Kaspersky Endpoint Detection and Response (KATA) Integration task (KATAEDR, ID:24)

Kaspersky Endpoint Security is compatible with the Kaspersky Anti Targeted Attack Platform solution, which is designed to protect the IT infrastructure of organizations and promptly detect threats, such as zero-day attacks, targeted attacks, and advanced persistent threats (APT). To read more, check out the Kaspersky Anti Targeted Attack Platform Help.

Kaspersky Endpoint Detection and Response (KATA) (EDR (KATA)) is a component of the Kaspersky Anti Targeted Attack Platform solution.

When interacting with EDR (KATA), Kaspersky Endpoint Security can perform the following functions:

Network isolation limitations

When you use network isolation, we strongly recommend that you familiarize yourself with the limitations described below.

For network isolation to work, Kaspersky Endpoint Security must be running. If Kaspersky Endpoint Security malfunctions (and the application is not running), traffic may not be blocked when network isolation is enabled by Kaspersky Anti Targeted Attack Platform.

Transit traffic with network isolation enabled is supported with limitations and may be filtered.

DHCP and DNS servers are not automatically added to the network isolation exclusions, so if the network address of a resource changes while network isolation is active, Kaspersky Endpoint Security will not be able to reach it. The same applies to the nodes of a fault-tolerant KATA server: we recommend not changing their addresses so that Kaspersky Endpoint Security does not lose contact with them.

The proxy server is also not automatically added to the network isolation exclusions, so you need to add it to the exclusions manually so that Kaspersky Endpoint Security does not lose contact with the KATA server.

Adding a process to network isolation and excluding a process from network isolation by name is not supported.

When using network isolation, we recommend using a KSN proxy server to interact with Kaspersky Security Network, using Kaspersky Security Center as a proxy server to activate the application, and specifying Kaspersky Security Center as the source of database updates. If Kaspersky Security Center cannot be used as a proxy server, configure the required proxy server and add it to the exclusions.

Integration conditions

Kaspersky Endpoint Detection and Response (KATA) Integration task allows you to configure and enable integration of the Kaspersky Endpoint Security application with the EDR (KATA) component. You can also manage the integration of Kaspersky Endpoint Security with EDR (KATA) using the Kaspersky Security Center Administration Console and Kaspersky Security Center Web Console.

Settings for integration with EDR (KATA) cannot be managed via Kaspersky Security Center Cloud Console.

The integration of Kaspersky Endpoint Security with EDR (KATA) is only possible if the Behavior Detection task is started. Otherwise, the telemetry data required by EDR (KATA) cannot be transmitted.

For telemetry exclusions to work, integration of Kaspersky Endpoint Security with the Kaspersky Managed Detection and Response solution must be disabled. If integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response is enabled, exclusions by process are not applied.

EDR (KATA) can also use data received from the following tasks:

Securing the connection

During integration with EDR (KATA), devices with Kaspersky Endpoint Security establish secure connections to the KATA server via the HTTPS protocol. To ensure a secure connection, the following certificates issued by the KATA server are used:

Certificates for securing the connection to the KATA server are provided by the Kaspersky Anti Targeted Attack Platform administrator.

A proxy server is used to connect to the KATA server if use of a proxy server is configured in the general application settings of Kaspersky Endpoint Security.

Logging events

If Kaspersky Endpoint Security is integrated with Kaspersky Anti Targeted Attack Platform, a large number of events can be written to the systemd journal. If you want to stop audit events from being logged to the systemd journal, disable the systemd-journald-audit socket and restart the operating system. Note that this stops all kernel audit messages from reaching the journal, not only those related to Kaspersky Endpoint Security; it does not affect auditd, which reads audit events independently of journald.

To disable the systemd-journald-audit socket, run the following commands:

systemctl stop systemd-journald-audit.socket

systemctl disable systemd-journald-audit.socket

systemctl mask systemd-journald-audit.socket
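The three commands above applied as an idempotent script, as an added example that is not part of the original page and not Kaspersky's own tooling: it reports the current enablement state of the socket unit with systemctl is-enabled, skips the change if the unit is already masked, and verifies after masking that the state really is "masked". The SYSTEMCTL variable and the --check/--apply options are assumptions of this example, introduced so the script can be exercised against a wrapper; the reminder to restart the operating system follows the instruction on this page.

```shell
#!/bin/sh
# Added example (not Kaspersky's own script): disable the systemd-journald-audit
# socket as described above, checking state before and verifying after.
# SYSTEMCTL may be overridden (assumption of this example) to point at a wrapper.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
UNIT="systemd-journald-audit.socket"

# Print the unit's enablement state: "enabled", "disabled", "masked", ...
# systemctl exits non-zero for "masked"/"disabled", so ignore its status here.
audit_socket_state() {
    "$SYSTEMCTL" is-enabled "$UNIT" 2>/dev/null || true
}

# Succeed only if the socket is already masked.
audit_socket_is_masked() {
    [ "$(audit_socket_state)" = "masked" ]
}

# Stop, disable and mask the socket (the sequence from the help page), then
# print the resulting state. Succeeds only if the unit ends up masked.
disable_audit_socket() {
    if audit_socket_is_masked; then
        echo "already masked"
        return 0
    fi
    "$SYSTEMCTL" stop "$UNIT"
    "$SYSTEMCTL" disable "$UNIT"
    "$SYSTEMCTL" mask "$UNIT"
    state="$(audit_socket_state)"
    echo "$state"
    # journald keeps the audit fd it already holds, hence the reboot the page asks for.
    echo "restart the operating system for the change to take effect"
    [ "$state" = "masked" ]
}

# Usage: sh disable-audit-socket.sh --check   (report state only)
#        sudo sh disable-audit-socket.sh --apply (stop, disable, mask, verify)
case "${1:-}" in
    --check) audit_socket_state ;;
    --apply) disable_audit_socket ;;
esac
```

Run it with --check first on a representative host: if the state is already "masked" there is nothing to do, and if the verification after --apply does not report "masked", something else (for example a drop-in or a vendor preset) is still pulling the unit in and needs to be looked at before rebooting.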

In this Help section

Kaspersky Endpoint Detection and Response (KATA) Integration task settings

Managing certificates for connecting to KATA servers
