Configuring EDR (KATA) telemetry
Telemetry is a list of events that have occurred on the protected computer. Kaspersky Endpoint Security analyzes telemetry data and sends it to Kaspersky Anti Targeted Attack Platform during synchronization. Telemetry events arrive on the server almost continuously. Kaspersky Endpoint Security initiates synchronization with the server when any of the following conditions are satisfied:
- Synchronization interval has run out.
- The number of events in the buffer exceeds the upper limit.
Therefore, by default, the application synchronizes every 30 seconds or whenever the buffer holds 1024 events. You can configure the synchronization behavior in the Kaspersky Endpoint Security policy and select optimum values to match your network load (see instructions below).
If there is no connection between Kaspersky Endpoint Security and the server, the application queues new events. When the connection is restored, Kaspersky Endpoint Security sends the queued events to the server in their original order. To avoid overloading the server, Kaspersky Endpoint Security may skip some events. To enable this, adjust the event transmission settings, for example, by setting a maximum events-per-hour value (see instructions below).
If you are using Kaspersky Anti Targeted Attack Platform together with another solution which also uses telemetry, you can turn off telemetry for KATA (EDR) (see instructions below). This lets you optimize server load for these solutions. For example, if you have the Managed Detection and Response solution and KATA (EDR) deployed, you can use MDR telemetry and create Threat Response tasks in KATA (EDR).
How to configure telemetry in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Policies.
- Select the necessary policy and double-click to open the policy properties.
- In the policy window, select Detection and Response and select the component that you want to configure: Endpoint Detection and Response Expert (on-premise) or Network Detection and Response (KATA).
- Configure the Send sync request to KATA server every (min) setting. This setting defines how often synchronization requests are sent to the server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks.
- Make sure the Send telemetry to KATA check box is selected.
- If necessary, configure the synchronization with the server settings in the Data transmission settings block:
- Maximum event transmission delay (sec). The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds.
- Maximum number of event packages. The application synchronizes with the server when the buffer is filled with events. The default setting is 1024 events.
- If necessary, select the Enable request throttling check box in the Request throttling block.
This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events.
- Configure optimization settings for sending events to the server:
- Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour.
- Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events is high enough again. The default setting is 15 %.
- Save your changes. To apply the policy on computers, close the padlocks.
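The sync triggers (transmission delay, buffer size) and the two throttling limits described in the introduction and in the steps above, as a constructed simulation that an administrator can use to reason about sizing before changing the policy. This is an added example, not Kaspersky's code; MIN_SAMPLE (how many events are seen before the per-type share is judged) and the exact accounting are assumptions, and the defaults are the ones the page states.

```python
from collections import Counter

# Constructed model of the synchronization and throttling behaviour described on this page.
# It is NOT Kaspersky's code: MIN_SAMPLE (the number of events seen before the per-type
# share is judged) and the exact accounting are assumptions made for illustration.
MIN_SAMPLE = 100


class TelemetryModel:
    """Simulates the KES event buffer, its sync triggers and request throttling."""

    def __init__(self, max_delay_s=30, max_events=1024,
                 throttling=False, max_per_hour=3000, max_type_pct=15):
        self.max_delay_s, self.max_events = max_delay_s, max_events
        self.throttling, self.max_per_hour, self.max_type_pct = throttling, max_per_hour, max_type_pct
        self.buffer, self.sent, self.dropped = [], [], 0   # sent = size of each sync package
        self.last_sync = self.hour_start = 0.0
        self.seen_total, self.seen_by_type = 0, Counter()

    def _over_limit(self, event_type):
        if self.seen_total > self.max_per_hour:          # events-per-hour limit exceeded
            return True
        share = 100 * self.seen_by_type[event_type] / self.seen_total
        return self.seen_total >= MIN_SAMPLE and share > self.max_type_pct  # one type dominates

    def observe(self, event_type, now):
        """Feed one event; returns True if it was queued, False if throttling dropped it."""
        if now - self.hour_start >= 3600:                # new hour: counters reset, sending resumes
            self.hour_start, self.seen_total, self.seen_by_type = now, 0, Counter()
        self.seen_total += 1
        self.seen_by_type[event_type] += 1
        if self.throttling and self._over_limit(event_type):
            self.dropped += 1
            return False
        self.buffer.append((now, event_type))
        if len(self.buffer) >= self.max_events:          # buffer full: sync immediately
            self.sync(now)
        return True

    def tick(self, now):
        """Timer check: sync once the maximum transmission delay has elapsed."""
        if self.buffer and now - self.last_sync >= self.max_delay_s:
            self.sync(now)

    def sync(self, now):
        self.sent.append(len(self.buffer))
        self.buffer, self.last_sync = [], now
```

Feeding a realistic mix of event types followed by a burst of one type shows at which point the percentage limit starts dropping that type, which is the figure to compare against the 3000 (workstation) and 60 000 (server) events-per-hour recommendations.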
How to configure telemetry in the Web Console
- In the main window of the Web Console, select the Assets (Devices) → Policies & profiles tab.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to Built-in Agents Configuration → Endpoint Detection and Response Expert (on-premise).
- To configure EDR (KATA), select Endpoint Detection and Response Expert (version 7.1 or earlier) from the list of solutions.
- Make sure that the Send telemetry to KATA servers check box is selected in the Data transmission settings block.
- Configure the Send sync request to server every (min) setting. This setting defines how often synchronization requests are sent to the server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks.
- Make sure the Send telemetry to KATA servers check box is selected.
- If necessary, configure the synchronization with the server settings in the Data transmission settings block:
- Maximum event transmission delay (sec). The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds.
- Maximum number of event packages. The application synchronizes with the server when the buffer is filled with events. The default setting is 1024 events.
- If necessary, select the Enable request throttling check box in the Request throttling block.
This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events.
- Configure optimization settings for sending events to the server:
- Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour.
- Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events is high enough again. The default setting is 15 %.
- Save your changes. To apply the policy on computers, close the padlocks.
How to configure telemetry exclusions in the Web Console
- In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to the KATA integration → Telemetry exclusions section.
- Under Data transmission settings, select the Use exclusions check box.
- Click Add and configure the exclusions:
Criteria are combined with the logical AND.
- Save your changes.
- In the Kaspersky Security Center Administration Console tree, select Tasks.
The list of tasks opens.
- Click New task.
The Task Wizard starts. Follow the instructions of the Wizard.
Step 1. Selecting task type
- Select Kaspersky Endpoint Security for Windows (12.12) → Update rollback.
Step 2. Selecting the devices to which the task will be assigned
Select the computers on which the task will be performed. The following options are available:
- Assign the task to an administration group. In this case, the task is assigned to computers included in a previously created administration group.
- Select computers detected by the Administration Server in the network (unassigned devices). The specific devices can include devices in administration groups as well as unassigned devices.
- Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP addresses, and IP subnets of devices to which you want to assign the task.
Step 3. Configuring a task start schedule
Configure the task schedule, for example, manually.
Step 4. Defining the task name
Enter a name for the task.
Step 7. Completing task creation
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor the progress of the task in the task properties.