Integration of the built-in agent with EDR / NDR (KATA)

For integration with EDR / NDR (KATA), you must add the relevant component: Endpoint Detection and Response (KATA) or Network Detection and Response (KATA). You can select components for integration with EDR / NDR (KATA) when installing or upgrading the application, as well as using the Change application components task.

EDR Optimum, EDR Expert and EDR (KATA) components are not compatible with each other.

To use EDR / NDR (KATA), the following conditions must be met:

• EDR (KATA): Kaspersky Anti Targeted Attack Platform version 5.0 or higher.
• NDR (KATA): Kaspersky Anti Targeted Attack Platform version 6.0 or higher.
• Kaspersky Security Center version 14.2 or higher. In earlier versions of Kaspersky Security Center, it is impossible to activate the EDR / NDR (KATA) functionality.
• The application is activated and the functionality is covered by the license.
• The Endpoint Detection and Response (KATA) and Network Detection and Response (KATA) components are enabled.
• Application components that ensure the operation of EDR / NDR (KATA) are enabled and operational. The following components ensure the operation of EDR / NDR (KATA):
  • File Threat Protection.
  • Web Threat Protection.
  • Mail Threat Protection.
  • Exploit Prevention.
  • Behavior Detection.
  • Host Intrusion Prevention.
  • AMSI Protection.
  • Background scan.
  • Kaspersky Security Network.

Integration with Endpoint Detection and Response (KATA) involves the following steps:

1. Installing the Endpoint Detection and Response (KATA) and Network Detection and Response (KATA) components

   You can select EDR (KATA) and NDR (KATA) components during installation or upgrade, as well as using the Change application components task.

   You must restart your computer to finish upgrading the application with the new components.

2. Activating Endpoint Detection and Response (KATA) and Network Detection and Response (KATA)

   You need to purchase a separate license for EDR (KATA) and NDR (KATA) (for example, Kaspersky Endpoint Detection and Response (KATA) Add-on).

   The functionality becomes available after adding a separate key that covers EDR (KATA) and NDR (KATA) functionality. As a result, multiple keys are added on the computer: a key for Kaspersky Endpoint Security and keys for Kaspersky Endpoint Detection and Response (KATA) and Network Detection and Response (KATA).

   Licensing for the stand-alone EDR (KATA) and NDR (KATA) functionality is the same as the licensing of Kaspersky Endpoint Security.

   Make sure that both the EDR (KATA) and the NDR (KATA) functionality is included in the license and is running in the local interface of the application.

3. Connecting to Central Node

   Kaspersky Anti Targeted Attack Platform requires establishing a trusted connection between Kaspersky Endpoint Security and the Central Node component. To configure a trusted connection, you must use a TLS certificate. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). Then you must add the TLS certificate to Kaspersky Endpoint Security (see instructions below).

   

   Adding a TLS certificate to Kaspersky Endpoint Security

   By default, Kaspersky Endpoint Security only checks the TLS certificate of Central Node. To make the connection more secure, you can additionally enable the verification of the computer on Central Node (two-way authentication). To enable this verification, you must turn on two-way authentication in Central Node and Kaspersky Endpoint Security settings. To use two-way authentication, you will also need a crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).

   How to connect a Kaspersky Endpoint Security computer to Central Node using the Administration Console (MMC)

   1. Open the Kaspersky Security Center Administration Console.
   2. In the console tree, select Policies.
   3. Select the necessary policy and double-click to open the policy properties.
   4. In the policy window, select Detection and Response and select the component that you want to configure: Endpoint Detection and Response (KATA) or Network Detection and Response (KATA).
   5. Select the corresponding check box: Endpoint Detection and Response (KATA) or Network Detection and Response (KATA).
   6. Click Settings for connecting to KATA servers.
   7. Configure the server connection:
      • Timeout (sec). Maximum Central Node server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different Central Node server.
      • Server TLS certificate. TLS certificate for establishing a trusted connection with the Central Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).
      • Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and Central Node. To use two-way authentication, you need to enable two-way authentication in the Central Node settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). After configuring the Central Node settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container.

        The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.

   8. Click OK.
   9. Add Central Node servers. To do this, specify the server address (IPv4, IPv6) and the port to connect to the server.
   10. If necessary, configure telemetry.
   11. Save your changes.

   How to connect a Kaspersky Endpoint Security computer to Central Node using the Web Console

   1. In the main window of the Web Console, select Devices → Policies & profiles.
   2. Click the name of the Kaspersky Endpoint Security policy.

      The policy properties window opens.

   3. Select the Application settings tab.
   4. Go to the Detection and Response section and select the component that you want to configure: Endpoint Detection and Response (KATA) or Network Detection and Response (KATA).
   5. Turn on the corresponding toggle switch: Endpoint Detection and Response (KATA) ENABLED or Network Detection and Response (KATA) ENABLED.
   6. Click Settings for connecting to KATA servers.
   7. Configure the server connection:
      • Timeout (sec). Maximum Central Node server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different Central Node server.
      • Server TLS certificate. TLS certificate for establishing a trusted connection with the Central Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).
      • Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and Central Node. To use two-way authentication, you need to enable two-way authentication in the Central Node settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). After configuring the Central Node settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container.

        The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.

   8. Click OK.
   9. Add Central Node servers. To do this, specify the server address (IPv4, IPv6) and the port to connect to the server.
   10. If necessary, configure telemetry.
   11. Save your changes.

   You can also add a TLS certificate locally using the command line.

   As a result, the computer is added on the Kaspersky Anti Targeted Attack Platform console. Check the operating status of components by viewing the Application components status report. You can also view the operating status of components in reports in the local interface of Kaspersky Endpoint Security. Endpoint Detection and Response (KATA) and Network Detection and Response (KATA) components will be added to the list of Kaspersky Endpoint Security components.

   Starting with Kaspersky Endpoint Security 12.6 for Windows, you can monitor the status of EDR (KATA) component in Kaspersky Security Center Administration Console (MMC). The current status of the component is displayed in computer properties in the Endpoint Sensor status column (Running, Starting, Stopped, Paused, Failed, No data from device). The Web Console does not display the status of the Endpoint Sensor.

Page top