Starting with KUMA 3.4.1 and Kaspersky Endpoint Security 12.9 for Windows, EDR actions are supported when responding to threats. When correlation events are received, KUMA performs EDR actions. Performing EDR actions requires first setting up response rules. In the properties of response rules, you need to specify the arguments of scripts that you can download by following this link:
https://box.kaspersky.com/d/579c0271a38e440b9144/
When a response rule is triggered, Kaspersky Endpoint Security performs EDR actions and creates the following tasks in Kaspersky Security Center:
For these tasks to be performed, make sure that in Kaspersky Security Center, under Assets (Devices) → Policies & profiles → <Kaspersky Endpoint Security policy name> → Application settings → Detection and Response → Endpoint Detection and Response, the Execution Prevention ENABLED toggle switch is turned off.
When setting up response rules with EDR actions, we recommend taking into account the load that running tasks places on the computer. If the response rules cause scripts to create too many tasks, the computer's performance may be degraded. If there are too many requests, the requests are rotated regardless of whether a particular request has been completed. Kaspersky Endpoint Security allows creating no more than 100 tasks. When this limit is reached, Kaspersky Endpoint Security rotates tasks in Kaspersky Security Center. The lifespan of a task is 30 days.
Tasks created when the response rules are triggered in KUMA are displayed in Kaspersky Endpoint Security and cannot be hidden. They are not deleted immediately after the response script completes. These tasks are not displayed in Kaspersky Security Center.
You can use reports to view information about the execution of EDR actions in the Administration Console of Kaspersky Security Center. Kaspersky Endpoint Security generates events with descriptions in the '[Response][kuma] $<script name> - $<date>' format. A description in this format allows creating event selections for EDR actions.
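As an added example (not part of this page and not Kaspersky's own code), the following Python parses event descriptions in the '[Response][kuma] $<script name> - $<date>' format to build the event selection the text mentions and to count EDR actions per script against the 100-task limit. The timestamp layout, the helper names and the sample events are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime

# Kaspersky Endpoint Security describes each KUMA-triggered EDR action as
# '[Response][kuma] $<script name> - $<date>'.
PREFIX = "[Response][kuma] "
# Assumed layout of the $<date> part; the page does not state the format.
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"
# Task limit stated on the page; KES rotates tasks once it is reached.
TASK_LIMIT = 100

# Constructed sample of KES event descriptions (mixed with an unrelated event).
SAMPLE_EVENTS = [
    "[Response][kuma] isolate_host.ps1 - 2024-05-01 10:00:00",
    "[Response][kuma] kill_process.ps1 - 2024-05-01 10:00:05",
    "[Response][kuma] isolate_host.ps1 - 2024-05-01 10:01:00",
    "Malicious object detected",            # not a response event
    "[Response][kuma] broken - not a date",  # malformed, must be skipped
]


def parse_response_event(description):
    """Return (script_name, timestamp) for a KUMA response event, else None."""
    if not description.startswith(PREFIX):
        return None
    body = description[len(PREFIX):]
    # Split on the last ' - ' so script names containing ' - ' still parse;
    # assumes the date itself never contains ' - '.
    script, sep, date_text = body.rpartition(" - ")
    if not sep or not script:
        return None
    try:
        return script, datetime.strptime(date_text.strip(), DATE_FORMAT)
    except ValueError:
        return None


def select_response_events(descriptions):
    """Event selection: keep only well-formed KUMA response descriptions."""
    return [d for d in descriptions if parse_response_event(d) is not None]


def actions_per_script(descriptions):
    """Count EDR actions per script; each action creates a KES task."""
    parsed = (parse_response_event(d) for d in descriptions)
    return dict(Counter(script for script, _ in (p for p in parsed if p)))


def scripts_near_task_limit(descriptions, threshold=0.8):
    """Scripts whose action count has reached `threshold` of TASK_LIMIT."""
    counts = actions_per_script(descriptions)
    return sorted(s for s, n in counts.items() if n >= threshold * TASK_LIMIT)
```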