Endpoint Detection and Response (KATA)

Kaspersky Endpoint Security version 12.1 now includes a built-in agent for managing the Kaspersky Endpoint Detection and Response component as part of the Kaspersky Anti Targeted Attack Platform solution. Kaspersky Anti Targeted Attack Platform is a solution designed for timely detection of sophisticated threats such as targeted attacks, advanced persistent threats (APT), zero-day attacks, and others. Kaspersky Anti Targeted Attack Platform includes two functional blocks: Kaspersky Anti Targeted Attack (hereinafter also referred to as "KATA") and Kaspersky Endpoint Detection and Response (hereinafter also referred to as "EDR (KATA)"). You can purchase EDR (KATA) separately. For details about the solution, please refer to the Kaspersky Anti Targeted Attack Platform Help.

Kaspersky Endpoint Security is installed on individual computers in the corporate IT infrastructure and continuously monitors processes, open network connections, and files being modified. Information about events on the computer (telemetry data) is sent to the Kaspersky Anti Targeted Attack Platform server. Kaspersky Endpoint Security also sends the Kaspersky Anti Targeted Attack Platform server information about threats the application has detected and about the results of processing those threats.

The EDR (KATA) integration is configured on the Kaspersky Security Center console. The built-in agent is then managed using the Kaspersky Anti Targeted Attack Platform console, including running tasks, managing quarantined objects, viewing reports, and other actions.

Endpoint Detection and Response (KATA) settings

| Parameter | Description |
|---|---|
| Settings for connecting to KATA servers | **Timeout.** Maximum Central Node server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different Central Node server.<br>**Server TLS certificate.** TLS certificate for establishing a trusted connection with the Central Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).<br>**Use two-way authentication.** Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and Central Node. To use two-way authentication, you need to enable two-way authentication in the Central Node settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). After configuring the Central Node settings, you also need to enable two-way authentication in the Kaspersky Endpoint Security settings and load the password-protected crypto-container.<br>The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password. |
| KATA servers | Central Node server connection settings. You can enter an IP address (IPv4 or IPv6). |
| Send sync request to KATA server every (min) | Frequency of synchronization requests sent to the Central Node server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks. |
| Send telemetry to KATA | This setting lets you completely turn off the sending of telemetry to the server. If you are using Kaspersky Anti Targeted Attack Platform together with another solution that also uses telemetry, you can turn off telemetry for EDR (KATA). This lets you reduce the server load for these solutions. For example, if you have both the Managed Detection and Response solution and EDR (KATA) deployed, you can use MDR telemetry and create Threat Response tasks in EDR (KATA). |
| Maximum events transmission delay (sec) | The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds. |
| Enable request throttling | This feature helps limit the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events. |
| Maximum number of events per hour | The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour. |
| Percentage of event limit excess | The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events becomes large enough again. The default setting is 15%. |
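The two throttling limits above (an hourly cap on forwarded events and a cap on the share a single event type may have) are easiest to reason about with a simulator. The following Python code is an added example and is not Kaspersky's implementation; it models the documented behaviour with two assumptions that the documentation does not state: limits are evaluated over a sliding one-hour window, and the per-type share check is only applied once a minimum sample of events has been seen (otherwise the first two events of the same type would already exceed 15%). The defaults of 3000 events per hour and 15% are the page's values; `min_sample` and `window_seconds` are assumed.

```python
"""Telemetry throttling simulator for the EDR (KATA) agent settings (added example)."""
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass
class TelemetryThrottle:
    """Decide per event whether it is forwarded to the Central Node.

    Mirrors the two documented limits: an hourly cap on forwarded events and a
    cap on the share (in percent) that a single event type may have of all
    events seen. Window length and the minimum sample size for the share
    check are assumptions, not values from the documentation.
    """
    max_events_per_hour: int = 3000          # documented default
    max_type_share_percent: float = 15.0     # documented default
    window_seconds: float = 3600.0           # assumed: sliding one-hour window
    min_sample: int = 100                    # assumed: share check needs a sample
    _sent: deque = field(default_factory=deque, init=False, repr=False)   # timestamps forwarded
    _seen: deque = field(default_factory=deque, init=False, repr=False)   # (timestamp, type) seen
    _seen_by_type: Counter = field(default_factory=Counter, init=False, repr=False)
    _paused_until: float = field(default=0.0, init=False, repr=False)     # hourly cap hit

    def _evict(self, now: float) -> None:
        """Drop window entries older than window_seconds."""
        cutoff = now - self.window_seconds
        while self._sent and self._sent[0] <= cutoff:
            self._sent.popleft()
        while self._seen and self._seen[0][0] <= cutoff:
            _, etype = self._seen.popleft()
            self._seen_by_type[etype] -= 1

    def should_send(self, now: float, event_type: str) -> bool:
        self._evict(now)
        # Every event counts towards the per-type ratio, forwarded or not.
        self._seen.append((now, event_type))
        self._seen_by_type[event_type] += 1

        # Hourly cap: once exceeded, forwarding pauses for a full window.
        if now < self._paused_until:
            return False
        if len(self._sent) >= self.max_events_per_hour:
            self._paused_until = now + self.window_seconds
            return False

        # Per-type share: suppress a type that dominates the stream; it
        # resumes automatically once other types dilute its share again.
        total = len(self._seen)
        if total >= self.min_sample:
            share = 100.0 * self._seen_by_type[event_type] / total
            if share > self.max_type_share_percent:
                return False

        self._sent.append(now)
        return True


def simulate(events, **limits):
    """Run (timestamp, event_type) pairs through a throttle; return (sent, suppressed)."""
    throttle = TelemetryThrottle(**limits)
    sent = suppressed = 0
    for ts, etype in events:
        if throttle.should_send(ts, etype):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


if __name__ == "__main__":
    # Constructed sample: a balanced mix of ten types, then a burst of
    # registry-change events that quickly exceeds the 15% share limit.
    mixed = [(i, f"type{i % 10}") for i in range(20)]
    burst = [(20 + i, "registry") for i in range(10)]
    print(simulate(mixed + burst, max_events_per_hour=100,
                   max_type_share_percent=15, min_sample=20))
```

Note what the per-type check does for a detection engineer: a noisy source (registry churn during a software install, say) is rate-shaped rather than dropped outright, and the first few events of the burst still reach the server. The hourly cap, by contrast, is a hard pause, so a host that hits it goes quiet for an hour; if you lower the default, confirm that your detection content tolerates that gap.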

See also

Integration with EDR (KATA)

Configuring telemetry
