Kaspersky Endpoint Detection and Response (KATA) Integration task (KATAEDR, ID:24)
Oct 22, 2023
Kaspersky Endpoint Detection and Response (KATA) (EDR (KATA)) is a component of the Kaspersky Anti Targeted Attack Platform solution, which is designed to protect the IT infrastructure of organizations and promptly detect threats, such as zero-day attacks, targeted attacks, and advanced persistent threats (APT). To read more, check out the Kaspersky Anti Targeted Attack Platform help section.
When interacting with EDR (KATA), Kaspersky Endpoint Security can perform the following functions:
- Send data about events on devices (telemetry) to the Kaspersky Anti Targeted Attack Platform server with the Central Node component ("KATA server"). Kaspersky Endpoint Security sends monitoring data on processes, open network connections, and modified files to the KATA server, as well as data on threats detected by the application and data on the results of processing these threats.
- Execute tasks received from Kaspersky Anti Targeted Attack Platform to provide security.
Kaspersky Endpoint Detection and Response (KATA) Integration task allows you to configure and enable integration of the Kaspersky Endpoint Security application with the EDR (KATA) component. You can also manage the integration of Kaspersky Endpoint Security with EDR (KATA) using the Kaspersky Security Center Administration Console and Kaspersky Security Center Web Console.
Management of integration settings with EDR (KATA) via Kaspersky Security Center Cloud Console is not supported.
To integrate with EDR (KATA), the Behavior Detection task must be started.
The integration of Kaspersky Endpoint Security with EDR (KATA) is only possible if this task is started. Otherwise, the required telemetry data cannot be transmitted.
EDR (KATA) can also use data received from the following tasks:
- File Threat Protection.
- Network Threat Protection.
- Web Threat Protection.
During integration with EDR (KATA), devices with Kaspersky Endpoint Security establish secure connections to the KATA server via the HTTPS protocol. To ensure a secure connection, the following certificates issued by the KATA server are used:
- KATA server certificate. The connection is encrypted using the server's TLS certificate. You can elevate the security of the connection by verifying the server certificate on the Kaspersky Endpoint Security side. To do this, add the integration server certificate before running the Kaspersky Endpoint Detection and Response (KATA) Integration task.
- Client certificate. This certificate is used for additional protection of the connection using two-way authentication (the KATA server also verifies the devices with Kaspersky Endpoint Security). The same client certificate can be used by multiple devices. By default, the KATA server does not check client certificates, but two-way authentication can be enabled on the Kaspersky Anti Targeted Attack Platform side. In this case, you need to enable two-way authentication in the Kaspersky Endpoint Detection and Response (KATA) Integration task settings and add the client certificate (cryptocontainer with certificate and private key).
Certificates for securing the connection to the KATA server are provided by the Kaspersky Anti Targeted Attack Platform administrator.
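The following added shell script is not part of this documentation or of Kaspersky's tooling; it assumes only the openssl command line, and the file names, host and port are placeholders. It checks the certificate material described above before the integration task is run: that the client cryptocontainer opens and holds a private key matching its certificate, that a server certificate verifies against the certificate supplied by the KATA administrator, and optionally that a two-way TLS handshake with the KATA server succeeds.

```shell
#!/bin/sh
# Added pre-flight checks for the certificates used by the EDR (KATA)
# integration. Assumes only the openssl CLI; file names and the
# host/port are examples. Not Kaspersky's own tooling.

# Check the client cryptocontainer (PKCS#12: certificate + private key)
# used for two-way authentication: the container must open with the
# given password, the private key must belong to the certificate, and
# the certificate must not be expired. Returns 0 if all checks pass.
check_client_container() {
    local p12="$1" pass="$2" cert_pub key_pub
    cert_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    # -checkend 0 fails if the certificate has already expired
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

# Check that a KATA server certificate chains to the trusted certificate
# handed over by the Kaspersky Anti Targeted Attack Platform administrator
# (the file added to Kaspersky Endpoint Security for server verification).
# Usage: verify_server_cert TRUSTED_PEM SERVER_CERT_PEM
verify_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Live check (needs network access): TLS handshake with the KATA server,
# verifying its certificate against the trusted file and presenting the
# client certificate from the cryptocontainer. Returns 0 on success.
kata_handshake_check() {
    local host="$1" port="$2" trusted="$3" p12="$4" pass="$5" tmp rc
    tmp=$(mktemp) || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes -out "$tmp" 2>/dev/null \
        || { rm -f "$tmp"; return 1; }
    openssl s_client -connect "$host:$port" -CAfile "$trusted" \
        -cert "$tmp" -key "$tmp" -verify_return_error </dev/null >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```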
A proxy server is used to connect to the KATA server if use of a proxy server is configured in the general application settings of Kaspersky Endpoint Security.
If Kaspersky Endpoint Security is integrated with Kaspersky Anti Targeted Attack Platform, a large number of events can be written to the systemd log. If you want to disable the logging of audit events to the systemd log, disable the systemd-journald-audit socket and restart the operating system.
To disable the systemd-journald-audit socket, run the following commands:
systemctl stop systemd-journald-audit.socket
systemctl disable systemd-journald-audit.socket
systemctl mask systemd-journald-audit.socket