Starting with KUMA 3.4.1 and Kaspersky Endpoint Security 12.9 for Windows, EDR actions are supported when responding to threats. When correlation events are received, KUMA performs EDR actions. Performing EDR actions requires first setting up response rules. In the properties of response rules, you need to specify the arguments of scripts that are available for download. When a response rule is triggered, Kaspersky Endpoint Security performs EDR actions and creates the following tasks in Kaspersky Security Center:
For these tasks to run, make sure that in Kaspersky Security Center, under Assets (Devices) → Policies & profiles → <Kaspersky Endpoint Security policy name> → Application settings → Detection and Response → Endpoint Detection and Response, the Execution Prevention ENABLED toggle switch is disabled.
When setting up response rules with EDR actions, we recommend taking into account the load that running tasks places on the computer. If the response rules cause scripts to create too many tasks, the computer's performance may degrade. Kaspersky Endpoint Security allows no more than 100 tasks to exist at a time; when this limit is reached, it rotates tasks in Kaspersky Security Center regardless of whether a particular task has completed. The lifespan of a task is 30 days.
You can monitor the execution of EDR actions in the administration console using reports. Kaspersky Endpoint Security generates events with descriptions in the '[Response][kuma] $<script name> - $<date>' format. A description in this format allows creating event selections for EDR actions.
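As an added illustration (not code from KUMA, Kaspersky Endpoint Security or this page), the following parser filters exported event descriptions in the '[Response][kuma] $<script name> - $<date>' format and counts the tasks still within their 30-day lifespan per script, so that an operator can see how close the 100-task limit is. It assumes that '$<...>' denotes a substituted value in the rendered description and that the date is rendered as an ISO YYYY-MM-DD string; the sample events are constructed.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Assumed rendering of the documented description format
# '[Response][kuma] $<script name> - $<date>': the '$<...>' parts are taken
# to be substituted values, and the date is assumed to be ISO (YYYY-MM-DD).
EDR_DESC_RE = re.compile(
    r"^\[Response\]\[kuma\]\s+(?P<script>\S+)\s+-\s+(?P<date>\d{4}-\d{2}-\d{2})$"
)

MAX_TASKS = 100          # KES keeps at most 100 tasks; older ones are rotated
TASK_LIFETIME_DAYS = 30  # documented task lifespan


def parse_edr_event(description):
    """Return (script name, date) for a KUMA EDR response event, else None."""
    m = EDR_DESC_RE.match(description.strip())
    if not m:
        return None
    try:
        return m.group("script"), date.fromisoformat(m.group("date"))
    except ValueError:  # malformed date such as 2025-13-40
        return None


def summarize(descriptions, today):
    """Count tasks per script that are still within their lifespan."""
    cutoff = today - timedelta(days=TASK_LIFETIME_DAYS)
    per_script = Counter()
    for desc in descriptions:
        parsed = parse_edr_event(desc)
        if parsed is None:
            continue  # unrelated KES event or unparsable description
        script, created = parsed
        if created > cutoff:
            per_script[script] += 1
    total = sum(per_script.values())
    return {
        "per_script": dict(per_script),
        "live_total": total,
        "near_limit": total >= MAX_TASKS * 0.8,  # warn before rotation starts
    }


# Constructed sample event descriptions (not real KSC data)
SAMPLE_EVENTS = [
    "[Response][kuma] isolate_host.ps1 - 2025-03-10",
    "[Response][kuma] isolate_host.ps1 - 2025-03-11",
    "[Response][kuma] kill_process.ps1 - 2025-01-01",  # older than 30 days
    "Some unrelated KES event",
]
```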