Kaspersky Security Center 14.2 Windows
- Kaspersky Security Center 14.2 Help
- What's new
- Kaspersky Security Center 14.2
- About Kaspersky Security Center
- Hardware and software requirements
- Compatible Kaspersky applications and solutions
- Licenses and features of Kaspersky Security Center 14.2
- About compatibility of Administration Server and Kaspersky Security Center Web Console
- Comparison of Kaspersky Security Center: Windows-based vs. Linux-based
- About Kaspersky Security Center Cloud Console
- Basic concepts
- Administration Server
- Hierarchy of Administration Servers
- Virtual Administration Server
- Mobile Device Server
- Web Server
- Network Agent
- Administration groups
- Managed device
- Unassigned device
- Administrator's workstation
- Management plug-in
- Management web plug-in
- Policies
- Policy profiles
- Tasks
- Task scope
- How local application settings relate to policies
- Distribution point
- Connection gateway
- Architecture
- Main installation scenario
- Ports used by Kaspersky Security Center
- Certificates for work with Kaspersky Security Center
- About Kaspersky Security Center certificates
- About Administration Server certificate
- Requirements for custom certificates used in Kaspersky Security Center
- Scenario: Specifying the custom Administration Server certificate
- Replacing the Administration Server certificate by using the klsetsrvcert utility
- Connecting Network Agents to Administration Server by using the klmover utility
- Reissuing the Web Server certificate
- Schemas for data traffic and port usage
- Administration Server and managed devices on LAN
- Primary Administration Server on LAN and two secondary Administration Servers
- Administration Server on LAN, managed devices on internet, reverse proxy in use
- Administration Server on LAN, managed devices on internet, connection gateway in use
- Administration Server in DMZ, managed devices on internet
- Interaction of Kaspersky Security Center components and security applications: more information
- Conventions used in interaction schemas
- Administration Server and DBMS
- Administration Server and Administration Console
- Administration Server and client device: Managing the security application
- Upgrading software on a client device through a distribution point
- Hierarchy of Administration Servers: primary Administration Server and secondary Administration Server
- Hierarchy of Administration Servers with a secondary Administration Server in DMZ
- Administration Server, a connection gateway in a network segment, and a client device
- Administration Server and two devices in DMZ: a connection gateway and a client device
- Administration Server and Kaspersky Security Center Web Console
- Activating and managing the security application on a mobile device
- Deployment best practices
- Hardening Guide
- Preparation for deployment
- Planning Kaspersky Security Center deployment
- Typical schemes of protection system deployment
- About planning Kaspersky Security Center deployment in an organization's network
- Selecting a structure for protection of an enterprise
- Standard configurations of Kaspersky Security Center
- Selecting a DBMS
- Configuring the MariaDB x64 server for working with Kaspersky Security Center 14.2
- Configuring the MySQL x64 server for working with Kaspersky Security Center 14.2
- Configuring the PostgreSQL or Postgres Pro server for working with Kaspersky Security Center 14.2
- Managing mobile devices with Kaspersky Endpoint Security for Android
- Providing internet access to Administration Server
- About distribution points
- Increasing the limit of file descriptors for the klnagent service
- Calculating the number and configuration of distribution points
- Hierarchy of Administration Servers
- Virtual Administration Servers
- Information about limitations of Kaspersky Security Center
- Network load
- Preparing to mobile device management
- Information about Administration Server performance
- Network settings for interaction with external services
- Planning Kaspersky Security Center deployment
- Deploying Network Agent and the security application
- Initial deployment
- Configuring installers
- Installation packages
- MSI properties and transform files
- Deployment with third-party tools for remote installation of applications
- About remote installation tasks in Kaspersky Security Center
- Deployment by capturing and copying the image of a device
- Incorrect copying of a hard drive image
- Deployment using group policies of Microsoft Windows
- Forced deployment through the remote installation task of Kaspersky Security Center
- Running stand-alone packages created by Kaspersky Security Center
- Options for manual installation of applications
- Creating an MST file
- Remote installation of applications on devices with Network Agent installed
- Managing device restarts in the remote installation task
- Suitability of databases updating in an installation package of a security application
