EDR telemetry exclusions

EDR telemetry exclusions

To improve performance and optimize data transmission to the Telemetry server, you can configure telemetry exclusions. For example, you can choose not to send network communications data for individual applications.

Creating EDR telemetry exclusions in the Kaspersky Security Center Administration Console

Creating EDR telemetry exclusions in the Kaspersky Security Center Web Console

Creating EDR telemetry exclusions in the Application Console

Telemetry exclusion parameters

Parameter	Description
Excluded processes	Optimize the telemetry size to send. Kaspersky Industrial CyberSecurity for Nodes allows optimizing the amount of transmitted data and excluding events with certain codes from telemetry: code 102 (basic communications) and 8 (network activity of the process) for the Microsoft SMB protocol, the WinRM service, and the klnagent.exe process of the Network Agent, as well as extended information about the types of network packets for all types of network protocols. Kaspersky Industrial CyberSecurity for Nodes combines rule triggering criteria with a logical AND. Process details and Parent process details: Full path. Full path to the file including its name and extension. Kaspersky Industrial CyberSecurity for Nodes supports environment variables and the `*` and `?` characters when entering a mask: Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays parameters of the `C:\windows\syswow64\cmd.exe` file. Such behavior is dictated by peculiarities of the operating system. Use for the following event types: File modification. Network events. Process: console interactive input. Module loaded. Registry modified. DNS logs. Process access. Code injection. WMI query. Pipe. LDAP. AMSI.
Excluded network communications	Rule name. Name of the rule. Direction. Incoming or outgoing events. Protocol. Protocol type. Raw socket. Whether to use a raw socket. Protocol number. Protocol number. TLS certificate. Digital certificate that is used to encrypt the connection between the client and the server using the TLS protocol. Local port or range. Specific port or a range of possible local ports. Remote port or range. Specific port or a range of possible remote ports. Local address. The network address of the computer for which Kaspersky Industrial CyberSecurity for Nodes is excluding telemetry from network traffic. Remote address. The network address of the computer for which Kaspersky Industrial CyberSecurity for Nodes is excluding telemetry from network traffic. Only the IPv4 format is supported for IP addresses. Applications. List of executable files of applications for which Kaspersky Industrial CyberSecurity for Nodes is excluding EDR telemetry from network traffic.
Excluded file operations	Rule name. Name of the rule. File name or mask. Name or mask of a file or folder; Kaspersky Industrial CyberSecurity for Nodes applies the exclusion rule when this file or folder is accessed. Kaspersky Industrial CyberSecurity for Nodes supports the `` and `?` characters when entering a mask: Operation type. Type of file operations, for example, create file or edit file attributes. Previous path. Previous path to the file. Kaspersky Industrial CyberSecurity for Nodes combines rule triggering criteria with a logical AND. Process details and Parent process details: Full path. Full path to the file including its name and extension. Kaspersky Industrial CyberSecurity for Nodes supports environment variables and the `` and `?` characters when entering a mask: Command line text. Command used to run the file. Parent path. Path to the folder containing the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays parameters of the `C:\windows\syswow64\cmd.exe` file. Such behavior is dictated by peculiarities of the operating system.
Excluded DNS operations	Rule name. Name of the rule. Kaspersky Industrial CyberSecurity for Nodes combines rule triggering criteria with a logical AND. Process details and Parent process details: Full path. Full path to the file including its name and extension. Kaspersky Industrial CyberSecurity for Nodes supports environment variables and the `*` and `?` characters when entering a mask: Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays parameters of the `C:\windows\syswow64\cmd.exe` file. Such behavior is dictated by peculiarities of the operating system. DNS: DNS server IP address. Address of the server that processes DNS queries. Query options. Parameters that regulate the format and condition of the DNS query. Status. Current status of the DNS operation. Domain name. Domain name for which the query is being processed. Settings type ID. Unique ID of the DNS settings type. Response data. Data returned by the server in response to the DNS query.
Excluded LDAP operations	Rule name. Name of the rule. LDAP search scope. Scope in which the LDAP search is being performed. Filter. Search criteria for filtering LDAP objects. Distinguished name for LDAP objects search. Unique name of the object for the LDAP search. Object attributes. Properties of objects that will be extracted in the LDAP query. Kaspersky Industrial CyberSecurity for Nodes combines rule triggering criteria with a logical AND. Process details and Parent process details: Full path. Full path to the file including its name and extension. Kaspersky Industrial CyberSecurity for Nodes supports environment variables and the `*` and `?` characters when entering a mask: Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays parameters of the `C:\windows\syswow64\cmd.exe` file. Such behavior is dictated by peculiarities of the operating system.
