Kaspersky Endpoint Detection and Response (KATA) Integration
Oct 22, 2023
Kaspersky Endpoint Detection and Response (KATA) (EDR (KATA)) is a component of the Kaspersky Anti Targeted Attack Platform solution, which is designed to protect the IT infrastructure of organizations and promptly detect threats, such as zero-day attacks, targeted attacks, and advanced persistent threats (APT). To read more, check out the Kaspersky Anti Targeted Attack Platform help section.
When interacting with EDR (KATA), Kaspersky Endpoint Security may send data about events on devices (telemetry) to the Kaspersky Anti Targeted Attack Platform server with the Central Node component ("KATA server") and execute commands from Kaspersky Anti Targeted Attack Platform intended to provide security.
This feature is not supported in the KESL container.
To integrate with EDR (KATA), the Behavior Detection component must be enabled.
Integration of Kaspersky Endpoint Security with EDR (KATA) is only possible if this component is enabled. Otherwise, the required telemetry data cannot be transmitted.
EDR (KATA) can also use data received from the following components:
- File Threat Protection.
- Network Threat Protection.
- Web Threat Protection.
During integration with EDR (KATA), devices with Kaspersky Endpoint Security establish secure connections to the KATA server via the HTTPS protocol. To ensure a secure connection, the following certificates issued by the KATA server are used:
- KATA server certificate. The connection is encrypted using the server's TLS certificate. You can elevate the security of the connection by verifying the server certificate on the Kaspersky Endpoint Security side. You need to add the server certificate when configuring integration settings.
- Client certificate. This certificate provides additional protection of the connection through two-way authentication (the KATA server verifies devices with Kaspersky Endpoint Security). The same client certificate can be used by multiple devices. By default, the KATA server does not validate client certificates, but validation can be enabled on the KATA server side. In this case, you need to enable two-way authentication in the integration options and add the client certificate (cryptocontainer with certificate and private key).
Certificates for securing the connection to the KATA server are provided by the Kaspersky Anti Targeted Attack Platform administrator.
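The certificate roles described above, as an added illustration built on Python's `ssl` module (it is not Kaspersky code and does not use the product's settings): it shows what an endpoint accepts when it does not verify the server certificate, and what a server that validates client certificates rejects. Assumptions: the host name `kata.example`, the throwaway self-signed certificates generated with the `openssl` command-line tool (which must be on the PATH), and all function names are constructed for this example.

```python
import os, ssl, subprocess, tempfile
HOST = "kata.example"  # constructed placeholder name, not a real KATA server

def make_cert(d, label, cn):  # throwaway self-signed certificate and key
    crt, key = os.path.join(d, label + ".crt"), os.path.join(d, label + ".key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + cn, "-addext", "subjectAltName=DNS:" + cn,
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def tls_ctx(server, own_pair=None, trusted_crt=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server else ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # certificate errors surface in-handshake
    if own_pair:  # certificate this side presents to its peer
        ctx.load_cert_chain(*own_pair)
    if trusted_crt:  # peer must present a certificate that chains to this one
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(trusted_crt)
    else:  # encrypted channel, but the peer is not authenticated
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def connects(client, server):  # in-memory TLS handshake, no sockets
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    c = client.wrap_bio(c_in, c_out, server_hostname=HOST)
    s = server.wrap_bio(s_in, s_out, server_side=True)
    done = set()
    for _ in range(6):
        for side, out, peer_in in ((c, c_out, s_in), (s, s_out, c_in)):
            try:
                side.do_handshake()
                done.add(id(side))
            except ssl.SSLError as err:
                if not isinstance(err, ssl.SSLWantReadError):
                    return False  # certificate rejected or missing
            if out.pending:  # hand this side's handshake records to the peer
                peer_in.write(out.read())
    return len(done) == 2

def run_scenarios():
    with tempfile.TemporaryDirectory() as d:
        kata, rogue = make_cert(d, "kata", HOST), make_cert(d, "rogue", HOST)
        dev = make_cert(d, "device", "kes-device")
        return {
            "unverified_client_vs_impostor": connects(tls_ctx(False), tls_ctx(True, rogue)),
            "verifying_client_vs_impostor": connects(tls_ctx(False, None, kata[0]), tls_ctx(True, rogue)),
            "two_way_without_client_cert": connects(tls_ctx(False, None, kata[0]), tls_ctx(True, kata, dev[0])),
            "two_way_with_client_cert": connects(tls_ctx(False, dev, kata[0]), tls_ctx(True, kata, dev[0])),
        }
```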
A proxy server is used to connect to the KATA server if use of a proxy server is configured in the general application settings of Kaspersky Endpoint Security.
Kaspersky Endpoint Detection and Response (KATA) integration settings
Integration with Endpoint Detection and Response (KATA).
Enables or disables integration of Kaspersky Endpoint Security with EDR (KATA).
Integration is disabled by default.
The Configure button in the block opens the KATA servers window. In this window, you can configure a connection to KATA servers and view the list of servers to which a connection is configured.
Server connection settings
The Configure button in the block opens a window where you can configure general settings for connecting to KATA servers, add a server certificate, and configure two-way authentication upon connecting to KATA servers.
Data transfer settings
The Configure button in the block opens a window where you can configure settings for transferring data to KATA servers.