Kaspersky Endpoint Detection and Response Expert (on-premise) Integration

Kaspersky Endpoint Detection and Response Expert (on-premise) is an enterprise cyber security solution that allows defending against most cybersecurity risks and cover the main scenarios of threat spread. Components of Kaspersky Endpoint Detection and Response Expert (on-premise) are deployed on the Open Single Management Platform (OSMP). For more information about the solution and the platform, see the Kaspersky Endpoint Detection and Response Expert (on-premise) Help.

When integrated with Kaspersky Endpoint Detection and Response Expert (on-premise), Kaspersky Endpoint Security can:

• Send data about events on devices (telemetry) to the telemetry server on the OSMP platform (hereinafter also referred to as the OSMP telemetry server). Kaspersky Endpoint Security sends monitoring data on processes, open network connections, and modified files to the telemetry server, as well as data on threats detected by the application and data on the results of processing these threats.
• Perform threat response actions aimed at maintaining security functions based on commands received from the OSMP threat response server (hereinafter also referred to as the OSMP threat response server).

Integration with the Kaspersky Endpoint Detection and Response Expert (on-premise) solution is provided by the Kaspersky Endpoint Security application component, Endpoint Detection and Response Expert (on-premise) (hereinafter also referred to as EDR Expert (on-premise)).

When integrating with Kaspersky Endpoint Detection and Response Expert (on-premise), devices running Kaspersky Endpoint Security establish encrypted HTTPS connections with the OSMP threat response server and the OSMP telemetry server. To ensure a secure connection, the following certificates issued by OSMP servers are used:

• Server certificate. The connection is encrypted using the server's TLS certificate. You can elevate the security of the connection by verifying the server certificate on the Kaspersky Endpoint Security side. To do this, add the server certificate before enabling the integration with the Kaspersky Endpoint Detection and Response Expert (on-premise) solution.
• Client certificate. This certificate is used for additional connection protection using two-way authentication (the OSMP server authenticates devices with the Kaspersky Endpoint Security application). The same client certificate can be used by multiple devices. By default, the server does not validate client certificates, but two-way authentication can be enabled on the Kaspersky Endpoint Detection and Response Expert (on-premise) side. In this case, you need to enable two-way authentication in the settings of the EDR Expert (on-premise) component and add the client certificate (cryptocontainer with certificate and private key).

Certificates for securing the connection with OSMP servers must be provided by the administrator of the OSMP platform.

If the use of a proxy server is configured in the general settings of the Kaspersky Endpoint Security application, a proxy server is used for the connection to OSMP servers.

To use Endpoint Detection and Response Expert (on-premise) functionality, you need to activate the EDR Expert (on-premise) component. If the main license under which you are using Kaspersky Endpoint Security does not include the Kaspersky Endpoint Detection and Response Expert (on-premise) functionality, you need to purchase a separate license for this functionality and add the EDR Expert (on-premise) license key to the application.

If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, activation is performed on the Protection Server (a component of Kaspersky Hybrid Cloud Security for Virtualization Light Agent) by adding license keys to SVMs.

Integration with Endpoint Detection and Response Expert (on-premise) involves the following steps:

1. Enabling required components of Kaspersky Endpoint Security

   The EDR Expert (on-premise) component can use data from the following components:

   • File Threat Protection.
   • Network Threat Protection.
   • Web Threat Protection.
   • Anti-Cryptor.
   • Application Control.
   • Device Control.
   • System Integrity Monitoring.

   To fully integrate the Kaspersky Endpoint Security application with Kaspersky Endpoint Detection and Response Expert (on-premise), you need to enable the Behavior Detection component. If Behavior Detection is disabled, necessary telemetry is not transmitted (except for synchronization requests and threat detection data from other protection components).

   If Behavior Detection uses the eBPF mechanism to get system telemetry (available on 64-bit operating systems with kernel version 5.3 and later with eBPF support), the telemetry data is more comprehensive.

2. Activating the EDR Expert (on-premise) component

   Make sure one of the following conditions is satisfied:

   • You are using Kaspersky Endpoint Security under a license that includes the Kaspersky Endpoint Detection and Response Expert (on-premise) functionality.
   • You have purchased a separate license for using the Kaspersky Endpoint Detection and Response Expert (on-premise) functionality and added the EDR Expert (on-premise) license key to the application.

     If you are using Kaspersky Endpoint Security in Light Agent mode to protect virtual environments, you need to add the license key for activating the additional functionality to SVMs.

3. Enabling the EDR Expert (on-premise) component

   The Kaspersky Endpoint Detection and Response Expert (on-premise) Integration is disabled by default. To enable the integration, you need to enable and configure the EDR Expert (on-premise) component:

   • Using Kaspersky Security Center Web Console.
   • Using the command line.

   Configuring integration with Kaspersky Endpoint Detection and Response Expert (on-premise) in the Administration Console of Kaspersky Security Center is not supported.

   For integration with Kaspersky Endpoint Detection and Response Expert (on-premise), you need to select the EDR Expert (OSMP) integration mode in the settings of the EDR Expert (on-premise) component. If you are using the Web Console, select Endpoint Detection and Response Expert (version 8.0 or later) in the policy settings. If you are using the command line, set Mode=EDRExpertOnPrem in the task settings.

   If you want to use Execution prevention for objects, you can enable the rules for execution prevention of objects of the EDR Expert (on-premise) component.

You can check the status of the EDR Expert (on-premise) component:

• Using the Application component status report in the Web Console.

  For detailed information about reports, please refer to the Kaspersky Security Center Help.

• In the device properties in the Web Console (Assets (Devices) → Managed devices → <device name> link → Applications → <name of the Kaspersky Endpoint Security application> link → General → Components).
• On the command line by running the following command: kesl-control --app-info.

In this section Configuring the с Kaspersky Endpoint Detection and Response Expert (on-premise) integration in the Web Console Configuring the с Kaspersky Endpoint Detection and Response Expert (on-premise) integration on the command line

Page top