Kaspersky Unified Monitoring and Analysis Platform

Preparing Kaspersky Security Center for integration with KUMA

For Kaspersky Security Center and KUMA to be able to interact with each other, complete the following steps:

  • Make sure that Kaspersky Security Center can be reached via UDP from KUMA.
  • Create a user in Kaspersky Security Center with the required permissions.
  • Create Kaspersky Security Center tasks covering all assets in all applications connected to Kaspersky Security Center.
  • Configure Kaspersky Security Center to send events to KUMA. This step is required if you want to receive information about Kaspersky Security Center tasks in KUMA.

In this section

Creating KUMA user in Kaspersky Security Center

Configuring Kaspersky Security Center to send events to KUMA

Creating KUMA tasks in Kaspersky Security Center

[Topic 217952]

Creating KUMA user in Kaspersky Security Center

To create a user in Kaspersky Security Center for KUMA integration:

  1. In the Kaspersky Security Center Administration Console, select the node with the name of the required Administration Server.
  2. In the context menu of the Administration Server, select Properties.
  3. In the Administration Server properties window, select the Security section.
  4. In the Names of groups or users field, click the Internal user button.

    The User selection window opens.

  5. Click the Add user button and add the user.

    Only the user name and password are required. When the user is created, it appears in the User selection window.

  6. Select the user you created and click OK.

    The user will be displayed in the Names of groups or users field.

  7. Select the user and, on the Rights tab of the Permissions for web section of the workspace, configure the KUMA user rights:
    • Receiving information about assets from Kaspersky Security Center: check the Allow check box in the Basic functionality node next to Read permissions.
    • Starting Kaspersky Endpoint Security tasks for Linux: check the Allow check boxes in the Basic functionality node next to Read and Modify permissions.
    • Starting scan tasks in Kaspersky Endpoint Security for Windows: check the Allow check boxes in the Basic functionality and Protection components nodes next to Read and Modify permissions.
    • Starting update tasks in Kaspersky Endpoint Security for Windows: check the Allow check boxes in the Basic functionality and Protection components nodes next to Read and Modify permissions.
  8. Click OK.

The KUMA user is added to Kaspersky Security Center. It can now be used to create a Kaspersky Security Center connection.

[Topic 217790]

Configuring Kaspersky Security Center to send events to KUMA

If you want to see task-related information from Kaspersky Security Center in KUMA, you must configure the export of Kaspersky Security Center events in the CEF format and select the event types to be exported from Kaspersky Security Center.

To export Kaspersky Security Center events to KUMA:

  1. In the Kaspersky Security Center console tree, select the Administration Server whose events you want to export.
  2. In the workspace of the selected Administration Server, click the Events tab.
  3. Click the drop-down arrow next to the Configure notifications and event export link and select Configure export to SIEM system in the drop-down list.
  4. The events properties window opens, displaying the Event export section.
  5. In the Event export section, specify the following export settings:
    1. Select the Automatically export events to SIEM system database check box.
    2. In the SIEM system drop-down list select ArcSight (CEF format).
    3. In the SIEM system server address field, enter the web address of the KUMA collector server that will be used to receive events from Kaspersky Security Center.
    4. In the SIEM system server port field, enter the port where the KUMA collector server will expect Kaspersky Security Center events.
    5. In the Protocol drop-down list select TCP/IP.
  6. Click OK.

Automatic export of Kaspersky Security Center events will be enabled. For more information about exporting events from Kaspersky Security Center to SIEM systems, see Kaspersky Security Center online help.

To select the event types to export for each Kaspersky Security Center policy:

  1. In the console tree of Kaspersky Security Center, select the Policies node.
  2. Right-click to open the context menu of the relevant policy and select Properties.
  3. In the policy properties window that opens, select the Event configuration section.
  4. In the Info tab select the Task started and Task completed event types and click the Properties button.
  5. In the event properties window that appears, select the Export to SIEM system using Syslog check box to enable export for the selected events.
  6. Click OK to save the changes.
  7. In the policy properties window, click OK.

The selected events will be sent to KUMA over the Syslog protocol. For more information about exporting events from Kaspersky Security Center using the Syslog protocol, see Kaspersky Security Center online help.

You must configure a KUMA collector to receive Kaspersky Security Center events. Events from Kaspersky Security Center have the DeviceProduct = SecurityCenter field value, which can be used to search for them in KUMA.

An example collector for receiving Kaspersky Security Center events is included in the KUMA installation package. It is named [Example] KSC. It consists of a connector that listens on TCP port 5141 and, more importantly, the normalizer [Example] KSC, which you can use to process Kaspersky Security Center events in your own collectors.
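When checking what actually arrives on the collector port before relying on the normalizer, a small CEF parser helps confirm that records are well formed and carry DeviceProduct = SecurityCenter. The following is an added example, not part of the Kaspersky documentation or the KUMA package; the sample lines are constructed, and their vendor, version, event class ID and extension values are placeholders.

```python
import re

# CEF header: CEF:Version|DeviceVendor|DeviceProduct|DeviceVersion|
#             DeviceEventClassID|Name|Severity|Extension
HEADER = ("Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
          "DeviceEventClassID", "Name", "Severity")
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")

def parse_cef(line):
    """Parse one CEF record (a syslog prefix is allowed); None if malformed."""
    start = line.find("CEF:")
    if start < 0:
        return None
    body, fields, cur, i = line[start + 4:], [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        c = body[i]
        if c == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])   # escaped pipe or backslash inside a header field
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < len(HEADER):
        return None                   # truncated header: fewer than seven closed fields
    event, ext = dict(zip(HEADER, fields)), body[i:]
    keys, event["ext"] = list(EXT_KEY.finditer(ext)), {}
    for n, m in enumerate(keys):      # a value runs until the next " key=" or end of line
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        event["ext"][m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return event

def filter_ksc(lines, product="SecurityCenter"):
    """Return (parsed events whose DeviceProduct matches, count of all other lines)."""
    events = [e for e in map(parse_cef, lines) if e and e["DeviceProduct"] == product]
    return events, len(lines) - len(events)

# Constructed sample input (placeholder values, not captured from a real server).
SAMPLE = [
    "<134>Jan 10 12:00:01 ksc-host CEF:0|KasperskyLab|SecurityCenter|0.0|EXAMPLE_TASK|Task started|1|dhost=wks-01 msg=KUMA asset virus scan",
    "<134>Jan 10 12:09:44 ksc-host CEF:0|KasperskyLab|SecurityCenter|0.0|EXAMPLE_TASK|Task completed|1|dhost=wks-01 msg=exit code\\=0",
    "<134>Jan 10 12:10:00 other CEF:0|ExampleVendor|Other\\|Product|1.0|100|Login|3|src=192.0.2.10",
    "<134>Jan 10 12:10:05 ksc-host CEF:0|KasperskyLab|SecurityCenter|0.0",  # truncated
]

if __name__ == "__main__":
    events, other = filter_ksc(SAMPLE)
    print([e["Name"] for e in events], "other lines:", other)
```

A non-zero count of other lines on a port dedicated to Kaspersky Security Center is worth investigating: it means something else is writing to the collector or records are being truncated in transit.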

[Topic 217767]

Creating KUMA tasks in Kaspersky Security Center

If you want to start asset-related tasks in Kaspersky Security Center from KUMA, you must create these tasks in Kaspersky Security Center beforehand.

You must create separate tasks for each Kaspersky program that is not compatible with the others. For example, create separate tasks for Linux and Windows products or, if you have both versions 10 and 11 of Kaspersky Endpoint Security for Windows, create separate tasks for each of them. For compatible products, create tasks for the latest version.

If you have several hierarchically linked Kaspersky Security Center Administration Servers, you should create tasks on the main Administration Server only. Otherwise, create tasks on every secondary Kaspersky Security Center Administration Server.

To create a Kaspersky Security Center task:

  1. In the Kaspersky Security Center console tree, select the administration group for which you want to create a task.
  2. In the group workspace, select the Tasks tab.
  3. Run the task creation by clicking the Create a task button.

    The New Task Wizard starts.

  4. Follow the instructions of the Wizard to create the required task.

    The name of the task must begin with "KUMA ". For example, "KUMA asset virus scan".

The created task will be displayed in the Tasks section of the Kaspersky Security Center console tree. These tasks can be started from KUMA.

[Topic 217789]