Antipova Anna

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

You may need to add a batch of prevention rules to KATA. To speed up the process, we have created a sample script.

Adding more than 1000 prevention rules will require additional PF to improve Web UI performance. Please contact technical support to get this PF.

Adding more than 5000 prevention rules is strongly NOT recommended, as it may result in drastic performance degradation on both the CN and the Endpoint Agent.

Step-by-step guide

Sample script. To run it, you need any machine that meets 2 prerequisites:

  1. sh or bash is installed on the machine
  2. the machine has access to the KATA Web UI

To use the script, place a file with hashes (one hash per line) next to the script, and fill in the variables the script requires:

#Fill in your KATA IP or FQDN address
KATA_IP=""
 
#Default port is 8443
KATA_PORT="8443"
#You need Senior Security Officer account to add preventions
USER="SSO"
PASS=""

To run the script, pass the file with hashes as an argument:

sh add_prev.sh /path/to/file/with/hashes.txt

Once the script has completed, it may take 5-10 minutes for the preventions to appear in the Web UI.
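A pre-flight check for the hash file, added here as an example; it is not part of the original post or of add_prev.sh. It assumes the rules take MD5 or SHA256 hashes, and the function names and the file names in the usage note are hypothetical.

```shell
#!/bin/sh
# Added example: validate and de-duplicate a hash list before passing it to add_prev.sh.
# Assumption: each entry is an MD5 (32 hex chars) or SHA256 (64 hex chars) hash.

WARN_LIMIT=1000   # above this, the post says an additional PF is needed for the Web UI
HARD_LIMIT=5000   # above this, the post warns of drastic performance degradation

# normalize_hashes FILE
# Strip CRs and surrounding whitespace, lowercase hex letters, drop blanks and duplicates.
normalize_hashes() {
    tr -d '\r' < "$1" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | tr 'A-F' 'a-f' | grep -v '^$' | sort -u
}

# check_hash_file FILE
# Prints the cleaned list on stdout and diagnostics on stderr.
# Returns 0 = usable, 1 = empty or malformed entries, 2 = over HARD_LIMIT, 3 = unreadable.
check_hash_file() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 3; }
    clean=$(normalize_hashes "$1")
    bad=$(printf '%s\n' "$clean" | grep -Ev '^([0-9a-f]{32}|[0-9a-f]{64})$' || true)
    if [ -n "$bad" ]; then
        echo "entries that are not MD5/SHA256 hex strings:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    count=$(printf '%s\n' "$clean" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "no hashes found in $1" >&2
        return 1
    fi
    if [ "$count" -gt "$HARD_LIMIT" ]; then
        echo "$count unique hashes: more than $HARD_LIMIT rules is not recommended" >&2
        return 2
    fi
    if [ "$count" -gt "$WARN_LIMIT" ]; then
        echo "warning: $count unique hashes: more than $WARN_LIMIT rules requires the PF" >&2
    fi
    printf '%s\n' "$clean"
}

# Run the check only when a file is given on the command line.
if [ "$#" -gt 0 ]; then
    check_hash_file "$1"
fi
```

For example, `sh check_hashes.sh hashes.txt > hashes.clean.txt`, then pass hashes.clean.txt to add_prev.sh only if the exit status is 0.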

Export user's prevention rules from KATA 4.0/4.1/5.0

1) As root, run:

docker exec -it `docker ps | grep kedr_database_server | awk '{print $1}'` psql -U kluser antiapt -c "select * from agent_prevention_settings;" > /tmp/prevention_rules

2) Then import /tmp/prevention_rules into Excel using Data > From Text/CSV
