By default, Kaspersky Endpoint Security sends a limited set of Windows log events to KUMA. To improve performance and optimize data transmission to the KUMA server, you can manually add or exclude individual events from telemetry. For example, you can exclude Sysmon events.
Open the Kaspersky Security Center Administration Console.
In the console tree, select Policies.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select General settings → Exclusions and object types.
In the Scan exclusions and trusted applications → KUMA telemetry block, click the Settings button.
In the window that is displayed, configure filters for the events to be sent to KUMA.
You can configure event filtering for the standard Application, Security, and System logs, or manually add another log.
Click Add or open log properties.
Select an event sending mode:
Send all events. In this mode, the application sends all events from the Windows log except events added to exclusion rules.
Send only selected events. In this mode, the application sends only events added in inclusion rules.
Create lists of exclusion rules or inclusion rules for the relevant event sending mode.
To add rules, you need to specify the ID of the event in the Windows event log. You can list multiple event IDs in a rule. To specify multiple event IDs, use the comma character (",").
Save your changes. To apply the policy on computers, close the padlocks.
In the main window of the Web Console, select the Assets (Devices) → Policies & profiles tab.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to General Settings → Telemetry Settings.
Select the KUMA telemetry tab.
In the window that is displayed, configure filters for the events to be sent to KUMA.
You can configure event filtering for the standard Application, Security, and System logs, or manually add another log.
Click Add or open log properties.
Select an event sending mode:
Send all events. In this mode, the application sends all events from the Windows log except events added to exclusion rules.
Send only selected events. In this mode, the application sends only events added in inclusion rules.
Create lists of exclusion rules or inclusion rules for the relevant event sending mode.
To add rules, you need to specify the ID of the event in the Windows event log. You can list multiple event IDs in a rule. To specify multiple event IDs, use the comma character (",").
Save your changes. To apply the policy on computers, close the padlocks.
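Before writing exclusion or inclusion rules in either console, it helps to measure which event IDs a log actually produces on a representative computer. The PowerShell script below is an added example, not part of the Kaspersky documentation; its parameter names, defaults and the keep-list of Security event IDs are assumptions chosen for illustration.

```powershell
# Added example: rank event IDs in one Windows log by volume and print a
# comma-separated list in the format the exclusion rule field expects.
# $LogName, $Hours, $Top and $AlwaysKeep are illustrative assumptions.
param(
    [string]$LogName = 'Security',   # e.g. 'Microsoft-Windows-Sysmon/Operational'
    [int]$Hours = 24,                # look-back window
    [int]$Top = 10,                  # how many of the noisiest IDs to report
    # IDs never proposed for exclusion: logon, failed logon,
    # process creation, audit log cleared.
    [int[]]$AlwaysKeep = @(4624, 4625, 4688, 1102)
)

$since = (Get-Date).AddHours(-$Hours)

try {
    # Reading the Security log requires an elevated session.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } -ErrorAction Stop)
} catch {
    # Also reached when the log exists but holds no events in the window.
    Write-Warning "Could not read '$LogName': $($_.Exception.Message)"
    return
}

$total = $events.Count
$byId  = $events | Group-Object -Property Id | Sort-Object -Property Count -Descending
$noisy = $byId | Select-Object -First $Top

# Volume table: share of the log per event ID, with keep-list entries flagged.
$noisy |
    Select-Object @{ n = 'EventId'; e = { [int]$_.Name } },
                  Count,
                  @{ n = 'Percent'; e = { [math]::Round(100 * $_.Count / $total, 1) } },
                  @{ n = 'Keep';    e = { $AlwaysKeep -contains [int]$_.Name } } |
    Format-Table -AutoSize

# Candidates: the noisiest IDs minus anything on the keep-list.
$candidates = $noisy |
    Where-Object { $AlwaysKeep -notcontains [int]$_.Name } |
    ForEach-Object { $_.Name }

"Exclusion rule candidates for ${LogName}: " + ($candidates -join ',')
```

Review each candidate ID against your detection rules in KUMA before excluding it, since an excluded event is no longer available for correlation.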