- Using tools for remote installation of applications in Kaspersky Security Center for running relevant executable files on managed devices
- Monitoring the deployment
- Configuring installers
- Virtual infrastructure
- Support of file system rollback for devices with Network Agent
- Local installation of applications
- Local installation of Network Agent
- Installing Network Agent in silent mode
- Installing Network Agent for Linux in silent mode (with an answer file)
- Installing Network Agent for Linux in interactive mode
- Preparing a device running Astra Linux in the closed software environment mode for installation of Network Agent
- Local installation of the application management plug-in
- Installing applications in silent mode
- Installing applications by using stand-alone packages
- Network Agent installation package settings
- Viewing the Privacy Policy
- Initial deployment
- Deploying mobile device management systems
- Deploying a system for management via Exchange ActiveSync protocol
- Deploying a system for management using iOS MDM protocol
- Installing iOS MDM Server
- Installing iOS MDM Server in silent mode
- iOS MDM Server deployment scenarios
- Simplified deployment scheme
- Deployment scheme involving Kerberos constrained delegation (KCD)
- Receiving an APNs certificate
- Renewing an APNs certificate
- Configuring a reserve iOS MDM Server certificate
- Installing an APNs certificate on an iOS MDM Server
- Configuring access to Apple Push Notification service
- Issuing and installing a shared certificate on a mobile device
- Adding a KES device to the list of managed devices
- Connecting KES devices to the Administration Server
- Integration with Public Key Infrastructure
- Kaspersky Security Center Web Server
- Installation of Kaspersky Security Center
- Preparing for installation
- Accounts for work with the DBMS
- Scenario: Authenticating Microsoft SQL Server
- Recommendations on Administration Server installation
- Creating accounts for the Administration Server services on a failover cluster
- Defining a shared folder
- Remote installation with Administration Server tools through Active Directory group policies
- Remote installation through delivery of the UNC path to a stand-alone package
- Updating from the Administration Server shared folder
- Installing images of operating systems
- Specifying the address of the Administration Server
- Standard installation
- Step 1. Reviewing the License Agreement and Privacy Policy
- Step 2. Selecting an installation method
- Step 3. Installing Kaspersky Security Center Web Console
- Step 4. Selecting network size
- Step 5. Selecting a database
- Step 6. Configuring the SQL Server
- Step 7. Selecting an authentication mode
- Step 8. Unpacking and installing files on the hard drive
- Custom installation
- Step 1. Reviewing the License Agreement and Privacy Policy
- Step 2. Selecting an installation method
- Step 3. Selecting the components to be installed
- Step 4. Installing Kaspersky Security Center Web Console
- Step 5. Selecting network size
- Step 6. Selecting a database
- Step 7. Configuring the SQL Server
- Step 8. Selecting an authentication mode
- Step 9. Selecting the account to start Administration Server
- Step 10. Selecting the account for running the Kaspersky Security Center services
- Step 11. Selecting a shared folder
- Step 12. Configuring the connection to Administration Server
- Step 13. Defining the Administration Server address
- Step 14. Administration Server address for connection of mobile devices
- Step 15. Selecting application management plug-ins
- Step 16. Unpacking and installing files on the hard drive
- Deployment of the Kaspersky Security Center failover cluster
- Scenario: Deployment of a Kaspersky Security Center failover cluster
- About the Kaspersky Security Center failover cluster
- Preparing a file server for a Kaspersky Security Center failover cluster
- Preparing nodes for a Kaspersky Security Center failover cluster
- Installing Kaspersky Security Center on the Kaspersky Security Center failover cluster nodes
- Starting and stopping cluster nodes manually
- Installing Administration Server on a Windows Server failover cluster
- Step 1. Reviewing the License Agreement and Privacy Policy
- Step 2. Selecting the type of installation on a cluster
- Step 3. Specifying the name of the virtual Administration Server
- Step 4. Specifying the network details of the virtual Administration Server
- Step 5. Specifying a cluster group
- Step 6. Selecting a cluster data storage
- Step 7. Specifying an account for remote installation
- Step 8. Selecting the components to be installed
- Step 9. Selecting network size
- Step 10. Selecting a database
- Step 11. Configuring the SQL Server
- Step 12. Selecting an authentication mode
- Step 13. Selecting the account to start Administration Server
- Step 14. Selecting the account for running the Kaspersky Security Center services
- Step 15. Selecting a shared folder
- Step 16. Configuring the connection to Administration Server
- Step 17. Defining the Administration Server address
