Kaspersky Endpoint Detection and Response (KATA) Integration
Kaspersky Endpoint Detection and Response (KATA) is a component of the Kaspersky Anti Targeted Attack Platform solution, which is designed to protect the IT infrastructure of organizations and promptly detect threats, such as zero-day attacks, targeted attacks, and advanced persistent threats (APT). To read more, check out the Kaspersky Anti Targeted Attack Platform Help.
When interacting with Kaspersky Endpoint Detection and Response (KATA), Kaspersky Endpoint Security may send data about events on devices (telemetry) to the Kaspersky Anti Targeted Attack Platform server with the Central Node component ("KATA server") and execute commands from Kaspersky Anti Targeted Attack Platform intended to provide security.
This feature is not supported in the KESL container.
Management of integration settings with Kaspersky Endpoint Detection and Response (KATA) via Kaspersky Security Center Cloud Console is not supported.
For integration with Kaspersky Endpoint Detection and Response (KATA), the Behavior Detection component must be enabled.
The integration of Kaspersky Endpoint Security with Kaspersky Endpoint Detection and Response (KATA) is only possible if these components are enabled. Otherwise, the required telemetry data cannot be transmitted.
Kaspersky Endpoint Detection and Response (KATA) can additionally use data received from the following components:
- File Threat Protection.
- Network Threat Protection.
- Web Threat Protection.
When integrated with Kaspersky Endpoint Detection and Response (KATA), devices with Kaspersky Endpoint Security establish secure connections to the KATA server via the HTTPS protocol. To ensure a secure connection, the following certificates issued by the KATA server are used:
- KATA server certificate. The connection is encrypted using the server's TLS certificate. You can elevate the security of the connection by verifying the server certificate on the Kaspersky Endpoint Security side. You need to add the server certificate when configuring integration settings.
- Client certificate. This certificate is used for additional protection of the connection using two-way authentication (the KATA server verifies devices with Kaspersky Endpoint Security). The same client certificate can be used by multiple devices. By default, the KATA server does not validate client certificates, but validation can be enabled on the KATA server side. In this case, you need to enable two-way authentication and add the client certificate (a cryptocontainer with the certificate and private key) in the integration settings.
Certificates for securing the connection to the KATA server are provided by the Kaspersky Anti Targeted Attack Platform administrator.
A proxy server is used to connect to the KATA server if use of a proxy server is configured in the general application settings of Kaspersky Endpoint Security.
Kaspersky Endpoint Detection and Response (KATA) integration settings
Setting | Description |
---|---|
Integration with Endpoint Detection and Response (KATA) enabled / disabled | Enables or disables the integration of the Kaspersky Endpoint Security application with Kaspersky Endpoint Detection and Response (KATA). The integration is disabled by default. |
Server connection settings | Clicking the Configure button in the block opens a window where you can configure general settings for connecting to KATA servers, add a server certificate, and configure two-way authentication when connecting to KATA servers. |
KATA servers | The table contains a list of KATA servers to which connection is configured. The Add button opens a window where you can configure the connection to the KATA server. You can use the buttons above the table to edit and remove previously configured connection settings. |
Maximum delay when sending events (sec) | The maximum delay in sending events to the KATA server in seconds. The default value is |
Enable event throttling | Enables or disables the regulation of the number of events sent to the KATA server. |
Maximum number of events per hour | Maximum number of events per hour. The default value is |
Event throttle threshold (percentage) | Event throttle threshold (percentage). Sending events is limited if the ratio of events of one type (for example, events about registry changes) to the total number of events exceeds the set threshold (as a percentage). The default value is |
Server connection settings window
In this window, you can configure general settings for connecting to KATA servers, add a server certificate, and configure two-way authentication when connecting to KATA servers.
KATA server connection settings
Setting | Description |
---|---|
Send a synchronization request to the KATA server every (minutes) | Frequency of sending synchronization requests to the KATA server in minutes. The default value is |
Maximum time to wait for the server connection (sec) | Maximum time to wait for a connection to the KATA server in seconds. The default value is |
Maximum time to wait for a response from the server (sec) | Maximum time to wait for a response from the KATA server in seconds. The default value is |
Allow sending telemetry | Enables or disables sending data about events on devices (telemetry) to the KATA server. Sending telemetry is enabled by default. |
Server certificate | After adding the server certificate, information about the certificate is displayed: |
Select | Opens a standard file selection window where you can specify the path to the KATA server certificate. If a server certificate has been added, the server certificate is verified on the Kaspersky Endpoint Security side. This elevates the security of the connection. |
Remove | Deletes the server certificate added previously. The button is displayed only if a server certificate has been added. |
Additional connection protection | The settings section lets you enable or disable two-way authentication when connecting to the KATA server and add a client certificate. |
Use two-way authentication | Enables or disables the use of two-way authentication to further secure the connection to the KATA server. Two-way authentication must be enabled on the KATA server side. To use two-way authentication, you need to add a client certificate. |
Add a client certificate | Opens a standard file selection window where you can specify the path to the cryptocontainer (PFX archive) with the client certificate and private key. The button is available if the Use two-way authentication check box is selected. |
Edit | Allows you to specify the password for the cryptocontainer with the client certificate. The Cryptocontainer password field cannot be edited. By default, the password is empty. To specify a password, click Edit. In the window that opens, enter the password and click OK. Clicking the Show button in the window displays the password in clear text in the password entry window. It is recommended to make sure that the password complexity and anti-bruteforce mechanisms ensure that the password cannot be guessed within 6 months. The button is available if the Use two-way authentication check box is selected. |
Server connection settings window
In this window you can specify the connection settings to the KATA server.
KATA server connection settings
Setting | Description |
---|---|
Address | KATA server address. You can specify the IP address (IPv4 or IPv6) or fully qualified domain name (FQDN) of the integration server. To ensure that communication with the KATA server is not interrupted if the application fails when network isolation is enabled for the device, it is recommended to specify the server's IP address. Default value: |
Port | Port to connect to the KATA server. The default value is |
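
The following Python example is added here and is not Kaspersky code: it audits a record of the connection settings described on this page against the page's own recommendations, with a weak record beside a hardened one. The field names, file names and both sample records are constructed for illustration and are not application configuration keys.

```python
import ipaddress
import re

# Constructed records. The field names are hypothetical and only model the
# settings on this page; they are not application configuration keys.
WEAK = {"address": "kata.example.internal", "port": 443,
        "server_certificate": None, "two_way_auth": True,
        "client_pfx": "kes-client.pfx", "pfx_password": "",
        "allow_telemetry": False}
HARDENED = {"address": "192.0.2.10", "port": 443,
            "server_certificate": "kata-server.crt", "two_way_auth": True,
            "client_pfx": "kes-client.pfx",
            "pfx_password": "constructed-long-passphrase",
            "allow_telemetry": True}

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def address_kind(value):
    """Classify the Address setting as 'ip', 'fqdn' or 'invalid'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # An all-numeric last label is a malformed IPv4 address, not a domain name.
    if (len(value) <= 253 and len(labels) >= 2 and not labels[-1].isdigit()
            and all(_LABEL.match(label) for label in labels)):
        return "fqdn"
    return "invalid"

def audit(cfg):
    """Return (setting, finding) pairs for one record; empty means no findings."""
    out = []
    kind = address_kind(cfg["address"])
    if kind == "invalid":
        out.append(("address", "not an IPv4/IPv6 address or an FQDN"))
    elif kind == "fqdn":
        out.append(("address", "FQDN set; an IP address is recommended where network isolation is used"))
    if not 1 <= cfg["port"] <= 65535:
        out.append(("port", "outside 1-65535"))
    if not cfg["server_certificate"]:
        out.append(("server_certificate", "not added, so the client does not verify the server certificate"))
    if cfg["two_way_auth"] and not cfg["client_pfx"]:
        out.append(("client_pfx", "two-way authentication is on but no cryptocontainer is added"))
    elif cfg["two_way_auth"] and not cfg["pfx_password"]:
        out.append(("pfx_password", "cryptocontainer password is empty (the default)"))
    if not cfg["allow_telemetry"]:
        out.append(("allow_telemetry", "off, so no event data is sent to the KATA server"))
    return out
```

Calling `audit(WEAK)` returns findings for `address`, `server_certificate`, `pfx_password` and `allow_telemetry`, while `audit(HARDENED)` returns an empty list.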