How to connect your infrastructure to the Kaspersky Managed Detection and Response service when using a local Kaspersky Security Center
Kaspersky Managed Detection and Response is a service that helps customers detect information security threats, respond to them, and investigate cyber incidents. An experienced team of experts processes telemetry sent by the customer's security products, on the vendor side, around the clock. Kaspersky Managed Detection and Response provides you with benefits of a security operations center and eliminates the need to build it within your company. For more information, visit the official page.
The customer is assumed to have a ready Kaspersky account, which is used for authentication in various Kaspersky services. Kaspersky Managed Detection and Response has a portal at mdr.kaspersky.com. You can activate the service there and download configuration files to connect your infrastructure. After that, you will be able to monitor the hosts connected to the service and work with security incidents in the portal.
Alternatively, you can integrate Kaspersky Managed Detection and Response with Kaspersky Security Center and have almost all of the portal's capabilities in the Kaspersky Security Center Web Console. We presume that Kaspersky Security Center and security applications are already deployed on the customer's network. Integration with the MDR portal is configured in the Kaspersky Security Center Web Console.
Let's connect to Kaspersky Security Center. In this case, we are using a local administrator account. First, make sure that representation of the MDR functionality is enabled in the Web Console. For this purpose, open the interface options. The Show MDR feature switch is turned on by default, but it never hurts to double-check.
The MDR portal integrates into the Kaspersky Security Center Web Console using a special plugin, and our next step is to install this plugin. Let's open the list of plugins. On the side menu, click Console settings and select Web plugins. Click Add and select the necessary plugin. You can filter the list to quickly find it. Then click Install plugin. You can see that the plugin is displayed on the list with the Installed status now.
After the plugin is installed, the Incidents section will appear in Monitoring and reporting. Let's open it. The Activate service button appears dimmed. It means that the account under which we have logged on to the Web Console has insufficient privileges. Only a user who has the Main Administrator role can click the Activate service button. Let's go to the Users and roles > Users page to grant this role to our account. Find the local KSC administrator account and open its properties. Switch to the Roles tab, grant the Main Administrator role, and save the changes. Let's return to Monitoring and reporting > Incidents. Awesome, the Activate service button is available now.
Background connection between the Web Console and the Administration Server must be enabled. Select the check box to proceed. For troubleshooting, you can manually disable and enable the connection in the console settings, on the Integrations page. Then enter the Kaspersky account under which you are going to work with Kaspersky Managed Detection and Response. The Kaspersky Managed Detection and Response activation page opens. You can activate the service only with a code, although you receive both a code and a key file with your purchase. Enter your activation code, select your country, and click Activate.
The Kaspersky Managed Detection and Response portal generates an application programming interface token, which is then activated by the Administration Server behind the scenes. Everything is seamless for the user. The MDR agreement and the MDR data processing agreement are displayed when you connect to the portal for the first time. Read them. You can download the agreements as files if necessary. Then select the check boxes and click Accept. You can see that the service has been activated successfully. Click Start setting up.
The first step is to enable Kaspersky Private Security Network, to specify where Kaspersky applications will send telemetry. A configuration file is used here. It was previously uploaded manually, but in Kaspersky Managed Detection and Response 2.1 the config file is added automatically. Click Continue setting up, and you will be redirected to the Getting started page. That's it, integration with Kaspersky Security Center Web Console is complete. You can now connect your infrastructure to Kaspersky Managed Detection and Response.
To make sure that the Kaspersky Private Security Network configuration file has been applied, let's open the Administration Server properties and go to the KSN Proxy settings. Indeed, Kaspersky Security Center has switched to Kaspersky Private Security Network. At the same time, all policies also switched to Kaspersky Private Security Network. Let's proceed. To activate the MDR component in Kaspersky applications, you need a blob file. You can find it in the archive with the configuration file for KPSN. Let's download the archive and return to our infrastructure.
Kaspersky Security Center is installed in our virtual environment. All client machines are connected to the Administration Server, and various security solutions are installed on all endpoints. That's what our environment looks like:
DC virtual machine with Kaspersky Security for Windows Server 11.0 installed;
KSC virtual machine with Kaspersky Security for Virtualization 5.2 Light Agent installed;
Alex Desktop virtual machine with Kaspersky Endpoint Security 11.6 for Windows installed;
Admin Laptop virtual machine with Kaspersky Endpoint Security 11.7 for Windows installed;
Ubuntu Desktop virtual machine with Kaspersky Endpoint Security 11.2 for Linux installed.
Each protection application sends its telemetry by itself, except Kaspersky Security for Windows Server 11.0, where a special Kaspersky Endpoint Agent application is responsible for transmitting telemetry. Now we need to add the activation blob file to each policy and make sure that the use of Kaspersky Private Security Network is enabled everywhere.
