Kaspersky Endpoint Security 11 for Linux

Kaspersky Endpoint Detection and Response (KATA) Integration

December 12, 2023

ID 246827

Kaspersky Endpoint Detection and Response (KATA) (EDR (KATA)) is a component of the Kaspersky Anti Targeted Attack Platform solution, which is designed to protect the IT infrastructure of organizations and promptly detect threats, such as zero-day attacks, targeted attacks, and advanced persistent threats (APT). To read more, check out the Kaspersky Anti Targeted Attack Platform Help.

When interacting with EDR (KATA), Kaspersky Endpoint Security may send data about events on devices (telemetry) to the Kaspersky Anti Targeted Attack Platform server with the Central Node component ("KATA server") and execute commands from Kaspersky Anti Targeted Attack Platform intended to provide security.

This feature is not supported in the KESL container.

Management of integration settings with EDR (KATA) via Kaspersky Security Center Cloud Console is not supported.

To integrate with EDR (KATA), the Behavior Detection component must be enabled.

Integration of Kaspersky Endpoint Security with EDR (KATA) is only possible if this component is enabled. Otherwise, the required telemetry data cannot be transmitted.

EDR (KATA) can also use data received from the following components:

  • File Threat Protection.
  • Network Threat Protection.
  • Web Threat Protection.

During integration with EDR (KATA), devices with Kaspersky Endpoint Security establish secure connections to the KATA server via the HTTPS protocol. To ensure a secure connection, the following certificates issued by the KATA server are used:

  • KATA server certificate. The connection is encrypted using the server's TLS certificate. You can elevate the security of the connection by verifying the server certificate on the Kaspersky Endpoint Security side. You need to add the server certificate when configuring integration settings.
  • Client certificate. This certificate is used for additional protection of the connection using two-way authentication (between devices with Kaspersky Endpoint Security and the KATA server). The same client certificate can be used by multiple devices. By default, the KATA server does not validate client certificates, but validation can be enabled on the KATA server side. In this case, you need to enable two-way authentication and add the client certificate in the integration settings (a cryptocontainer with the certificate and private key).

Certificates for securing the connection to the KATA server are provided by the Kaspersky Anti Targeted Attack Platform administrator.

A proxy server is used to connect to the KATA server if use of a proxy server is configured in the general application settings of Kaspersky Endpoint Security.

Kaspersky Endpoint Detection and Response (KATA) integration settings

Integration with Endpoint Detection and Response (KATA) enabled / disabled
  Enables or disables integration of Kaspersky Endpoint Security with EDR (KATA).
  Integration is disabled by default.

Server connection settings
  Clicking the Configure button in the block opens a window where you can configure general settings for connecting to KATA servers, add a server certificate, and configure two-way authentication when connecting to KATA servers.

KATA servers
  The table contains the list of KATA servers to which a connection is configured.
  The Add button opens a window where you can configure the connection to a KATA server.
  You can use the buttons above the table to edit and remove previously configured connection settings.

Maximum delay when sending events (sec)
  The maximum delay, in seconds, before events are sent to the KATA server.
  The default value is 30.

Enable event throttling
  Enables or disables regulating the number of events sent to the KATA server.

Maximum number of events per hour
  The maximum number of events sent to the KATA server per hour.
  The default value is 3000.

Event throttle threshold (percentage)
  Sending events is limited if the ratio of events of one type (for example, events about registry changes) to the total number of events exceeds the set threshold (as a percentage).
  The default value is 15.
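The two throttle limits above, as an added simplified model (this is not Kaspersky's implementation; the per-hour counter reset, the 100-event minimum sample before the ratio check applies, and the sample event stream are assumptions made for the illustration):

```python
from collections import Counter, defaultdict


class EventThrottle:
    """Model of an hourly event cap plus a per-type share threshold (assumed semantics)."""

    def __init__(self, max_per_hour=3000, threshold_pct=15.0, min_sample=100):
        self.max_per_hour = max_per_hour      # page default: 3000 events per hour
        self.threshold_pct = threshold_pct    # page default: 15 percent of all events
        self.min_sample = min_sample          # assumption: ratio check starts after this many events
        self._hour = None
        self._reset()

    def _reset(self):
        self._sent_total = 0
        self._seen_total = 0
        self._seen_by_type = Counter()

    def accept(self, ts, event_type):
        """Return True if the event would be sent, False if throttled."""
        hour = int(ts // 3600)
        if hour != self._hour:                # assumption: counters reset on each new hour
            self._hour = hour
            self._reset()
        self._seen_total += 1
        self._seen_by_type[event_type] += 1
        if self._sent_total >= self.max_per_hour:
            return False                      # hourly cap reached
        if self._seen_total >= self.min_sample:
            share = 100.0 * self._seen_by_type[event_type] / self._seen_total
            if share > self.threshold_pct:
                return False                  # one type dominates the stream
        self._sent_total += 1
        return True


def summarize(throttle, events):
    """Map each event type to (sent, dropped) counts for a stream of (timestamp, type) pairs."""
    stats = defaultdict(lambda: [0, 0])
    for ts, etype in events:
        stats[etype][0 if throttle.accept(ts, etype) else 1] += 1
    return {etype: tuple(counts) for etype, counts in stats.items()}


# Constructed sample: a burst of 200 registry-change events, then 900 events over nine other types.
BURST = [(i, "registry_change") for i in range(200)]
MIXED = [(200 + i, f"type_{i % 9}") for i in range(900)]
SAMPLE = BURST + MIXED

if __name__ == "__main__":
    for etype, (sent, dropped) in summarize(EventThrottle(), SAMPLE).items():
        print(f"{etype:16s} sent={sent:4d} dropped={dropped:4d}")
```

Running it shows the burst type being throttled once it exceeds the share threshold while the remaining types pass untouched, which is the visibility trade-off a defender should keep in mind when a single noisy event source floods telemetry.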
