By default, Kaspersky Anti Targeted Attack Platform processes all event data (telemetry) received from Endpoint Agent. By limiting the volume of telemetry, you can reduce the load on the servers that store and process telemetry. Limited telemetry includes full information about the events themselves and the most important information about the processes that triggered these events. Information about other processes associated with the events is excluded.
Users with the Senior security officer role can limit the amount of telemetry. Users with the Administrator or Security auditor role can view telemetry limitation settings, but cannot manage these settings. Users with the Security officer role do not have access to telemetry settings.
To limit the volume of telemetry from Endpoint Agent:
Telemetry is limited.
Special considerations involved in limiting telemetry on Central Node and SCN
After clicking Apply, a "Failed to limit the scope of received data" message may be displayed. This means that some of the user-defined TAA (IOA) rules do not allow limiting telemetry because those rules contain fields that are not processed when telemetry is limited. You can disable or delete such rules.
The list of rules that need to be disabled or deleted is displayed in the warning window under the "TAA rules to be disabled or modified" heading. You can copy the list of these rules by clicking Copy list and save the list in any way you want. The Go to TAA rules button in the warning window takes you to the user-defined TAA (IOA) rules section.
Special considerations involved in limiting telemetry on the PCN
Kaspersky Anti Targeted Attack Platform does not check whether the user-defined TAA (IOA) rules that are active on the PCN can remain functional with limited telemetry. We recommend taking steps to test each user-defined TAA (IOA) rule.
Testing user-defined TAA (IOA) rules for functionality with limited telemetry involves the following steps:
To search for events by the code from a rule, open the rule window and click the Run query button. After you start the search, the Threat Hunting window opens.
A TAA (IOA) rule is working if the window contains a table of events that match the search conditions. If the window displays the "Server error: Request failed" error next to the PCN name, it means that the rule is not working.
If you want to delete or disable a rule that does not work on the PCN, but still want to apply the rule on SCNs, you need to create a similar rule in the web interface of each SCN on which you want the rule to apply.
If you do not want to disable or delete any rules, do not limit telemetry.