Telemetry is a list of events that have occurred on the protected computer. Kaspersky Industrial CyberSecurity for Nodes analyzes telemetry data and sends it to Kaspersky Anti Targeted Attack Platform during synchronization. Telemetry events arrive on the server almost continuously. Kaspersky Industrial CyberSecurity for Nodes initiates synchronization with the server when any of the following conditions are satisfied:
The synchronization interval has elapsed.
The number of events in the buffer exceeds the upper limit.
You can configure the synchronization behavior in the Kaspersky Industrial CyberSecurity for Nodes policy and select optimum values to match your network load.
If there is no connection between Kaspersky Industrial CyberSecurity for Nodes and the server, the application queues new events. When the connection is restored, Kaspersky Industrial CyberSecurity for Nodes sends queued events to the server in proper order. To avoid overloading the server, Kaspersky Industrial CyberSecurity for Nodes may skip some events. To control this, you can configure the event transmission settings, for example, by setting a maximum events-per-hour value.
If you are using Kaspersky Anti Targeted Attack Platform together with another solution which also uses telemetry, you can turn off telemetry for KATA. This lets you optimize server load for these solutions. For example, if you have Managed Detection and Response and Kaspersky Anti Targeted Attack Platform solutions deployed, you can use Managed Detection and Response telemetry while creating threat response tasks in Kaspersky Anti Targeted Attack Platform.
Open the Kaspersky Security Center Administration Console.
In the console tree, open the Policies folder.
Select a policy for managing the application and double-click it to open its settings window.
Select the Telemetry collection servers section.
In the KATA Integration block, click the Settings button.
The Properties: Endpoint Detection and Response Expert (on-premise) window opens.
Configure the Send sync request to KATA server every (min) setting. This setting defines the frequency of synchronization requests sent to the server. During synchronization, Kaspersky Industrial CyberSecurity for Nodes sends information about modified application settings and tasks.
Make sure that the Send telemetry to KATA check box is selected in the Data transmission settings block.
If necessary, configure the Maximum events transmission delay (sec) setting: When the specified time expires, Kaspersky Industrial CyberSecurity for Nodes tries to connect to the same server again or connects to the next server in the list, if there are multiple servers. The default setting is 30 seconds.
If necessary, configure the Maximum number of event packages setting: This setting regulates the maximum number of packets that can be sent as part of one transaction. The default value is 1024.
If necessary, select the Enable request throttling check box in the Request throttling block.
This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Industrial CyberSecurity for Nodes stops sending events.
Configure optimization settings for sending events to the server:
Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Industrial CyberSecurity for Nodes resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour.
Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Industrial CyberSecurity for Nodes resumes sending events when the ratio of other events to the total number of events becomes big enough again. The default setting is 15 %.
In the Application Console tree, select the Telemetry collection servers → KATA Integration section.
Click the Properties link in the results pane.
The Properties: Endpoint Detection and Response Expert (on-premise) window opens.
Configure the Send sync request to KATA server every (min) setting. This setting defines the frequency of synchronization requests sent to the server. During synchronization, Kaspersky Industrial CyberSecurity for Nodes sends information about modified application settings and tasks.
Make sure that the Send telemetry to KATA check box is selected in the Data transmission settings block.
If necessary, configure the Maximum events transmission delay (sec) setting: When the specified time expires, Kaspersky Industrial CyberSecurity for Nodes tries to connect to the same server again or connects to the next server in the list, if there are multiple servers. The default setting is 30 seconds.
If necessary, configure the Maximum number of event packages setting: This setting regulates the maximum number of packets that can be sent as part of one transaction. The default value is 1024.
If necessary, select the Enable request throttling check box in the Request throttling block.
This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Industrial CyberSecurity for Nodes stops sending events.
Configure optimization settings for sending events to the server:
Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Industrial CyberSecurity for Nodes resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour.
Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Industrial CyberSecurity for Nodes resumes sending events when the ratio of other events to the total number of events becomes big enough again. The default setting is 15 %.
In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.
The policy properties window opens.
Select the Application settings tab.
Select the Telemetry collection servers section.
In the KATA Integration block, click the Configure button.
The Properties: Endpoint Detection and Response Expert (on-premise) window opens.
Configure the Send sync request to KATA server every (min) setting. This setting defines the frequency of synchronization requests sent to the server. During synchronization, Kaspersky Industrial CyberSecurity for Nodes sends information about modified application settings and tasks.
Make sure that the Send telemetry to KATA check box is selected in the Data transmission settings block.
If necessary, configure the Maximum events transmission delay (sec) setting: When the specified time expires, Kaspersky Industrial CyberSecurity for Nodes tries to connect to the same server again or connects to the next server in the list, if there are multiple servers. The default setting is 30 seconds.
If necessary, configure the Maximum number of event packages setting: This setting regulates the maximum number of packets that can be sent as part of one transaction. The default value is 1024.
If necessary, select the Enable request throttling check box in the Request throttling block.
This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Industrial CyberSecurity for Nodes stops sending events.
Configure optimization settings for sending events to the server:
Maximum number of events per hour. The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Industrial CyberSecurity for Nodes resumes sending events after an hour. The default setting is 3000 events per hour. If the application is installed on a server, the telemetry data stream is higher. For servers, it is recommended to increase the value to 60 000 events per hour.
Percentage of event limit excess. The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Industrial CyberSecurity for Nodes resumes sending events when the ratio of other events to the total number of events becomes big enough again. The default setting is 15 %.
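The following simplified model of the two request throttling settings described above is an added illustration, not Kaspersky code and not the product's actual algorithm. It estimates, for a constructed event stream, which event types would stop reaching the server, so that the limits can be sized without creating gaps in detection coverage. The fixed one-hour window, the min_sample warm-up, and all function and event type names are assumptions.

```python
from collections import Counter

HOUR = 3600  # seconds; the model uses fixed one-hour windows (assumption)

def simulate_throttling(events, max_per_hour=3000, type_excess_pct=15,
                        min_sample=100):
    """Model both throttling limits over (timestamp_sec, event_type) pairs.

    min_sample is a hypothetical warm-up so the per-type share is not
    judged on the first few events. Returns (sent, dropped) Counters.
    """
    sent, dropped = Counter(), Counter()
    window_start, sent_in_window, total = None, 0, 0
    seen = Counter()  # events observed per type in the current window
    for ts, etype in events:
        if window_start is None or ts - window_start >= HOUR:
            # New hour: counters reset and sending resumes.
            window_start, sent_in_window, total = ts, 0, 0
            seen = Counter()
        seen[etype] += 1
        total += 1
        share_pct = 100.0 * seen[etype] / total
        if sent_in_window >= max_per_hour:
            dropped[etype] += 1          # hourly limit reached
        elif total >= min_sample and share_pct > type_excess_pct:
            dropped[etype] += 1          # this type dominates the stream
        else:
            sent[etype] += 1
            sent_in_window += 1
    return sent, dropped

def constructed_stream():
    """Constructed sample: one registry event per second for an hour,
    plus one event of nine other (made-up) types every ten seconds."""
    others = [f"other_type_{i}" for i in range(9)]
    events = []
    for s in range(HOUR):
        events.append((s, "registry_change"))
        if s % 10 == 0:
            events.append((s, others[(s // 10) % 9]))
    return events

if __name__ == "__main__":
    sent, dropped = simulate_throttling(constructed_stream())
    for etype in sorted(set(sent) | set(dropped)):
        print(f"{etype:18} sent={sent[etype]:5} dropped={dropped[etype]:5}")
```

With the default limits, the model drops almost all events of the dominant type while the low-volume types pass through. Lowering max_per_hour shows the point at which every type stops being sent for the rest of the hour.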