Tenants settings

Kaspersky CyberTrace supports a multi-tenant architecture that allows you to manage tenants. A tenant is a client-specific set of configuration parameters. Tenants are especially useful if you are a Managed Security Service Provider, to help you differentiate your customers within a single Kaspersky CyberTrace instance.

This feature can be disabled due to restrictions imposed by the licensing level.

By default, Kaspersky CyberTrace uses a General tenant that provides the overall settings. You can create or edit the tenants in Kaspersky CyberTrace Web on the Settings → Tenants page. To access this page, you need to switch to the System management mode. This mode is accessible only to users with the Administrator role.

On the Tenants page, you can view information about the tenants that are used in Kaspersky CyberTrace and perform the following actions:

• Add a new tenant
• Go to the settings of a tenant
• Delete a tenant

Among other settings, you must select the SIEM system with which the tenant is to be integrated. Kaspersky CyberTrace uses a number of preset settings for each SIEM, such as settings for parsing events and event format settings (for detection and service alerts).

The following SIEM systems are supported:

• Kaspersky Unified Monitoring and Analysis Platform
• Splunk
• ArcSight
• QRadar
• RSA NetWitness
• LogRhythm

Adding a tenant

To add a tenant:

1. Click the Add tenant button.

   The Add tenant window opens.

2. Specify a name for the tenant in the Tenant name field.

   The tenant name must be 1 to 64 characters long. It can contain Latin letters, digits, special characters (" ', . @ # $ % & * № / \), or space characters.

   You cannot change the name of the General tenant.

3. Specify a description for this tenant in the Description field.

   The tenant description must be 0 to 2048 characters long. It can contain Latin letters, digits, special characters (" ', . @ # $ % & * № / \), space characters, or line breaks.

4. Select the SIEM system with which you want to integrate the tenant.

   You can select a SIEM system supported by Kaspersky CyberTrace or a custom one (a non-supported SIEM).

   This SIEM system will be used in the tenant for sending events to Kaspersky CyberTrace.

   Depending on the selected SIEM system, Kaspersky CyberTrace will specify the sets of regular expressions, detection alerts formats, and service alerts formats that are used in integration with this SIEM system.

5. Under Tenant EPS limit, configure the events per second (EPS) limit of the tenant:
   1. Enable the toggle switch.
   2. In EPS limit, enter the required EPS limit value.

   When the EPS value is close to the threshold, a warning is displayed in the web interface, and generates a warning alert. When the limit is exceeded within a tenant, the traffic for this tenant is dropped in excess of the limit, a warning is also displayed, and generates a warning alert. If the tenant EPS is not limited, this may affect other tenants (if any).

6. Under Incoming events, define the parameters of the socket specific for the tenant that Kaspersky CyberTrace will use to listen to incoming events:
   1. Select the type of connection that you want to use: IP address and port or UNIX socket.
   2. Depending on the type of connection, do one of the following:
      • In the IP address and Port fields, specify an IP address and port.
      • In the UNIX socket field, specify a UNIX™ socket.
7. Under Detection alerts, specify an IP address and port specific for the tenant that Kaspersky CyberTrace will use for outgoing alerts about detections.
8. Click Save.

The new tenant appears in the list of tenants.

Editing a tenant

After you create a tenant, you can edit its settings, including those settings that you did not define during the creation.

To edit a tenant,

Next to the tenant that you want to edit, click Go to the settings, and then select the required menu item:

• General

  On the Settings → General page of the Data management mode that opens, you can edit the general settings of the tenant.

• Feeds

  On the Settings → Feeds page of the Data management mode that opens, you can edit the feeds to which the tenant has access.

• Event sources

  On the Settings → Event sources page of the Data management mode that opens, you can edit the event sources to which the tenant has access.

• Service alerts

  On the Settings → Service alerts page of the Data management mode that opens, you can edit settings of service alerts that inform another software (for example, the SIEM system) about the status of the tenant.

• Detections

  On the Settings → Detections page of the Data management mode that opens, you can edit settings of storing detection alerts for further analysis and investigation.

Deleting a tenant

You cannot delete the General tenant.

To delete a tenant:

1. In the list of tenants, click the (Delete) button next to the tenant that you want to delete.
2. In the confirmation window that opens, click the Delete button.

The deleted tenant disappears from the list of tenants.

Page top