- Step 18. Administration Server address for connection of mobile devices
- Step 19. Unpacking and installing files on the hard drive
- Installing Administration Server in silent mode
- Installing Administration Console on the administrator's workstation
- Changes in the system after Kaspersky Security Center installation
- Removing the application
- About upgrading Kaspersky Security Center
- Initial setup of Kaspersky Security Center
- Hardening Guide
- Administration Server quick start wizard
- About quick start wizard
- Starting Administration Server quick start wizard
- Step 1. Configuring a proxy server
- Step 2. Selecting the application activation method
- Step 3. Selecting the protection areas and operating systems
- Step 4. Selecting plug-ins for managed applications
- Step 5. Downloading distribution packages and creating installation packages
- Step 6. Configuring Kaspersky Security Network usage
- Step 7. Configuring email notifications
- Step 8. Configuring update management
- Step 9. Creating an initial protection configuration
- Step 10. Connecting mobile devices
- Step 11. Downloading updates
- Step 12. Device discovery
- Step 13. Closing the quick start wizard
- Configuring the connection of Administration Console to Administration Server
- Configuring the internet access settings for Administration Server
- Connecting out-of-office devices
- Scenario: Connecting out-of-office devices through a connection gateway
- Scenario: Connecting out-of-office devices through a secondary Administration Server in DMZ
- About connecting out-of-office devices
- Connecting external desktop computers to Administration Server
- About connection profiles for out-of-office users
- Creating a connection profile for out-of-office users
- About switching Network Agent to other Administration Servers
- Creating a Network Agent switching rule by network location
- Encrypt communication with TLS
- Notifications of events
- Configuring the interface
- Discovering networked devices
- Scenario: Discovering networked devices
- Unassigned devices
- Device discovery
- Working with Windows domains. Viewing and changing the domain settings
- Configuring retention rules for unassigned devices
- Working with IP ranges
- Working with the Active Directory groups. Viewing and modifying group settings
- Creating rules for moving devices to administration groups automatically
- Using VDI dynamic mode on client devices
- Equipment inventory
- Licensing
- Kaspersky applications. Centralized deployment
- Replacing third-party security applications
- Installing applications using a remote installation task
- Installing applications using Remote installation wizard
- Viewing a protection deployment report
- Working with the management plug-ins
- Remote removal of applications
- Working with installation packages
- Creating an installation package
- Creating stand-alone installation packages
- Creating custom installation packages
- Viewing and editing properties of custom installation packages
- Obtaining the Network Agent installation package from the Kaspersky Security Center distribution kit
- Distributing installation packages to secondary Administration Servers
- Distributing installation packages through distribution points
- Transferring application installation results to Kaspersky Security Center
- Defining the KSN proxy server address for installation packages
- Receiving up-to-date versions of applications
- Preparing a Windows device for remote installation
- Preparing a Linux device and installing Network Agent on a Linux device remotely
- Preparing a macOS device for remote installation of Network Agent
- Kaspersky applications: licensing and activation
- Licensing of managed applications
- Viewing information about license keys in use
- Adding a license key to the Administration Server repository
- Adding an Administration Server license key
- Deleting an Administration Server license key
- Deploying a license key to client devices
- Automatic distribution of a license key
- Creating and viewing a license key usage report
- Viewing information about the application license keys
- Exporting a license key file
- Configuring network protection
- Scenario: Configuring network protection
- Policy setup and propagation: Device-centric approach
- About device-centric and user-centric security management approaches
- Manual setup of the Kaspersky Endpoint Security policy
- Manual setup of the group update task for Kaspersky Endpoint Security
- Manual setup of the group task for scanning a device with Kaspersky Endpoint Security
- Scheduling the Find vulnerabilities and required updates task
- Manual setup of the group task for updates installation and vulnerabilities fix
- Setting the maximum number of events in the event repository
- Setting the maximum storage period for the information about fixed vulnerabilities
- Managing tasks
- Creating a task
- Creating the Administration Server task
- Creating a task for specific devices
- Creating a local task
