Kaspersky Endpoint Detection and Response integration
Kaspersky Endpoint Detection and Response (hereinafter also referred to as "KEDR") is a functional unit of Kaspersky Anti Targeted Attack Platform that protects assets in an enterprise LAN.
You can configure KUMA integration with Kaspersky Endpoint Detection and Response versions 4.0 and 4.1 to manage threat response actions on assets connected to Kaspersky Endpoint Detection and Response servers, and on Kaspersky Security Center assets. Commands to perform operations are received by the Kaspersky Endpoint Detection and Response server, which then relays those commands to the Kaspersky Endpoint Agent installed on assets.
You can also import events to KUMA and receive information about Kaspersky Endpoint Detection and Response alerts (for more details, see the Configuring integration with a SIEM system section of the Kaspersky Anti Targeted Attack Platform online help).
When KUMA is integrated with Kaspersky Endpoint Detection and Response, you can perform the following operations on Kaspersky Endpoint Detection and Response assets that have Kaspersky Endpoint Agent:
- Manage network isolation of assets.
- Manage prevention rules.
- Start applications.
You can manage response actions only if you have a Kaspersky Symphony XDR license.
To get instructions on configuring integration for response action management, contact your account manager or Technical Support.
Importing events from Kaspersky Endpoint Detection and Response
When importing events from Kaspersky Endpoint Detection and Response, telemetry is transmitted in clear text and may be intercepted by an intruder.
Kaspersky Endpoint Detection and Response 4.0 raw events can be imported into KUMA with the help of a Kafka connector.
To import events, you will need to perform actions on the Kaspersky Endpoint Detection and Response side and on the KUMA side.
On the Kaspersky Endpoint Detection and Response side, perform the following actions:
- Use SSH or a terminal to log in to the management console of the Central Node server from which you want to export events.
- When prompted by the system, enter the administrator account name and the password that was set during installation of Kaspersky Endpoint Detection and Response.
The program component administrator menu is displayed.
- In the program component administrator menu, select Technical Support Mode.
- Press Enter.
The Technical Support Mode confirmation window opens.
- Confirm that you want to operate the application in Technical Support Mode. To do so, select Yes and press Enter.
- Run the command:
  sudo -i
- In the /etc/sysconfig/apt-services configuration file, in the KAFKA_PORTS field, delete the value 10000.
  If Secondary Central Node servers or the Sensor component installed on a separate server are connected to the Central Node server, you need to allow the connection with the server where you modified the configuration file via port 10000.
  It is strongly not recommended to use this port for any external connections other than KUMA. To restrict connections on port 10000 to KUMA only, run the command (replace KUMA_IP_address with the IP address of the KUMA server):
  iptables -I INPUT -p tcp ! -s KUMA_IP_address --dport 10000 -j DROP
- Run the command:
  systemctl restart apt_ipsec.service
- In the /usr/bin/apt-start-sedr-iptables configuration file, add the value 10000 in the WEB_PORTS field, separated from the existing values by a comma without a space.
- Run the command:
  sudo sh /usr/bin/apt-start-sedr-iptables
Preparations for exporting events on the Kaspersky Endpoint Detection and Response side are now complete.
On the KUMA side, complete the following steps:
- On the KUMA server, add the IP address of the Central Node server in the format
  <IP address> centralnode
  to one of the following files:
  %WINDIR%\System32\drivers\etc\hosts for Windows.
  /etc/hosts for Linux.
- In the KUMA web interface, create a connector of the Kafka type.
  When creating the connector, in the URL field, specify
  <Central Node server IP address>:10000
- In the KUMA web interface, create a collector.
  Use the connector created at the previous step as the transport for the collector.
If the collector is successfully created and installed, Kaspersky Endpoint Detection and Response events will be imported into KUMA. You can find and view these events in the events table.
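The configuration edits in the two procedures above (removing 10000 from the KAFKA_PORTS field, adding it to the WEB_PORTS field with a comma and no space, and adding the centralnode entry to /etc/hosts on a Linux KUMA server) are easy to get subtly wrong by hand, and running them twice should not duplicate values. The shell script below is an added example, not Kaspersky's own tooling, that performs each edit idempotently and lets you verify the result. It assumes that both Kaspersky configuration files use unquoted shell-style KEY=value lines with comma-separated port lists (for example KAFKA_PORTS=9092,10000); that is an assumption to check against the real files on the Central Node before use. The demo at the end runs on constructed temporary copies, never on the real files.

```shell
#!/bin/sh
# Added example (not Kaspersky's code). Assumes KEY=value lines with unquoted,
# comma-separated port lists, e.g. KAFKA_PORTS=9092,10000 -- verify on your host.

# get_ports FILE KEY : print the comma-separated list on the KEY= line (empty if absent)
get_ports() {
  sed -n "s/^$2=//p" "$1"
}

# remove_port FILE KEY PORT : delete PORT from the KEY= list, keeping the other values
remove_port() {
  file=$1; key=$2; port=$3
  cur=$(get_ports "$file" "$key")
  # split on commas, drop the exact port (so 1000 does not match 10000), rejoin without spaces
  new=$(printf '%s\n' "$cur" | tr ',' '\n' | grep -vx "$port" | paste -sd, -)
  sed -i "s/^${key}=.*/${key}=${new}/" "$file"
}

# add_port FILE KEY PORT : append PORT to the KEY= list, comma-separated without a space,
# unless it is already present (idempotent)
add_port() {
  file=$1; key=$2; port=$3
  cur=$(get_ports "$file" "$key")
  if printf '%s\n' "$cur" | tr ',' '\n' | grep -qx "$port"; then
    return 0                      # already listed; leave the file untouched
  fi
  if [ -z "$cur" ]; then new=$port; else new="${cur},${port}"; fi
  sed -i "s/^${key}=.*/${key}=${new}/" "$file"
}

# ensure_hosts_entry HOSTS_FILE IP : add "<IP> centralnode" if no such line exists yet
ensure_hosts_entry() {
  file=$1; ip=$2
  esc=$(printf '%s' "$ip" | sed 's/\./\\./g')   # escape dots for the regex below
  if grep -Eq "^[[:space:]]*${esc}[[:space:]]+centralnode([[:space:]]|\$)" "$file"; then
    return 0
  fi
  printf '%s centralnode\n' "$ip" >> "$file"
}

# Demo on constructed temporary files (sample content, not taken from a real system)
demo=$(mktemp)
printf 'KAFKA_PORTS=9092,10000\nWEB_PORTS=443,8443\n' > "$demo"
remove_port "$demo" KAFKA_PORTS 10000
add_port "$demo" WEB_PORTS 10000
add_port "$demo" WEB_PORTS 10000        # second call must not duplicate the value
cat "$demo"                             # prints KAFKA_PORTS=9092 and WEB_PORTS=443,8443,10000
hosts=$(mktemp)
printf '127.0.0.1 localhost\n' > "$hosts"
ensure_hosts_entry "$hosts" 192.0.2.10  # 192.0.2.10 is a documentation address, not a real Central Node
ensure_hosts_entry "$hosts" 192.0.2.10
cat "$hosts"                            # the centralnode line appears exactly once
rm -f "$demo" "$hosts"
```

To apply the edits on a Central Node, source the functions and call them against the real paths (/etc/sysconfig/apt-services and /usr/bin/apt-start-sedr-iptables), then restart apt_ipsec.service and run apt-start-sedr-iptables as the procedure describes; get_ports on each file afterwards is a quick check that only the intended value changed.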