Telemetry settings

for Windows, macOS, and Linux

This section lets you configure telemetry from managed devices to telemetry collection servers. Telemetry is a list of events that have occurred on the protected computer. Kaspersky Endpoint Security analyzes telemetry and sends it to Kaspersky Anti Targeted Attack Platform or to telemetry collection servers during synchronization. Telemetry events arrive on the server almost continuously. Kaspersky Endpoint Security initiates synchronization with the server when any of the following conditions are satisfied:

Synchronization interval has run out.
The number of events in the buffer exceeds the upper limit.

If there is no connection between Kaspersky Endpoint Security and the server, the application queues new events. When the connection is restored, Kaspersky Endpoint Security sends queued events to the server in proper order. To avoid overloading the server, Kaspersky Endpoint Security may skip some events.

You can manage synchronization settings for each Built-in Agent in the "Built-in agents" section and select optimal values depending on your network load.

In this section, you can configure:

Telemetry inclusion and exclusion rules.
Collection of telemetry to be sent to KATA servers, telemetry collection servers, or response servers.

EDR Expert (on-premise) telemetry

Settings	OS	Description
EDR Expert (on-premise) telemetry	`Windows` `macOS` `Linux`	Import and Export. You can export EDR Expert (on-premise) telemetry settings to a JSON file. Then you can modify the file to, for example, add a large number of event IDs. You can also use the export/import function to back up the settings of sent events or to migrate the list to another policy.
General exclusions	`Windows` `macOS` `Linux`	To optimize the transmitted data, you can configure exclusion rules for certain event types. Kaspersky Endpoint Security does not collect telemetry that falls under such a rule. This lets you reduce traffic and avoid processing events from trusted objects and processes. Rule name. Action: Do not collect. If you select this option, Kaspersky Endpoint Security does not collect telemetry that satisfies the conditions of the rule. Exclude IOA. If you select this option, Kaspersky Endpoint Security does not collect telemetry based on an IOA rule triggering. Indicator of Attack (IOA) is a rule that contains a description of suspicious behavior in the system that may indicate a targeted attack. Condition. Rule-triggering condition. Specify a telemetry parameter, a conditional operator, and the value of the parameter. By default, Kaspersky Endpoint Security combines rule triggering criteria with a logical AND. You can add multiple conditions or condition groups using the AND and OR logical operators.
All event types	`Windows` `macOS` `Linux`	List of event types for which telemetry is defined by default by Kaspersky. You can manually enable or disable telemetry for each event type and configure telemetry exclusion and inclusion rules.

EDR (KATA) / NDR (KATA) telemetry

for Windows and Linux

To improve performance and optimize data transmission to the Telemetry server, you can configure telemetry exclusions. For example, you can choose not to send network communications data for individual applications.