Open Devices > Policies and profiles. Open the properties of the Kaspersky Endpoint Security for Windows 11.7 policy. Go to Application settings > Advanced Threat Protection. Open the properties of the Kaspersky Security Network component. You can see that everything is OK here: the component is enabled and private KSN is used. Let's go to Detection and Response. Open the properties of the Managed Detection and Response component. Enable it and add the activation blob file with the P7 extension. Do not forget to enforce the policy to apply the settings to the client computers. If all is well, a new component will appear in the Kaspersky Endpoint Security interface on the client computers after a while. In Kaspersky Endpoint Security for Windows 11.6, it looks like this. And this is the new interface of Kaspersky Endpoint Security for Windows 11.7.
Let's get back to the policies and open the policy of Kaspersky Endpoint Security 11.2 for Linux. Go to Application settings > Advanced Threat Protection. Open the properties of the Kaspersky Security Network component. You can see that the component is configured to use Kaspersky Private Security Network, but it is disabled. Let's enable the component and accept the terms of the agreement. Go to the General settings section. Open the properties of the Managed Detection and Response component. Enable it and add the activation blob file with the P7 extension. Do not forget to enforce the settings. If all is good, the application information will show that the blob file has been loaded and that the Managed Detection and Response component is active on the client computer after a while.
Let's get back to the policies and open the Kaspersky Security 11 for Windows Server policy. Switch to the Application settings tab and open Real-Time Server Protection. Open the properties of the KSN Usage component. Switch to the Kaspersky Private Security Network tab. Accept the terms of the statement and enforce the settings on the client computers. Also ensure that the KSN Usage task starts automatically when the application launches.
Note that you cannot load the activation blob file into the Kaspersky Security for Windows Server policy. You need Kaspersky Endpoint Agent to connect Kaspersky Security for Windows Server to Kaspersky Managed Detection and Response. The blob file is designed to be uploaded to the Kaspersky Endpoint Agent policy. Let's open it. Switch to the Application settings tab and open Managed Detection and Response. Enable the Managed Detection and Response component. You can specify any user ID. Let's add the activation blob file with the P7 extension. Check the device properties to make sure that Kaspersky Endpoint Agent has been activated successfully. Open the Devices > Managed devices page. In this case, we need the DC device, because it has Kaspersky Security for Windows Server and Kaspersky Endpoint Agent installed. Let's open the DC properties and switch to the Applications tab. Click Kaspersky Endpoint Agent and switch to the component section. You can see that the Managed Detection and Response component is running.
Kaspersky Managed Detection and Response 2.1 supports Kaspersky Security for Virtualization 5.2 Light Agent for Windows. However, you can only load the blob file through the Kaspersky Security Center MMC console so far. Open the policy of Kaspersky Security for Virtualization 5.2 Light Agent for Windows in the MMC console. Go to Other settings > Managed Detection and Response. Enable the Managed Detection and Response component. Add the activation blob file with the P7 extension. And make sure that the lock is closed to have the settings enforced on the client computers.
The KSN settings are located in the protection server policy. Let's open the policy Kaspersky Security for Virtualization 5.2 Light Agent Protection Server. Switch to Kaspersky Security Network settings. You can see that everything is OK here: the component is enabled and private Kaspersky Security Network is used. To make sure that the Managed Detection and Response component has been activated successfully, open the device properties in any console. Let's open the KSC device properties and switch to the Applications tab. Open the properties of Kaspersky Security for Virtualization 5.2 Light Agent, and then the component section. You can see that the Managed Detection and Response component is running.
That's all. Our hosts will connect to Kaspersky Managed Detection and Response after a while. For now, the best way to monitor the connected devices is the Assets page of the Kaspersky Managed Detection and Response portal. You can see that all our devices have connected and are displayed in the portal.
After your infrastructure has appeared in the Kaspersky Managed Detection and Response console, we recommend that you make a few more adjustments for your convenience, such as connecting a Telegram bot or setting up emailing reports. Switch to the Settings tab. Pay attention to the Notifications area. By default, incident notifications are not sent anywhere. We recommend that you enable email notifications and connect the Telegram bot to receive notifications faster. Click Subscribe and then click the link. Confirm that you want to open the link in the application. Click Start. If the "User authorized" message arrives, congratulations, the Telegram bot is working.
Let us return to the Web Console. A few words about the Auto-accepting responses option. When Kaspersky analysts see suspicious activity, they can request permissions for some actions on a related device, for example, retrieve a file for analysis, terminate a process, isolate the device, and so forth. However, the customer must manually accept each request on the incident card. If you select to automatically accept all responses, the customer's administrator will not have to confirm anything, and the analyst will be able to take the necessary actions immediately.
Let's switch to the Schedules tab. Actually, this tab is not about schedules, it's about reports. You can create a task that will send an incident report on schedule. Type "MDR daily report" for the task name. Specify an email address. You can add several addresses if necessary. Select "I agree to receive data from the incidents". You can also select to validate the email addresses if desired. Let's schedule the task using the UTC time. Click Save to save the changes. A six-character verification code will be sent to the specified email address. Type it here. If you specify more than one address, each will have its own code, and you will need to enter all of them. That's finally all. Major setup is complete.