Kaspersky Endpoint Detection and Response Expert (on-premise) Integration settings

The table below describes the settings of the Kaspersky Endpoint Detection and Response Expert (on-premise) (KATAEDR) Integration predefined task, which you can manage when integrating with Kaspersky Endpoint Detection and Response Expert (on-premise).

This task also allows you to manage the Kaspersky Endpoint Detection and Response (KATA) Integration settings. For the Kaspersky Endpoint Detection and Response Expert (on-premise) integration, you need to select the EDR Expert (OSMP) integration mode (Mode=EDRExpertOnPrem) in the task settings.


| Setting | Description | Value |
|---|---|---|
| Mode | Integration mode. For the Kaspersky Endpoint Detection and Response Expert (on-premise) integration, the Kaspersky Endpoint Security application interacts with servers on the OSMP platform. For the Kaspersky Endpoint Detection and Response (KATA) integration, the Kaspersky Endpoint Security application interacts with servers on the Kaspersky Anti Targeted Attack Platform. | EDRKATA (default) is the EDR (KATA) integration mode. Allows enabling integration with Kaspersky Endpoint Detection and Response (KATA), a component of Kaspersky Anti Targeted Attack Platform. EDRExpertOnPrem is the EDR Expert (OSMP) integration mode. Enables the Kaspersky Endpoint Detection and Response Expert (on-premise) integration. |
| UseClientPinnedCertificate | Enable or disable two-way authentication for additional security of the connection to the OSMP threat response action server. If two-way authentication is enabled on the OSMP threat response server side, you need to enable two-way authentication in the settings of the Kaspersky Endpoint Detection and Response Expert (on-premise) Integration task and add the client certificate before starting the task. | Yes enables two-way authentication for additional security of the connection to the OSMP threat response action server. No (default value) disables two-way authentication. |
| SynchronizationPeriod | Periodicity of synchronization requests to the OSMP threat response action server, in minutes. | The default value is 5. |
| ConnectionTimeout | The maximum time to wait for a connection to the OSMP threat response action server, in seconds. | The default value is 10. |
| RequestTimeout | The maximum time to wait for a response from the OSMP threat response action server, in seconds. | The default value is 10. |
| EnableTelemetry | Enable or disable sending event data (telemetry) to the OSMP telemetry server. | Yes (default value) enables the sending of telemetry to the OSMP telemetry server. No disables the sending of telemetry. |

The [Endpoints.item_#] section contains the address and port of the OSMP threat response action server. You can add multiple servers.

| Setting | Description | Value |
|---|---|---|
| Address | OSMP threat response action server address. | You can specify the IP address (IPv4 or IPv6) or the fully qualified domain name (FQDN) of the integration server. To ensure that communication with the server is not interrupted in the event of an application failure while network isolation is enabled on the device, we recommend specifying the server's IP address. Default value: 127.0.0.1. |
| Port | Port for connecting to the OSMP threat response server. | The default value is 443. |

The [TelemetrySettings] section contains general settings for connecting to OSMP telemetry servers.

| Setting | Description | Value |
|---|---|---|
| UseClientPinnedCertificate | Enable or disable two-way authentication for additional security of the connection to the OSMP telemetry server. If two-way authentication is enabled on the OSMP telemetry server side, you need to enable two-way authentication in the settings of the Kaspersky Endpoint Detection and Response Expert (on-premise) Integration task and add the client certificate before starting the task. | Yes enables two-way authentication for additional security of the connection to the OSMP telemetry server. No (default value) disables two-way authentication. |
| ConnectionTimeout | The maximum time to wait for a connection to the OSMP telemetry server, in seconds. | The default value is 10. |
| RequestTimeout | The maximum time to wait for a response from the OSMP telemetry server, in seconds. | The default value is 10. |
| OnlyTaggedEvents | Enables or disables the sending of telemetry only with an Indicator of Attack (IOA). An Indicator of Attack is a description of suspicious behavior of objects in an organization's IT infrastructure, which may be a sign of a targeted attack on the organization. | Yes – send only telemetry with an Indicator of Attack (IOA). No (default) – send all telemetry. |

The [TelemetrySettings.Endpoints.item_#] section contains the address and port of the OSMP telemetry server. You can add multiple servers.

| Setting | Description | Value |
|---|---|---|
| Address | OSMP telemetry server certificate address. | You can specify the IP address (IPv4 or IPv6) or the fully qualified domain name (FQDN) of the integration server. To ensure that communication with the server is not interrupted in the event of an application failure while network isolation is enabled on the device, we recommend specifying the server's IP address. Default value: 127.0.0.1. |
| Port | Port for connecting to the OSMP telemetry server. | The default value is 443. |

The [TelemetrySettings.EventTransferSettings] section contains settings for data transfer to the OSMP telemetry server.

| Setting | Description | Value |
|---|---|---|
| MaximumDataTransferTime | The maximum delay in sending events to the OSMP telemetry server, in seconds. | The default value is 30. |
| UseRequestCountLimits | Enable or disable the regulation of the number of events sent to the OSMP telemetry server. | Yes (default value) – regulate the number of events sent. No – do not regulate the number of events. |
| MaximumNumberOfEventsInHour | Maximum number of events per hour. | The default value is 3000. |
| MaximumNumberOfEventsInPackage | Maximum number of events in one package. | The default value is 1024. |
| EventLimitExceededPercentage | Number of events above the limit (percentage). Sending events is limited if the ratio of events of a certain type to the total number of events exceeds the configured threshold (as a percentage). | The default value is 15. |
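
The following added example (not Kaspersky's code) reviews an exported settings file against the values documented above: integration mode, two-way authentication for each server type, and server addresses left at the default or given as an FQDN. It assumes an INI-style file in which the top-level settings precede the named sections; the `item_0000` index format and the sample input are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample settings; the file layout and the item_0000 index
# format are assumptions (the table only shows the pattern item_#).
SAMPLE = """\
Mode=EDRExpertOnPrem
UseClientPinnedCertificate=No
[Endpoints.item_0000]
Address=127.0.0.1
Port=443
[TelemetrySettings]
UseClientPinnedCertificate=Yes
[TelemetrySettings.Endpoints.item_0000]
Address=telemetry.osmp.example
Port=443
"""

def audit(text):
    """Return (section, setting, finding) tuples for settings worth reviewing."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                # keep setting names case-sensitive
    cp.read_string("[root]\n" + text)   # top-level settings have no section header
    findings = []
    if cp.get("root", "Mode", fallback="EDRKATA") != "EDRExpertOnPrem":
        findings.append(("root", "Mode", "not EDRExpertOnPrem"))
    # Two-way authentication is set separately for each server type.
    for section in ("root", "TelemetrySettings"):
        if not cp.has_section(section):
            continue
        if cp.get(section, "UseClientPinnedCertificate", fallback="No") != "Yes":
            findings.append((section, "UseClientPinnedCertificate",
                             "two-way authentication disabled"))
    for section in cp.sections():
        if "Endpoints.item_" not in section:
            continue
        addr = cp.get(section, "Address", fallback="127.0.0.1")
        try:
            ipaddress.ip_address(addr)  # accepts IPv4 and IPv6 literals
        except ValueError:
            findings.append((section, "Address",
                             "FQDN used; IP address recommended for network isolation"))
            continue
        if addr == "127.0.0.1":
            findings.append((section, "Address", "default 127.0.0.1 left in place"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```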
