Kaspersky Next XDR Expert

Configuring receipt of Kaspersky Security Center events from MS SQL

KUMA allows you to receive information about Kaspersky Security Center events from an MS SQL database.

Before configuring, make sure that you have created the KUMA collector for Kaspersky Security Center events from MS SQL.

When creating the collector in the KUMA Console, at the Transport step, select the [OOTB] KSC SQL connector.

To receive Kaspersky Security Center events from the MS SQL database, at the Event parsing step, select the [OOTB] KSC from SQL normalizer.

Configuring event receiving consists of the following steps:

  1. Creating an account in MS SQL.
  2. Configuring the SQL Server Browser service.
  3. Creating a secret.
  4. Configuring a connector.
  5. Installing the collector in the network infrastructure.
  6. Verifying receipt of events from MS SQL in the KUMA collector.

    You can verify that the receipt of events from MS SQL is configured correctly by searching for related events in the KUMA Console.

In this section

Creating an account in the MS SQL database

Configuring the SQL Server Browser service

Creating a secret in KUMA

Configuring a connector

Configuring the KUMA Collector for receiving Kaspersky Security Center events from an MS SQL database

Installing the KUMA Collector for receiving Kaspersky Security Center events from the MS SQL database


Creating an account in the MS SQL database

To receive Kaspersky Security Center events from MS SQL, a user account is required that has the rights necessary to connect and work with the database.

To create an account for working with MS SQL:

  1. Log in to the server with MS SQL for Kaspersky Security Center installed.
  2. Using SQL Server Management Studio, connect to MS SQL using an account with administrator rights.
  3. In the Object Explorer pane, expand the Security section.
  4. Right-click the Logins folder and select New Login from the context menu.

    The Login - New window opens.

  5. On the General tab, click the Search button next to the Login name field.

    The Select User or Group window opens.

  6. In the Enter the object name to select (examples) field, specify the object name and click OK.

    The Select User or Group window closes.

  7. In the Login - New window, on the General tab, select the Windows authentication option.
  8. In the Default database field, select the Kaspersky Security Center database.

    The default Kaspersky Security Center database name is KAV.

  9. On the User Mapping tab, configure the account permissions:
    1. In the Users mapped to this login section, select the Kaspersky Security Center database.
    2. In the Database role membership for section, select the check boxes next to the db_datareader and public permissions.
  10. On the Status tab, configure the permissions for connecting the account to the database:
    • In the Permission to connect to database engine section, select Grant.
    • In the Login section, select Enabled.
  11. Click OK.

    The Login - New window closes.

To check the account permissions:

  1. Run SQL Server Management Studio using the created account.
  2. Go to any table in the MS SQL database and select data from the table.
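
The same login can be created and checked from PowerShell instead of the SQL Server Management Studio windows. This is an added example, not part of the Kaspersky documentation; it assumes the SqlServer PowerShell module is installed and the session runs with MS SQL administrator rights, and the account name TEST\kuma_reader and the server name localhost are placeholders.

```powershell
# Added example: scripted equivalent of the SQL Server Management Studio steps.
# Assumptions (not from the original page): the SqlServer module is installed,
# the session has MS SQL administrator rights, and TEST\kuma_reader and
# localhost are placeholders for your own account and server.
Import-Module SqlServer

$Server = 'localhost'
# sqlcmd scripting variables, substituted for $(Login) and $(Db) in the queries
$Vars = @('Login=TEST\kuma_reader', 'Db=KAV')   # KAV is the default database name

# Steps 4-10: Windows-authenticated login, default database, db_datareader role.
# Membership in the public role is automatic for every database user.
$create = @'
CREATE LOGIN [$(Login)] FROM WINDOWS WITH DEFAULT_DATABASE = [$(Db)];
GRANT CONNECT SQL TO [$(Login)];
ALTER LOGIN [$(Login)] ENABLE;
GO
USE [$(Db)];
CREATE USER [$(Login)] FOR LOGIN [$(Login)];
ALTER ROLE db_datareader ADD MEMBER [$(Login)];
'@
Invoke-Sqlcmd -ServerInstance $Server -Query $create -Variable $Vars

# Permission check: impersonate the new login and confirm that it can read
# but cannot write in the Kaspersky Security Center database.
$check = @'
USE [$(Db)];
EXECUTE AS LOGIN = N'$(Login)';
SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT') AS CanSelect,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'INSERT') AS CanInsert;
REVERT;
'@
$r = Invoke-Sqlcmd -ServerInstance $Server -Query $check -Variable $Vars
if ($r.CanSelect -ne 1 -or $r.CanInsert -ne 0) {
    throw "Unexpected permissions: SELECT=$($r.CanSelect) INSERT=$($r.CanInsert)"
}
'The login can read the database and cannot write to it.'
```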

Configuring the SQL Server Browser service

After creating an account in MS SQL, you must configure the SQL Server Browser service.

To configure the SQL Server Browser service:

  1. Open SQL Server Configuration Manager.
  2. In the left pane, select SQL Server Services.

    A list of services opens.

  3. Open the SQL Server Browser service properties in one of the following ways:
    • Double-click the name of the SQL Server Browser service.
    • Right-click the name of the SQL Server Browser service and select Properties from the context menu.
  4. In the SQL Server Browser Properties window that opens, select the Service tab.
  5. In the Start Mode field, select Automatic.
  6. Select the Log On tab and click the Start button.

    Automatic startup of the SQL Server Browser service is enabled.

  7. Enable and configure the TCP/IP protocol by doing the following:
    1. In the left pane, expand the SQL Server Network Configuration section and select the Protocols for <SQL Server name> subsection.
    2. Right-click the TCP/IP protocol and select Enable from the context menu.
    3. In the Warning window that opens, click OK.
    4. Open the TCP/IP protocol properties in one of the following ways:
      • Double-click the TCP/IP protocol.
      • Right-click the TCP/IP protocol and select Properties from the context menu.
    5. Select the IP Addresses tab, and then in the IPALL section, specify port 1433 in the TCP Port field.
    6. Click Apply to save the changes.
    7. Click OK to close the window.
  8. Restart the SQL Server (<SQL Server name>) service by doing the following:
    1. In the left pane, select SQL Server Services.
    2. In the service list on the right, right-click the SQL Server (<SQL Server name>) service and select Restart from the context menu.
  9. In Windows Defender Firewall with Advanced Security, allow inbound connections on the server on the TCP port 1433.
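
Steps 5, 6 and 9 can also be applied and verified from an elevated PowerShell session on the MS SQL server; enabling the TCP/IP protocol and setting the port (step 7) still takes place in SQL Server Configuration Manager. This is an added example, not part of the Kaspersky documentation; the collector address 192.0.2.10 and the firewall rule name are placeholders, and limiting the rule to the collector address is an added assumption.

```powershell
# Added example: run in an elevated PowerShell session on the MS SQL server.
# Assumption: $CollectorIp is a placeholder for the KUMA collector's address.
$CollectorIp = '192.0.2.10'

# Steps 5-6: automatic startup for the SQL Server Browser service, then start it
Set-Service   -Name 'SQLBrowser' -StartupType Automatic
Start-Service -Name 'SQLBrowser'

# Step 9: inbound rule for TCP port 1433. -RemoteAddress narrows the rule to
# the collector (an added restriction; omit the parameter to allow any source).
New-NetFirewallRule -DisplayName 'MS SQL TCP 1433 for KUMA collector' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $CollectorIp -Action Allow | Out-Null

# Verify the result once the SQL Server service has been restarted (step 8)
$browser  = Get-Service -Name 'SQLBrowser'
$listener = Get-NetTCPConnection -LocalPort 1433 -State Listen -ErrorAction SilentlyContinue
[pscustomobject]@{
    BrowserStatus    = $browser.Status
    BrowserStartType = $browser.StartType
    ListeningOn1433  = [bool]$listener
}
```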


Creating a secret in KUMA

After creating and configuring an account in MS SQL, you must add a secret in the KUMA Console. This resource is used to store credentials for connecting to MS SQL.

To create a KUMA secret:

  1. In the KUMA Console, open the Resources → Secrets section.

    The list of available secrets will be displayed.

  2. Click the Add secret button to create a new secret.

    The secret window is displayed.

  3. Enter information about the secret:
    1. In the Name field, enter a name for the secret.
    2. In the Tenant drop-down list, select the tenant that will own the created resource.
    3. In the Type drop-down list, select urls.
    4. In the URL field, specify a string of the form:

      sqlserver://[<domain>%5C]<username>:<password>@<server>:1433/<database_name>

      where:

      • domain is a domain name.
      • %5C is the domain/user separator. It represents the "\" character in URL format.
      • username is the name of the created MS SQL account.
      • password is the password of the created MS SQL account.
      • server is the name or IP address of the server where the MS SQL database for Kaspersky Security Center is installed.
      • database_name is the name of the Kaspersky Security Center database. The default name is KAV.

      Example:

      sqlserver://test.local%5Cuser:password123@10.0.0.1:1433/KAV

      If the MS SQL database account password contains special characters (@ # $ % & * ! + = [ ] : ' , ? / \ ` ( ) ;), convert them to URL format.

  4. Click Save.

    For security reasons, the string specified in the URL field is hidden after the secret is saved.
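
The URL string can be assembled with every special character already converted to URL format. This is an added example, not part of the Kaspersky documentation; the function names ConvertTo-UrlComponent and New-KumaSqlServerUrl are hypothetical, and the second password is a constructed sample value.

```powershell
# Added example: builds the URL string for the KUMA secret.
# ConvertTo-UrlComponent and New-KumaSqlServerUrl are hypothetical helper names.
function ConvertTo-UrlComponent {
    param([Parameter(Mandatory)][string]$Text)
    $out = [uri]::EscapeDataString($Text)
    # Some .NET versions leave ! * ' ( ) unescaped, so encode them explicitly
    foreach ($c in "!*'()".ToCharArray()) {
        $out = $out.Replace([string]$c, [uri]::HexEscape($c))
    }
    $out
}

function New-KumaSqlServerUrl {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$Server,
        [string]$Domain,
        [string]$Database = 'KAV',   # default Kaspersky Security Center database
        [int]$Port = 1433
    )
    $user = ConvertTo-UrlComponent $UserName
    if ($Domain) {
        # %5C is the encoded "\" between the domain and the user name
        $user = (ConvertTo-UrlComponent $Domain) + '%5C' + $user
    }
    $pass = ConvertTo-UrlComponent $Password
    $db   = ConvertTo-UrlComponent $Database
    'sqlserver://{0}:{1}@{2}:{3}/{4}' -f $user, $pass, $Server, $Port, $db
}

# Values from the example above
New-KumaSqlServerUrl -Domain 'test.local' -UserName 'user' `
    -Password 'password123' -Server '10.0.0.1'

# Constructed password containing special characters from the list above
New-KumaSqlServerUrl -Domain 'test.local' -UserName 'user' `
    -Password 'p@ss:w/rd#1' -Server '10.0.0.1'
```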


Configuring a connector

To connect KUMA to an MS SQL database, you must configure the connector.

To configure a connector:

  1. In the KUMA Console, go to the Resources → Connectors section.
  2. In the list of connectors, find the [OOTB] KSC SQL connector and open it for editing.

    If a connector is not available for editing, copy it and open the connector copy for editing.

    If the [OOTB] KSC SQL connector is not available, contact your system administrator.

  3. On the Basic settings tab, in the URL drop-down lists, select the secret created for connecting to the MS SQL database.
  4. Click Save.


Configuring the KUMA Collector for receiving Kaspersky Security Center events from an MS SQL database

After configuring the event export settings, you must create a collector in the KUMA Console for Kaspersky Security Center events received from MS SQL.

For details on creating a KUMA collector, refer to Creating a collector.

When creating the collector in the KUMA Console, at the Transport step, select the [OOTB] KSC SQL connector.

To receive Kaspersky Security Center events from MS SQL, at the Event parsing step, select the [OOTB] KSC from SQL normalizer.


Installing the KUMA Collector for receiving Kaspersky Security Center events from the MS SQL database

After configuring the collector for receiving Kaspersky Security Center events from MS SQL, install the KUMA collector on the network infrastructure server where you intend to receive events.

For details on installing the KUMA collector, refer to the Installing collector in the network infrastructure section.
