Endpoint Detection and Response Expert (on-premise)

for Windows, macOS, and Linux

Endpoint Detection and Response Expert version 7.1 or earlier

Kaspersky Endpoint Security supports the Kaspersky Endpoint Detection and Response Expert component (version 7.1 and earlier, hereinafter also referred to as "EDR (KATA)") as part of the Kaspersky Anti Targeted Attack Platform solution. Kaspersky Anti Targeted Attack Platform is a solution designed for timely detection of sophisticated threats such as targeted attacks, advanced persistent threats (APT), zero-day attacks, and others. Kaspersky Anti Targeted Attack Platform includes three functional units:

Kaspersky Anti Targeted Attack Platform (KATA)
Kaspersky Endpoint Detection and Response (EDR (KATA))
Network Detection and Response (NDR (KATA))

You can purchase all functional units or individual functional units separately. For details about the solution, please refer to the Kaspersky Anti Targeted Attack Platform Help.

Kaspersky Endpoint Security is installed on individual computers on the corporate IT infrastructure and continuously monitors processes, open network connections, and files being modified. Information about events on the computer (telemetry data) is sent to the Kaspersky Anti Targeted Attack Platform server. In this case, Kaspersky Endpoint Security also sends information to the Kaspersky Anti Targeted Attack Platform server about threats discovered by the application as well as information about processing results for these threats.

The EDR (KATA) and NDR (KATA) integration is configured in the Kaspersky Security Center console. The built-in agent is then managed using the Kaspersky Anti Targeted Attack Platform console, including running tasks, managing quarantined objects, viewing reports, and other actions.

Endpoint Detection and Response Expert version 8.0 or later

Kaspersky Endpoint Security supports Kaspersky solutions of the Endpoint Detection and Response Expert class (version 8.0 and later, hereinafter also referred to as "EDR Expert (on-premise)"). Such solutions include, for example, Kaspersky Symphony XDR. Endpoint Detection and Response Expert (on-premise) is an enterprise cybersecurity solution that allows an organization to defend against most types of cyber risks and cover the most important threat propagation scenarios.

EDR Expert (on-premise) looks at logs and telemetry received from the corporate infrastructure to automatically detect attacks and allows investigating incidents using a unified investigation graph which combines all events collected in EDR Expert (on-premise), including events from Kaspersky applications and third-party information security products.

Components that Endpoint Detection and Response Expert requires

You must enable the following components for Endpoint Detection and Response Expert to work:

File Threat Protection.
Web Threat Protection.
Mail Threat Protection.
Exploit Prevention.
Behavior Detection.
Host Intrusion Prevention.
AMSI Protection.
Background scan.

Kaspersky Security Network.

Endpoint Detection and Response Expert (on-premise) component settings

Settings	OS	Description
Endpoint Detection and Response Expert solution	`Windows` `macOS` `Linux`	Endpoint Detection and Response Expert solutions that Kaspersky Endpoint Security can integrate with. Endpoint Detection and Response Expert (version 7.1 or earlier). Endpoint Detection and Response Expert (version 8.0 or later).
Connection settings to KATA servers / telemetry servers	`Windows` `macOS` `Linux`	Manage the following KATA or telemetry server connection settings: Server connection timeout. Maximum Central Node server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different Central Node server. Server certificate. TLS certificate for establishing a trusted connection with the Central Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and the Central Node server. To use two-way authentication, you need to enable two-way authentication in the Central Node server settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). After configuring the Central Node settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container. The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.
Send sync request to server every (min) (available only for Endpoint Detection and Response Expert version 7.1 or earlier)	`Windows` `macOS` `Linux`	Frequency of synchronization requests sent to the server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks.
Connection to KATA servers / Connection to telemetry collection servers	`Windows` `macOS` `Linux`	Kaspersky Anti Targeted Attack Platform servers connection settings. You can enter an IP address (IPv4 or IPv6). You can add multiple Central Node server addresses. Kaspersky Endpoint Security makes an attempt to connect to the server at the first IP address. If a connection cannot be established, Kaspersky Endpoint Security tries to connect at the second IP address in the list and so on. The EDR (KATA) and EDR Expert (on-premise) solutions have different architectures. To process telemetry, EDR Expert (on-premise) uses a telemetry server instead of a Central Node server used by EDR (KATA). Therefore, if you are integrating the application with EDR Expert (on-premise), you need to add a telemetry server.
Send telemetry to KATA / Send telemetry to telemetry collection servers	`Windows` `macOS` `Linux`	This function allows completely preventing telemetry from being sent to the KATA server or telemetry server, depending on the selected solution. For example, if you are using Kaspersky Anti Targeted Attack Platform together with another solution which also uses telemetry, you can turn off telemetry for KATA (EDR). This lets you optimize server load for these solutions. If you have the Managed Detection and Response solution and KATA (EDR) deployed, you can use MDR telemetry and create Threat Response tasks in KATA (EDR).
Send telemetry with IOA only (available only for Endpoint Detection and Response Expert version 8.0 or later)	`Windows` `Linux`	This allows optimizing telemetry and sending only telemetry with IOA. Indicator of Attack (IOA) is a rule that contains a description of suspicious behavior in the system that may indicate a targeted attack. The application compares ongoing behavior in the system with these rules and logs events that are indicative of a targeted attack. The application uses the streaming scan technology, which allows real time tracking of such events.
Maximum event transmission delay (sec)	`Windows` `macOS` `Linux`	The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds.
Maximum number of event packages	`Windows`	The application synchronizes with the server when the buffer is filled with events. The default setting is 1024 events.
Enable request throttling	`Windows` `macOS` `Linux`	This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events. Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour. Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events becomes big enough again. The default setting is 15 %.
Connection to response servers (available only for Endpoint Detection and Response Expert version 8.0 or later)	`Windows` `macOS` `Linux`	Connection to response servers settings. You can enter an IP address (IPv4 or IPv6). You can add multiple response server addresses. Kaspersky Endpoint Security makes an attempt to connect to the server at the first IP address. If a connection cannot be established, Kaspersky Endpoint Security tries to connect at the second IP address in the list and so on.
Connection settings (available only for Endpoint Detection and Response Expert version 8.0 or later)	`Windows` `macOS` `Linux`	Configure the following for the response server connection: Server connection timeout. Maximum response server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different response server. Server certificate. TLS certificate for establishing a trusted connection with the response server. Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and the response server. To use two-way authentication, you need to enable two-way authentication in the response server settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). After configuring the response server settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container. The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.