- Displaying an inherited group task in the workspace of a nested group
- Automatically turning on devices before starting a task
- Automatically turning off a device after a task is completed
- Limiting task run time
- Exporting a task
- Importing a task
- Converting tasks
- Starting and stopping a task manually
- Pausing and resuming a task manually
- Monitoring task execution
- Viewing task run results stored on the Administration Server
- Configuring filtering of information about task run results
- Modifying a task. Rolling back changes
- Comparing tasks
- Accounts to start tasks
- Exporting task execution history
- Change tasks password wizard
- Creating a hierarchy of administration groups subordinate to a virtual Administration Server
- Policies and policy profiles
- Hierarchy of policies, using policy profiles
- Managing policies
- Creating a policy
- Displaying inherited policy in a subgroup
- Activating a policy
- Activating a policy automatically at the Virus outbreak event
- Applying an out-of-office policy
- Modifying a policy. Rolling back changes
- Viewing the policy distribution status chart
- Comparing policies
- Deleting a policy
- Copying a policy
- Exporting a policy
- Importing a policy
- Converting policies
- Managing policy profiles
- Device moving rules
- Cloning device moving rules
- Software categorization
- Prerequisites for installing applications on devices of a client organization
- Viewing and editing local application settings
- Updating Kaspersky Security Center and managed applications
- Scenario: Regular updating Kaspersky databases and applications
- About updating Kaspersky databases, software modules, and applications
- About using diff files for updating Kaspersky databases and software modules
- Enabling the Downloading diff files feature
- Creating the task for downloading updates to the repository of the Administration Server
- Creating the Download updates to the repositories of distribution points task
- Configuring the Download updates to the repository of the Administration Server task
- Verifying downloaded updates
- Configuring test policies and auxiliary tasks
- Viewing downloaded updates
- Automatic installation of Kaspersky Endpoint Security updates on devices
- Offline model of update download
- Enabling and disabling the offline model of update download
- Automatic updating and patching for Kaspersky Security Center components
- Enabling and disabling automatic updating and patching for Kaspersky Security Center components
- Automatic distribution of updates
- Distributing updates to client devices automatically
- Distributing updates to secondary Administration Servers automatically
- Assigning distribution points automatically
- Assigning a device a distribution point manually
- Removing a device from the list of distribution points
- Downloading updates by distribution points
- Deleting software updates from the repository
- Patch installation for a Kaspersky application in cluster mode
- Managing third-party applications on client devices
- Installing third-party software updates
- Scenario: Updating third-party software
- Viewing information about available updates for third-party applications
- Approving and declining software updates
- Synchronizing updates from Windows Update with Administration Server
- Installing updates on devices manually
- Configuring Windows updates in a Network Agent policy
- Fixing third-party software vulnerabilities
- Scenario: Finding and fixing third-party software vulnerabilities
- About finding and fixing software vulnerabilities
- Viewing information about software vulnerabilities
- Viewing statistics of vulnerabilities on managed devices
- Scanning applications for vulnerabilities
- Fixing vulnerabilities in applications
- Fixing vulnerabilities in an isolated network
- Scenario: Fixing third-party software vulnerabilities in an isolated network
- About fixing third-party software vulnerabilities in an isolated network
- Configuring the Administration Server with internet access to fix vulnerabilities in an isolated network
- Configuring isolated Administration Servers to fix vulnerabilities in an isolated network
- Transmitting patches and installing updates in an isolated network
- Disabling the option to transmit patches and install updates in an isolated network
- Ignoring software vulnerabilities
- Selecting user fixes for vulnerabilities in third-party software
- Rules for update installation
- Groups of applications
- Obtaining and viewing a list of executable files stored on client devices
- Using Application Control to manage executable files
- Creating application categories for Kaspersky Endpoint Security for Windows policies
- Creating an application category with content added manually
- Creating an application category that includes executable files from selected devices
- Creating an application category that includes executable files from a specific folder
- Adding event-related executable files to the application category
- Configuring application startup management on client devices
