Kaspersky Anti Targeted Attack Platform

Host network isolation management

To isolate a host with the Endpoint Agent component using the API, the following procedure is recommended for interacting with Kaspersky Anti Targeted Attack Platform:

  1. Creating a request for getting the list of hosts with the Endpoint Agent component
  2. Creating a request for getting information about hosts that already have network isolation enabled
  3. Creating a request for one of the following operations with hosts with the Endpoint Agent component:

You can manage the created network isolation rules in the web interface of the application.


Request to enable network isolation

To enable network isolation for a selected host, you must add a network isolation rule. To create the request, the HTTP POST method is used.

Command settings are passed in the body of the request in JSON format.

Command syntax

curl -k --cert <path to TLS certificate file> --key <path to private key file> -X POST "<URL of Central Node server>:<port, 443 by default>/kata/response_api/v1/<external_system_id>/settings?sensor_id=<sensor_id>&settings_type=network_izolation" -H 'Content-Type: application/json' -d '
{
  "settings": {
    "autoTurnoffTimeoutInSec": <network isolation time period>
  }
}
'

If the request is processed successfully, the network isolation rule is added. Network isolation for the selected host becomes active at the moment when the rule is added.

After a period of time specified when the request is created, network isolation becomes inactive. The network isolation rule itself is not deleted. If necessary, you can delete the selected rule.

To disable network isolation, you must create a request to disable the selected rule.

Settings

| Parameter | Type | Description |
|---|---|---|
| external_system_id | UUID | Unique ID of the external system used for authorization in Kaspersky Anti Targeted Attack Platform. |
| sensor_id | UUID | Unique ID of the host with the Endpoint Agent component. |
| autoTurnoffTimeoutInSec | integer | Period of time during which the network isolation will be active. Allowed range: 1 to 9,999 hours. Network isolation time period is specified in seconds. For example, if you want to enable network isolation of a host for two hours, you must specify 7,200 seconds. |

Example of entering a command with switches

curl -k --cert example.cert --key example.key -X POST "https://10.10.0.22:443/kata/response_api/v1/15301050-0490-4A41-81EA-B0391CF21EF3/settings?sensor_id=DF64838B-B518-414B-B769-2B8BE341A2F0&settings_type=network_izolation" -H 'Content-Type: application/json' -d '
{
  "settings": {
    "autoTurnoffTimeoutInSec": 7200
  }
}
'

Returned value

| Return code | Description |
|---|---|
| 200 | Operation completed successfully. |
| 400 | Incorrect parameters. |
| 401 | Authorization required. |
| 404 | Specified hosts with the Endpoint Agent component not found. |
| 500, 502, 503, 504 | Internal server error. Repeat the request later. |

If you want to edit the settings of the created network isolation rule, you must create a new request to add the rule with the new settings.


Request to disable network isolation

To disable network isolation for a selected host, you must create a request to disable the network isolation rule. HTTP method DELETE is used to create the request.

Command syntax

curl -k --cert <path to TLS certificate file> --key <path to private key file> -X DELETE "<URL of Central Node server>:<port, 443 by default>/kata/response_api/v1/<external_system_id>/settings?sensor_id=<sensor_id>&settings_type=network_izolation"

If the request is processed successfully, the network isolation rule is disabled.

Settings

| Parameter | Type | Description |
|---|---|---|
| external_system_id | UUID | Unique ID of the external system used for authorization in Kaspersky Anti Targeted Attack Platform. |
| sensor_id | UUID | Unique ID of the host with the Endpoint Agent component. |

Example of entering a command with switches

curl -k --cert example.cert --key example.key -X DELETE "https://10.10.0.22:443/kata/response_api/v1/15301050-0490-4A41-81EA-B0391CF21EF3/settings?sensor_id=DF64838B-B518-414B-B769-2B8BE341A2F0&settings_type=network_izolation"

Returned value

| Return code | Description |
|---|---|
| 200 | Operation completed successfully. |
| 400 | Incorrect parameters. |
| 401 | Authorization required. |
| 404 | Specified hosts with the Endpoint Agent component not found. |
| 500, 502, 503, 504 | Internal server error. Repeat the request later. |


Request to add an exclusion to a network isolation rule

To add an exclusion to a previously created network isolation rule, you must create a request to add an exclusion. To create the request, the HTTP POST method is used.

Command settings are passed in the body of the request in JSON format.

Command syntax

curl -k --cert <path to TLS certificate file> --key <path to private key file> -X POST "<URL of Central Node server>:<port, 443 by default>/kata/response_api/v1/<external_system_id>/settings?sensor_id=<sensor_id>&settings_type=network_isolation" -H 'Content-Type: application/json' -d '
{
  "settings": {
    "excludedRules": [
      {
        "direction": "<outbound, inbound, or both>",
        "protocol": <number of the IP protocol>,
        "remoteIpv4Address": "<IP address of the host with the Endpoint Agent component whose traffic must not be blocked>",
        "localPortRange": {
          "fromPort": <port number>,
          "toPort": <port number>
        }
      },
      {
        "direction": "<outbound, inbound, or both>",
        "protocol": <number of the IP protocol>,
        "remoteIpv4Address": "<IP address of the host with the Endpoint Agent component whose traffic must not be blocked>",
        "remotePortRange": {
          "fromPort": <port number>,
          "toPort": <port number>
        }
      },
      {
        "direction": "<outbound, inbound, or both>",
        "protocol": <number of the IP protocol>,
        "remoteIpv4Address": "<IP address of the host with the Endpoint Agent component whose traffic must not be blocked>"
      }
    ],
    "autoTurnoffTimeoutInSec": <network isolation duration>
  }
}
'

If the request is processed successfully, the exclusion from the network isolation rule is added.

Settings

| Parameter | Type | Description |
|---|---|---|
| external_system_id | UUID | Unique ID of the external system used for authorization in Kaspersky Anti Targeted Attack Platform. |
| sensor_id | UUID | Unique ID of the host with the Endpoint Agent component. |
| direction | array | Direction of network traffic that must not be blocked. Possible values: inbound, outbound, both. If you do not specify a value for this parameter, the default value is 'both', which means the application transmits traffic in both directions. |
| protocol | integer | IP protocol number assigned by the Internet Assigned Numbers Authority (IANA). If you do not specify a value for this parameter, by default, network isolation is applied to all protocols. |
| remoteIpv4Address | string | IP address of the host with the Endpoint Agent component whose traffic must not be blocked. |
| remotePortRange | string | Destination port. You can specify a destination port only if you have selected an outbound direction of network traffic. Port ranges cannot be specified for bidirectional traffic. |
| localPortRange | string | Port from which the connection is initiated. You can specify a destination port only if you have selected an inbound direction of network traffic. Port ranges cannot be specified for bidirectional traffic. |
| autoTurnoffTimeoutInSec | integer | Period of time during which the network isolation will be active. Allowed range: 1 to 9,999 hours. Network isolation time period is specified in seconds. For example, if you want to enable network isolation of a host for two hours, you must specify 7,200 seconds. |

Example of entering a command with switches

curl -k --cert <path to TLS certificate file> --key <path to private key file> -X POST "https://10.10.0.22:443/kata/response_api/v1/15301050-0490-4A41-81EA-B0391CF21EF3/settings?sensor_id=DF64838B-B518-414B-B769-2B8BE341A2F0&settings_type=network_isolation" -H 'Content-Type: application/json' -d '
{
  "settings": {
    "excludedRules": [
      {
        "direction": "inbound",
        "protocol": 6,
        "remoteIpv4Address": "10.16.41.0",
        "localPortRange": {
          "fromPort": 3389,
          "toPort": 3389
        }
      },
      {
        "direction": "outbound",
        "remoteIpv4Address": "10.16.41.1",
        "remotePortRange": {
          "fromPort": 13957,
          "toPort": 55409
        }
      },
      {
        "direction": "both",
        "protocol": 6,
        "remoteIpv4Address": "10.16.41.2"
      }
    ],
    "autoTurnoffTimeoutInSec": 7200
  }
}
'

Returned value

| Return code | Description |
|---|---|
| 200 | Operation completed successfully. |
| 400 | Incorrect parameters. |
| 401 | Authorization required. |
| 404 | Specified hosts with the Endpoint Agent component not found. |
| 500, 502, 503, 504 | Internal server error. Repeat the request later. |

If you want to edit the settings of the created exclusion, you must create a new request to add the exclusion with the new settings.
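
The exclusion constraints from the settings table above can be checked on the client before the request is sent, so that a malformed rule is caught locally instead of coming back as a 400. This is an added example, not part of the Kaspersky documentation: the function names build_exclusion and build_body, the 1 to 65535 port bounds and the 0 to 255 protocol bounds are assumptions made here.

```python
import ipaddress
import json

DIRECTIONS = {"inbound", "outbound", "both"}
# Page: allowed range is 1 to 9,999 hours, passed to the API in seconds.
MIN_TIMEOUT_SEC, MAX_TIMEOUT_SEC = 3600, 9999 * 3600


def _port_range(rng):
    # Assumption: valid ports are 1..65535 and fromPort <= toPort.
    lo, hi = rng
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {rng}")
    return {"fromPort": lo, "toPort": hi}


def build_exclusion(remote_ip, direction="both", protocol=None,
                    local_ports=None, remote_ports=None):
    """Return one excludedRules entry, enforcing the documented constraints."""
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {sorted(DIRECTIONS)}")
    ipaddress.IPv4Address(remote_ip)  # raises ValueError if not a valid IPv4 address
    rule = {"direction": direction, "remoteIpv4Address": remote_ip}
    if protocol is not None:
        if not 0 <= protocol <= 255:  # assumption: IANA protocol numbers are 8-bit
            raise ValueError("protocol must be 0..255")
        rule["protocol"] = protocol
    # localPortRange only with inbound, remotePortRange only with outbound,
    # and no port ranges at all for bidirectional traffic.
    if local_ports is not None:
        if direction != "inbound":
            raise ValueError("localPortRange requires direction 'inbound'")
        rule["localPortRange"] = _port_range(local_ports)
    if remote_ports is not None:
        if direction != "outbound":
            raise ValueError("remotePortRange requires direction 'outbound'")
        rule["remotePortRange"] = _port_range(remote_ports)
    return rule


def build_body(rules, timeout_sec):
    """Serialize the JSON request body after checking the isolation period."""
    if not MIN_TIMEOUT_SEC <= timeout_sec <= MAX_TIMEOUT_SEC:
        raise ValueError("isolation period must be 1 to 9,999 hours, in seconds")
    return json.dumps({"settings": {"excludedRules": rules,
                                    "autoTurnoffTimeoutInSec": timeout_sec}})
```

The string returned by build_body is what goes after -d in the curl command shown above.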
