Kaspersky Endpoint Detection and Response (KATA), referred to below as EDR (KATA), is a component of the Kaspersky Anti Targeted Attack Platform solution, which is designed to protect the IT infrastructure of organizations and promptly detect threats such as zero-day attacks, targeted attacks, and advanced persistent threats (APT). To read more, check out the Kaspersky Anti Targeted Attack Platform help section.
When interacting with EDR (KATA), Kaspersky Endpoint Security can perform the following functions:
Kaspersky Endpoint Detection and Response (KATA) Integration task allows you to configure and enable integration of the Kaspersky Endpoint Security application with the EDR (KATA) component. You can also manage the integration of Kaspersky Endpoint Security with EDR (KATA) using the Kaspersky Security Center Administration Console and Kaspersky Security Center Web Console.
Management of integration settings with EDR (KATA) via Kaspersky Security Center Cloud Console is not supported.
To integrate with EDR (KATA), the Behavior Detection task must be started.
The integration of Kaspersky Endpoint Security with EDR (KATA) is only possible if this task is started. Otherwise, the required telemetry data cannot be transmitted.
EDR (KATA) can also use data received from the following tasks:
During integration with EDR (KATA), devices with Kaspersky Endpoint Security establish secure connections to the KATA server via the HTTPS protocol. To ensure a secure connection, the following certificates issued by the KATA server are used:
Certificates for securing the connection to the KATA server are provided by the Kaspersky Anti Targeted Attack Platform administrator.
A proxy server is used to connect to the KATA server if use of a proxy server is configured in the general application settings of Kaspersky Endpoint Security.
If Kaspersky Endpoint Security is integrated with Kaspersky Anti Targeted Attack Platform, a large number of events can be written to the systemd log. If you want to disable the logging of audit events to the systemd log, disable the systemd-journald-audit socket and restart the operating system.
To disable the systemd-journald-audit socket, run the following commands:
systemctl stop systemd-journald-audit.socket
systemctl disable systemd-journald-audit.socket
systemctl mask systemd-journald-audit.socket
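After running the three commands above and rebooting, an administrator usually wants to confirm that the socket really is off, since a unit that was stopped and disabled but not masked can be re-activated by a dependency, and a unit that was masked but not stopped stays active until the next boot. The script below is an added example written for this page, not part of the Kaspersky help or product; the only page-specific name it relies on is the unit name systemd-journald-audit.socket, and the three-way classification ("off", "partial", "on") is my own convention. A general systemd note, not stated on the page: masking this socket only stops journald from receiving kernel audit messages; an auditd service writing its own log is unaffected.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): verify that systemd-journald-audit.socket
# is fully switched off after the stop/disable/mask procedure.

# Pure classification so it can be exercised without a running systemd.
# Arguments: LoadState ActiveState UnitFileState (as reported by `systemctl show`).
# Prints:
#   off     - masked and not active: audit events no longer reach journald
#   partial - stopped or disabled but not masked, or masked but still active
#             (the page says to restart the OS after masking)
#   on      - loaded, enabled and active: logging continues
journald_audit_state() {
  load="$1"; active="$2"; unitfile="$3"
  if [ "$load" = "masked" ] && [ "$active" != "active" ]; then
    echo off
  elif [ "$load" = "masked" ] || [ "$unitfile" = "disabled" ] || [ "$active" != "active" ]; then
    echo partial
  else
    echo on
  fi
}

# Query the live system and classify. Prints "unknown" when systemctl is
# unavailable (e.g. in a container without systemd) or gives unexpected output.
check_live_journald_audit() {
  command -v systemctl >/dev/null 2>&1 || { echo unknown; return 0; }
  # --value prints one property value per line in the order requested.
  set -- $(systemctl show -p LoadState,ActiveState,UnitFileState --value \
             systemd-journald-audit.socket 2>/dev/null)
  [ $# -eq 3 ] || { echo unknown; return 0; }
  journald_audit_state "$1" "$2" "$3"
}

# The procedure from the page, wrapped so it can be re-run idempotently.
# A reboot is still required afterwards, as the page states.
disable_journald_audit_socket() {
  systemctl stop systemd-journald-audit.socket
  systemctl disable systemd-journald-audit.socket
  systemctl mask systemd-journald-audit.socket
}
```

Source the file and call `check_live_journald_audit` (as root is not required for reading unit state); anything other than "off" means the procedure is incomplete or the system has not been restarted yet.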