Kaspersky Endpoint Agent

Enabling integration with a SIEM system

November 17, 2023

ID 265771

To enable integration with a SIEM system:

  1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
  2. Select the administration group for which you want to configure application settings.
  3. Perform one of the following actions in the details pane of the selected administration group:
    • To configure application settings for a group of protected devices, select the Policies tab and open the Properties: <Policy name> window.
    • To configure the settings of a task or application for an individual protected device, select the Devices tab and go to the settings of a local task or the application settings.
  4. In the Telemetry collection servers section, select the SIEM integration subsection.
  5. In the Connection settings section, use the corresponding check box to enable integration with a SIEM system.
  6. In the List of SIEM servers settings block, add the settings for connecting to one or more SIEM servers:
    a. Click the Add button.

      The Server properties window will open.

    b. In the corresponding field, enter the domain name or IP address of the SIEM server.
    c. In the Port field, enter the port for connecting to the SIEM server.
    d. In the Protocol drop-down list, select the protocol used for data transfer between Kaspersky Endpoint Agent and the SIEM server.
    e. Click Add.

      The settings for connecting to the SIEM server will be displayed in the List of SIEM servers settings block.

    f. If necessary, repeat steps a – e to add settings for connecting to other SIEM servers.

    Kaspersky Endpoint Agent connects to the first SIEM server in the list. If the connection does not succeed, Kaspersky Endpoint Agent connects to the second SIEM server and so on down the list.

  7. In the upper right corner of the settings group, change the switch from Policy not enforced to Under policy.
  8. Click OK.

Integration with SIEM will be enabled immediately after the policy is applied.
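Because Kaspersky Endpoint Agent falls through the list in order, an unreachable first entry silently shifts telemetry to a later server. The following pre-flight check is an added example, not part of the product or its documentation: it probes each entry in list order and reports which one would be selected. It assumes TCP transport; the host names, ports and function names are constructed placeholders.

```python
import socket

# Constructed sample list, in the same order as the "List of SIEM servers"
# block. Host names and ports are placeholders, not values from the product.
SIEM_SERVERS = [
    ("siem-primary.example.internal", 514),
    ("siem-secondary.example.internal", 514),
]


def probe(host, port, timeout=3.0):
    """Return (reachable, detail) for one TCP connection attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:
        return False, f"name resolution failed: {exc}"
    except OSError as exc:  # refused, timed out, unreachable, filtered
        return False, f"connect failed: {exc}"


def check_failover_order(servers, timeout=3.0):
    """Probe every server in list order and report which one would be used.

    Assumes TCP transport. Returns (index of first reachable or None, rows).
    """
    rows, selected = [], None
    for index, (host, port) in enumerate(servers):
        ok, detail = probe(host, port, timeout)
        if ok and selected is None:
            selected = index  # first entry that accepts a connection
        rows.append({"position": index + 1, "host": host, "port": port,
                     "reachable": ok, "detail": detail})
    return selected, rows


if __name__ == "__main__":
    selected, rows = check_failover_order(SIEM_SERVERS)
    for row in rows:
        state = "OK  " if row["reachable"] else "FAIL"
        print(f'{row["position"]}. {state} {row["host"]}:{row["port"]} ({row["detail"]})')
    if selected is None:
        print("No SIEM server reachable: telemetry would not be delivered.")
    elif selected > 0:
        print(f"Primary unreachable: events would go to entry {selected + 1}.")
```

Run it from a protected device rather than from the Administration Server, so the result reflects the network path the agent itself will use.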

See also

Integration with a SIEM system
