Telemetry is a list of events that have occurred on the protected computer. Kaspersky Endpoint Security analyzes telemetry data and sends it to Kaspersky Anti Targeted Attack Platform during synchronization. Telemetry events arrive on the server almost continuously. Kaspersky Endpoint Security initiates synchronization with the server when any of the following conditions are satisfied:
The synchronization interval has elapsed.
The number of events in the buffer exceeds the upper limit.
By default, the application synchronizes every 30 seconds or whenever the buffer holds 1024 events. You can configure the synchronization behavior in the Kaspersky Endpoint Security policy and select optimal values to match your network load (see instructions below).
If there is no connection between Kaspersky Endpoint Security and the server, the application queues new events. When the connection is restored, Kaspersky Endpoint Security sends the queued events to the server in the order in which they occurred. To avoid overloading the server, Kaspersky Endpoint Security may skip some events. To control this, you can configure the event transmission settings, for example, set a maximum events-per-hour value (see instructions below).
If you are using Kaspersky Anti Targeted Attack Platform together with another solution which also uses telemetry, you can turn off telemetry for KATA (EDR) (see instructions below). This lets you optimize server load for these solutions. For example, if you have the Managed Detection and Response solution and KATA (EDR) deployed, you can use MDR telemetry and create Threat Response tasks in KATA (EDR).
Open the Kaspersky Security Center Administration Console.
In the console tree, select Policies.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Detection and Response and select the component that you want to configure: Endpoint Detection and Response (KATA) or Network Detection and Response (KATA).
Configure the Send sync request to KATA server every (min) setting. This setting defines the frequency of synchronization requests sent to the server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks.
Make sure the Send telemetry to KATA check box is selected.
If necessary, configure the Maximum events transmission delay (sec) setting in the Data transmission settings block. The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds.
If necessary, select the Enable request throttling check box in the Request throttling block.
This feature helps optimize the load on the server. If the check box is selected, the application limits the events that it transmits. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events.
Configure optimization settings for sending events to the server:
Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour.
Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events becomes high enough again. The default setting is 15%.
In the main window of the Web Console, select Devices → Policies & profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to the Detection and Response section and select the component that you want to configure: Endpoint Detection and Response (KATA) or Network Detection and Response (KATA).
Configure the Send sync request to KATA server every (min) setting. This setting defines the frequency of synchronization requests sent to the server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks.
Make sure the Send telemetry to KATA check box is selected.
If necessary, configure the Maximum events transmission delay (sec) setting in the Data transmission settings block. The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds.
If necessary, select the Enable request throttling check box in the Request throttling block.
This feature helps optimize the load on the server. If the check box is selected, the application limits the events that it transmits. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events.
Configure optimization settings for sending events to the server:
Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour.
Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events becomes high enough again. The default setting is 15%.
Save your changes.
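The following added example (not Kaspersky code and not the product's algorithm) models the two request throttling limits described above, so you can estimate which event types a host would stop reporting before you change the policy. The function names, the `min_sample` threshold, the hourly reset of the counters and the event type labels are assumptions made for this sketch.

```python
from collections import Counter

HOUR = 3600

def simulate_throttling(events, max_per_hour=3000, type_limit_pct=15, min_sample=100):
    """Simplified model of the two throttling limits (not the product's algorithm).

    events: (seconds_since_start, event_type) tuples sorted by time.
    Returns (sent, dropped) as Counters keyed by event type.
    """
    sent, dropped = Counter(), Counter()
    seen = Counter()              # every event observed in the current hour, per type
    window_start, window_sent = 0, 0
    for ts, etype in events:
        if ts - window_start >= HOUR:          # new hour: counters start over
            window_start += HOUR * ((ts - window_start) // HOUR)
            window_sent = 0
            seen.clear()
        seen[etype] += 1
        total = sum(seen.values())
        share_pct = 100 * seen[etype] / total
        over_hourly = window_sent >= max_per_hour
        # Assumption: the share check starts only after min_sample events were seen,
        # otherwise the first event of an hour would count as 100% of the stream.
        over_share = total >= min_sample and share_pct > type_limit_pct
        if over_hourly or over_share:
            dropped[etype] += 1
        else:
            sent[etype] += 1
            window_sent += 1
    return sent, dropped

def constructed_noisy_host(n=400):
    """Constructed stream: every second event is a registry change, the rest is
    spread evenly over ten other (hypothetical) event types."""
    return [(i, "registry_change" if i % 2 == 0 else f"type_{i % 20}") for i in range(n)]

if __name__ == "__main__":
    sent, dropped = simulate_throttling(constructed_noisy_host())
    print("sent:", dict(sent))
    print("dropped:", dict(dropped))
```

In this model the dominant event type is the first one to disappear from the stream, so check that the event type your detections rely on is not also the noisiest one on the host.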
In the main window of the Web Console, select Devices → Policies & profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to the KATA integration → Telemetry exclusions section.
Under Data transmission settings, select the Use exclusions check box.
Click Add and configure the exclusions:
Criteria are combined with the logical AND.
Path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask. For the exclusion to work, the path to the file must be specified.
Command line. Command used to run the object.
Description. Value of the FileDescription parameter from an RT_VERSION (VersionInfo) resource.
For more details on the VersionInfo resource, please visit the Microsoft website.
Original file name. Value of the OriginalFilename parameter from an RT_VERSION (VersionInfo) resource.
Version. Value of the FileVersion parameter from an RT_VERSION (VersionInfo) resource.
MD5. MD5 hash of the file.
SHA256. SHA256 hash of the file.
Event types. For the exclusion to work, you must select at least one event type.
Save your changes.
Open the Kaspersky Security Center Administration Console.
In the console tree, select Policies.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select KATA integration → Telemetry exclusions.
Under Data transmission settings, select the Use exclusions check box.
Click Add and configure the exclusions:
Criteria are combined with the logical AND.
Path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask. For the exclusion to work, the path to the file must be specified.
Command line. Command used to run the object.
Description. Value of the FileDescription parameter from an RT_VERSION (VersionInfo) resource.
For more details on the VersionInfo resource, please visit the Microsoft website.
Original file name. Value of the OriginalFilename parameter from an RT_VERSION (VersionInfo) resource.
Version. Value of the FileVersion parameter from an RT_VERSION (VersionInfo) resource.
MD5. MD5 hash of the file.
SHA256. SHA256 hash of the file.
Event types. For the exclusion to work, you must select at least one event type.
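The following added example (not Kaspersky code) shows how the exclusion criteria listed above combine with the logical AND, and why a rule without a path or without an event type never applies. The dictionary field names, the event type labels, the case-insensitive comparison and all sample values are assumptions constructed for this sketch.

```python
import re

# Optional criteria; field names are hypothetical labels for the settings listed above.
OPTIONAL = ("command_line", "description", "original_file_name", "version", "md5", "sha256")

def expand_env(path, env):
    """Replace %NAME% with env[NAME]; unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def mask_to_regex(mask):
    """Translate a mask in which only * and ? are special into a regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.compile(body, re.IGNORECASE)

def rule_is_effective(rule):
    """Per the text: a rule needs a path and at least one event type to work."""
    return bool(rule.get("path")) and bool(rule.get("event_types"))

def is_excluded(rule, event, env):
    """True only if every criterion set in the rule matches the event (logical AND)."""
    if not rule_is_effective(rule):
        return False
    if event["event_type"] not in rule["event_types"]:
        return False
    if not mask_to_regex(expand_env(rule["path"], env)).fullmatch(event["path"]):
        return False
    # Assumption: remaining criteria are compared as case-insensitive exact strings.
    return all(str(event.get(f, "")).lower() == str(rule[f]).lower()
               for f in OPTIONAL if rule.get(f))

# Constructed sample data (not real hashes, paths or event type names).
ENV = {"PROGRAMFILES": r"C:\Program Files"}
RULE = {"path": r"%ProgramFiles%\Backup\agent?.exe",
        "sha256": "ab" * 32,
        "event_types": {"file_modified"}}
EVENT = {"path": r"C:\Program Files\Backup\agent1.exe", "sha256": "ab" * 32,
         "event_type": "file_modified"}

if __name__ == "__main__":
    print(is_excluded(RULE, EVENT, ENV))                          # same file
    print(is_excluded(RULE, dict(EVENT, sha256="cd" * 32), ENV))  # replaced binary
    print(is_excluded(RULE, dict(EVENT, event_type="process_start"), ENV))
```

Because the criteria are ANDed, adding a hash next to the path narrows the exclusion: a different binary placed at the same path still produces telemetry.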