Network Detection and Response (KATA)

Kaspersky Endpoint Security for Windows supports working with the Kaspersky Endpoint Detection and Response component as part of the Kaspersky Anti Targeted Attack Platform (EDR (KATA)) solution. Kaspersky Anti Targeted Attack Platform is a solution designed for timely detection of sophisticated threats such as targeted attacks, advanced persistent threats (APT), zero-day attacks, and others. Kaspersky Anti Targeted Attack Platform includes three functional units:

You can purchase all functional units or individual functional units separately. For details about the solution, please refer to the Kaspersky Anti Targeted Attack Platform Help.

Kaspersky Endpoint Security is installed on individual computers on the corporate IT infrastructure and continuously monitors processes, open network connections, and files being modified. Information about events on the computer (telemetry data) is sent to the Kaspersky Anti Targeted Attack Platform server. In this case, Kaspersky Endpoint Security also sends information to the Kaspersky Anti Targeted Attack Platform server about threats discovered by the application as well as information about processing results for these threats.

The EDR (KATA) and NDR (KATA) integration is configured in the Kaspersky Security Center console. The built-in agent is then managed using the Kaspersky Anti Targeted Attack Platform console, including running tasks, managing quarantined objects, viewing reports, and other actions.

Network Detection and Response (KATA) parameters

Parameter

Description

Server connection settings

Timeout. Maximum Central Node server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different Central Node server.

Server TLS certificate. TLS certificate for establishing a trusted connection with the Central Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).

Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and Central Node. To use two-way authentication, you need to enable two-way authentication in the Central Node settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). After configuring the Central Node settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container.

The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.

Address and Port

Kaspersky Anti Targeted Attack Platform servers connection settings. You can enter an IP address (IPv4 or IPv6).

Send sync request to NDR server every (min)

Frequency of synchronization requests sent to the server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks.

Maximum events transmission delay (sec)

The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds.

Enable request throttling

This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events.

Maximum number of events per hour

The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour.

Percentage of event limit excess

The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events becomes big enough again. The default setting is 15 %.

Page top