- Viewing the results of static analysis of startup rules applied to executable files
- Viewing the applications registry
- Changing the software inventory start time
- About license key management of third-party applications
- Creating licensed applications groups
- Managing license keys for licensed applications groups
- Inventory of executable files
- Viewing information about executable files
- Installing third-party software updates
- Monitoring and reporting
- Scenario: Monitoring and reporting
- Monitoring traffic lights and logged events in Administration Console
- Working with reports, statistics, and notifications
- Working with reports
- Managing statistics
- Configuring event notification
- Creating a certificate for an SMTP server
- Event selections
- Device selections
- Monitoring of applications installation and uninstallation
- Events of Kaspersky Security Center components
- Blocking frequent events
- Controlling changes in the status of virtual machines
- Monitoring the anti-virus protection status using information from the system registry
- Viewing and configuring the actions when devices show inactivity
- Disabling Kaspersky announcements
- Adjustment of distribution points and connection gateways
- Standard configuration of distribution points: Single office
- Standard configuration of distribution points: Multiple small remote offices
- Assigning a managed device to act as a distribution point
- Connecting a Linux device as a gateway in the demilitarized zone
- Connecting a Linux device to the Administration Server via a connection gateway
- Adding a connection gateway in the DMZ as a distribution point
- Assigning distribution points automatically
- About local installation of Network Agent on a device selected as distribution point
- About using a distribution point as connection gateway
- Adding IP ranges to the list of ranges polled by a distribution point
- Using a distribution point as a push server
- Other routine work
- Managing Administration Servers
- Creating a hierarchy of Administration Servers: adding a secondary Administration Server
- Connecting to an Administration Server and switching between Administration Servers
- Conditions of connection to an Administration Server over the internet
- Encrypted connection to an Administration Server
- Configuring an allowlist of IP addresses to connect to Administration Server
- Using the klscflag utility to close port 13291
- Disconnecting from an Administration Server
- Adding an Administration Server to the console tree
- Removing an Administration Server from the console tree
- Adding a virtual Administration Server to the console tree
- Changing an Administration Server service account. Utility tool klsrvswch
- Changing DBMS credentials
- Resolving issues with Administration Server nodes
- Viewing and modifying the settings of an Administration Server
- Adjusting the general settings of Administration Server
- Administration Console interface settings
- Event processing and storage on the Administration Server
- Viewing log of connections to the Administration Server
- Control of virus outbreaks
- Limiting traffic
- Configuring Web Server
- Working with internal users
- Backup and restoration of Administration Server settings
- Backup copying and restoration of Administration Server data
- Backup of Administration Server data task
- Data backup and recovery utility (klbackup)
- Data backup and recovery in interactive mode
- Data backup and recovery in silent mode
- Using the klbackup utility to switch managed devices under management of another Administration Server
- Backup and restoring Administration Server data when using MySQL or MariaDB
- Migration to Kaspersky Security Center Linux by using Administration Server data backup
- Moving Administration Server to another device
- Avoiding conflicts between multiple Administration Servers
- Two-step verification
- About two-step verification
- Scenario: configuring two-step verification for all users
- Enabling two-step verification for your own account
- Enabling two-step verification for all users
- Disabling two-step verification for a user account
- Disabling required two-step verification for all users
- Excluding accounts from two-step verification
- Editing the name of a security code issuer
- Configuring two-step verification for your own account
- Changing the Administration Server shared folder
- Managing administration groups
- Managing client devices
- Connecting client devices to the Administration Server
- Manually connecting a client device to the Administration Server. Klmover utility
- Tunneling the connection between a client device and the Administration Server
- Remotely connecting to the desktop of a client device
- Connecting to devices through Windows Desktop Sharing
- Configuring the restart of a client device
- Auditing actions on a remote client device
- Checking the connection between a client device and the Administration Server
- Identifying client devices on the Administration Server
