Integrating EDR Agent with KATA (EDR)

EDR Agent is installed on workstations and servers in the IT infrastructure of the organization. On these computers, EDR Agent continuously monitors processes, open network connections, and files being modified, and sends monitoring data to the EDR Expert (on-premise) server.

To integrate with EDR Expert (on-premise), you must enable the Endpoint Detection and Response Expert (on-premise) component and configure EDR Agent.

Integration with Endpoint Detection and Response Expert (on-premise) involves the following steps:

Activating Kaspersky Endpoint Detection and Response Expert (on-premise)
You need to purchase a separate license for EDR Expert (on-premise) (Kaspersky Endpoint Detection and Response Expert (on-premise) Add-on).

The functionality becomes available after adding a separate key for Kaspersky Endpoint Detection and Response Expert (on-premise). Licensing for the stand-alone Endpoint Detection and Response Expert (on-premise) functionality is the same as the licensing of Kaspersky Endpoint Security.

Make sure that the EDR Expert (on-premise) functionality is included in the license and is running in the local interface of the application.
Connecting to telemetry collection server and response server
Kaspersky Endpoint Detection and Response Expert (on-premise) requires a trusted connection between Kaspersky Endpoint Security and two servers:
- A telemetry collection server is a server that is part of a SIEM solution that collects, normalizes, correlates, analyzes, and stores information about events occurring on the computer.
- A response server is a server for receiving and scanning data, studying the behavior of objects, and publishing the results of such studies.
To configure a trusted connection, you must use a TLS certificate. You can get a TLS certificate on the Open Single Management Platform (see instructions in the Kaspersky Endpoint Detection and Response Expert (on-premise) Help). Then you must add the TLS certificate to Kaspersky Endpoint Security (see instructions below).

By default, Kaspersky Endpoint Security only checks the TLS certificate of the servers. To make the connection more secure, you can additionally enable the verification of the computer on the server (two-way authentication). To enable this verification, you must turn on two-way authentication in the server and Kaspersky Endpoint Security settings. To use two-way authentication, you will also need a crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container on the Open Single Management Platform (see instructions in the Kaspersky Endpoint Detection and Response Expert (on-premise) Help).

How to connect a Kaspersky Endpoint Security computer to EDR Expert (on-premise) using the Web Console
1. In the main window of the Web Console, select the Assets (Devices) → Policies & profiles tab.
2. Click the name of the Kaspersky Endpoint Security policy.
  The policy properties window opens.
3. Select the Application settings tab.
4. Go to Built-in Agents Configuration → Endpoint Detection and Response Expert (on-premise).
5. Turn on the Endpoint Detection and Response Expert (on-premise) ENABLED toggle.
6. To configure EDR Expert (on-premise), select Endpoint Detection and Response Expert (version 8.0 or later) from the list of solutions.
7. Configure the telemetry collection servers connection:
  1. In the Connection to telemetry collection servers block, click the Connection settings link.
  2. Configure the telemetry collection servers connection:
    - Timeout (sec). Maximum server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different server.
    - Server certificate. TLS certificate for establishing a trusted connection with the server. You can get a TLS certificate on the Open Single Management Platform (see instructions in the Kaspersky Endpoint Detection and Response Expert (on-premise) Help).
    - Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and the server. To use two-way authentication, you need to enable two-way authentication in the server settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container on the Open Single Management Platform (see instructions in the Kaspersky Endpoint Detection and Response Expert (on-premise) Help). After configuring the server settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container.
      The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.
  3. Click OK.
  4. Add telemetry collection servers. To do this, specify the server address (IPv4, IPv6) and the port to connect to the server.
    You can add multiple telemetry collection server addresses. Kaspersky Endpoint Security makes an attempt to connect to the server at the first IP address. If a connection cannot be established, Kaspersky Endpoint Security tries to connect at the second IP address in the list and so on.
  5. If necessary, configure telemetry.
8. Configure the response servers connection:
  1. In the Connection to response servers block, configure the Send sync request to server every (min) setting. Frequency of synchronization requests sent to the server. During the synchronization, Kaspersky Endpoint Security receives threat response tasks and sends task results.
  2. Click the Connection settings link.
  3. Configure the response servers connection:
    - Timeout (sec). Maximum server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different server.
    - Server certificate. TLS certificate for establishing a trusted connection with the server. You can get a TLS certificate on the Open Single Management Platform (see instructions in the Kaspersky Endpoint Detection and Response Expert (on-premise) Help).
    - Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and the server. To use two-way authentication, you need to enable two-way authentication in the server settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container on the Open Single Management Platform (see instructions in the Kaspersky Endpoint Detection and Response Expert (on-premise) Help). After configuring the server settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container.
      The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.
  4. Click OK.
  5. Add response servers. To do this, specify the server address (IPv4, IPv6) and the port to connect to the server.
    You can add multiple response server addresses. Kaspersky Endpoint Security makes an attempt to connect to the server at the first IP address. If a connection cannot be established, Kaspersky Endpoint Security tries to connect at the second IP address in the list and so on.
9. Save your changes. To apply the policy on computers, close the padlocks .
As a result, the computer is added on the Open Single Management Platform (OSMP). Check the operating status of the component by viewing the Report on status of application components. You can also view the operating status of a component in reports in the local interface of Kaspersky Endpoint Security. The Endpoint Detection and Response Expert (on-premise) component will be added to the list of Kaspersky Endpoint Security components.

Page top