Kaspersky Endpoint Agent

Enabling integration with a SIEM system

November 17, 2023

ID 265772

To enable integration with Kaspersky Industrial CyberSecurity for Networks:

  1. Do one of the following:
    • To configure the SIEM integration settings for a group of protected devices, open the application policy properties window.
    • To configure the SIEM integration settings for an individual protected device, open the application settings for the device.
  2. In the Telemetry collection servers section, select SIEM integration.

    The SIEM integration window opens.

  3. In the Connection settings section, use the corresponding check box to enable integration with a SIEM system.
  4. In the List of SIEM servers settings block, add the settings for connecting to one or more SIEM servers:
    a. Click the Add button.

      The Parameters of SIEM server window opens.

    b. In the corresponding field, enter the domain name or IP address of the SIEM server.
    c. In the Port field, enter the port for connecting to the SIEM server.
    d. In the Protocol drop-down list, select the protocol used for data transfer between Kaspersky Endpoint Agent and the SIEM server.
    e. Click Add.

      The settings for connecting to the SIEM server will be displayed in the List of SIEM servers settings block.

    f. If necessary, repeat steps a – e to add settings for connecting to other SIEM servers.

    Kaspersky Endpoint Agent connects to the first SIEM server in the list. If the connection does not succeed, Kaspersky Endpoint Agent connects to the second SIEM server and so on down the list.

  5. In the upper right corner of the settings group, change the switch from Undefined to Enforce.

    The default switch position is Enforce.

  6. Click OK.

Integration with SIEM will be enabled immediately after the policy is applied.
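The first-to-last connection order described in step 4 can be checked before the policy is applied. The script below is an added example, not Kaspersky code: it probes each server in list order and reports which entry would end up receiving events. It assumes the selected protocol is TCP and that a plain TCP connect approximates the agent's connection attempt. The host names and ports are constructed placeholders.

```python
import socket
from typing import List, Optional, Tuple

Server = Tuple[str, int]  # (host, port), in the same order as the List of SIEM servers


def probe(server: Server, timeout: float = 3.0) -> Optional[str]:
    """Return None if a TCP connection succeeds, otherwise the error text."""
    host, port = server
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as exc:  # refused, timed out, DNS failure, unreachable
        return f"{type(exc).__name__}: {exc}"


def walk_failover_list(servers: List[Server], timeout: float = 3.0):
    """Probe every entry in list order.

    Returns (active_index, results): active_index is the first reachable
    entry (the one a first-to-last failover would settle on) or None;
    results holds (server, error_or_None) for every entry.
    """
    results = [(s, probe(s, timeout)) for s in servers]
    active = next((i for i, (_, err) in enumerate(results) if err is None), None)
    return active, results


def report(servers: List[Server], timeout: float = 3.0) -> List[str]:
    """Build a readable summary, flagging a dead primary or a fully dead list."""
    active, results = walk_failover_list(servers, timeout)
    lines = []
    for i, ((host, port), err) in enumerate(results):
        state = "reachable" if err is None else f"UNREACHABLE ({err})"
        mark = " <- would be used" if i == active else ""
        lines.append(f"{i + 1}. {host}:{port} {state}{mark}")
    if active is None:
        lines.append("No SIEM server reachable: telemetry would have no destination.")
    elif active > 0:
        lines.append("Primary is down: events would go to a fallback server.")
    return lines


if __name__ == "__main__":
    # Constructed sample list; replace with the entries from the policy.
    sample = [("siem1.example.internal", 514), ("siem2.example.internal", 514)]
    print("\n".join(report(sample, timeout=1.0)))
```

Run it from a host on the same network segment as the protected devices, so that firewall rules between the agents and the SIEM servers are exercised as well.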

See also

Integration with a SIEM system
