Kaspersky Endpoint Security 12 for Linux

Kaspersky Endpoint Detection and Response (KATA) Integration task (KATAEDR, ID:24)

January 23, 2024

ID 245712

Kaspersky Endpoint Security is compatible with the Kaspersky Anti Targeted Attack Platform solution, which is designed to protect the IT infrastructure of organizations and promptly detect threats, such as zero-day attacks, targeted attacks, and advanced persistent threats (APT). To read more, check out the Kaspersky Anti Targeted Attack Platform Help.

Kaspersky Endpoint Detection and Response (KATA) (EDR (KATA)) is a component of the Kaspersky Anti Targeted Attack Platform solution.

When interacting with EDR (KATA), Kaspersky Endpoint Security can perform the following functions:

  • Send data about events on devices (telemetry) to the Kaspersky Anti Targeted Attack Platform server with the Central Node component ("KATA server"). Kaspersky Endpoint Security sends monitoring data on processes, open network connections, and modified files to the KATA server, as well as data on threats detected by the application and data on the results of processing these threats.
  • Perform the following response actions aimed at ensuring protection functions, based on commands received from Kaspersky Anti Targeted Attack Platform:
    • The "Get file" task lets you get files from user devices. For example, you can configure the application to get an event log file generated by a third-party program.
    • The "Delete file" task lets you delete a file from the device.
    • The "Run process" task lets you remotely run files on the device. For example, you can remotely run a utility that creates a device configuration file, and then retrieve the created file using the "Get file" task.
    • The "Terminate process" task lets you remotely terminate processes on the device. For example, you can remotely terminate an Internet speed test utility that was launched using the "Run process" task.
    • The IOC Scan task lets you detect indicators of compromise on a device and perform actions to respond to threats. An indicator of compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to a device (a compromise). IOC files are used to search for IOCs. The IOC Scan task checks for IOC terms (properties of IOC objects, for example, a file hash) only in the operating system's main namespace. The IOC Scan task does not calculate the hash of files larger than 200 MB, so such files cannot be matched by hash-based IOC terms.
    • Network device isolation lets you isolate devices from the network. You can disable network isolation of a device if the connection with the KATA server is lost after enabling network isolation.

Network isolation limitations

When you use network isolation, we strongly recommend that you familiarize yourself with the limitations described below.

For network isolation to work, Kaspersky Endpoint Security must be running. If Kaspersky Endpoint Security malfunctions (and the application is not running), traffic may not be blocked when network isolation is enabled by Kaspersky Anti Targeted Attack Platform.

Transit traffic with network isolation enabled is supported with limitations and may be filtered.

DHCP and DNS are not automatically added to network isolation exclusions, so if the network address of a resource changes during network isolation, Kaspersky Endpoint Security will not be able to access it. The same applies to the nodes of the fault-tolerant KATA server. We recommend not changing their addresses so that Kaspersky Endpoint Security does not lose contact with them.

The proxy server is also not automatically added to the network isolation exclusions, so you need to add it to the exclusions manually so that Kaspersky Endpoint Security does not lose contact with the KATA server.

Adding a process to network isolation and excluding a process from network isolation by name is not supported.

When using network isolation, we recommend using a KSN proxy server to interact with Kaspersky Security Network, using Kaspersky Security Center as a proxy server to activate the application, and specifying Kaspersky Security Center as the source of database updates. If it is impossible to use Kaspersky Security Center as a proxy server, configure the settings of the required proxy server and add it to the exclusions.

Integration conditions

Kaspersky Endpoint Detection and Response (KATA) Integration task allows you to configure and enable integration of the Kaspersky Endpoint Security application with the EDR (KATA) component. You can also manage the integration of Kaspersky Endpoint Security with EDR (KATA) using the Kaspersky Security Center Administration Console and Kaspersky Security Center Web Console.

Settings for integration with EDR (KATA) cannot be managed via Kaspersky Security Center Cloud Console.

The integration of Kaspersky Endpoint Security with EDR (KATA) is only possible if the Behavior Detection task is started. Otherwise, the telemetry required by EDR (KATA) cannot be transmitted.

For telemetry exclusions to work, integration of Kaspersky Endpoint Security with the Kaspersky Managed Detection and Response solution must be disabled. If integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response is enabled, exclusions by process are not applied.

EDR (KATA) can also use data received from the following tasks:

  • File Threat Protection.
  • Network Threat Protection.
  • Web Threat Protection.

Securing the connection

During integration with EDR (KATA), devices with Kaspersky Endpoint Security establish secure connections to the KATA server via the HTTPS protocol. To ensure a secure connection, the following certificates issued by the KATA server are used:

  • KATA server certificate. The connection is encrypted using the server's TLS certificate. You can elevate the security of the connection by verifying the server certificate on the Kaspersky Endpoint Security side: add the integration server certificate before running the Kaspersky Endpoint Detection and Response (KATA) Integration task. Without it, the connection is still encrypted, but the endpoint does not verify which server it is talking to.
  • Client certificate. This certificate provides additional protection of the connection through two-way authentication (the KATA server verifies the identity of the devices running Kaspersky Endpoint Security). The same client certificate can be used by multiple devices. By default, the KATA server does not check client certificates, but two-way authentication can be enabled on the Kaspersky Anti Targeted Attack Platform side. In this case, you need to enable two-way authentication in the Kaspersky Endpoint Detection and Response (KATA) Integration task settings and add the client certificate (a cryptocontainer with the certificate and its private key).

Certificates for securing the connection to the KATA server are provided by the Kaspersky Anti Targeted Attack Platform administrator.

A proxy server is used to connect to the KATA server if use of a proxy server is configured in the general application settings of Kaspersky Endpoint Security.
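The certificate handling described above can be checked before anything is imported into the task. The following script is an added example and is not Kaspersky code: it assumes the KATA administrator has handed over the expected server certificate out of band, compares its SHA-256 fingerprint with the certificate the server actually presents, and then builds the TLS client settings the page describes (server verification, optionally two-way authentication). The host name, port, file paths and the embedded certificate bytes are placeholders; the embedded bytes are constructed and are not a real certificate.

```python
"""Pre-flight check of a KATA server certificate before pinning it.

Added example, not Kaspersky code. KATA_HOST, KATA_PORT, the file paths and
EXPECTED_DER are placeholders chosen for this example.
"""
import hashlib
import hmac
import ssl
from typing import Optional

KATA_HOST = "kata-central-node.example.internal"  # placeholder
KATA_PORT = 443                                    # placeholder

# Constructed placeholder standing in for the DER bytes of the certificate
# the KATA administrator provided. NOT a real X.509 certificate.
EXPECTED_DER = b"placeholder bytes of the expected KATA server certificate"


def make_placeholder_pem(der: bytes) -> str:
    """Wrap raw bytes in PEM armour so the example runs without a real cert."""
    return ssl.DER_cert_to_PEM_cert(der)


EXPECTED_PEM = make_placeholder_pem(EXPECTED_DER)


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate in the usual AA:BB:... form."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # strips the armour and base64-decodes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificates_match(expected_pem: str, presented_pem: str) -> bool:
    """Constant-time comparison of two certificate fingerprints."""
    return hmac.compare_digest(fingerprint_sha256(expected_pem),
                               fingerprint_sha256(presented_pem))


def fetch_presented_certificate(host: str, port: int) -> str:
    """Retrieve the leaf certificate a server presents, without trusting it.

    ssl.get_server_certificate() handshakes with no CA verification, which
    is what we want here: we are inspecting the certificate, not trusting it.
    """
    return ssl.get_server_certificate((host, port))


def build_kata_client_context(ca_file: str,
                              client_cert_file: Optional[str] = None,
                              client_key_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings mirroring the page: pinned server CA, optional mutual TLS.

    Weak configuration (the equivalent of not adding the server certificate):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # encrypted, but server unverified
    The hardened context returned below requires the server to chain to
    ca_file and, if a client certificate is given, uses two-way
    authentication. Assumes PEM files; a PKCS#12 cryptocontainer must be
    converted first (for example with: openssl pkcs12 -nodes).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    if client_cert_file:
        ctx.load_cert_chain(certfile=client_cert_file, keyfile=client_key_file)
    return ctx


if __name__ == "__main__":
    presented = fetch_presented_certificate(KATA_HOST, KATA_PORT)
    print("expected :", fingerprint_sha256(EXPECTED_PEM))
    print("presented:", fingerprint_sha256(presented))
    if not certificates_match(EXPECTED_PEM, presented):
        raise SystemExit("Fingerprint mismatch: do not add this certificate")
    print("Fingerprints match; safe to import into the KATA Integration task")
```

Run it from a host that can reach the KATA server and compare the two fingerprints with what the Kaspersky Anti Targeted Attack Platform administrator gave you; a mismatch means either the wrong certificate was handed over or something between the endpoint and the server is terminating TLS, and in both cases the certificate should not be added to the task.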

Logging events

If Kaspersky Endpoint Security is integrated with Kaspersky Anti Targeted Attack Platform, a large number of audit events can be written to the systemd journal. If you want to disable the logging of audit events to the systemd journal, disable the systemd-journald-audit socket and restart the operating system. Note that masking this socket stops systemd-journald from collecting kernel audit messages altogether, not only those caused by Kaspersky Endpoint Security; auditd, if it is used, reads audit messages from the kernel through its own channel and is not affected.

To disable the systemd-journald-audit socket, run the following commands:

systemctl stop systemd-journald-audit.socket

systemctl disable systemd-journald-audit.socket

systemctl mask systemd-journald-audit.socket

In this Help section

Kaspersky Endpoint Detection and Response (KATA) Integration task settings

Managing certificates for connecting to KATA servers