- Moving devices to an administration group
- Changing the Administration Server for client devices
- Moving devices connected to Administration Server through connection gateways to another Administration Server
- Clusters and server arrays
- Turning on, turning off, and restarting client devices remotely
- About the usage of the continuous connection between a managed device and the Administration Server
- About forced synchronization
- About connection schedule
- Sending messages to device users
- Managing Kaspersky Security for Virtualization
- Configuring the switching of device statuses
- Tagging devices and viewing assigned tags
- Remote diagnostics of client devices. Kaspersky Security Center remote diagnostics utility
- Connecting the remote diagnostics utility to a client device
- Generating a dump file for an application
- Enabling and disabling tracing, downloading the trace file
- Downloading application settings
- Downloading event logs
- Downloading multiple diagnostic information items
- Starting diagnostics and downloading the results
- Starting, stopping, and restarting applications
- UEFI protection devices
- Settings of a managed device
- General policy settings
- Network Agent policy settings
- Managing user accounts
- Working with user accounts
- Adding an account of an internal user
- Editing an account of an internal user
- Changing the number of allowed password entry attempts
- Configuring the check of the name of an internal user for uniqueness
- Adding a security group
- Adding a user to a group
- Configuring access rights to application features. Role-based access control
- Assigning the user as a device owner
- Delivering messages to users
- Viewing the list of user mobile devices
- Installing a certificate for a user
- Viewing the list of certificates issued to a user
- About the administrator of a virtual Administration Server
- Remote installation of operating systems and applications
- Creating images of operating systems
- Installing images of operating systems
- Configuring the KSN proxy server address
- Adding drivers for Windows Preinstallation Environment (WinPE)
- Adding drivers to an installation package with an operating system image
- Configuring sysprep.exe utility
- Deploying operating systems on new networked devices
- Deploying operating systems on client devices
- Creating installation packages of applications
- Issuing a certificate for installation packages of applications
- Installing applications on client devices
- Managing object revisions
- Deletion of objects
- Mobile Device Management
- Scenario: Mobile Device Management deployment
- About group policy for managing EAS and iOS MDM devices
- Enabling Mobile Device Management
- Modifying the Mobile Device Management settings
- Disabling Mobile Device Management
- Working with commands for mobile devices
- Working with certificates of mobile devices
- Starting the Certificate installation wizard
- Step 1. Selecting certificate type
- Step 2. Selecting device type
- Step 3. Selecting a user
- Step 4. Selecting certificate source
- Step 5. Assigning a tag to the certificate
- Step 6. Specifying certificate publishing settings
- Step 7. Selecting user notification method
- Step 8. Generating the certificate
- Configuring certificate issuance rules
- Integration with public key infrastructure
- Enabling support of Kerberos Constrained Delegation
- Adding iOS mobile devices to the list of managed devices
- Adding Android mobile devices to the list of managed devices
- Managing Exchange ActiveSync mobile devices
- Managing iOS MDM devices
- Signing an iOS MDM profile by a certificate
- Adding a configuration profile
- Installing a configuration profile on a device
- Removing the configuration profile from a device
- Adding a new device by publishing a link to a profile
- Adding a new device through profile installation by the administrator
- Adding a provisioning profile
- Installing a provisioning profile to a device
- Removing a provisioning profile from a device
- Adding a managed application
- Installing an app on a mobile device
- Removing an app from a device
- Configuring roaming on an iOS MDM mobile device
- Viewing information about an iOS MDM device
- Disconnecting an iOS MDM device from management
- Sending commands to a device
- Checking the execution status of commands sent
- Managing KES devices
- Data encryption and protection
- Data repositories
- Kaspersky Security Network (KSN)
- About KSN
- Setting up access to Kaspersky Security Network
- Enabling and disabling KSN
- Viewing the accepted KSN Statement
- Viewing the KSN proxy server statistics
- Accepting an updated KSN Statement
- Enhanced protection with Kaspersky Security Network
- Checking whether the distribution point works as KSN proxy server
- Switching between Online Help and Offline Help
- Managing Administration Servers
- Export of events to SIEM systems
- Configuring event export to SIEM systems
- Before you begin
- About events in Kaspersky Security Center
- About event export
