Configuring integration with Kaspersky Anti Targeted Attack Platform
December 13, 2023
A user can configure integration with Kaspersky Anti Targeted Attack Platform (hereinafter also referred to as "KATA") only if the user has the Edit settings permission.
Kaspersky Anti Targeted Attack Platform is a solution designed for the protection of corporate IT infrastructure and timely detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats.
KATA can be integrated with other Kaspersky applications for the purpose of receiving and processing the objects that are scanned by those applications. Kaspersky Web Traffic Security is an application that can serve in this role.
The Kaspersky Web Traffic Security administrator must configure KATA integration on the node with role Control. After this is done, the integration settings are sent to all nodes with role Secondary that are part of the cluster. Each cluster node then interacts with the KATA server independently of the other nodes.
Two modes are available when integrated with KATA: transmission of files to the KATA server, and receipt of objects detected by KATA.
Sending files to the KATA server
Kaspersky Web Traffic Security sends the KATA server the objects that were not blocked by traffic processing rules or the default protection policy. However, the application does not wait for the KATA server to send the results of scanning these objects.
When each file is processed, the application checks whether the file needs to be sent to the KATA server. Based on the results, the scan status is written to the application event log. The following statuses are available:
- Not applicable. No file to check – the HTTP message does not contain files to scan.
- Disabled according to application settings – the mode for sending files to the KATA server is disabled in the application settings.
- Skipped according to rule action – the HTTP message was blocked by the application (the Block or Redirect actions are applied) or skipped without scanning according to the bypass rule.
- Rejected by KATA filter – the file does not satisfy the conditions to be sent to the KATA server.
- Scheduled – file transmission is scheduled.
- Failed – file transmission could not be scheduled.
For files with the Scheduled and Failed statuses, detailed information about the result of file transmission is also logged.
All events related to the transmission of files to the KATA server are logged to the operating system log over the Syslog protocol.
Receiving objects detected by KATA
Kaspersky Web Traffic Security receives from the KATA server information about the objects detected by KATA using Sandbox and YARA technologies. For details about these technologies, please refer to the Kaspersky Anti Targeted Attack Platform Help Guide.
Information about received objects is saved in the KATA cache. Each cluster node stores its own KATA cache and receives the objects detected by KATA independently of the other nodes. When the storage term expires, information about objects is deleted from the cache, and these objects are no longer taken into account when protection rules and the default protection policy are applied.
In protection rules and in the default protection policy, you can configure actions to take on objects whose information was received from the KATA server. When such objects are detected in user traffic, Kaspersky Web Traffic Security will process these objects according to the settings defined in rules. This lets you block potentially harmful objects until information about them is added to the KSN reputation databases and to the local application databases.
The result from scanning each object is written to the event log. The following scan statuses are available:
- Not detected – no matches detected in the KATA cache.
- Detected – threats were detected.
- Not scanned – a scan was not performed based on the application settings.
- Scan error – the scan ended with an error.
All events related to scanning traffic for matches with KATA objects are logged to the operating system log over the Syslog protocol.
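The two status lists above (file transmission statuses and KATA cache scan statuses) are what an operator sees in the Syslog stream from each cluster node. The following Python script is an added example, not part of the Kaspersky documentation: it parses constructed syslog lines, validates each status against the two lists, and reports the statuses that need attention (Failed transmissions, Detected objects, Scan errors) per node, since every node logs independently. The line layout, the `kata_send`/`kata_scan` event names and the `node=`/`status=`/`url=`/`detail=` fields are assumptions for the example; the real Kaspersky Web Traffic Security event format is not given on this page.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# File-transmission statuses named in "Sending files to the KATA server".
SEND_STATUSES = {
    "Not applicable. No file to check",
    "Disabled according to application settings",
    "Skipped according to rule action",
    "Rejected by KATA filter",
    "Scheduled",
    "Failed",
}
# Scan statuses named in "Receiving objects detected by KATA".
SCAN_STATUSES = {"Not detected", "Detected", "Not scanned", "Scan error"}

# Statuses an operator should act on: transmission that could not be scheduled,
# a KATA cache match in user traffic, or a scan that ended with an error.
ALERT_STATUSES = {"Failed", "Detected", "Scan error"}

# Constructed sample log (hypothetical layout, not the product's real output).
SAMPLE_LOG = """\
<14>Dec 13 10:00:01 kwts-node1 kwts: kata_send node=node1 status="Not applicable. No file to check" url=http://example.test/page
<14>Dec 13 10:00:02 kwts-node1 kwts: kata_send node=node1 status="Scheduled" url=http://example.test/report.docx
<11>Dec 13 10:00:03 kwts-node2 kwts: kata_send node=node2 status="Failed" url=http://example.test/tool.exe detail="KATA server unreachable"
<14>Dec 13 10:00:04 kwts-node2 kwts: kata_scan node=node2 status="Not detected" url=http://example.test/page
<10>Dec 13 10:00:05 kwts-node1 kwts: kata_scan node=node1 status="Detected" url=http://example.test/dropper.bin
<11>Dec 13 10:00:06 kwts-node2 kwts: kata_scan node=node2 status="Scan error" url=http://example.test/archive.zip
<14>Dec 13 10:00:07 kwts-node1 kwts: kata_send node=node1 status="Bogus" url=http://example.test/unknown
not a KATA event line at all
"""

# Assumed line layout: syslog priority, timestamp, host, "kwts:", event name, key=value fields.
EVENT_RE = re.compile(
    r'^<\d+>\S+ +\d+ [\d:]+ \S+ kwts: (?P<event>kata_send|kata_scan) '
    r'node=(?P<node>\S+) status="(?P<status>[^"]+)" url=(?P<url>\S+)'
    r'(?: detail="(?P<detail>[^"]*)")?$'
)


@dataclass
class KataEvent:
    event: str            # "kata_send" (file transmission) or "kata_scan" (cache match scan)
    node: str             # cluster node that produced the event
    status: str           # one of SEND_STATUSES or SCAN_STATUSES
    url: str
    detail: Optional[str] # extra text logged for Scheduled/Failed transmissions


def parse_events(text: str) -> list:
    """Parse syslog text into KataEvent objects, dropping lines that are not
    KATA events or whose status is not valid for the event's mode."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = KataEvent(**m.groupdict())
        allowed = SEND_STATUSES if ev.event == "kata_send" else SCAN_STATUSES
        if ev.status not in allowed:
            continue  # unknown status for this mode: ignore rather than misclassify
        events.append(ev)
    return events


def summarize(events: list) -> Counter:
    """Count events by (mode, status) across the whole cluster."""
    return Counter((e.event, e.status) for e in events)


def by_node(events: list) -> dict:
    """Per-node status counts; each node talks to KATA on its own, so a
    node-local outage shows up here as Failed counts on one node only."""
    result = defaultdict(Counter)
    for e in events:
        result[e.node][e.status] += 1
    return dict(result)


def alerts(events: list) -> list:
    """Events that warrant operator attention, in log order."""
    return [e for e in events if e.status in ALERT_STATUSES]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, n in sorted(summarize(evs).items()):
        print(f"{key[0]:9s} {key[1]:40s} {n}")
    for e in alerts(evs):
        print(f"ALERT {e.node} {e.event} {e.status}: {e.url} {e.detail or ''}")
```

Run against a real Syslog export, the script would need its `EVENT_RE` adjusted to the actual event layout; the status vocabulary and the alert logic stay the same, and a sudden rise in `Failed` on a single node is the signal that that node has lost its own connection to the KATA server.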