
How to integrate KATA with KPSN reputation database [KATA/KEDRE]



Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Scenario:

KATA/EDR CN is integrated with the KPSN server, and you want to enrich the KPSN reputation database with the detections from the sandbox server. You can integrate a KATA Platform Central node with the KPSN reputation database and automatically populate it with information about the files that the sandbox technology finds to be dangerous and highly important.

Pre-requisites:

To configure sending checksums of the files detected by the sandbox technology to KPSN, you will need a certificate of a KPSN user account entitled to use the KPSN API.

Download the certificate (both parts, public and private) of a KPSN user who has permission to use the KPSN API from the user’s profile in the KPSN web console. The KPSN administrator has the required permissions, but a pair of encryption keys of any user allowed to access the KPSN API will do as well.

You can grant API access to the required user in the KPSN Web UI → Users; the API option should be enabled under permissions.
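
Before entering the two downloaded parts in the Central Node settings, it helps to confirm that the certificate and private key belong together and that the certificate has not expired. The script below is an added example, not part of the original post or of any KATA/KPSN tooling; it assumes both files are PEM-encoded and that `openssl` is installed, and the function name `check_pair` and the file names are hypothetical.

```shell
#!/bin/sh
# Pre-flight check of the KPSN API user's certificate and private key.
# Assumptions: both files are PEM-encoded and openssl is installed;
# check_pair and the file names are hypothetical, not KATA/KPSN tooling.

# check_pair CERT KEY: prints a verdict and returns 0 only for a usable pair.
check_pair() {
    cert=$1
    key=$2

    # Both downloaded parts must be present and readable.
    [ -r "$cert" ] || { echo "cannot read certificate: $cert"; return 2; }
    [ -r "$key" ] || { echo "cannot read private key: $key"; return 2; }

    # Derive the public key from each part. "-passin pass:" makes a
    # passphrase-protected key fail immediately instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "not a PEM X.509 certificate: $cert"; return 3; }
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "not an unencrypted PEM private key: $key"; return 3; }

    # The parts belong together only if they carry the same public key.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "certificate and private key do not match"; return 4; }

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired"; return 5; }

    # The key authenticates the API user, so flag group/world-readable copies.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "warning: $key is readable by group or others"
    fi

    echo "pair OK:"
    openssl x509 -in "$cert" -noout -subject -enddate
    return 0
}

# Stand-alone use: sh check_pair.sh user.crt user.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

A non-zero exit code identifies the failed check: 2 for an unreadable file, 3 for a file that does not parse, 4 for a mismatched pair, 5 for an expired certificate.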

To send the sandbox detections to KPSN:

  • In the central node administrator’s console, open Settings | KPSN reputation database and specify:
    • HOST – IP address of the KPSN server where the local KPSN reputation database is stored;
    • TLS Certificate – a certificate for the user authentication in KPSN;
    • TLS encryption key – private encryption key;

There are two or more servers with different roles in a typical KPSN installation. A KPSN server can have several roles. Specify the IP address of the KPSN server that has the Monitoring Service role.


In the Central Node console of a senior security officer, open Settings | KPSN reputation database and select the checkbox Assign the ‘Untrusted’ status to objects.


You can upload a test file to the KATA Central Node for scanning. Once the file is detected by the Sandbox component, the checksum of the detected file is published in the local KPSN reputation database.

The KPSN administrator can manually create records in the KPSN reputation database. A record added by KATA/EDR has the KATA tag in the description. You cannot delete the KATA records, but you can disable them.

The screenshot below shows the sample hashes added to the KPSN reputation database from the KATA server.

[Screenshot: sample hashes added to the KPSN reputation database from the KATA server]
