Endpoint Detection and Response Expert (on-premise)

Kaspersky Endpoint Security for Windows supports integration with the Kaspersky Endpoint Detection and Response Expert (on-premise) solutions. Kaspersky Endpoint Detection and Response Expert (on-premise) is an enterprise cybersecurity solution that includes Kaspersky applications that allow an organization to defend against most types of cyber risks and cover the most important threat propagation scenarios. EDR Expert (on-premise) components are deployed on the Open Single Management Platform (OSMP). This platform runs cross-platform scenarios in a single interface and allows integrating Kaspersky applications with third-party applications into a comprehensive security system.

One of the central elements of the solution is SIEM. SIEM tracks events coming from all components and correlates these events with each other using vendor and user-defined rules. EDR Expert (on-premise) looks at logs and telemetry received from the corporate infrastructure to automatically detect attacks and allows investigating incidents using a unified investigation graph which combines all events collected in EDR Expert (on-premise), including events from Kaspersky applications and third-party information security products.

For response to advanced incidents, EDR Expert (on-premise) uses preset and user-defined scenarios. You can also use response actions from third-party applications and response scenarios that involve multiple applications.

Endpoint Detection and Response (KATA)

Kaspersky Endpoint Security for Windows supports working with the Kaspersky Endpoint Detection and Response component as part of the Kaspersky Anti Targeted Attack Platform (EDR (KATA)) solution. Kaspersky Anti Targeted Attack Platform is a solution designed for timely detection of sophisticated threats such as targeted attacks, advanced persistent threats (APT), zero-day attacks, and others. Kaspersky Anti Targeted Attack Platform includes three functional units:

Kaspersky Anti Targeted Attack Platform (KATA)
Kaspersky Endpoint Detection and Response (EDR (KATA))
Network Detection and Response (NDR (KATA))

You can purchase all functional units or individual functional units separately. For details about the solution, please refer to the Kaspersky Anti Targeted Attack Platform Help.

Kaspersky Endpoint Security is installed on individual computers on the corporate IT infrastructure and continuously monitors processes, open network connections, and files being modified. Information about events on the computer (telemetry data) is sent to the Kaspersky Anti Targeted Attack Platform server. In this case, Kaspersky Endpoint Security also sends information to the Kaspersky Anti Targeted Attack Platform server about threats discovered by the application as well as information about processing results for these threats.

The EDR (KATA) and NDR (KATA) integration is configured in the Kaspersky Security Center console. The built-in agent is then managed using the Kaspersky Anti Targeted Attack Platform console, including running tasks, managing quarantined objects, viewing reports, and other actions.

Endpoint Detection and Response Expert (on-premise) settings

Parameter	Description
Connection to telemetry collection servers	A telemetry collection server is a server that is part of a SIEM solution that collects, normalizes, correlates, analyzes, and stores information about events occurring on the computer. Configure the following to connect to the telemetry collection servers (KUMA): Timeout (sec). Maximum server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different server. Server certificate. TLS certificate for establishing a trusted connection with the server. You can get a TLS certificate on the Open Single Management Platform (see instructions in the Kaspersky Endpoint Detection and Response Expert (on-premise) Help). Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and the server. To use two-way authentication, you need to enable two-way authentication in the server settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container on the Open Single Management Platform (see instructions in the Kaspersky Endpoint Detection and Response Expert (on-premise) Help). After configuring the server settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container. The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.
Address and Port (telemetry collection servers)	Settings for connecting to telemetry collection servers. You can enter an IP address (IPv4 or IPv6). You can add multiple telemetry collection server addresses. Kaspersky Endpoint Security makes an attempt to connect to the server at the first IP address. If a connection cannot be established, Kaspersky Endpoint Security tries to connect at the second IP address in the list and so on.
Send telemetry to telemetry collection servers	This functionality lets you completely turn off the sending of telemetry to the KATA server. For example, if you are using Kaspersky Anti Targeted Attack Platform together with another solution which also uses telemetry, you can turn off telemetry sending for KATA (EDR). This lets you optimize server load for these solutions. If you have the Managed Detection and Response solution and KATA (EDR) deployed, you can use MDR telemetry and create Threat Response tasks in KATA (EDR). Send telemetry with IOA only. This allows optimizing telemetry and sending only telemetry with IOA. Indicator of Attack (IOA) is a rule that contains a description of suspicious behavior in the system that may indicate a targeted attack. The application compares ongoing behavior in the system with these rules and logs events that are indicative of a targeted attack. The application uses the streaming scan technology, which allows real time tracking of such events. Maximum event transmission delay (sec). The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds. Limit the number of event packets per transmission. The application synchronizes with the server when the buffer is filled with events. The default setting is 1024 events. This function allows disabling the buffering of events before synchronization with the server.
Enable request throttling	This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events. Configure telemetry settings: Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour. Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events becomes big enough again. The default setting is 15 %.
Send sync request to server every (min)	Frequency of synchronization requests sent to the server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks.
Connection to response servers	A response server is a server for receiving and scanning data, studying the behavior of objects, and publishing the results of such studies. Configure the following for the response servers connection: Timeout (sec). Maximum server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different server. Server certificate. TLS certificate for establishing a trusted connection with the server. You can get a TLS certificate on the Open Single Management Platform (see instructions in the Kaspersky Endpoint Detection and Response Expert (on-premise) Help). Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and the server. To use two-way authentication, you need to enable two-way authentication in the server settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container on the Open Single Management Platform (see instructions in the Kaspersky Endpoint Detection and Response Expert (on-premise) Help). After configuring the server settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container.
Address and Port (response servers)	Settings for connecting to response servers. You can enter an IP address (IPv4 or IPv6). You can add multiple telemetry collection server addresses. Kaspersky Endpoint Security makes an attempt to connect to the server at the first IP address. If a connection cannot be established, Kaspersky Endpoint Security tries to connect at the second IP address in the list and so on.

Endpoint Detection and Response (KATA) settings

Parameter	Description
Send sync request to server every (min)	Frequency of synchronization requests sent to the server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks.
Connection to KATA servers	Configure the following for the Central Node server connection: Timeout (sec). Maximum Central Node server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different Central Node server. Server certificate. TLS certificate for establishing a trusted connection with the Central Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and the Central Node server. To use two-way authentication, you need to enable two-way authentication in the Central Node server settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). After configuring the Central Node settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container. The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.
Address and Port (KATA servers)	Settings for connecting to Kaspersky Anti Targeted Attack Platform servers. Enter the Central Node server IP address (IPv4 or IPv6) and port to connect to the server. You can add multiple Central Node server addresses. Kaspersky Endpoint Security makes an attempt to connect to the server at the first IP address. If a connection cannot be established, Kaspersky Endpoint Security tries to connect at the second IP address in the list and so on.
Send telemetry to KATA	This functionality lets you completely turn off the sending of telemetry to the KATA server. For example, if you are using Kaspersky Anti Targeted Attack Platform together with another solution which also uses telemetry, you can turn off telemetry sending for KATA (EDR). This lets you optimize server load for these solutions. If you have the Managed Detection and Response solution and KATA (EDR) deployed, you can use MDR telemetry and create Threat Response tasks in KATA (EDR). Configure telemetry settings: Maximum event transmission delay (sec). The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds. Maximum number of event packages. The application synchronizes with the server when the buffer is filled with events. The default setting is 1024 events.
Enable request throttling	This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events. Configure telemetry settings: Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour. Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events becomes big enough again. The default setting is 15 %.