Configuring telemetry
Telemetry is a list of events that have occurred on the protected computer. Kaspersky Endpoint Security analyzes telemetry data and sends it to Kaspersky Anti Targeted Attack Platform during synchronization. Telemetry events arrive on the server almost continuously. Kaspersky Endpoint Security initiates synchronization with the server when any of the following conditions are satisfied:
- Synchronization interval has run out.
- The number of events in the buffer exceeds the upper limit.
By default, the application synchronizes every 30 seconds or whenever the buffer holds 1024 events. You can configure the synchronization behavior in the Kaspersky Endpoint Security policy and select optimum values to match your network load (see instructions below).
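The two synchronization triggers described above can be modeled to estimate how a burst of events turns into requests to the server. This is an added example, not Kaspersky code; the function names, the timer-restart behavior and the constructed input are assumptions of the model.

```python
from dataclasses import dataclass

SYNC_INTERVAL_S = 30   # default transmission delay stated on the page
BUFFER_LIMIT = 1024    # default buffer size stated on the page

@dataclass
class Flush:
    at: float     # seconds since the agent started buffering
    count: int    # events sent in this synchronization
    reason: str   # "buffer" or "interval"

def plan_flushes(event_times, interval=SYNC_INTERVAL_S, limit=BUFFER_LIMIT):
    """Return the synchronizations triggered by events at the given times (seconds).

    Assumptions of this model: the timer starts at t=0, restarts after a
    buffer-triggered flush, and a flush fires when the buffer holds `limit` events.
    """
    flushes, buffered, deadline = [], 0, interval
    for t in sorted(event_times):
        while t >= deadline:              # timer expired before this event
            if buffered:
                flushes.append(Flush(deadline, buffered, "interval"))
                buffered = 0
            deadline += interval
        buffered += 1
        if buffered >= limit:             # buffer full: send immediately
            flushes.append(Flush(t, buffered, "buffer"))
            buffered, deadline = 0, t + interval
    if buffered:                          # remainder goes out on the next timer
        flushes.append(Flush(deadline, buffered, "interval"))
    return flushes

def constructed_burst():
    # Constructed input: 2500 events spread evenly over the first 10 seconds.
    return [i / 250 for i in range(2500)]

if __name__ == "__main__":
    for f in plan_flushes(constructed_burst()):
        print(f"{f.at:7.2f}s  {f.count:5d} events  ({f.reason})")
```

Lowering the interval or the buffer limit in the policy shortens the delay before events reach the server at the cost of more requests per host.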
If there is no connection between Kaspersky Endpoint Security and the server, the application queues new events. When the connection is restored, Kaspersky Endpoint Security sends queued events to the server in the proper order. To avoid overloading the server, Kaspersky Endpoint Security may skip some events. To enable this, you can optimize event transmission settings, for example, by setting a maximum events-per-hour value (see instructions below).
If you are using Kaspersky Anti Targeted Attack Platform together with another solution that also uses telemetry, you can turn off telemetry for KATA (EDR) (see instructions below). This lets you optimize server load for these solutions. For example, if you have the Managed Detection and Response solution and KATA (EDR) deployed, you can use MDR telemetry and create Threat Response tasks in KATA (EDR).
How to configure EDR telemetry on the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Policies.
- Select the necessary policy and double-click to open the policy properties.
- In the policy window, select Detection and Response → Endpoint Detection and Response (KATA).
- Configure the Send sync request to KATA server every (min) setting. This setting defines the frequency of synchronization requests sent to the Central Node server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks.
- Make sure the Send telemetry to KATA check box is selected.
- If necessary, configure the Maximum events transmission delay (sec) setting in the Data transmission settings block. The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds.
- If necessary, select the Enable request throttling check box in the Request throttling block.
  This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events.
- Configure optimization settings for sending events to the server:
  - Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour.
  - Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events becomes high enough again. The default setting is 15%.
- Save your changes.
How to configure EDR telemetry on the Web Console
- In the main window of the Web Console, select Devices → Policies & Profiles.
- Click the name of the Kaspersky Endpoint Security policy.
  The policy properties window opens.
- Select the Application settings tab.
- Go to Detection and Response → Endpoint Detection and Response (KATA).
- Configure the Send sync request to KATA server every (min) setting. This setting defines the frequency of synchronization requests sent to the Central Node server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks.
- Make sure the Send telemetry to KATA check box is selected.
- If necessary, configure the Maximum events transmission delay (sec) setting in the Data transmission settings block. The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds.
- If necessary, select the Enable request throttling check box in the Request throttling block.
  This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events.
- Configure optimization settings for sending events to the server:
  - Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour.
  - Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events becomes high enough again. The default setting is 15%.
- Save your changes.
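Before enabling request throttling (described in both procedures above), it helps to know which hours and event types on a host would hit the two limits, because throttled events are gaps in what the server can detect. The check below is an added example, not Kaspersky code: it evaluates the two conditions as this page words them over a constructed event sample, and the fixed clock-hour buckets and the event type names are assumptions.

```python
from collections import Counter, defaultdict

MAX_EVENTS_PER_HOUR = 3000   # default stated on the page
TYPE_SHARE_LIMIT_PCT = 15    # default stated on the page

def throttle_risk(events, max_per_hour=MAX_EVENTS_PER_HOUR,
                  share_limit_pct=TYPE_SHARE_LIMIT_PCT):
    """events: iterable of (epoch_seconds, event_type) pairs.

    Returns {hour_start: {"total", "over_hourly_limit", "types_over_share"}}.
    Assumption: hours are fixed clock-hour buckets; the product may measure
    its hour differently.
    """
    per_hour = defaultdict(Counter)
    for ts, etype in events:
        per_hour[int(ts) // 3600 * 3600][etype] += 1

    report = {}
    for hour, counts in sorted(per_hour.items()):
        total = sum(counts.values())
        # Types whose share of this hour's events exceeds the percentage limit.
        over = {t: round(100 * n / total, 1) for t, n in counts.items()
                if 100 * n > share_limit_pct * total}
        report[hour] = {"total": total,
                        "over_hourly_limit": total > max_per_hour,
                        "types_over_share": over}
    return report

def sample_events():
    # Constructed sample with hypothetical type names: a quiet hour dominated
    # by registry changes, then a busy hour with an even mix of ten types.
    quiet = ["registry_change"] * 160 + [f"type_{i}" for i in range(6)] * 40
    busy = [f"type_{i}" for i in range(10)] * 350
    return ([(i, t) for i, t in enumerate(quiet)] +
            [(3600 + i % 3600, t) for i, t in enumerate(busy)])

if __name__ == "__main__":
    for hour, row in throttle_risk(sample_events()).items():
        print(hour, row)
```

In the constructed sample the first hour stays under the hourly limit but one type exceeds the share limit, while the second hour exceeds the hourly limit with no dominant type.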
Telemetry exclusions
To optimize transmitted data, you can add an executable file to the list of trusted applications. In that case, Kaspersky Endpoint Security does not send telemetry events for that application. This lets you reduce network traffic and minimize the number of events from trusted objects.
How to configure telemetry exclusions on the Web Console
- In the main window of the Web Console, select Devices → Policies & Profiles.
- Click the name of the Kaspersky Endpoint Security policy.
  The policy properties window opens.
- Select the Application settings tab.
- Go to the KATA integration → Telemetry exclusions section.
- Under Data transmission settings, select the Use exclusions check box.
- Click Add and configure the exclusions:
Criteria are combined with the logical AND.
- Save your changes.
How to configure telemetry exclusions on the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Policies.
- Select the necessary policy and double-click to open the policy properties.
- In the policy window, select KATA integration → Telemetry exclusions.
- Under Data transmission settings, select the Use exclusions check box.
- Click Add and configure the exclusions:
Criteria are combined with the logical AND.
- Save your changes.