# Kaspersky Security Center (Beta)

This Integration is part of the Kaspersky Security Center Pack.

## Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.

**beta**

This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.

The administration console for controlling all Kaspersky Lab security solutions and system administration tools.

This integration was integrated and tested with version 12 of Kaspersky Security Center.

Note: The integration is in beta because it only covers a subset of the endpoints and API use cases.
## Prerequisites
The user should be assigned to a role with the relevant devices in scope, and the following access rights:
- Basic functionality - Read
- Management of administration groups - Modify
## Configure Kaspersky Security Center in Cortex

| Parameter | Required |
| --- | --- |
| Server URL (e.g., https://kaspersky.domain.com:13299) | True |
| Username | True |
| Password | True |
| Trust any certificate (not secure) | False |
| Use system proxy settings | False |
## Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### ksc-hosts-list
Returns a list of hosts.

#### Base Command
`ksc-hosts-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Filter which contains a condition over host attributes, e.g., KLHST_WKS_OS_NAME = "Microsoft Windows Server 2016". See the integration documentation for the search filter syntax. | Optional |
| limit | The maximum number of hosts to return. Default is 50. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| KasperskySecurityCenter.Host.KLHST_WKS_DN | String | Host display name. |
| KasperskySecurityCenter.Host.KLHST_WKS_DNSDOMAIN | String | DNS suffix. |
| KasperskySecurityCenter.Host.KLHST_WKS_DNSNAME | String | DNS name without DNS suffix. |
| KasperskySecurityCenter.Host.KLHST_WKS_FQDN | String | Host FQDN name. |
| KasperskySecurityCenter.Host.KLHST_WKS_GROUPID | String | ID of administration group where host is located. |
| KasperskySecurityCenter.Host.KLHST_WKS_HOSTNAME | String | Host name ID. |
| KasperskySecurityCenter.Host.KLHST_WKS_OS_NAME | String | Operating system name. |

#### Command Example
`!ksc-hosts-list filter=KLHST_WKS_OS_NAME = "Microsoft Windows Server 2016"`

#### Human Readable Output

##### Hosts List

| KLHST_WKS_HOSTNAME | KLHST_WKS_DN | KLHST_WKS_OS_NAME | KLHST_WKS_FQDN |
| --- | --- | --- | --- |
| 4328e16f-bf83-47c3-8d0b-0fdf79f9d673 | EC2AMAZ-U66K3JK | Microsoft Windows Server 2016 | ip-172-32-34-237.eu-west-2.compute.internal |
### ksc-host-get
Returns details of a host.

#### Base Command
`ksc-host-get`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | The unique hostname GUID to retrieve the details of. Can be retrieved using the ksc-hosts-list command. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Endpoint.ID | String | The unique ID within the tool retrieving the endpoint. |
| Endpoint.OS | String | Endpoint OS. |
| Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
| Endpoint.Domain | String | The domain of the endpoint. |
| KasperskySecurityCenter.Host.KLHST_WKS_DN | String | Host display name. |
| KasperskySecurityCenter.Host.KLHST_INSTANCEID | String | Network agent ID. |
| KasperskySecurityCenter.Host.KLHST_WKS_DNSDOMAIN | String | DNS suffix. |
| KasperskySecurityCenter.Host.KLHST_WKS_DNSNAME | String | DNS name without DNS suffix. |
| KasperskySecurityCenter.Host.KLHST_WKS_FQDN | String | Host FQDN name. |
| KasperskySecurityCenter.Host.KLHST_WKS_GROUPID | String | ID of administration group where host is located. |
| KasperskySecurityCenter.Host.KLHST_WKS_HOSTNAME | String | Host name ID. |
| KasperskySecurityCenter.Host.KLHST_WKS_OS_NAME | String | Operating system name. |
| KasperskySecurityCenter.Host.KLHST_WKS_ANTI_SPAM_STATUS | Number | Product component status. |
| KasperskySecurityCenter.Host.KLHST_WKS_COLLAB_SRVS_STATUS | Number | Collaboration servers protection status. |
| KasperskySecurityCenter.Host.KLHST_WKS_CPU_ARCH | Number | CPU architecture from the operating system point of view (since KSC 10 SP1). |
| KasperskySecurityCenter.Host.KLHST_WKS_CREATED.value | Date | Time of host record creation. |
| KasperskySecurityCenter.Host.KLHST_WKS_CTYPE | Number | Computer type. |
| KasperskySecurityCenter.Host.KLHST_WKS_DLP_STATUS | Number | DLP status. |
| KasperskySecurityCenter.Host.KLHST_WKS_EDR_STATUS | Number | EDR component status. |
| KasperskySecurityCenter.Host.KLHST_WKS_LAST_VISIBLE.value | Date | Last host visibility time. |
| KasperskySecurityCenter.Host.KLHST_WKS_NAG_VERSION | String | Network agent build number in format A.B.C[.D]. |
| KasperskySecurityCenter.Host.KLHST_WKS_NAG_VER_ID | Number | Network Agent version ID. |
| KasperskySecurityCenter.Host.KLHST_WKS_OSSP_VER_MAJOR | Number | Service Pack version major part (since KSC 10 SP1). |
| KasperskySecurityCenter.Host.KLHST_WKS_OSSP_VER_MINOR | Number | Service Pack version minor part (since KSC 10 SP1). |
| KasperskySecurityCenter.Host.KLHST_WKS_OS_BUILD_NUMBER | Number | Operating system version build number. |
| KasperskySecurityCenter.Host.KLHST_WKS_OS_RELEASE_ID | Number | Operating system version release ID (for Windows 10). |
| KasperskySecurityCenter.Host.KLHST_WKS_OWNER_IS_CUSTOM | Boolean | Whether the owner was changed via UpdateHost with KLHST_WKS_CUSTOM_OWNER_ID. |
| KasperskySecurityCenter.Host.KLHST_WKS_PTYPE | Number | Platform type. |
| KasperskySecurityCenter.Host.KLHST_WKS_RBT_REQUEST_REASON | Number | Reboot request reasons mask. |
| KasperskySecurityCenter.Host.KLHST_WKS_RBT_REQUIRED | Boolean | Whether a reboot is required. |
| KasperskySecurityCenter.Host.KLHST_WKS_RTP_AV_BASES_TIME.value | Date | Anti-virus bases time. |
| KasperskySecurityCenter.Host.KLHST_WKS_RTP_AV_VERSION | String | Protection build number in format A.B.C[.D]. |
| KasperskySecurityCenter.Host.KLHST_WKS_STATUS | Number | Host status. |

#### Command Example
`!ksc-host-get hostname="4328e16f-bf83-47c3-8d0b-0fdf79f9d673"`

#### Human Readable Output

##### Host 4328e16f-bf83-47c3-8d0b-0fdf79f9d673

| KLHST_WKS_HOSTNAME | KLHST_WKS_OS_NAME | KLHST_WKS_FQDN | KLHST_WKS_DN | KLHST_WKS_NAG_VERSION |
| --- | --- | --- | --- | --- |
| 4328e16f-bf83-47c3-8d0b-0fdf79f9d673 | Microsoft Windows Server 2016 | ip-172-32-34-237.eu-west-2.compute.internal | EC2AMAZ-U66K3L | 12.2.0.4376 |
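The context output above carries the fields a responder usually checks first on a host record: whether a reboot is pending (`KLHST_WKS_RBT_REQUIRED`), how old the anti-virus bases are (`KLHST_WKS_RTP_AV_BASES_TIME.value`) and when the host last reported in (`KLHST_WKS_LAST_VISIBLE.value`). The following is an added example, not code from the integration, of triaging one `KasperskySecurityCenter.Host` record as an automation would. The record, `FIXED_NOW` and the staleness thresholds are constructed; the ISO 8601 form of the `.value` timestamps is an assumption the integration does not document.

```python
from datetime import datetime, timedelta, timezone

# Added example; not code from the Kaspersky Security Center integration.
# Triages one host record of the shape ksc-host-get writes under
# KasperskySecurityCenter.Host. The record and FIXED_NOW are constructed;
# the ISO 8601 form of the ".value" fields and the staleness thresholds
# are assumptions, not something the integration documents.

SAMPLE_HOST = {  # constructed, modelled on the command example above
    "KLHST_WKS_HOSTNAME": "4328e16f-bf83-47c3-8d0b-0fdf79f9d673",
    "KLHST_WKS_DN": "EC2AMAZ-U66K3L",
    "KLHST_WKS_OS_NAME": "Microsoft Windows Server 2016",
    "KLHST_WKS_NAG_VERSION": "12.2.0.4376",
    "KLHST_WKS_RBT_REQUIRED": True,
    "KLHST_WKS_RTP_AV_BASES_TIME": {"value": "2021-01-01T00:00:00Z"},
    "KLHST_WKS_LAST_VISIBLE": {"value": "2021-02-10T08:00:00Z"},
}

HEALTHY_HOST = dict(  # constructed variant with nothing to report
    SAMPLE_HOST,
    KLHST_WKS_RBT_REQUIRED=False,
    KLHST_WKS_RTP_AV_BASES_TIME={"value": "2021-02-14T00:00:00Z"},
    KLHST_WKS_LAST_VISIBLE={"value": "2021-02-14T23:00:00Z"},
)

FIXED_NOW = datetime(2021, 2, 15, tzinfo=timezone.utc)  # constructed "current time"


def parse_value_timestamp(field):
    """Read a {'value': '<ISO 8601>'} wrapper into an aware UTC datetime; None if absent or unparseable."""
    if not isinstance(field, dict) or not field.get("value"):
        return None
    raw = str(field["value"]).replace("Z", "+00:00")  # fromisoformat() on older Pythons rejects 'Z'
    try:
        ts = datetime.fromisoformat(raw)
    except ValueError:
        return None
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def triage_host(host, now=None, bases_max_age=timedelta(days=7), visible_max_age=timedelta(days=3)):
    """Return (severity, message) findings for one KasperskySecurityCenter.Host record."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if host.get("KLHST_WKS_RBT_REQUIRED"):
        findings.append(("medium", "host reports a pending reboot"))
    bases = parse_value_timestamp(host.get("KLHST_WKS_RTP_AV_BASES_TIME"))
    if bases is None:
        findings.append(("high", "no anti-virus bases time reported"))
    elif now - bases > bases_max_age:
        findings.append(("high", "anti-virus bases are %d days old" % (now - bases).days))
    seen = parse_value_timestamp(host.get("KLHST_WKS_LAST_VISIBLE"))
    if seen is None:
        findings.append(("medium", "no last visible time reported"))
    elif now - seen > visible_max_age:
        findings.append(("medium", "host last visible %d days ago" % (now - seen).days))
    return findings


def demo_findings():
    """Findings for the constructed sample host at FIXED_NOW."""
    return triage_host(SAMPLE_HOST, now=FIXED_NOW)


def demo_healthy():
    """Findings for the constructed healthy host at FIXED_NOW (none expected)."""
    return triage_host(HEALTHY_HOST, now=FIXED_NOW)


if __name__ == "__main__":
    for severity, message in demo_findings():
        print("%s %s: %s" % (SAMPLE_HOST["KLHST_WKS_DN"], severity, message))
```

A missing timestamp is reported as a finding rather than silently skipped, since a host that never reports its bases time deserves attention as much as one whose bases are stale.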
### ksc-groups-list
Returns a list of groups.

#### Base Command
`ksc-groups-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Filter which contains a condition over group attributes, e.g., name = "Managed devices". See the integration documentation for the search filter syntax. | Optional |
| limit | The maximum number of groups to return. Default is 50. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| KasperskySecurityCenter.Group.id | Number | Group ID. |
| KasperskySecurityCenter.Group.name | String | Group name. |

#### Command Example
`!ksc-groups-list filter=name = "Managed devices"`

#### Human Readable Output

##### Groups List

| id | name |
| --- | --- |
| 0 | Managed devices |
### ksc-group-add
Creates a new administration group.

#### Base Command
`ksc-group-add`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the group to add. | Required |
| parent_id | ID of the group under which to create the group. Can be retrieved using the ksc-groups-list command. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| KasperskySecurityCenter.Group.id | Number | Group ID. |
| KasperskySecurityCenter.Group.name | String | Group name. |

#### Command Example
`!ksc-group-add name="Assigned Devices" parent_id=1`

#### Human Readable Output

##### Group was added successfully

| id | name |
| --- | --- |
| 10 | Assigned Devices |
### ksc-group-delete
Deletes an administration group.

#### Base Command
`ksc-group-delete`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | ID of the group to delete. Can be retrieved using the ksc-groups-list command. | Required |
| flags | 1 = delete the group only if it is empty; 2 = delete the group with its subgroups, policies and tasks; 3 = delete the group with its subgroups, hosts, policies and tasks. Possible values are: 1, 2, 3. Default is 1. | Optional |

#### Context Output
There is no context output for this command.

#### Command Example
`!ksc-group-delete group_id=10 flags=1`

#### Human Readable Output
Delete group action was submitted
### ksc-software-applications-list
Returns limited attributes for all software applications.

#### Base Command
`ksc-software-applications-list`

#### Input
There are no input arguments for this command.

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| KasperskySecurityCenter.Inventory.Software.ARPRegKey | String | Subkey for the application under the registry key for the list of add-remove programs. |
| KasperskySecurityCenter.Inventory.Software.Comments | String | Software application comments. |
| KasperskySecurityCenter.Inventory.Software.DisplayName | String | Software application display name. |
| KasperskySecurityCenter.Inventory.Software.DisplayVersion | String | Software application display version. |
| KasperskySecurityCenter.Inventory.Software.ProductID | String | Software application product ID. |
| KasperskySecurityCenter.Inventory.Software.Publisher | String | Software application publisher. |

#### Command Example
`!ksc-software-applications-list`

#### Human Readable Output

##### Inventory Software Applications

| DisplayName | Publisher | DisplayVersion |
| --- | --- | --- |
| Microsoft SQL Server 2014 Transact-SQL ScriptDom | Microsoft Corporation | 12.2.5000.0 |
| Plug-in for Microsoft Exchange ActiveSync | Kaspersky | 12.0.0.7734 |
### ksc-software-patches-list
Returns limited attributes for all software application updates.

#### Base Command
`ksc-software-patches-list`

#### Input
There are no input arguments for this command.

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| KasperskySecurityCenter.Inventory.Patch.Classification | String | Classification of the update. |
| KasperskySecurityCenter.Inventory.Patch.Comments | String | Software application patch comments. |
| KasperskySecurityCenter.Inventory.Patch.DisplayName | String | Software application patch display name. |
| KasperskySecurityCenter.Inventory.Patch.DisplayVersion | String | Software application patch display version. |
| KasperskySecurityCenter.Inventory.Patch.PatchID | String | Software application patch ID. |
| KasperskySecurityCenter.Inventory.Patch.Publisher | String | Software application patch publisher. |

#### Command Example
`!ksc-software-patches-list`

#### Human Readable Output

##### Inventory Software Patches

| DisplayName | Publisher | DisplayVersion |
| --- | --- | --- |
| Service Pack 2 for SQL Server 2014 (KB3171021) (64-bit) | Microsoft Corporation | 12.2.5000.0 |
| Update (KB3176936) | Microsoft Windows | |
### ksc-host-software-applications-list
Retrieves the software applications for a host.

#### Base Command
`ksc-host-software-applications-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | The unique hostname GUID to retrieve the software applications of. Can be retrieved using the ksc-hosts-list command. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| KasperskySecurityCenter.Host.Software.ARPRegKey | String | Subkey for the application under the registry key for the list of add-remove programs. |
| KasperskySecurityCenter.Host.Software.Comments | String | Software application comments. |
| KasperskySecurityCenter.Host.Software.DisplayName | String | Software application display name. |
| KasperskySecurityCenter.Host.Software.DisplayVersion | String | Software application display version. |
| KasperskySecurityCenter.Host.Software.ProductID | String | Software application product ID. |
| KasperskySecurityCenter.Host.Software.Publisher | String | Software application publisher. |

#### Command Example
`!ksc-host-software-applications-list hostname=4328e16f-bf83-47c3-8d0b-0fdf79f9d673`

#### Human Readable Output

##### Host 4328e16f-bf83-47c3-8d0b-0fdf79f9d673 Software Applications

| DisplayName | Publisher | DisplayVersion |
| --- | --- | --- |
| Microsoft SQL Server 2014 Transact-SQL ScriptDom | Microsoft Corporation | 12.2.5000.0 |
| Plug-in for Microsoft Exchange ActiveSync | Kaspersky | 12.0.0.7734 |
### ksc-host-software-patches-list
Retrieves the patches for a host.

#### Base Command
`ksc-host-software-patches-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | The unique hostname GUID to retrieve the software patches of. Can be retrieved using the ksc-hosts-list command. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| KasperskySecurityCenter.Host.Patch.Classification | String | Classification of the update. |
| KasperskySecurityCenter.Host.Patch.Comments | String | Software application patch comments. |
| KasperskySecurityCenter.Host.Patch.DisplayName | String | Software application patch display name. |
| KasperskySecurityCenter.Host.Patch.DisplayVersion | String | Software application patch display version. |
| KasperskySecurityCenter.Host.Patch.PatchID | String | Software application patch ID. |
| KasperskySecurityCenter.Host.Patch.Publisher | String | Software application patch publisher. |

#### Command Example
`!ksc-host-software-patches-list hostname=4328e16f-bf83-47c3-8d0b-0fdf79f9d673`

#### Human Readable Output

##### Host 4328e16f-bf83-47c3-8d0b-0fdf79f9d673 Software Patches

| DisplayName | Publisher | DisplayVersion |
| --- | --- | --- |
| Service Pack 2 for SQL Server 2014 (KB3171021) (64-bit) | Microsoft Corporation | 12.2.5000.0 |
| Update (KB3176936) | Microsoft Windows | |
### ksc-policies-list
Returns the policies located in the specified group.

#### Base Command
`ksc-policies-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| group_id | ID of the group to retrieve the policies of. Can be retrieved using the ksc-groups-list command. Set to -1 to retrieve the policies of all groups. Default is -1. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| KasperskySecurityCenter.Policy.KLPOL_ACTIVE | Boolean | Whether the policy is active. |
| KasperskySecurityCenter.Policy.KLPOL_CREATED.value | Date | Policy creation date. |
| KasperskySecurityCenter.Policy.KLPOL_MODIFIED.value | Date | Policy modification date. |
| KasperskySecurityCenter.Policy.KLPOL_DN | String | Policy display name. |
| KasperskySecurityCenter.Policy.KLPOL_PRODUCT | String | Policy product name. |
| KasperskySecurityCenter.Policy.KLPOL_VERSION | String | Policy product version. |
| KasperskySecurityCenter.Policy.KLPOL_GROUP_ID | Number | Policy group ID. |
| KasperskySecurityCenter.Policy.KLPOL_ID | Number | Policy ID. |

#### Command Example
`!ksc-policies-list group_id=0`

#### Human Readable Output

##### Policies List

| KLPOL_ID | KLPOL_DN | KLPOL_PRODUCT | KLPOL_VERSION |
| --- | --- | --- | --- |
| 1 | Kaspersky Endpoint Security for Windows (11.5.0) | KES | 11.0.0.0 |
| 2 | Kaspersky Security Center Network Agent | 1103 | 1.0.0.0 |
### ksc-policy-get
Retrieves the data for the specified policy.

#### Base Command
`ksc-policy-get`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| policy_id | ID of the policy to retrieve the details of. Can be retrieved using the ksc-policies-list command. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| KasperskySecurityCenter.Policy.KLPOL_ACTIVE | Boolean | Whether the policy is active. |
| KasperskySecurityCenter.Policy.KLPOL_CREATED.value | Date | Policy creation date. |
| KasperskySecurityCenter.Policy.KLPOL_MODIFIED.value | Date | Policy modification date. |
| KasperskySecurityCenter.Policy.KLPOL_DN | String | Policy display name. |
| KasperskySecurityCenter.Policy.KLPOL_PRODUCT | String | Policy product name. |
| KasperskySecurityCenter.Policy.KLPOL_VERSION | String | Policy product version. |
| KasperskySecurityCenter.Policy.KLPOL_GROUP_ID | Number | Policy group ID. |
| KasperskySecurityCenter.Policy.KLPOL_ID | Number | Policy ID. |

#### Command Example
`!ksc-policy-get policy_id=1`

#### Human Readable Output

##### Policy 1

| KLPOL_ID | KLPOL_DN | KLPOL_PRODUCT | KLPOL_VERSION |
| --- | --- | --- | --- |
| 1 | Kaspersky Endpoint Security for Windows (11.5.0) | KES | 11.0.0.0 |
## Search Filter Syntax
A number of commands use a search filter whose syntax resembles the one in RFC 2254.

Integers must be provided as signed decimal.

Quoted strings may contain the following wildcards. If the 'value' in a 'simple' expression has wildcards, then the 'filtertype' must be 'equal'.

| Wildcard | Description |
| --- | --- |
| ? | Any single character. |
| * | Any string of zero or more characters. |
| [ ] | Any single character within the specified range ([a-f]) or set ([abcdef]). |
| [^] | Any single character not within the specified range (a-f) or set (abcdef). |

UTC time can be specified either in absolute or relative format. Absolute format: `T"YYYY-MM-DD hh:mm:ss"`, for example `T"2005-04-27 23:59:01"`. To specify UTC time in relative format, the pseudovalue `CURTIME([<signed integer delta>])` may be used, meaning "current time (in UTC) + <signed integer delta>".

Binary must be provided as hex with a '0x' prefix, for example 0xF41748C0BEF943a6AE2C5D1010F046A.
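A filter value that is encoded wrongly (an unquoted string, a local-time timestamp, a wildcard that does not mean what the author thought) silently matches the wrong set of hosts or groups, so it is worth building filter operands programmatically and checking a wildcard pattern against known display names before it is sent. The following is an added example, not code from the Kaspersky Security Center integration: it encodes operands according to the rules above and translates the documented wildcard syntax into a regular expression. The `Pseudovalue` type, the sample display names, and the choices that the `CURTIME` delta is in seconds, that matching is case-sensitive and that string operands containing `"` are rejected (the page documents no escaping rule) are all assumptions made here.

```python
import re
from datetime import datetime, timezone

# Added example; not code from the Kaspersky Security Center integration.
# Encodes filter operands as the Search Filter Syntax section describes and
# turns the documented wildcard syntax into a regular expression so a pattern
# can be checked locally before it is sent. Assumptions not stated on the
# page: the CURTIME delta is in seconds, wildcard matching is case-sensitive,
# and strings containing '"' are rejected because no escaping rule is given.


class Pseudovalue(str):
    """A literal that is already in filter form (e.g. the result of curtime())."""


def encode_value(value):
    """Render one filter operand in the documented literal form."""
    if isinstance(value, Pseudovalue):
        return str(value)
    if isinstance(value, bool):
        return "1" if value else "0"           # booleans are undocumented; 0/1 is an assumption
    if isinstance(value, int):
        return str(value)                      # signed decimal, e.g. -1 or 50
    if isinstance(value, str):
        if '"' in value:
            raise ValueError("quote characters inside string operands are not supported here")
        return '"%s"' % value                  # quoted string, may carry ? * [ ] [^] wildcards
    if isinstance(value, datetime):
        if value.tzinfo is None:
            raise ValueError("datetime operand must be timezone-aware")
        utc = value.astimezone(timezone.utc)
        return 'T"%s"' % utc.strftime("%Y-%m-%d %H:%M:%S")  # absolute UTC format
    if isinstance(value, (bytes, bytearray)):
        return "0x" + bytes(value).hex().upper()             # binary as 0x-prefixed hex
    raise TypeError("unsupported operand type: %s" % type(value).__name__)


def curtime(delta=None):
    """Relative UTC pseudovalue CURTIME([<signed integer delta>]); delta in seconds (assumption)."""
    if delta is None:
        return Pseudovalue("CURTIME()")
    return Pseudovalue("CURTIME(%d)" % int(delta))


def equality_filter(attribute, value):
    """Build the 'attribute = value' condition used in the command examples."""
    return "%s = %s" % (attribute, encode_value(value))


def sample_absolute_time():
    """The page's own absolute-time example, produced from an aware datetime."""
    return encode_value(datetime(2005, 4, 27, 23, 59, 1, tzinfo=timezone.utc))


# One token per wildcard construct; anything else is a literal character.
_TOKEN = re.compile(r"\?|\*|\[\^?[^\]]*\]|.", re.S)


def wildcard_to_regex(pattern):
    """Translate the documented wildcard syntax into an anchored regular expression."""
    parts = []
    for tok in _TOKEN.findall(pattern):
        if tok == "?":
            parts.append(".")
        elif tok == "*":
            parts.append(".*")
        elif tok.startswith("[") and len(tok) > 1:   # a closed [...] or [^...] class
            negate = tok.startswith("[^")
            body = tok[2:-1] if negate else tok[1:-1]
            if not body:
                raise ValueError("empty character set in pattern: %s" % tok)
            # keep '-' so ranges like a-f survive; escape everything else
            body = "".join(ch if ch == "-" else re.escape(ch) for ch in body)
            parts.append(("[^" if negate else "[") + body + "]")
        else:
            parts.append(re.escape(tok))       # literal character (an unclosed '[' lands here)
    return "^" + "".join(parts) + "$"


def wildcard_matches(pattern, value):
    """True if value matches the wildcard pattern (case-sensitive, whole-string)."""
    return re.match(wildcard_to_regex(pattern), value) is not None


# Constructed sample display names, modelled on the host in the hosts-list output above.
SAMPLE_DISPLAY_NAMES = ["EC2AMAZ-U66K3JK", "EC2AMAZ-U66K3L", "srv-db-01", "srv-web-02"]


def select_by_wildcard(pattern, names=SAMPLE_DISPLAY_NAMES):
    """Names from the sample list that the wildcard pattern would match."""
    return [n for n in names if wildcard_matches(pattern, n)]


if __name__ == "__main__":
    print(equality_filter("KLHST_WKS_OS_NAME", "Microsoft Windows Server 2016"))
    print(encode_value(curtime(-3600)), sample_absolute_time())
    print(select_by_wildcard("EC2AMAZ-*"))
```

Checking the pattern locally with `select_by_wildcard` against a recent `ksc-hosts-list` result is a cheap way to confirm that a filter intended for a group-scoped action (such as `ksc-group-delete` with `flags=3`) selects only the hosts expected.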