Kaspersky Unified Monitoring and Analysis Platform

Configuring Kaspersky Security Center event receiving in CEF format

KUMA allows you to receive and export events in the CEF format from Kaspersky Security Center Administration Server to KUMA.

Configuring the receipt of Kaspersky Security Center events in the CEF format involves the following steps:

  1. Configuring the forwarding of Kaspersky Security Center events.
  2. Configuring the KUMA Collector.
  3. Installing the KUMA collector in the network infrastructure.
  4. Verifying receipt of Kaspersky Security Center events in the CEF format in the KUMA collector.

    You can verify whether the events from Kaspersky Security Center Administration Server in the CEF format were correctly exported to the KUMA SIEM system by using the KUMA web interface to search for related events.

    To display Kaspersky Security Center events in CEF format in the table, enter the following search expression:

    SELECT * FROM `events` WHERE DeviceProduct = 'KSC' ORDER BY Timestamp DESC LIMIT 250
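The search expression above runs inside the KUMA web interface. As an added example (not code from KUMA or Kaspersky Security Center), the following Python script does the equivalent check offline: it parses ArcSight CEF lines as the Administration Server exports them (header fields split on unescaped `|`, extension key=value pairs with `\=` and `\\` escapes), keeps only events whose DeviceProduct is `KSC`, and orders them newest first, mirroring the `WHERE DeviceProduct = 'KSC' ORDER BY Timestamp DESC LIMIT 250` query. The `receive_cef_lines` helper is an assumption about a useful pre-check (a throwaway TCP listener on the collector port, to confirm the Administration Server can reach the collector host before the real service is installed); it is not a documented KUMA procedure. The sample CEF lines, vendor string, event class IDs and hostnames are constructed for the example; only the DeviceProduct value `KSC` comes from the page.

```python
"""Offline checker for CEF events exported by Kaspersky Security Center.

Added example, not KUMA or KSC code. Parses CEF lines, filters on
DeviceProduct == 'KSC' and sorts newest first, like the KUMA search
expression in the documentation. Sample values below are constructed.
"""
import re
import socket
from typing import Dict, List, Optional

# Header field names follow the CEF specification; part 0 holds "CEF:<version>".
HEADER_FIELDS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Name", "Severity")

# Extension: key=value pairs separated by whitespace; '=' and '\' are escaped with '\'.
_EXT_PAIR = re.compile(r"([A-Za-z0-9_.\-]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.\-]+=|\s*$)")
_EXT_ESC = re.compile(r"\\(.)")


def _split_header(body: str):
    """Split the CEF header on unescaped '|'; return (header parts, extension text)."""
    parts, buf, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            buf.append(body[i + 1])  # '\|' -> '|', '\\' -> '\'
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
            if len(parts) == 7:  # version + six header fields; the rest is the extension
                return parts, body[i + 1:]
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts, ""


def parse_cef(line: str) -> Optional[Dict[str, object]]:
    """Parse one CEF line; returns None for lines that are not well-formed CEF."""
    start = line.find("CEF:")  # tolerate a syslog prefix before the CEF header
    if start < 0:
        return None
    parts, extension = _split_header(line[start:].rstrip("\r\n"))
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        return None
    event: Dict[str, object] = {"CEFVersion": parts[0][4:]}
    event.update(zip(HEADER_FIELDS, parts[1:7]))
    sev = str(event["Severity"])
    event["Severity"] = int(sev) if sev.isdigit() else sev
    for key, raw in _EXT_PAIR.findall(extension):
        event[key] = _EXT_ESC.sub(
            lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)
    rt = event.get("rt")  # CEF receipt time, epoch milliseconds when numeric
    event["Timestamp"] = int(rt) if isinstance(rt, str) and rt.isdigit() else 0
    return event


def select_ksc_events(lines: List[str], limit: int = 250) -> List[Dict[str, object]]:
    """Offline equivalent of:
    SELECT * FROM `events` WHERE DeviceProduct = 'KSC' ORDER BY Timestamp DESC LIMIT 250
    """
    events = [e for e in (parse_cef(l) for l in lines) if e and e["DeviceProduct"] == "KSC"]
    events.sort(key=lambda e: e["Timestamp"], reverse=True)
    return events[:limit]


def receive_cef_lines(port: int, max_lines: int = 10, timeout: float = 30.0) -> List[str]:
    """Hypothetical pre-check: accept one TCP connection on `port` and read up to
    `max_lines` newline-terminated lines, to confirm the Administration Server
    reaches the collector host on the configured port."""
    lines: List[str] = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _ = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as stream:
            for line in stream:
                lines.append(line)
                if len(lines) >= max_lines:
                    break
    return lines


# Constructed sample input: vendor, event IDs, hosts and paths are placeholders.
SAMPLE_LINES = [
    "CEF:0|SampleVendor|KSC|14.2|sample-event-1|Malicious object detected \\| quarantined|8|"
    "rt=1700000002000 dvchost=ws-01 msg=Object name\\=eicar.com path=C:\\\\Temp",
    "CEF:0|SampleVendor|KSC|14.2|sample-event-2|Device status changed|3|rt=1700000001000 dvchost=ws-02",
    "CEF:0|OtherVendor|OtherProduct|1.0|sample-event-3|Unrelated event|2|rt=1700000003000",
    "not a CEF line at all",
]

if __name__ == "__main__":
    for ev in select_ksc_events(SAMPLE_LINES):
        print(ev["Timestamp"], ev["DeviceEventClassID"], ev["Name"])
```

Run the script as-is to see the two KSC events from the constructed sample ordered newest first; to inspect real traffic, call `receive_cef_lines(<port>)` on the host where the collector will be installed (with the same port configured in Kaspersky Security Center) and pass the returned lines to `select_ksc_events`.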

In this section

Configuring export of Kaspersky Security Center events in CEF format

Configuring KUMA collector for collecting Kaspersky Security Center events

Installing KUMA collector for collecting Kaspersky Security Center events

[Topic 241235]

Configuring export of Kaspersky Security Center events in CEF format

Kaspersky Security Center allows you to configure the settings for exporting events in the CEF format to a SIEM system.

The function of exporting Kaspersky Security Center events in the CEF format to SIEM systems is available with Kaspersky Endpoint Security for Business Advanced license or above.

To configure export of events from Kaspersky Security Center Administration Server to the KUMA SIEM system:

  1. In Kaspersky Security Center console tree, select the Administration server node.
  2. In the workspace of the node, select the Events tab.
  3. Click the Configure notifications and event export link and select Configure export to SIEM system from the drop-down list.

    The Properties: Events window opens. By default, the Events export section is displayed.

  4. In the Events export section, select the Automatically export events to SIEM system database check box.
  5. In the SIEM system drop-down list, select ArcSight (CEF format).
  6. In the corresponding fields, specify the address of the KUMA SIEM system server and the port for connecting to the server. Select TCP/IP as the protocol.

    You can click Export archive and specify the starting date from which pre-existing Kaspersky Security Center events are to be exported to the SIEM system database. By default, Kaspersky Security Center exports events starting from the current date.

  7. Click OK.

As a result, the Kaspersky Security Center Administration Server automatically exports all events to the KUMA SIEM system.

Figure: Properties: Events window. Configuring export of Kaspersky Security Center events to the KUMA SIEM system.

[Topic 241236]

Configuring KUMA collector for collecting Kaspersky Security Center events

After configuring the export of events in the CEF format from Kaspersky Security Center Administration Server, configure the collector in the KUMA web interface.

To configure the KUMA Collector for Kaspersky Security Center events:

  1. In the KUMA web interface, select Resources → Collectors.
  2. In the list of collectors, find the collector with the [OOTB] KSC normalizer and open it for editing.
  3. At the Transport step, in the URL field, specify the port to be used by the collector to receive Kaspersky Security Center events.

    The port must match the port specified for the KUMA SIEM system server when configuring event export in Kaspersky Security Center.

  4. At the Event parsing step, make sure that the [OOTB] KSC normalizer is selected.
  5. At the Routing step, make sure that the following destinations are added to the collector resource set:
    • Storage. To send processed events to the storage.
    • Correlator. To send processed events to the correlator.

    If the Storage and Correlator destinations were not added, create them.

  6. On the Setup validation tab, click Create and save service.
  7. Copy the command for installing the KUMA collector that appears.
[Topic 241239]

Installing KUMA collector for collecting Kaspersky Security Center events

After configuring the collector for collecting Kaspersky Security Center events in the CEF format, install the KUMA collector on the network infrastructure server intended for receiving events.

For details on installing the KUMA collector, refer to the Installing collector in the network infrastructure section.

[Topic 241240]