Configuring EDR Expert (on-premise) telemetry settings

Telemetry is a list of events that have occurred on the protected computer. Kaspersky Endpoint Security analyzes telemetry data and sends it to telemetry collection servers during synchronization. Telemetry events arrive on the server almost continuously. Kaspersky Endpoint Security initiates synchronization with the server when any of the following conditions are satisfied:

Therefore, by default, the application synchronizes every 30 seconds or whenever the buffer holds 1024 events. You can configure the synchronization behavior in the Kaspersky Endpoint Security policy and select optimum values to match your network load (see instructions below).

If there is no connection between Kaspersky Endpoint Security and the server, the application queues new events. When the connection is restored, Kaspersky Endpoint Security sends queued events to the server in proper order. To avoid overloading the server, Kaspersky Endpoint Security may skip some events. To do this, you can optimize the event transmission settings, for example, by setting a maximum events-per-hour value (see instructions below).

To configure telemetry settings, perform the following steps:

  1. In the main window of the Web Console, select the Assets (Devices) → Policies & profiles tab.
  2. Click the name of the Kaspersky Endpoint Security policy.

    The policy properties window opens.

  3. Select the Application settings tab.
  4. Go to Built-in Agents Configuration → Endpoint Detection and Response Expert (on-premise).
  5. To configure EDR Expert (on-premise), select Endpoint Detection and Response Expert (version 8.0 or later) from the list of solutions.
  6. Make sure that the Send telemetry to telemetry collection servers check box is selected in the Data transmission settings block.
  7. If necessary, select the Send telemetry with IOA only check box. An Indicator of Attack (IOA) is a rule that contains a description of suspicious behavior in the system that may indicate a targeted attack. The application compares ongoing behavior in the system with these rules and logs events that are indicative of a targeted attack. The application uses the streaming scan technology, which allows real-time tracking of such events.
  8. If necessary, configure the server synchronization settings in the Data transmission settings block:
    • Maximum event transmission delay (sec). The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds.
    • Maximum number of event packages. The application synchronizes with the server when the buffer is filled with events. The default setting is 1024 events.
  9. If necessary, select the Enable request throttling check box in the Request throttling block.

    This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events.

  10. Configure optimization settings for sending events to the server:
    • Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour.
    • Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events is high enough again. The default setting is 15 %.
  11. In the Connection to response servers block, enter a value for the Send sync request to server every (min) parameter.

    Frequency of synchronization requests sent to the server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks.

  12. Save your changes. To apply the policy on computers, close the padlocks (closed lock icon).
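
A sizing aid for the values in steps 8 to 10, added here as an example and not taken from Kaspersky: it replays an event stream against the transmission delay, buffer size, hourly limit and type-share percentage to show which sync trigger dominates and how much telemetry would go unsent. The function name `estimate`, the fixed one-hour window, the timer restart after a buffer-triggered sync and the event type names are assumptions of this simplified model, not the product's algorithm.

```python
from collections import Counter

def estimate(events, max_delay=30, max_buffer=1024, per_hour=3000, share_pct=15):
    """Replay (timestamp_sec, event_type) tuples, sorted by time, against the
    policy values. Simplified model (assumption), not the product's algorithm."""
    syncs, by_type = Counter(), Counter()
    buffered, last_sync = 0, events[0][0]
    hour_start, sent_this_hour, unsent = events[0][0], 0, 0
    for ts, etype in events:
        by_type[etype] += 1
        if ts - hour_start >= 3600:        # assumed: limit resets every hour
            hour_start, sent_this_hour = ts, 0
        if sent_this_hour >= per_hour:     # hourly limit hit: event is not sent
            unsent += 1
            continue
        sent_this_hour += 1
        elapsed = ts - last_sync
        if elapsed >= max_delay:           # transmission delay expired
            if buffered:
                syncs["delay"] += 1
            buffered = 0
            last_sync += max_delay * (elapsed // max_delay)
        buffered += 1
        if buffered >= max_buffer:         # buffer full
            syncs["buffer"] += 1
            buffered, last_sync = 0, ts    # assumed: timer restarts after a sync
    if buffered:                           # leftover goes out on the next timer
        syncs["delay"] += 1
    total = len(events)
    over_share = {t: round(100 * n / total, 1) for t, n in by_type.items()
                  if 100 * n / total > share_pct}
    return {"syncs": dict(syncs), "unsent_over_hourly_limit": unsent,
            "types_over_share": over_share}

# Constructed sample: a 50-second burst of 100 events per second on a server,
# 60 % of them registry changes (type names are made up for the example).
TYPES = ["registry"] * 6 + ["process", "network", "file", "dns"]
BURST = [(i // 100, TYPES[i % 10]) for i in range(5000)]

if __name__ == "__main__":
    print("default limit :", estimate(BURST))
    print("server limit  :", estimate(BURST, per_hour=60000))
```

With the default 3000 events per hour, the constructed burst leaves 2000 events unsent; with the server value of 60 000, none are withheld by the hourly limit.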