EDR Agent is installed on workstations and servers in the IT infrastructure of the organization. On these computers, EDR Agent continuously monitors processes, open network connections, and files being modified, and sends monitoring data to the server with the Central Node component.
To integrate with EDR (KATA), you must enable the Endpoint Detection and Response (KATA) component and configure EDR Agent.
The following conditions must be fulfilled for Endpoint Detection and Response (KATA) to work:
Kaspersky Anti Targeted Attack Platform version 5.0 or higher.
Kaspersky Security Center version 14.2 or higher. In earlier versions of Kaspersky Security Center, it is impossible to activate the Endpoint Detection and Response (KATA) feature.
Integration with Endpoint Detection and Response (KATA) involves the following steps:
Activating Endpoint Detection and Response (KATA)
You need to purchase a separate license for EDR (KATA) (Kaspersky Endpoint Detection and Response (KATA) Add-on).
The functionality becomes available after adding a separate key for Kaspersky Endpoint Detection and Response (KATA). Licensing for the stand-alone Endpoint Detection and Response (KATA) functionality is the same as the licensing of Kaspersky Endpoint Security.
Kaspersky Anti Targeted Attack Platform requires establishing a trusted connection between Kaspersky Endpoint Security and the Central Node component. To configure a trusted connection, you must use a TLS certificate. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). Then you must add the TLS certificate to Kaspersky Endpoint Security (see instructions below).
Adding a TLS certificate to Kaspersky Endpoint Security
By default, Kaspersky Endpoint Security only checks the TLS certificate of Central Node. To make the connection more secure, you can additionally enable the verification of the computer on Central Node (two-way authentication). To enable this verification, you must turn on two-way authentication in Central Node and Kaspersky Endpoint Security settings. To use two-way authentication, you will also need a crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).
In the main window of the Web Console, select the Assets (Devices) → Policies & profiles tab.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to the Detection and Response section and select the component that you want to configure: Endpoint Detection and Response Expert (on-premise) or Network Detection and Response (KATA).
Select the corresponding check box: Endpoint Detection and Response Expert (on-premise) or Network Detection and Response (KATA).
Click Connection settings.
Configure the server connection:
Timeout (sec). Maximum Central Node server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different Central Node server.
Server certificate. TLS certificate for establishing a trusted connection with the Central Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).
Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and the Central Node server. To use two-way authentication, you need to enable two-way authentication in the Central Node server settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). After configuring the Central Node settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container.
The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.
Click OK.
Add Central Node servers. To do this, specify the server address (IPv4, IPv6) and the port to connect to the server.
You can add multiple Central Node server addresses for EDR (KATA). Kaspersky Endpoint Security makes an attempt to connect to the server at the first IP address. If a connection cannot be established, Kaspersky Endpoint Security tries to connect at the second IP address in the list and so on.
In the main window of the Web Console, select the Assets (Devices) → Policies & profiles tab.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to the Built-in Agents Configuration section and select the component that you want to configure: Endpoint Detection and Response Expert (on-premise) or Network Detection and Response (KATA).
Turn on the corresponding toggle switch: Endpoint Detection and Response Expert (on-premise) ENABLED or Network Detection and Response (KATA) ENABLED.
To configure EDR (KATA), select Endpoint Detection and Response (KATA) from the list of solutions.
Click Connection settings.
Configure the server connection:
Timeout (sec). Maximum Central Node server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different Central Node server.
Server certificate. TLS certificate for establishing a trusted connection with the Central Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).
Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and the Central Node server. To use two-way authentication, you need to enable two-way authentication in the Central Node server settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). After configuring the Central Node settings, you need to also enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container.
The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.
Click OK.
Add Central Node servers. To do this, specify the server address (IPv4, IPv6) and the port to connect to the server.
You can add multiple Central Node server addresses for EDR (KATA). Kaspersky Endpoint Security makes an attempt to connect to the server at the first IP address. If a connection cannot be established, Kaspersky Endpoint Security tries to connect at the second IP address in the list and so on.
Save your changes. To apply the policy on computers, close the padlocks.
As a result, the computer is added on the Kaspersky Anti Targeted Attack Platform console. Check the operating status of the component by viewing the Report on status of application components. You can also view the operating status of a component in reports in the local interface of Kaspersky Endpoint Security. The Endpoint Detection and Response Expert (on-premise) component will be added to the list of Kaspersky Endpoint Security components.
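Before the policy is applied, you can check from an endpoint that each Central Node address in the list answers within the timeout and presents the certificate that was loaded as Server certificate. The following script is an added example and is not part of Kaspersky Endpoint Security. The addresses, port 443, and all function names are placeholders, and it assumes that Central Node presents exactly the certificate exported from the Kaspersky Anti Targeted Attack Platform console.

```python
import hashlib
import socket
import ssl

# Constructed sample list (documentation addresses, placeholder port), in policy order.
SAMPLE_SERVERS = ["192.0.2.10:443", "[2001:db8::20]:443"]

def parse_endpoint(text):
    """Split 'ipv4:port' or '[ipv6]:port' into (host, port)."""
    host, sep, port = text.strip().rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"missing or invalid port in {text!r}")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    elif ":" in host:
        raise ValueError(f"IPv6 address must be in brackets: {text!r}")
    if not host:
        raise ValueError(f"missing address in {text!r}")
    return host, int(port)

def pem_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the PEM certificate exported from the console."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()

def probe_certificate(host, port, timeout):
    """Connect over TLS and return the SHA-256 of the certificate the server presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # trust is decided by the comparison in check_servers
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def check_servers(endpoints, pinned_pem, timeout=5.0, probe_fn=probe_certificate):
    """Check every address in list order so a dead fallback is found before it is needed."""
    expected = pem_fingerprint(pinned_pem)
    report = []
    for entry in endpoints:
        host, port = parse_endpoint(entry)
        try:
            seen = probe_fn(host, port, timeout)
            state = "ok" if seen == expected else "certificate mismatch"
        except OSError as exc:  # covers timeouts, refused connections and TLS errors
            state = f"unreachable: {exc.__class__.__name__}"
        report.append((entry, state))
    return report
```

A "certificate mismatch" entry means the address answered but with a different certificate than the one in the policy, so the trusted connection to that server would not be established as configured.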