligence tools:
    • Kaspersky Security Network (KSN), an infrastructure of cloud services that provides access to the online Kaspersky Knowledge Base, which contains information about the reputation of files, web resources, and software. Using data from Kaspersky Security Network ensures that Kaspersky applications respond rapidly to threats, improves the performance of various security components, and reduces the likelihood of false positives.
    • Integration with Kaspersky Private Security Network (KPSN), which allows users to access KSN reputation databases and other statistics without submitting data from their devices to KSN.
    • Integration with Kaspersky Threat Intelligence Portal, which contains and displays information about the reputation of files and URLs.
    • Kaspersky Threats database.
Page top

[Topic 231318]

Deployment and initial setup of the solution using Kaspersky Industrial CyberSecurity for Nodes

The deployment scenario consists of the following steps:

  1. Installing Kaspersky Security Center and Kaspersky Security Center Web Console

    For detailed information about installing Kaspersky Security Center Windows and Kaspersky Security Center Web Console, refer to Kaspersky Security Center Help.

    For detailed information about installing Kaspersky Security Center Linux and Kaspersky Security Center Web Console, refer to Kaspersky Security Center Linux Help.

    For information on the supported versions of Kaspersky Security Center, see the Software requirements section.

  2. Installing Kaspersky Industrial CyberSecurity for Nodes

    For detailed information about installing Kaspersky Industrial CyberSecurity for Nodes, refer to Kaspersky Industrial CyberSecurity for Nodes Help.

  3. Installing Kaspersky Endpoint Agent

    You can get the distribution package for installing Kaspersky Endpoint Agent from the vendor of the Kaspersky Industrial CyberSecurity Endpoint Detection and Response solution.

  4. Installing the management web plug-in for Kaspersky Endpoint Agent

    For detailed information about installing management web plug-ins, refer to Kaspersky Security Center Help.

  5. Performing initial setup of Kaspersky Endpoint Agent web plug-in

    Activate Kaspersky Endpoint Agent and create a policy for Kaspersky Endpoint Agent.

  6. Configuring threat report

    Configure the threat report for viewing incident cards.

  7. Adding a widget

    Add the EDR alerts widget to the dashboard for monitoring alerts.

  8. Displaying the list of alerts

    Enable display of the Alerts section in Kaspersky Security Center Web Console.

Once Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Endpoint Agent are installed and configured, Kaspersky Industrial CyberSecurity Endpoint Detection and Response is ready to use.

Page top

[Topic 281264]

Deployment and initial setup of the solution using Kaspersky Industrial CyberSecurity for Linux Nodes

The deployment scenario consists of the following steps:

  1. Installing Kaspersky Security Center and Kaspersky Security Center Web Console

    For detailed information about installing Kaspersky Security Center Windows and Kaspersky Security Center Web Console, refer to Kaspersky Security Center Help.

    For detailed information about installing Kaspersky Security Center Linux and Kaspersky Security Center Web Console, refer to Kaspersky Security Center Linux Help.

    For information on the supported versions of Kaspersky Security Center, see the Software requirements section.

  2. Installing Kaspersky Industrial CyberSecurity for Linux Nodes

    For detailed information about installing Kaspersky Industrial CyberSecurity for Linux Nodes, refer to Kaspersky Industrial CyberSecurity for Linux Nodes Help.

  3. Installing Kaspersky Industrial CyberSecurity for Linux Nodes administration plug-in

    For detailed information about installing management web plug-ins, refer to Kaspersky Security Center Help.

  4. Kaspersky Industrial CyberSecurity Endpoint Detection and Response activation
  5. Installing Kaspersky Endpoint Detection and Response administration plug-in

    For detailed information about installing management web plug-ins, refer to Kaspersky Security Center Help.

  6. Creating a policy in Kaspersky Security Center

    Create policies that will be applied to groups of devices with Kaspersky Industrial CyberSecurity for Linux Nodes installed. For details on creating policy, refer to Kaspersky Security Center Help.

  7. Configuring threat report

    Configure the threat report for viewing incident cards.

  8. Adding a widget

    Add the EDR alerts widget to the dashboard for monitoring alerts.

  9. Displaying the list of alerts

    Enable display of the Alerts section in Kaspersky Security Center Web Console.

Once Kaspersky Industrial CyberSecurity for Linux Nodes is installed and configured, Kaspersky Industrial CyberSecurity Endpoint Detection and Response is ready to use.

Page top

[Topic 231315]

Licensing

This section contains information about the basic licensing concepts.

For more information about licensing the applications included in the Kaspersky Industrial CyberSecurity Endpoint Detection and Response solution, refer to the Helps of the corresponding applications:

In this Help section

About the End User License Agreement

About the license

About the license certificate

About license key

About the activation code

About the key file

About Kaspersky Security Network

About data provisioning

Page top

[Topic 238513]

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab that stipulates the terms on which you may use the application.

Read through the terms of the End User License Agreement carefully before you start using the application.

You can review the terms of the End User License Agreement in the following ways:

  • During installation of applications included in Kaspersky Industrial CyberSecurity Endpoint Detection and Response.
  • By reading the license.txt document. This document is included in the distribution kit of applications included in Kaspersky Industrial CyberSecurity Endpoint Detection and Response.

You accept the terms of the End User License Agreement when you confirm your consent to the End User License Agreement during installation of the application. If you do not accept the terms of the End User License Agreement, you must abort application installation and must not use the application.

Page top

[Topic 69240]

About the license

A license is a time-limited right to use Kaspersky Industrial CyberSecurity Endpoint Detection and Response, granted under the End User License Agreement.

The list of available functions and the validity period of the application depend on the license under which the application is used.

The following types of licenses are available:

  • Trial – a free license intended for trying out the application.

    Trial licenses have a short validity period. When the trial license expires, all the functions of Kaspersky Industrial CyberSecurity Endpoint Detection and Response become unavailable. To continue using the application, you need to purchase a commercial license.

    You can use the application under a trial license for only one trial period.

  • Commercial is a paid license.

    The main functions of the application stop working when a commercial license expires. To continue working with Kaspersky Industrial CyberSecurity Endpoint Detection and Response, you need to renew the commercial license. After the license expires, you can no longer use the application and must uninstall it from the device.

    It is recommended to renew the license before its expiration date to ensure continued protection of your device against security threats.

Page top

[Topic 73976]

About the license certificate

The License Certificate is a document provided together with the key file or activation code.

The License Certificate contains the following license information:

  • License key or order number
  • Information about the license user
  • Information about the application that can be activated under the provided license
  • Restrictions on the number of licensing units (for example, devices on which the application can be used under the license)
  • License start date
  • License expiration date or validity period
  • License type
Page top

[Topic 69295]

About license key

A license key is a sequence of bits that can be used to activate the application for use in accordance with the terms of the End User License Agreement. License keys are generated by Kaspersky experts.

You can add a license key to the application using one of the following methods: by applying a key file or by entering an activation code. After you add a key to the application, the license key is displayed in the application interface as a unique alphanumeric sequence.

The license key may be blocked by Kaspersky, if the terms of the End User License Agreement are violated. If the license key is blocked, add another license key for proper application operation.

There are two types of license keys: active and additional (backup).

The active license key is the key currently used to run the application. A license key for a trial or commercial license can be added as the active key. The application cannot have more than one active license key.

Additional (backup) license key confirms your right to use the application, but is not currently in use. The additional license key automatically becomes active when the license associated with the current active license key expires. An additional license key can be added only if an active license key is already added.

A trial license key can only be added as an active license key. A trial license key cannot be added as an additional license key.

Page top

[Topic 69430]

About the activation code

An activation code is a unique sequence of twenty Latin letters and digits. It is used to add a license key that activates Kaspersky Industrial CyberSecurity Endpoint Detection and Response. You receive the activation code at the email address you provided when purchasing Kaspersky Industrial CyberSecurity Endpoint Detection and Response or when ordering a trial version of it.

To activate the application with an activation code, you need Internet access in order to connect to Kaspersky activation servers.

If you lost your activation code after activating the application, contact the Kaspersky partner from whom you purchased the license.

Page top

[Topic 69431]

About the key file

A key file is a file with the .key extension that you receive from Kaspersky. Key files are used to add a license key that activates the application.

You receive the key file at the email address that you provided when purchasing Kaspersky Industrial CyberSecurity Endpoint Detection and Response or when ordering a trial version of Kaspersky Industrial CyberSecurity Endpoint Detection and Response.

You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.

You can restore a key file if it has been accidentally deleted. You may need a key file to register a Kaspersky CompanyAccount, for example.

To restore the key file, perform one of the following actions:

  • Contact the license distributor.
  • Get the key file on Kaspersky website based on the available activation code.
Page top

[Topic 231434]

About Kaspersky Security Network

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the online Kaspersky Knowledge Base that contains information about the reputation of files, web resources, and software.

For more information about sending to Kaspersky, storing and destroying statistical information obtained while using KSN, refer to Kaspersky website.

KSN Infrastructure

Kaspersky Security Network offers the following infrastructure solutions:

  • Global KSN is the solution used by most Kaspersky applications. KSN participants receive information from Kaspersky Security Network and send information about objects detected on their devices to Kaspersky for additional analysis by Kaspersky analysts and inclusion in the KSN reputation and statistical databases.
  • Private KSN is the solution that enables users of devices with Kaspersky Industrial CyberSecurity Endpoint Detection and Response or other Kaspersky applications installed to access Kaspersky Security Network reputation databases and other statistical data without sending data from their devices to KSN. Private KSN is designed for corporate customers who are unable to participate in Kaspersky Security Network for any of the following reasons:
    • Local workstations are not connected to the Internet.
    • Transmission of any data outside the country or outside the corporate LAN is prohibited by law or restricted by corporate security policies.
Page top

[Topic 231313]

About data provisioning

For the components of Kaspersky Industrial CyberSecurity Endpoint Detection and Response to operate properly, data processing on the Kaspersky side is required.

The received information is protected by Kaspersky in accordance with the requirements established by the law and the current Kaspersky rules. Data is transmitted via encrypted communication channels.

For detailed information on data submitted when using Kaspersky Industrial CyberSecurity Endpoint Detection and Response, refer to the Help of Kaspersky applications installed in your IT infrastructure:

Page top

[Topic 231316]

Solution activation

Activation of Kaspersky Industrial CyberSecurity Endpoint Detection and Response involves activation of the Kaspersky Industrial CyberSecurity for Nodes application installed on the protected devices using a license that includes Kaspersky Industrial CyberSecurity Endpoint Detection and Response functionality.

You can purchase the license for Kaspersky Industrial CyberSecurity Endpoint Detection and Response in the following ways:

  • As part of a license to use the Kaspersky Industrial CyberSecurity for Nodes application.
  • Separately, in addition to the previously purchased license to use the Kaspersky Industrial CyberSecurity for Nodes application.

If you purchased a license for Kaspersky Industrial CyberSecurity Endpoint Detection and Response as part of the license for using the Kaspersky Industrial CyberSecurity for Nodes application, Kaspersky Industrial CyberSecurity Endpoint Detection and Response will become available after you perform the initial setup of the solution.

If you purchased a license for Kaspersky Industrial CyberSecurity Endpoint Detection and Response separately, in addition to a previously purchased license, then after installing and activating Kaspersky Industrial CyberSecurity for Nodes on the devices you need to activate Kaspersky Endpoint Agent on those devices using the new activation code or key file, depending on how you purchased the license. After that, perform the initial setup of the solution.

For more details on activating the solution, refer to the documentation of Kaspersky applications:

Page top

[Topic 231409]

Response actions

This section contains information on the response actions to the detected threats that are available in Kaspersky Industrial CyberSecurity Endpoint Detection and Response.

In this Help section

About network isolation

About moving file to Quarantine

Configuring the settings for storing files in Quarantine

About the Delete file task

About running Critical Areas Scan

About IOC Scan

About Execution prevention

About starting and terminating the process

About the Get file task

Page top

[Topic 231331]

About network isolation

Kaspersky Industrial CyberSecurity Endpoint Detection and Response provides the ability to isolate devices from the network on demand (manually) or as an automatic action to respond to detected threats.

In the case of automatic response, the corresponding commands are executed on the devices without confirmation from the operator. Even though standard operating system mechanisms are used, unforeseen problems may occur. They can be caused by incorrect or highly specialized configuration of devices, compatibility problems, or errors in the software of devices or industrial control systems (ICS) that do not appear during normal use. For example, the following problems may occur: the device shutting down, loss of communication with the device, the device becoming inoperable, and other failures of the solution and equipment. Unintended impact on ICS operation is also possible.

The administrator of Kaspersky Industrial CyberSecurity Endpoint Detection and Response is fully responsible for the impact of automatic actions of the solution in relation to detected threats on the stability of the ICS and the technological process.

After enabling network isolation, the application breaks all active TCP/IP connections and blocks all new TCP/IP network connections on the devices, except for the connections listed below:

  • connections specified as network isolation exclusions;
  • connections initiated by services of the Kaspersky Industrial CyberSecurity for Nodes or Kaspersky Industrial CyberSecurity for Linux Nodes;
  • connections initiated by Kaspersky Security Center Network Agent.

You can apply device network isolation manually in Kaspersky Industrial CyberSecurity for Nodes settings on the device or in the alert details. It can also be applied automatically as a result of alert response actions when the IOC Scan task is performed. You can unlock an isolated device manually from the alert details, in Kaspersky Industrial CyberSecurity for Nodes settings on the device or from the command line. You can also configure the period after which to disable network isolation automatically.

You can configure network isolation exclusions. Network connections that meet the conditions of the specified exclusion will not be blocked on the devices after network isolation is enabled.

For more details on how to manage network isolation manually using the application settings on the device, refer to Kaspersky Endpoint Agent Help.

For information about enabling and disabling network isolation on a device and configuring exclusions from network isolation, refer to Kaspersky Industrial CyberSecurity for Linux Nodes Help.

Page top

[Topic 231333]

About moving file to Quarantine

One of the possible response actions when a threat is detected is to quarantine the file.

Quarantine is a special local repository on a device with Kaspersky Industrial CyberSecurity Endpoint Detection and Response, intended for storing files that are probably infected or that cannot be disinfected at the time they are detected. Quarantined files are stored on the protected device in encrypted form and therefore do not compromise the device's security.

You can quarantine a file manually, configure automatic quarantining as an alert response action, or quarantine a file from the alert details window.

This action is not available on computers running Linux operating systems with Kaspersky Industrial CyberSecurity for Linux Nodes version 1.5 installed.

For details on quarantine, refer to Kaspersky Endpoint Agent Help.

Page top

[Topic 231336]

Configuring the settings for storing files in Quarantine

To view a list of quarantined files,

in the main Kaspersky Security Center Web Console window select Repositories → Quarantine.

Scanning of objects quarantined by Kaspersky Industrial CyberSecurity Endpoint Detection and Response is not available.

For more details on working with quarantine, see:

Objects are quarantined with the permissions of the system account (SYSTEM). When a file is restored from Quarantine, it is not returned to its original location but placed in a special folder on the device, from which you can manually move it to the destination folder.

To configure the settings for storing quarantined files:

  1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
  2. Click the name of the policy you want to configure.

    The policy properties window opens.

  3. Select the Application settings tab.
  4. In the Repositories section, select Quarantine and specify the required settings.

Quarantine files storage settings are not available on computers running Linux operating systems with Kaspersky Industrial CyberSecurity for Linux Nodes version 1.5 installed.

Page top

[Topic 231338]

About the Delete file task

One of the possible response actions when a threat is detected is to delete the file from the device.

For more details about deleting files, see Kaspersky Endpoint Agent Help and Kaspersky Industrial CyberSecurity for Linux Nodes Help.

Page top

[Topic 231339]

About running Critical Areas Scan

One of the possible response actions when a threat is detected is running Critical Areas scan on the device.

You can run Critical Areas scan manually or configure the scan to run automatically as a result of alert response actions.

For more details on critical areas scanning, please refer to the Kaspersky Endpoint Agent Help and Kaspersky Industrial CyberSecurity for Linux Nodes Help.

Page top

[Topic 231340]

About IOC Scan

An indicator of compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to the device (data compromise). For example, a large number of failed sign-in attempts can constitute an indicator of compromise. The IOC Scan task finds indicators of compromise on the device and performs threat response actions.

IOC files are used to search for IOCs. An IOC file contains a set of indicators that are compared against the indicators of an event; if they match, the EPP application treats the event as an alert. IOC files must conform to the OpenIOC standard.

Kaspersky Industrial CyberSecurity Endpoint Detection and Response provides an IOC Scan task. It is a group or local task that is created and configured manually in Kaspersky Security Center Web Console. The IOC files that you prepared are used to run the task.
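As an added illustration (not code from this Help, from Kaspersky, or from the OpenIOC project) of how an OpenIOC file is structured and how its indicator tree is evaluated against a collected event, the Python script below parses a constructed OpenIOC document and tests three constructed events against it. The event layout (observed values keyed by the OpenIOC search term), the MD5 value and the paths are assumptions made for the example; the matcher implements the common OpenIOC conditions (is, contains, starts-with, ends-with, plus the OpenIOC 1.1 matches condition and negate attribute) but is not the matching engine of the IOC Scan task.

```python
"""Minimal OpenIOC matcher (added example, not Kaspersky's IOC Scan engine).

The IOC document, search terms and events are constructed for the example;
the MD5 value is not a real detection.
"""
import re
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC document: alert on a known-bad MD5, OR on a process
# named svchost.exe whose image path lies under a user profile (AND branch).
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="example-0001" last-modified="2024-01-01T00:00:00">
  <short_description>Constructed example indicator</short_description>
  <definition>
    <Indicator operator="OR" id="root">
      <IndicatorItem id="i1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00112233445566778899aabbccddeeff</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="i2a" condition="is">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="i2b" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/path" type="mir"/>
          <Content type="string">\Users\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""


def _compare(condition, observed, wanted, preserve_case):
    """Apply one OpenIOC condition to a single observed value."""
    if not preserve_case:
        observed, wanted = observed.lower(), wanted.lower()
    if condition == "is":
        return observed == wanted
    if condition == "contains":
        return wanted in observed
    if condition == "starts-with":
        return observed.startswith(wanted)
    if condition == "ends-with":
        return observed.endswith(wanted)
    if condition == "matches":  # OpenIOC 1.1: regular expression
        return re.search(wanted, observed) is not None
    raise ValueError(f"unsupported condition: {condition}")


def _item_matches(item, event):
    """True if any observed value for the item's search term satisfies it."""
    search = item.find("ioc:Context", NS).get("search")
    wanted = (item.find("ioc:Content", NS).text or "").strip()
    condition = item.get("condition", "is")
    preserve_case = item.get("preserve-case", "false") == "true"
    hit = any(_compare(condition, value, wanted, preserve_case)
              for value in event.get(search, []))
    if item.get("negate", "false") == "true":  # OpenIOC 1.1: invert the item
        hit = not hit
    return hit


def _indicator_matches(indicator, event):
    """Combine child results with the Indicator's AND/OR operator."""
    results = []
    for child in indicator:
        tag = child.tag.rsplit("}", 1)[-1]  # strip the namespace
        if tag == "IndicatorItem":
            results.append(_item_matches(child, event))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, event))
    if not results:
        return False
    op = indicator.get("operator", "AND").upper()
    return all(results) if op == "AND" else any(results)


def scan_event(ioc_xml, event):
    """True when the event matches any top-level Indicator of the IOC."""
    definition = ET.fromstring(ioc_xml).find("ioc:definition", NS)
    return any(_indicator_matches(ind, event)
               for ind in definition.findall("ioc:Indicator", NS))


# Constructed events in the shape a host scanner would collect.
MASQUERADING_PROCESS = {
    "ProcessItem/name": ["svchost.exe"],
    "ProcessItem/path": [r"C:\Users\alice\AppData\Local\Temp\svchost.exe"],
    "FileItem/Md5sum": ["0123456789abcdef0123456789abcdef"],
}
GENUINE_PROCESS = {
    "ProcessItem/name": ["svchost.exe"],
    "ProcessItem/path": [r"C:\Windows\System32\svchost.exe"],
    "FileItem/Md5sum": ["fedcba9876543210fedcba9876543210"],
}
KNOWN_BAD_FILE = {"FileItem/Md5sum": ["00112233445566778899aabbccddeeff"]}

if __name__ == "__main__":
    for label, ev in [("masquerading", MASQUERADING_PROCESS),
                      ("genuine", GENUINE_PROCESS), ("known-bad", KNOWN_BAD_FILE)]:
        print(label, "ALERT" if scan_event(SAMPLE_IOC, ev) else "clean")
```

The nested AND inside the top-level OR is what makes the second branch useful: a process name alone (svchost.exe) would match every Windows host, and a user-profile path alone would match every user application; only the combination is suspicious. When writing IOC files for an ICS environment, prefer such compound indicators over single loose items, because every match can trigger the automatic response actions described above.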

When an IOC is detected on a device, Kaspersky Industrial CyberSecurity Endpoint Detection and Response performs the specified response action. The following response actions are available for the detected IOCs:

When responding to threats, Kaspersky Industrial CyberSecurity Endpoint Detection and Response can automatically create IOC Scan tasks.

For details on creating an IOC search task, see:

Page top

[Topic 231341]

About Execution prevention

You can configure execution prevention rules for executable files and scripts, as well as for opening office-format files, on the selected devices. For example, you can prevent the launch of applications whose use is considered unsafe on a selected device protected by Kaspersky Industrial CyberSecurity Endpoint Detection and Response. The application identifies files by their paths or by their checksums, using the MD5 and SHA256 hash algorithms.

An execution prevention rule is a set of criteria that are evaluated when deciding whether to prevent an object from executing. The object must meet all the criteria of the rule for the application to block it.

Kaspersky Industrial CyberSecurity Endpoint Detection and Response has the following modes for applying execution prevention rules:

  • Block and log to the report. In this mode, the EPP application blocks execution of objects, or opening of documents, that match the criteria of an execution prevention rule.
  • Log an event only. In this mode, the EPP application records an event in the Windows Event Log and in Kaspersky Security Center about attempts to execute objects, or open documents, that meet the criteria of an execution prevention rule, but does not block the execution or opening.
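To make the rule semantics concrete, here is an added example (not Kaspersky Endpoint Agent code) that models execution prevention rules with a path pattern, an MD5 and a SHA256 criterion, applies the all-criteria rule, and returns a verdict in both modes. The executables, the rule names and the hash values are constructed in memory; glob matching on the full path is an assumption made for the example.

```python
"""Execution prevention rule check (added example, not Kaspersky code).

A rule may specify a path pattern, an MD5 and/or a SHA256; an object matches
only when every criterion the rule specifies holds. Executables, rule names
and hashes below are constructed in memory.
"""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    path: Optional[str] = None     # case-insensitive glob over the full path
    md5: Optional[str] = None
    sha256: Optional[str] = None


@dataclass(frozen=True)
class Executable:
    path: str
    content: bytes


def rule_matches(rule: Rule, obj: Executable) -> bool:
    """Every criterion the rule specifies must hold; an empty rule never matches."""
    checks = []
    if rule.path is not None:
        checks.append(fnmatch.fnmatchcase(obj.path.lower(), rule.path.lower()))
    if rule.md5 is not None:
        checks.append(hashlib.md5(obj.content).hexdigest() == rule.md5.lower())
    if rule.sha256 is not None:
        checks.append(hashlib.sha256(obj.content).hexdigest() == rule.sha256.lower())
    return bool(checks) and all(checks)


def evaluate(rules: List[Rule], obj: Executable, mode: str) -> Tuple[str, List[str]]:
    """Verdict for one launch attempt plus the names of the rules that matched.

    mode "block" stands for "Block and log to the report",
    mode "log" for "Log an event only": the same rules fire, only the verdict differs.
    """
    hits = [r.name for r in rules if rule_matches(r, obj)]
    if not hits:
        return "allowed", hits
    return ("blocked" if mode == "block" else "logged"), hits


# Constructed stand-in for a remote-administration tool and three rule styles.
TOOL = b"MZ\x90\x00 constructed stand-in for a remote-admin tool binary"
TOOL_SHA256 = hashlib.sha256(TOOL).hexdigest()
RULES = [
    Rule("by-path", path=r"*\psexec.exe"),
    Rule("by-hash", sha256=TOOL_SHA256),
    Rule("by-path-and-hash", path=r"*\psexec.exe", sha256=TOOL_SHA256),
]
ORIGINAL = Executable(r"C:\Tools\PsExec.exe", TOOL)
RENAMED = Executable(r"C:\Users\Public\svc.exe", TOOL)        # same bytes, new name
PATCHED = Executable(r"C:\Tools\PsExec.exe", TOOL + b"\x00")  # same name, new hash
UNRELATED = Executable(r"C:\Windows\notepad.exe", b"something else")

if __name__ == "__main__":
    for label, obj in [("original", ORIGINAL), ("renamed", RENAMED),
                       ("patched", PATCHED), ("unrelated", UNRELATED)]:
        print(label, evaluate(RULES, obj, "block"))
```

The three constructed launches show the trade-off between criteria types: renaming the binary evades the path-only rule but not the hash rule, while a rebuilt or patched binary evades the hash rule but not the path rule; the rule that specifies both criteria is the narrowest and fires only on the original. On ICS hosts, where the Help above warns that automatic actions can disrupt the technological process, a sensible practice is to run a new rule in "Log an event only" mode first and review the logged attempts before switching it to "Block and log to the report".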

For information on enabling execution prevention, configuring its settings and managing execution prevention rules from the command line, refer to Kaspersky Endpoint Agent Help.

You can also prevent the file execution from the alert details window.

This action is not available on computers running Linux operating systems with Kaspersky Industrial CyberSecurity for Linux Nodes version 1.5 installed.

Page top

[Topic 231342]

About starting and terminating the process

The Start process task allows you to remotely start files on the device. For example, you can remotely start a utility that creates a file with the computer configuration, and then get the created file using the Get file task.

The Terminate process task allows you to remotely terminate processes on the device. For example, you can remotely terminate the Internet speed testing utility that was started using the Start process task.

For details on configuring the Start process and Terminate process task settings, refer to Kaspersky Endpoint Agent Help and Kaspersky Industrial CyberSecurity for Linux Nodes Help.

Page top

[Topic 231343]

About the Get file task

The Get file task allows you to retrieve files from users' devices. For example, you can configure retrieval of an event log file created by a third-party application. As a result of the task, the file is saved to Quarantine; you can download it from Quarantine to your device using Kaspersky Security Center Web Console. On the user's device, the file remains in its original folder.

To receive a copy of a file, create a Quarantine file task and, in the Actions after quarantining a file section, specify that the file must not be deleted when it is moved to Quarantine. For more details, see the Kaspersky Endpoint Agent Help and the Kaspersky Industrial CyberSecurity for Linux Nodes Help.

If you are using Kaspersky Endpoint Security 12.1 for Linux, the retrieved file is placed in the Backup folder of Kaspersky Security Center instead.

Page top

[Topic 231410]

Working with alert details

This section contains information about actions that can be performed directly from the detection details window ("alert" in Kaspersky Security Center Linux version 15.1 and later).

In this Help section

About alert details

Configuring threat report for viewing alert details

Viewing alert details

Applying network isolation to a device

Moving a file to Quarantine from alert details

Creating IOC Scan task from alert details

Preventing a file execution from the alert details

Page top

[Topic 231344]

About alert details

Alert details contain all available information about the detected threat and allow you to manage alert response actions.

Alert details contain the following information:

  • Threat development chain graph, which gives a visual overview of the objects involved, such as key processes on the device, network connections, libraries, and registry hives. It is used to analyze the causes of the threat.
  • General information about the alert, including the detection mode (for example, detection during an on-demand scan or during automatic scanning).
  • Information about the protected device on which the alert occurred (for example, device name, IP address, MAC address, user list, operating system).
  • Information about detected object.
  • Registry changes associated with the alert.
  • History of the file presence on the device.
  • Response actions performed by the application.

The following information is also available in the detection details generated by the Kaspersky Industrial CyberSecurity for Linux Nodes application version 1.5 and later:

  • Recommendations for responding to detection. Each recommendation is provided with a link that you can use to apply the selected response method.
  • Information about the trust group, digital signature, file distribution and other data.

    This block of information is available if the Kaspersky Security Network function is enabled in the Kaspersky Industrial CyberSecurity for Linux Nodes application at the time of detection.

The listed data is specified at the time of detection of the threat. The solution does not update the listed data; therefore, it may differ from the data displayed on the Kaspersky Threat Intelligence Portal. To view the latest data, use the links to the Kaspersky Threat Intelligence Portal data in the detection details.

You can perform the following response actions from the alert details:

  • Apply network isolation to the device.
  • Move a file to Quarantine.
  • Create an IOC Scan task.
  • Prevent a file from being executed.

Alert details are automatically deleted one month after creation.

If the amount of information in the alert details exceeds 100 KB, or if more than 20 alerts occurred on the device during a day, then the alert data is stored on the device locally and connection to the device is required to access this data.

Page top

[Topic 231411]

Configuring threat report for viewing alert details

To configure the capability to open the alert details window from the Report on threats:

  1. In the main Kaspersky Security Center Web Console window select Monitoring & Reporting → Reports.
  2. In the list of reports, select the Report on threats template and click the Open report template properties button.
  3. In the report properties window that opens, go to the Fields tab.
  4. Make sure that the Open alert field is available in the list of report fields in the Details fields group of settings.
  5. If the Open alert field is not available in the list, follow these steps:
    1. Click the Add button.
    2. At the right side of the window, select the Open alert field from the drop-down list.
    3. Click OK.
  6. Click the Save button.

Page top

[Topic 231349]

Viewing alert details

Alert details are available in the list of alerts. The list of alerts is available in the Report on threats or in the Alerts subsection of the Monitoring & Reporting section in Kaspersky Security Center Web Console.

If you add a license key for Kaspersky Industrial CyberSecurity Endpoint Detection and Response, the Alerts subsection will automatically appear in the main menu in the Monitoring & Reporting section. You can also configure the displaying of the Alerts subsection in the properties of Kaspersky Security Center Windows or Kaspersky Security Center Linux interface.

To view the alert details in the Monitoring and reporting section:

  1. In the main Kaspersky Security Center Web Console window select Monitoring & Reporting → Alerts.
  2. Select the alert and click the Details link.

    The alert details are displayed.

To view the alert details in the report on threats:

  1. In the main Kaspersky Security Center Web Console window select Monitoring & Reporting → Reports.
  2. Select the Report on threats template and click the Show report button.
  3. In the report window on the Details tab, select the alert and click the Open alert details link.

    The alert details are displayed.

To display the alert details, Kaspersky Industrial CyberSecurity Endpoint Detection and Response needs to get data from the device on which the alert occurred. If the data or the device is unavailable, an error message is displayed. The device may take several minutes to respond.

To view information about a detected threat in Kaspersky Industrial CyberSecurity for Linux Nodes, please refer to the Application Help.

Page top

[Topic 231350]

Applying network isolation to a device

To isolate a device from the network from the alert details window:

  1. Open the alert details window.
  2. In the Computer section, click the Isolate the computer from the network button to apply network isolation to this device.

Read the Kaspersky Endpoint Agent Help about enabling or disabling network isolation on a device through Kaspersky Security Center and about managing network isolation.

Read the Kaspersky Industrial CyberSecurity for Linux Nodes Help about enabling and disabling network isolation on a device and setting up exceptions from network isolation.

Page top

[Topic 231352]

Moving a file to Quarantine from alert details

To move a file to Quarantine from the alert details:

  1. Open the alert details.
  2. In the File section click the Quarantine button.

    The file will be deleted from the device, and its copy will be quarantined.

This action is not available on computers running Linux operating systems with Kaspersky Industrial CyberSecurity for Linux Nodes version 1.5 installed.

Page top

[Topic 231353]

Creating IOC Scan task from alert details

To create IOC Scan task from the alert details:

  1. Open the alert details.
  2. On the All alert events tab, select the items from which you want to create an IOC Scan task.
  3. Click Create IOC.
  4. Select the triggering criterion for the indicator of compromise:
    • If you want the indicator of compromise to be triggered when any of the selected objects is detected, select OR on the right side of the screen.
    • If you want the indicator of compromise to be triggered only when all of the selected objects are detected, select AND on the right side of the screen.
  5. Select the actions to be taken when the IOC is triggered:
  6. Click Create task.

You can view the created tasks in the Devices → Tasks section.

When you create an IOC Scan task for the selected object (file or process) from the alert details, an IOC file with the FileItem term is automatically created. For more details about IOC terms, see the Kaspersky Endpoint Agent Help and the Kaspersky Industrial CyberSecurity for Linux Nodes Help.
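The following is an added example, not code from Kaspersky or from this solution, that shows what the automatically created IOC file looks like and how the OR/AND triggering criterion changes the result of a scan. It builds an OpenIOC 1.0 document whose IndicatorItems use the FileItem terms Md5sum and FileName (real OpenIOC term names), then evaluates it against a constructed file inventory of one host. The evaluator is a minimal illustration of OpenIOC semantics written for this example: with OR any one listed object present on the host triggers the indicator, with AND every listed object must be present, which is how the text above describes the two criteria. The sample file records and hashes are constructed and are not real malware.

```python
"""Added example: build an OpenIOC 1.0 IOC with FileItem terms and evaluate it.

Not Kaspersky's code. The matcher below is a toy illustration of the OR/AND
trigger criteria; the product's own scan engine is not shown here.
"""
import hashlib
import uuid
import xml.etree.ElementTree as ET

# Namespace of the OpenIOC 1.0 schema.
OPENIOC_NS = "http://schemas.mandiant.com/2010/ioc"
_NS = {"o": OPENIOC_NS}


def build_ioc(items, operator="OR", description="Created from alert details"):
    """Return an OpenIOC XML string for the selected objects.

    items:    list of (term, value) pairs, e.g. ("FileItem/Md5sum", "<hex>").
    operator: "OR"  -> triggers when any object is detected,
              "AND" -> triggers only when all objects are detected.
    """
    if operator not in ("OR", "AND"):
        raise ValueError("operator must be OR or AND")
    ET.register_namespace("", OPENIOC_NS)
    ioc = ET.Element(f"{{{OPENIOC_NS}}}ioc", {"id": str(uuid.uuid4())})
    ET.SubElement(ioc, f"{{{OPENIOC_NS}}}short_description").text = description
    definition = ET.SubElement(ioc, f"{{{OPENIOC_NS}}}definition")
    indicator = ET.SubElement(definition, f"{{{OPENIOC_NS}}}Indicator",
                              {"operator": operator, "id": str(uuid.uuid4())})
    for term, value in items:
        item = ET.SubElement(indicator, f"{{{OPENIOC_NS}}}IndicatorItem",
                             {"condition": "is", "id": str(uuid.uuid4())})
        # Context names the document (FileItem) and the term being searched.
        ET.SubElement(item, f"{{{OPENIOC_NS}}}Context",
                      {"document": "FileItem", "search": term, "type": "mir"})
        ET.SubElement(item, f"{{{OPENIOC_NS}}}Content",
                      {"type": "string"}).text = value
    return ET.tostring(ioc, encoding="unicode")


# Maps the OpenIOC FileItem terms used here onto fields of the constructed records.
_TERM_TO_FIELD = {"FileItem/Md5sum": "md5",
                  "FileItem/FileName": "name",
                  "FileItem/FilePath": "path"}


def ioc_matches(ioc_xml, records):
    """Evaluate the IOC against host file records; return matching file paths.

    OR:  any record matching any IndicatorItem triggers.
    AND: every IndicatorItem must be matched by some record on the host
         (all selected objects detected); otherwise nothing is reported.
    """
    root = ET.fromstring(ioc_xml)
    indicator = root.find("o:definition/o:Indicator", _NS)
    operator = indicator.get("operator")
    hits = []
    for item in indicator.findall("o:IndicatorItem", _NS):
        term = item.find("o:Context", _NS).get("search")
        value = item.find("o:Content", _NS).text
        field = _TERM_TO_FIELD[term]
        hits.append([r["path"] for r in records if r[field] == value])
    if operator == "AND" and not all(hits):
        return []
    return sorted({path for matched in hits for path in matched})


def demo_records():
    """Constructed sample file inventory of a Linux host (not real files)."""
    md5 = lambda data: hashlib.md5(data).hexdigest()
    return [
        {"path": "/tmp/dropper.sh", "name": "dropper.sh", "md5": md5(b"sample dropper")},
        {"path": "/usr/bin/ls", "name": "ls", "md5": md5(b"coreutils ls")},
        {"path": "/opt/ics/update.bin", "name": "update.bin", "md5": md5(b"vendor update")},
    ]


def demo():
    """Same two objects selected from an alert, scanned with OR and with AND."""
    records = demo_records()
    selected = [("FileItem/Md5sum", records[0]["md5"]),   # present on the host
                ("FileItem/FileName", "payload.dll")]      # absent on the host
    or_hits = ioc_matches(build_ioc(selected, "OR"), records)
    and_hits = ioc_matches(build_ioc(selected, "AND"), records)
    return or_hits, and_hits


if __name__ == "__main__":
    print(demo())  # OR reports /tmp/dropper.sh; AND reports nothing
```

With OR, the dropper's hash alone is enough to report the host; with AND, the missing payload.dll keeps the indicator from triggering, which is the behaviour to expect when you select several objects from one alert and want all of them present before a scan flags a device.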

Page top

[Topic 231355]

Preventing a file execution from the alert details

File execution prevention rules are applied to the device on which the alert occurred only if an active Kaspersky Endpoint Agent policy for Kaspersky Industrial CyberSecurity Endpoint Detection and Response is applied to that device. If the device on which the alert occurred is not managed by an active policy, the Execution prevention rule is not created.

To prevent file execution from the alert details:

  1. Open the alert details.
  2. In the File section click the Prevent execution button.

Execution of the file is prevented, and an Execution prevention rule is added to the policy for the group the device belongs to.

This action is not available on computers running Linux operating systems with Kaspersky Industrial CyberSecurity for Linux Nodes version 1.5 installed.

Page top

[Topic 231412]

Monitoring & Reporting

The following features are available to monitor operation of Kaspersky Industrial CyberSecurity Endpoint Detection and Response:

  • EDR alerts widget
  • List of alerts
  • Kaspersky Security Center reports and selections

In this Help section

Adding EDR alerts widget

Viewing the list of alerts

Monitoring the solution performance on devices

Viewing information about triggering of the Execution prevention rules

Generating a list of isolated devices

Page top

[Topic 231356]

Adding EDR alerts widget

The EDR alerts widget displays information about the number of alerts on the devices for the last month. The widget is available on the Dashboard tab in Kaspersky Security Center Web Console. The widget allows you to switch to the Alerts section, where a list of alerts on devices is displayed.

To add the EDR alerts widget to the dashboard:

  1. Go to the Monitoring & Reporting → Dashboard section.
  2. Click the Add or restore web widget button.
  3. In the list of available web widgets, select the Alerts web widget from the Threat statistics category.
  4. Click the Add button.

    The web widget is added to the end of the dashboard.

For more details on working with widgets, please refer to Kaspersky Security Center Windows Help and Kaspersky Security Center Linux Help.

Page top

[Topic 231357]

Viewing the list of alerts

To view all alerts as a list,

in Kaspersky Security Center Web Console, go to the Alerts section.

The Alerts section is displayed automatically after Kaspersky Industrial CyberSecurity Endpoint Detection and Response is activated. You can also enable display of this section in Kaspersky Security Center Windows or Kaspersky Security Center Linux.

From the list of alerts, you can open the details of the selected alert.

Page top

[Topic 231359]

Monitoring the solution performance on devices

Kaspersky Security Center functionality allows you to get information on the current protection status of devices, and to find devices in your infrastructure on which the EPP application that supports Kaspersky Industrial CyberSecurity Endpoint Detection and Response is not installed.

You can get this information by generating a selection of devices by the status of Kaspersky Industrial CyberSecurity Endpoint Detection and Response component.

To generate a selection of devices by the status of Kaspersky Industrial CyberSecurity Endpoint Detection and Response component:

  1. In Kaspersky Security Center Web Console, go to the Devices → Device selections section.
  2. Create a new device selection with the following condition:
    1. Select the Details of Kaspersky applications section.
    2. In the Application components list, select the Endpoint Detection and Response component for Kaspersky Endpoint Agent.
    3. In the Status drop-down list, select the required value of the selection criterion to display devices with this operation status.
    4. Click the Save button.

The new selection displays the list of devices with the selected operation status of Kaspersky Industrial CyberSecurity Endpoint Detection and Response.

Page top

[Topic 231360]

Viewing information about triggering of the Execution prevention rules

Kaspersky Security Center functionality allows you to get information about the applications whose execution was prevented by Kaspersky Industrial CyberSecurity Endpoint Detection and Response as a result of execution prevention rules being triggered.

To view a report on the applications prevented from execution:

  1. In Kaspersky Security Center Web Console select Monitoring & Reporting → Reports.
  2. Select the required report from the list:
    • Report on prohibited applications – to view information about the applications that were prevented from execution in the Block and log to the report mode.
    • Report on prohibited applications in test mode – to view information about the applications that would have been prevented from execution in the Log events only mode, in which execution is logged but not blocked.

Page top

[Topic 231361]

Generating a list of isolated devices

Kaspersky Security Center functionality allows you to get information about the devices with enabled network isolation.

You can get this information by generating a selection of devices by the ISOLATED FROM NETWORK tag.

In Kaspersky Security Center Web Console, you can generate a selection of isolated devices on a physical Administration Server only after network isolation was applied at least once on this server.

To generate a selection of devices isolated from the network:

  1. In Kaspersky Security Center Web Console, go to the Devices → Device selections section.
  2. Create a new device selection with the following condition:
    1. Select the Tags section.
    2. Click the Add button and create a selection criterion for all devices having the ISOLATED FROM NETWORK tag.

The new selection displays a list of devices isolated from the network.

Page top

[Topic 231364]

Multitenancy

Multitenancy is an operation mode when the solution is used to protect infrastructure of several organizations at the same time.

You can use Kaspersky Industrial CyberSecurity Endpoint Detection and Response to protect the infrastructure of several organizations at the same time using Kaspersky Security Center. For this purpose, create virtual Administration Servers for the organizations that you want to protect using Kaspersky Industrial CyberSecurity Endpoint Detection and Response. These virtual Administration Servers must be created under the physical Administration Server of the provider organization. For details on creating virtual Administration Servers, refer to Kaspersky Security Center Help.

A separate virtual Administration Server must be created for each tenant. The administrator of the physical Administration Server can manage the solution on all devices that are managed by this Server. The administrator of a virtual Administration Server can manage the solution only on the devices connected to the Server that they administer.

Page top

[Topic 70331]

Contact Technical Support

This section describes the ways to get technical support and the terms on which it is available.

In this Help section

How to get technical support

Technical Support via Kaspersky CompanyAccount

Page top

[Topic 68247]

How to get technical support

If you cannot find a solution to your problem in the application documentation or in other sources of information about Kaspersky Industrial CyberSecurity Endpoint Detection and Response, you are advised to contact Technical Support. Technical Support specialists will answer your questions about installing and using Kaspersky Industrial CyberSecurity Endpoint Detection and Response.

Kaspersky provides support for Kaspersky Industrial CyberSecurity Endpoint Detection and Response during its lifecycle (see the Product Support Lifecycle page). Before contacting Technical Support, please read the technical support rules.

You can contact Technical Support in one of the following ways:

Page top

[Topic 68417]

Technical Support via Kaspersky CompanyAccount

Kaspersky CompanyAccount is a portal for organizations that use Kaspersky applications. The Kaspersky CompanyAccount portal is designed to facilitate interaction between users and Kaspersky specialists via online requests. The Kaspersky CompanyAccount portal lets you monitor the progress of electronic request processing by Kaspersky specialists and store a history of electronic requests.

You can register all of your organization employees under a single Kaspersky CompanyAccount. A single account lets you centrally manage electronic requests from registered employees to Kaspersky and also manage the privileges of these employees via Kaspersky CompanyAccount.

The Kaspersky CompanyAccount portal is available in the following languages:

  • English
  • Spanish
  • Italian
  • German
  • Polish
  • Portuguese
  • Russian
  • French
  • Japanese

To learn more about Kaspersky CompanyAccount, visit the Technical Support website.

Page top

[Topic 90]

Glossary

Endpoint Protection Platform (EPP)

An integrated system of comprehensive endpoint protection (for example, mobile devices, computers or laptops) using various security technologies. An example of an Endpoint Protection Platform is Kaspersky Endpoint Security for Business solution.

EPP application

An application included in a protection system for endpoint devices (Endpoint Protection Platform, EPP). EPP applications are installed on endpoint devices within the IT infrastructure of an organization (for example, mobile devices, computers, or laptops). An example of an EPP application is Kaspersky Industrial CyberSecurity for Nodes, included in the Kaspersky Endpoint Detection and Response EPP solution.

IOC

Indicator of Compromise. A set of data about a malicious object or action.

IOC file

A file that contains a set of compromise indicators that are compared to the indicators of an event. If the compared indicators match, the application considers the event to be an alert. The alert probability may increase if exact matches of data about the object with several IOC files were found during the scan.

OpenIOC

An open standard for Indicator of Compromise (IOC) description created on the basis of XML and containing over 500 various indicators of compromise.

Response

Incident response is a structured methodology for handling security incidents, breaches, and cyberthreats.

Targeted attack

An attack targeted at a specific person or organization. Unlike mass attacks by computer viruses aimed at infecting the maximum number of computers, targeted attacks can be aimed at infecting the network of a certain organization or even one server in the organization's IT infrastructure. A special trojan program may be developed for each targeted attack.

Tenant

A tenant is an organization to which you supply the Kaspersky Industrial CyberSecurity Endpoint Detection and Response solution.

Page top

[Topic 282622]

Information about third-party code

Information about the third-party code is contained in the legal_notices.txt file located in the installation folder of each application compatible with Kaspersky Industrial CyberSecurity Endpoint Detection and Response.

Page top

[Topic 231363]

Trademark notices

Registered trademarks and service marks are the property of their respective owners.

Microsoft and Windows are trademarks of the Microsoft group of companies.

Page top