Excluded process access queries	Rule name. Name of the rule. Operation type. Type of process access operation, for example, "any" or "open". Requested access to the process. Level of access to the process. Call stack trace. Information about the sequence of function calls related to access to the process. Kaspersky Industrial CyberSecurity for Nodes combines rule triggering criteria with a logical AND. Process details, Parent process details, Target process, File of a source process and File of a target process. Full path. Full path to the file including its name and extension. Kaspersky Industrial CyberSecurity for Nodes supports environment variables and the `*` and `?` characters when entering a mask: Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays parameters of the `C:\windows\syswow64\cmd.exe` file. Such behavior is dictated by peculiarities of the operating system.
Excluded code injections	Rule name. Name of the rule. Access method. Access method used for the code injection. Call stack. Function call sequence related to the code injection. Modified command line. Command line that was modified by the injection. Injection address. Memory location where the injection took place. Injected DLL name. Name of the dynamic-link library (DLL) used for the injection. Kaspersky Industrial CyberSecurity for Nodes combines rule triggering criteria with a logical AND. Process details and Parent process details: Full path. Full path to the file including its name and extension. Kaspersky Industrial CyberSecurity for Nodes supports environment variables and the `*` and `?` characters when entering a mask: Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays parameters of the `C:\windows\syswow64\cmd.exe` file. Such behavior is dictated by peculiarities of the operating system.
Excluded WMI queries	Rule name. Name of the rule. WMI operation type. Type of operation performed using WMI. Remote query. Information on whether the WMI query was executed remotely. Name of a computer that executed a WMI command. Name of the computer that initiated the query. WMI user account. User account that was used for the WMI query. Executed WMI command. Specific command executed via WMI. WMI namespace. Namespace in which the WMI operation was performed. WMI event consumer filter. Filter that is used to process events in WMI. Name of the created WMI event consumer. Name of the event consumer created using WMI. Source code of a WMI event consumer. Code used to create a WMI event consumer. Kaspersky Industrial CyberSecurity for Nodes combines rule triggering criteria with a logical AND. Process details and Parent process details: Full path. Full path to the file including its name and extension. Kaspersky Industrial CyberSecurity for Nodes supports environment variables and the `*` and `?` characters when entering a mask: Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays parameters of the `C:\windows\syswow64\cmd.exe` file. Such behavior is dictated by peculiarities of the operating system.
Excluded pipe operations	Rule name. Name of the rule. Pipe name. Name of the pipe. Operation type. Type of operations with pipes, for example, creation or connection. Kaspersky Industrial CyberSecurity for Nodes combines rule triggering criteria with a logical AND. Process details and Parent process details: Full path. Full path to the file including its name and extension. Kaspersky Industrial CyberSecurity for Nodes supports environment variables and the `*` and `?` characters when entering a mask: Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays parameters of the `C:\windows\syswow64\cmd.exe` file. Such behavior is dictated by peculiarities of the operating system.
Excluded registry changes	Rule name. Name of the rule. Operation type. Type of operation performed with the registry, for example, add, delete, modify. Path. Path to the registry key in which the changes took place. Value name. Name of the registry value that was modified. Value. New or modified registry value. Full name of a registry file. Full path to the registry file in which the modifications were made. Kaspersky Industrial CyberSecurity for Nodes combines rule triggering criteria with a logical AND. Process details and Parent process details: Full path. Full path to the file including its name and extension. Kaspersky Industrial CyberSecurity for Nodes supports environment variables and the `*` and `?` characters when entering a mask: Command line text. Command used to run the file. Description. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource. Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource. Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource. File checksums. MD5 and SHA256. You can also select a file manually, and the application will automatically fill out the fields from the selected file. In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the `C:\windows\system32` folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the `C:\windows\syswow64` folder. For example, if you select `C:\windows\system32\cmd.exe`, the plug-in displays parameters of the `C:\windows\syswow64\cmd.exe` file. Such behavior is dictated by peculiarities of the operating system.
Excluded operations with devices	Rule name. Name of the rule. Device type. Device type: local printer, removable drive, CD/DVD drive, etc. For details, see Device Access Rules. Device ID. Unique ID that can be used to identify the specific instance of the device. Device name. Name of the device. Kaspersky Industrial CyberSecurity for Nodes combines rule triggering criteria with a logical AND.