Kaspersky Anti Targeted Attack Platform

Managing prevention rules

You can use prevention rules to prevent files or processes from running on selected hosts or on all Kaspersky Endpoint Agent hosts. For example, you can block certain programs that you consider insecure. The program identifies files by their hash, using the MD5 and SHA256 hashing algorithms. A prevention rule created through external systems can contain multiple file hashes.

You can use external systems to manage all prevention rules created for a single host or for all hosts at the same time. When you create a prevention rule for a selected host through external systems, Kaspersky Anti Targeted Attack Platform replaces all prevention rules applied to this host with a single prevention rule that has the new parameters. For example, if you had added multiple prevention rules for a selected host through the program's web interface, and subsequently added a prevention rule through external systems, all prevention rules added in the web interface are replaced with the rule added through external systems.

When the parameters of a prevention rule created through external systems are modified, the program saves only the new parameters. For example, if you have added a prevention rule that contains hashes for multiple files, and want to add another hash to that rule, you must create a request to add a prevention rule and specify all hashes for which a prevention rule previously existed, plus the new hash.

The described scenario is also relevant for prevention rules applied to all hosts.

To create a prevention rule using the API, the following procedure is recommended for interacting with Kaspersky Anti Targeted Attack Platform:

  1. Create a request for getting the list of Kaspersky Endpoint Agent hosts.
  2. Create a request for getting information about hosts that already have prevention rules.
  3. Create a request for one of the following operations with prevention rules:

Added prevention rules are displayed in the web interface of the program in the Prevention section, Prevention rules subsection.

If you are creating a prevention rule for all hosts through an external system, you must first make sure that no prevention rule for the same file exists on the server or is applied to one or multiple hosts. This prerequisite is also relevant if you want to create a prevention rule through an external system for a selected host: you must make sure that a prevention rule for the same file does not exist on the server and is not applied to all hosts. Otherwise, the server returns an error to the external system with a list of hosts that already have a prevention rule applied.

If the prevention rule created through an external system contains multiple file hashes, the error information mentions only the first file that caused the error. Information about other duplicated prevention rules is not displayed.

To modify a prevention rule previously created through the web interface or external systems, you must create a request to add a prevention rule with the updated parameters.


Request to create a prevention rule

To create the request, the HTTP POST method is used. Command settings are passed in the body of the request in JSON format.

Command syntax

curl -k --cert <path to TLS certificate file> --key <path to private key file> -X POST "<URL of Central Node server>:<port, 443 by default>/kata/response_api/v1/<external_system_id>/settings?sensor_id=<sensor_id or all, if you want to create the prevention rule for all hosts>&settings_type=prevention" -H 'Content-Type: application/json' -d '
{
  "settings": {
    "objects": [
      {
        "file": {
          "<sha256 or md5>": "<SHA256 or MD5 hash of the file that you want to prevent from starting>"
        }
      },
      {
        "file": {
          "<sha256 or md5>": "<SHA256 or MD5 hash of the file that you want to prevent from starting>"
        }
      }
    ]
  }
}
'

If the request is processed successfully, the prevention rule is added. The prevention rule becomes active at the moment when it is added.

If necessary, you can delete the prevention rule.

Settings

Parameter           Type    Description
external_system_id  UUID    Unique ID of the external system used for authorization in Kaspersky Anti Targeted Attack Platform.
sensor_id           UUID    Unique Kaspersky Endpoint Agent host identifier, or all if the prevention rule applies to all hosts.
objects             string  Type of the object that you want to prevent from running. Possible value of the parameter: file.
sha256 or md5       string  SHA256 or MD5 hash of the object that you want to prevent from running.

Example of entering a command with switches

curl -k --cert example.cert --key example.key -X POST "https://10.10.0.22:443/kata/response_api/v1/15301050-0490-4A41-81EA-B0391CF21EF3/settings?sensor_id=all&settings_type=prevention" -H 'Content-Type: application/json' -d '
{
  "settings": {
    "objects": [
      {
        "file": {
          "sha256": "830195824b742ee59390bc5b9302688c778fc95a64e7d597e28a74c03a04dd63"
        }
      },
      {
        "file": {
          "md5": "d8e577bf078c45954f4531885478d5a9"
        }
      }
    ]
  }
}
'

Returned value

Return code          Description
200                  Operation completed successfully.
400                  Incorrect parameters.
401                  Authorization required.
404                  Specified Kaspersky Endpoint Agent host not found.
500, 502, 503, 504   Internal server error. Repeat the request later.
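The following Python helper is an added example for the create and delete requests described on this page; it is not part of Kaspersky's own tooling. It builds the settings URL and JSON body from a list of hashes (classifying each as md5 or sha256 by its hex length and rejecting anything else before the server answers 400), merges the existing hash set with new hashes because the server keeps only the hashes in the latest request, and sends the request with a client certificate. The Central Node address, external system ID and hashes are constructed sample values.

```python
import json
import re
import ssl
import urllib.request

# Constructed sample values; replace with your own deployment's values.
CENTRAL_NODE = "https://10.10.0.22:443"
EXTERNAL_SYSTEM_ID = "15301050-0490-4A41-81EA-B0391CF21EF3"
HASH_KINDS = {32: "md5", 64: "sha256"}  # hex digest length -> JSON key


def settings_url(sensor_id, base=CENTRAL_NODE, external_system_id=EXTERNAL_SYSTEM_ID):
    """Prevention settings endpoint for one host, or 'all' for every host."""
    return (f"{base}/kata/response_api/v1/{external_system_id}/settings"
            f"?sensor_id={sensor_id}&settings_type=prevention")


def prevention_body(hashes):
    """Build the request body; an empty list is the 'blank values' delete form."""
    # Validate locally so a malformed digest never reaches the server.
    objects = []
    for h in hashes:
        h = h.strip().lower()
        kind = HASH_KINDS.get(len(h))
        if kind is None or not re.fullmatch(r"[0-9a-f]+", h):
            raise ValueError(f"not an MD5 or SHA256 hex digest: {h!r}")
        objects.append({"file": {kind: h}})
    return {"settings": {"objects": objects}}


def merged_hashes(existing, new):
    """Full hash set to resend when adding to a rule (the latest request replaces it)."""
    # Duplicates are dropped and the original order is preserved.
    seen, out = set(), []
    for h in list(existing) + list(new):
        h = h.strip().lower()
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out


def send(method, url, body, cert, key):
    """Issue the request with client-certificate auth; returns (status, text)."""
    # Unlike curl -k, the default context verifies the server certificate.
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(cert, key)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read().decode()
```

Creating a rule is `send("POST", settings_url("all"), prevention_body(hashes), "example.cert", "example.key")`; deleting it is the same call with `prevention_body([])` or `send("DELETE", settings_url("all"), None, ...)`.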


Request to delete a prevention rule

You can delete a prevention rule either with a new request that contains blank values or with a request that uses the DELETE parameter. The POST and DELETE HTTP methods are used for these requests, respectively.

Command syntax for a new request

Command settings are passed in the body of the request in JSON format.

curl -k --cert <path to TLS certificate file> --key <path to private key file> -X POST "<URL of Central Node server>:<port, 443 by default>/kata/response_api/v1/<external_system_id>/settings?sensor_id=<sensor_id or all, if you want to delete the prevention rule for all hosts>&settings_type=prevention" -H 'Content-Type: application/json' -d '
{
  "settings": {
    "objects": []
  }
}
'

Command syntax with the DELETE parameter

curl -k --cert <path to TLS certificate file> --key <path to private key file> -X DELETE "<URL of Central Node server>:<port, 443 by default>/kata/response_api/v1/<external_system_id>/settings?sensor_id=<sensor_id or all, if you want to delete the prevention rule for all hosts>&settings_type=prevention"

Settings

Parameter           Type    Description
external_system_id  UUID    Unique ID of the external system used for authorization in Kaspersky Anti Targeted Attack Platform.
sensor_id           UUID    Unique Kaspersky Endpoint Agent host identifier, or all if the prevention rule applies to all hosts.

Example of command for a new request

curl -k --cert example.cert --key example.key -X POST "https://10.10.0.22:443/kata/response_api/v1/15301050-0490-4A41-81EA-B0391CF21EF3/settings?sensor_id=all&settings_type=prevention" -H 'Content-Type: application/json' -d '
{
  "settings": {
    "objects": []
  }
}
'

Example of entering a command with the DELETE parameter

curl -k --cert example.cert --key example.key -X DELETE "https://10.10.0.22:443/kata/response_api/v1/15301050-0490-4A41-81EA-B0391CF21EF3/settings?sensor_id=all&settings_type=prevention"

If the request is processed successfully, the prevention rule is deleted.

Returned value

Return code          Description
200                  Operation completed successfully.
400                  Incorrect parameters.
401                  Authorization required.
404                  Specified Kaspersky Endpoint Agent host not found.
500, 502, 503, 504   Internal server error. Repeat the request later.