Settings

Description

Endpoint Detection and Response Expert solution

Windows

macOS

Linux

Endpoint Detection and Response Expert solutions that Kaspersky Endpoint Security can integrate with.

Endpoint Detection and Response Expert (version 7.1 or earlier).

Endpoint Detection and Response Expert (version 8.0 or later).

Connection settings to KATA servers / telemetry servers

Windows

macOS

Linux

Manage the following KATA or telemetry server connection settings:

Server connection timeout. Maximum Central Node server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different Central Node server.
Server certificate. TLS certificate for establishing a trusted connection with the Central Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).
Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and the Central Node server. To use two-way authentication, you need to enable two-way authentication in the Central Node server settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). After configuring the Central Node settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container.

The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.

Send sync request to server every (min)

(available only for Endpoint Detection and Response Expert version 7.1 or earlier)

Windows

macOS

Linux

Frequency of synchronization requests sent to the server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks.

Connection to KATA servers / Connection to telemetry collection servers

Windows

macOS

Linux

Kaspersky Anti Targeted Attack Platform servers connection settings. You can enter an IP address (IPv4 or IPv6).

You can add multiple Central Node server addresses. Kaspersky Endpoint Security makes an attempt to connect to the server at the first IP address. If a connection cannot be established, Kaspersky Endpoint Security tries to connect at the second IP address in the list and so on.

The EDR (KATA) and EDR Expert (on-premise) solutions have different architectures. To process telemetry, EDR Expert (on-premise) uses a telemetry server instead of a Central Node server used by EDR (KATA). Therefore, if you are integrating the application with EDR Expert (on-premise), you need to add a telemetry server.

Send telemetry to KATA / Send telemetry to telemetry collection servers

Windows

macOS

Linux

This function allows completely preventing telemetry from being sent to the KATA server or telemetry server, depending on the selected solution. For example, if you are using Kaspersky Anti Targeted Attack Platform together with another solution which also uses telemetry, you can turn off telemetry for KATA (EDR). This lets you optimize server load for these solutions.

If you have the Managed Detection and Response solution and KATA (EDR) deployed, you can use MDR telemetry and create Threat Response tasks in KATA (EDR).

Send telemetry with IOA only

(available only for Endpoint Detection and Response Expert version 8.0 or later)

Windows

Linux

This allows optimizing telemetry and sending only telemetry with IOA.

Indicator of Attack (IOA) is a rule that contains a description of suspicious behavior in the system that may indicate a targeted attack. The application compares ongoing behavior in the system with these rules and logs events that are indicative of a targeted attack. The application uses the streaming scan technology, which allows real time tracking of such events.

Maximum event transmission delay (sec)

Windows

macOS

Linux

The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds.

Maximum number of event packages

Windows

The application synchronizes with the server when the buffer is filled with events. The default setting is 1024 events.

Enable request throttling

Windows

macOS

Linux

This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events.

Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour.

Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events becomes big enough again. The default setting is 15 %.

Connection to response servers

(available only for Endpoint Detection and Response Expert version 8.0 or later)

Windows

macOS

Linux

Connection to response servers settings. You can enter an IP address (IPv4 or IPv6).

You can add multiple response server addresses. Kaspersky Endpoint Security makes an attempt to connect to the server at the first IP address. If a connection cannot be established, Kaspersky Endpoint Security tries to connect at the second IP address in the list and so on.

Connection settings

(available only for Endpoint Detection and Response Expert version 8.0 or later)

Windows

macOS

Linux

Configure the following for the response server connection:

Server connection timeout. Maximum response server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different response server.
Server certificate. TLS certificate for establishing a trusted connection with the response server.

Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and the response server. To use two-way authentication, you need to enable two-way authentication in the response server settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). After configuring the response server settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container.

The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.

Page top