- Kaspersky Container Security 1.2 Help
- About the Kaspersky Container Security platform
- Solution architecture
- Standard deployment schemes
- Preparing to install the solution
- Solution installation
- Removing the solution
- Updating the solution
- Solution interface
- Licensing the solution
- Data provisioning
- Working with clusters
- View the list of clusters
- Namespaces in the cluster
- Pods in the cluster
- Visualization of cluster resources
- Setting up integration with external image registries
- Working with images from registers
- Integration with CI/CD
- Image scanning in CI/CD processes
- Configuring integration with GitLab CI/CD
- Configuring integration with Jenkins CI/CD
- Configuring integration with TeamCity CI/CD
- Defining the path to container images
- Monitoring the integrity and origin of images
- Running the scanner in SBOM mode
- Getting scan results in JSON or HTML format
- Running the scanner in lite SBOM mode
- Risk handling
- Compliance check
- Configuring and generating reports
- Security policies configuration
- Managing container runtime profiles
- File Threat Protection
- Configuring integration with image signature validators
- Setting up integration with notification outputs
- Configuring LDAP server integration
- Users, roles, and scopes
- Managing users
- About user roles
- Working with system roles
- Displaying list of roles
- About scopes
- Scopes and enforcement of security policies
- Switching between scopes
- Adding users, roles, and scopes
- Resetting password for user accounts
- Changing settings for users, roles, and scopes
- Removing users, roles, and scopes
- Using Kaspersky Container Security OpenAPI
- Security event log
- Exporting events to SIEM systems
- Information about the status of solution components
- Ensuring safety and reliability of components
- Managing the dynamics of data accumulation
- Backing up and restoring data
- Contacting Technical Support
- Sources of information about the application
- Limitations and warnings
- Glossary
- Third party code information
- Trademark notices
Exporting events to SIEM systems
Kaspersky Container Security allows you to send event messages to
Security information and event management is a class of software solution that obtains and analyzes data about security events.
The data about the system events is transmitted as the integration with the SIEM system is configured during the installation of the solution. Event messages are forwarded to the SIEM registration server in the CEF format over TCP or UDP using the provided port (typically port 514). When the solution is deployed, these parameters are specified in the values.yaml configuration file:
CEF_PROTOCOL=tcp
CEF_HOST=<ip address>
CEF_PORT=<port>
The transmitted message consists of the following components:
- The Syslogheader, which specifies the date, time, and host name.
A standard for sending and logging system event messages used for the UNIX and GNU/Linux platforms.
- Prefix and CEF version number.
- Device vendor.
- Solution name.
- Solution version.
- Solution-generated unique event type code.
- Event description.
- Event severity assessment.
- Additional information, such as device IP address, event reason, event result, and event status.
Example of a message forwarded to a SIEM system
The message is sent to the SIEM system as a string that includes all specified message components:
Oct 12 04:16:11 localhost CEF:0|nxlog.org|nxlog|2.7.1243|Executable Code was Detected|Advanced exploit detected|100|src=192.168.255.110 spt=46117 dst=172.25.212.204 dpt=80