Endpoint Detection and Response (KATA)
Kaspersky Endpoint Security for Windows supports working with the Kaspersky Endpoint Detection and Response component as part of the Kaspersky Anti Targeted Attack Platform (EDR (KATA)) solution. Kaspersky Anti Targeted Attack Platform is a solution designed for timely detection of sophisticated threats such as targeted attacks, advanced persistent threats (APT), zero-day attacks, and others. Kaspersky Anti Targeted Attack Platform includes three functional units:
You can purchase all functional units or individual functional units separately. For details about the solution, please refer to the Kaspersky Anti Targeted Attack Platform Help.
Kaspersky Endpoint Security is installed on individual computers on the corporate IT infrastructure and continuously monitors processes, open network connections, and files being modified. Information about events on the computer (telemetry data) is sent to the Kaspersky Anti Targeted Attack Platform server. In this case, Kaspersky Endpoint Security also sends information to the Kaspersky Anti Targeted Attack Platform server about threats discovered by the application as well as information about processing results for these threats.
The EDR (KATA) and NDR (KATA) integration is configured in the Kaspersky Security Center console. The built-in agent is then managed using the Kaspersky Anti Targeted Attack Platform console, including running tasks, managing quarantined objects, viewing reports, and other actions.
Endpoint Detection and Response Expert (on-premise)
Kaspersky Endpoint Security integration with the Kaspersky Endpoint Detection and Response Expert (on-premise) solution will be available soon. Kaspersky Endpoint Detection and Response Expert (on-premise) is an enterprise cybersecurity solution that includes Kaspersky applications that allow an organization to defend against most types of cyber risks and cover the most important threat propagation scenarios. EDR Expert (on-premise) components are deployed on the Open Single Management Platform (OSMP). This functionality is planned to be supported by the end of 2025. Keep track of our Release Notes to be aware of application upgrades and new features.
Endpoint Detection and Response Expert (on-premise) settings
Parameter |
Description |
|---|---|
Connection to KATA servers / Connection to telemetry collection servers |
Configure the following for the KATA server connection:
The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password. |
KATA servers / Telemetry collection servers |
Kaspersky Anti Targeted Attack Platform servers connection settings. You can enter an IP address (IPv4 or IPv6). You can add multiple Central Node server addresses. Kaspersky Endpoint Security makes an attempt to connect to the server at the first IP address. If a connection cannot be established, Kaspersky Endpoint Security tries to connect at the second IP address in the list and so on. |
Send sync request to KATA server every (min) |
Frequency of synchronization requests sent to the server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks. |
Send telemetry to KATA / Send telemetry to telemetry collection servers |
This functionality lets you completely turn off the sending of telemetry to the KATA server. For example, if you are using Kaspersky Anti Targeted Attack Platform together with another solution which also uses telemetry, you can turn off telemetry for KATA (EDR). This lets you optimize server load for these solutions. If you have the Managed Detection and Response solution and KATA (EDR) deployed, you can use MDR telemetry and create Threat Response tasks in KATA (EDR). |
Send telemetry with IOA only (available only for Endpoint Detection and Response (KATA)) |
This allows optimizing telemetry and sending only telemetry with IOA. Indicator of Attack (IOA) is a rule that contains a description of suspicious behavior in the system that may indicate a targeted attack. The application compares ongoing behavior in the system with these rules and logs events that are indicative of a targeted attack. The application uses the streaming scan technology, which allows real time tracking of such events. |
Maximum events transmission delay (sec) |
The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds. |
Enable throttling |
This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events. |
Maximum number of events per hour |
The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour. |
Percentage of event limit excess |
The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events becomes big enough again. The default setting is 15 %. |