EDR (KATA) / NDR (KATA) telemetry exclusion settings

Settings	OS	Description
Excluded processes	`Windows` `Linux`	Kaspersky Endpoint Security does not process data related to processes from the list. Optimize the telemetry size to send. Kaspersky Endpoint Security allows optimizing the amount of transmitted data and excluding events with certain codes from telemetry: code 102 (basic communications) and 8 (network activity of the process) for the Microsoft SMB protocol, the WinRM service, and the klnagent.exe process of the Network Agent, as well as extended information about the types of network packets for all types of network protocols. Kaspersky Endpoint Security combines rule triggering criteria with a logical AND. Process and Parent process: Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the `*` and `?` characters when entering a mask. Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays the parameters of `C:\windows\syswow64\cmd.exe`. Such behavior is dictated by peculiarities of the operating system. Use for the following event types: File modification. Network events. Process: console interactive input. Module loaded. Registry modified. DNS logs. Process access. Code injection. `Windows` WMI query Pipe. LDAP. `Windows` AMSI
Excluded network communications	`Windows` `Linux`	Kaspersky Endpoint Security does not process data related to network communications from the list. In the exclusion rule you can specify: Rule name. Direction. Protocol. Raw socket. Protocol number. Local address. The network address of the computer for which Kaspersky Endpoint Security is excluding telemetry from network traffic. Local port or range. Remote address. The network address of the computer for which Kaspersky Endpoint Security is excluding telemetry from network traffic. Remote port or range. Only the IPv4 format is supported for IP addresses. Apply the rule to the selected applications. If this check box is selected Kaspersky Endpoint Security excludes EDR telemetry from the network traffic for executable files of applications from the list.
Excluded file operations	`Windows` `Linux`	Kaspersky Endpoint Security does not process file operations from the list. In the exclusion rule you can specify: Rule name. File name or mask. The file name or mask to which Kaspersky Endpoint Security applies the exclusion rule when the file is accessed. Kaspersky Endpoint Security supports the `` and `?` characters when entering a mask. Select file operation. Type of file operation to which the rule will apply. Previous path. Kaspersky Endpoint Security combines rule triggering criteria with a logical AND. Process and Parent process: Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the `` and `?` characters when entering a mask. Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays the parameters of `C:\windows\syswow64\cmd.exe`. Such behavior is dictated by peculiarities of the operating system.
Excluded DNS operations	`Windows` `Linux`	Kaspersky Endpoint Security does not process DNS operations from the list. In the exclusion rule you can specify: Rule name. Kaspersky Endpoint Security combines rule triggering criteria with a logical AND. Process and Parent process: Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the `*` and `?` characters when entering a mask. Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays the parameters of `C:\windows\syswow64\cmd.exe`. Such behavior is dictated by peculiarities of the operating system. DNS operation: DNS server IP address. Query options. Status. Domain name. Settings type ID. Response data. Content of the DNS response to the query.
Excluded LDAP operations	`Windows`	Kaspersky Endpoint Security does not process LDAP operations from the list. In the exclusion rule you can specify: Rule name. Kaspersky Endpoint Security combines rule triggering criteria with a logical AND. Process and Parent process: Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the `*` and `?` characters when entering a mask. Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays the parameters of `C:\windows\syswow64\cmd.exe`. Such behavior is dictated by peculiarities of the operating system. LDAP operation: LDAP search scope. LDAP search scope. Can have one of the following values: ADS_SCOPE_BASE, ADS_SCOPE_ONELEVEL, ADS_SCOPE_SUBTREE. Filter. Distinguished name for LDAP objects search. Name of the record in the LDAP directory. Object attributes used for LDAP operations search. Attributes set in the query as return values.
Excluded process access queries	`Windows`	Kaspersky Endpoint Security does not process access requests to processes from the list. In the exclusion rule you can specify: Rule name. Kaspersky Endpoint Security combines rule triggering criteria with a logical AND. Process, Parent process, Target process, File of a source process and File of a target process. Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the `*` and `?` characters when entering a mask. Command line text. Command used to run the file. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays the parameters of `C:\windows\syswow64\cmd.exe`. Such behavior is dictated by peculiarities of the operating system. Process access queries: Operation type. Requested access to the process. Call stack trace.
Excluded code injections	`Windows`	Kaspersky Endpoint Security does not process code injections from the list. In the exclusion rule you can specify: Rule name. Kaspersky Endpoint Security combines rule triggering criteria with a logical AND. Process and Parent process: Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the `*` and `?` characters when entering a mask. Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays the parameters of `C:\windows\syswow64\cmd.exe`. Such behavior is dictated by peculiarities of the operating system. Code injections: Access method. Call stack. The API call stack at the moment of interception of the function related to the code injection Modified command line. Injection address. Address in the address space of the target process at which the remotely run code was placed. This field is left empty if the code injection was achieved using the SET_WINDOWS_HOOK and ARG_SPOOFING methods. Modified command line. Injected DLL name. Name of the DLL containing the interceptor routine and name of the function to which control is passed after the injection. This field is filled if the code injection was achieved using the SET_WINDOWS_HOOK methods. Injected DLL path. Path to the DLL containing the interceptor routine. This field is filled if the code injection was achieved using the SET_WINDOWS_HOOK methods.
Excluded WMI queries	`Windows`	Kaspersky Endpoint Security does not process WMI requests from the list. In the exclusion rule you can specify: Rule name. Kaspersky Endpoint Security combines rule triggering criteria with a logical AND. Process and Parent process: Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the `*` and `?` characters when entering a mask. Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays the parameters of `C:\windows\syswow64\cmd.exe`. Such behavior is dictated by peculiarities of the operating system. WMI queries: WMI operation type. Remote query. Name of a computer that executed a WMI command. WMI user account. Executed WMI command. WMI namespace. WMI event consumer filter. Name of the created WMI event consumer. Source code of a WMI event consumer.
Excluded pipe operations	`Windows`	Kaspersky Endpoint Security does not process pipe operations from the list. In the exclusion rule you can specify: Rule name. Kaspersky Endpoint Security combines rule triggering criteria with a logical AND. Process and Parent process: Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the `*` and `?` characters when entering a mask. Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays the parameters of `C:\windows\syswow64\cmd.exe`. Such behavior is dictated by peculiarities of the operating system. Pipe operations: Pipe name. Operation type.
Excluded registry changes	`Windows`	Kaspersky Endpoint Security does not process registry modifications from the list. In the exclusion rule you can specify: Rule name. Kaspersky Endpoint Security combines rule triggering criteria with a logical AND. Process and Parent process: Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the `*` and `?` characters when entering a mask. Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays the parameters of `C:\windows\syswow64\cmd.exe`. Such behavior is dictated by peculiarities of the operating system. Registry changes: Operation type. Path. Path to the registry key in which the modification was made. Value name. Name of the modified value, for example, RegistrySizeLimit. Value. Full name of a registry file.
Excluded operations with devices	`Windows`	Kaspersky Endpoint Security does not process operations related to USB devices from the list. In the exclusion rule you can specify: Rule name. Device type. Device ID. Device name.

KUMA telemetry

Parameter	OS	Description
Windows Event Logs	`Windows`	List of Windows event logs that you have added manually. You can add logs one by one or import a JSON file with settings. For each event log, you can select how you want it to be sent: Send all events. In this mode, the application sends all events from the Windows log except events added to exclusion rules. Send only selected events. In this mode, the application sends only events added in inclusion rules. You can also configure exclusion or inclusion rules for the relevant event sending mode. To add rules, you need to specify the ID of the event in the Windows event log. You can list multiple event IDs in a rule. When specify multiple event IDs, use commas as delimiters.

Page top