- About configuring event export in a SIEM system
- Marking of events for export to SIEM systems in Syslog format
- About exporting events using Syslog format
- About exporting events using CEF and LEEF formats
- Converting events to the CEF or LEEF format
- Configuring Kaspersky Security Center for export of events to a SIEM system
- Exporting events directly from the database
- Viewing export results
- Using SNMP for sending statistics to third-party applications
- Working in a cloud environment
- About work in a cloud environment
- Scenario: Deployment for a cloud environment
- Prerequisites for deploying Kaspersky Security Center in a cloud environment
- Hardware requirements for the Administration Server in a cloud environment
- Licensing options in a cloud environment
- Database options for work in a cloud environment
- Working in Amazon Web Services cloud environment
- About work in Amazon Web Services cloud environment
- Creating IAM roles and IAM user accounts for Amazon EC2 instances
- Ensuring that the Kaspersky Security Center Administration Server has the permissions to work with AWS
- Creating an IAM role for the Administration Server
- Creating an IAM user account for work with Kaspersky Security Center
- Creating an IAM role for installation of applications on Amazon EC2 instances
- Working with Amazon RDS
- Working in Microsoft Azure cloud environment
- Working in Google Cloud
- Prerequisites for client devices in a cloud environment necessary for work with Kaspersky Security Center
- Creating installation packages required to configure cloud environment
- Configuring cloud environment
- About the Configure cloud environment wizard
- Step 1. Selecting the application activation method
- Step 2. Selecting the cloud environment
- Step 3. Authorization in the cloud environment
- Step 4. Configuring synchronization with Cloud and choosing further actions
- Step 5. Configuring Kaspersky Security Network in the cloud environment
- Step 6. Configuring email notifications in the cloud environment
- Step 7. Creating an initial configuration of the protection of the cloud environment
- Step 8. Selecting the action when the operating system must be restarted during installation (for the cloud environment)
- Step 9. Receiving updates by the Administration Server
- Checking configuration
- Cloud device group
- Network segment polling
- Installing applications on devices in a cloud environment
- Viewing the properties of cloud devices
- Synchronization with cloud
- Using deployment scripts for deploying security applications
- Deployment of Kaspersky Security Center in Yandex.Cloud
- Appendices
- Advanced features
- Kaspersky Security Center operation automation. klakaut utility
- Custom tools
- Network Agent disk cloning mode
- Preparing a reference device with Network Agent installed for creating an image of operating system
- Configuring receipt of messages from File Integrity Monitor
- Administration Server maintenance
- Access to public DNS servers
- User notification method window
- General section
- Device selection window
- Define the name of the new object window
- Application categories section
- Features of using the management interface
- Reference information
- Searching and exporting data
- Settings of tasks
- Global list of subnets
- Usage of Network Agent for Windows, macOS, and Linux: Comparison
- Comparison of Network Agent settings by operating systems
- Advanced features
- About Kaspersky Security Center
- Kaspersky Security Center Web Console
- About Kaspersky Security Center Web Console
- Hardware and software requirements for Kaspersky Security Center Web Console
- Deployment diagram of Kaspersky Security Center Administration Server and Kaspersky Security Center Web Console
- Ports used by Kaspersky Security Center Web Console
- Scenario: Installation and initial setup of Kaspersky Security Center Web Console
- Installation
- Installing Kaspersky Security Center Web Console
- Installation of Kaspersky Security Center Web Console on Linux platforms
- Installing Kaspersky Security Center Web Console connected to Administration Server installed on failover cluster nodes
- Upgrading Kaspersky Security Center Web Console
- Certificates for work with Kaspersky Security Center Web Console
- Migration from Kaspersky Security Center Windows
- About migration to Kaspersky Security Center Cloud Console
- About migration to Kaspersky Security Center Linux
- About migration to Kaspersky XDR Expert
- Exporting group objects from Kaspersky Security Center Windows
- Importing the export file to Kaspersky Security Center Linux
- Switching managed devices to be under management of Kaspersky Security Center Linux
- Signing in to Kaspersky Security Center Web Console and signing out
- Identity and Access Manager in Kaspersky Security Center Web Console
- About Identity and Access Manager
- Enabling Identity and Access Manager: scenario
- Configuring Identity and Access Manager in Kaspersky Security Center Web Console
- Registering Kaspersky Industrial CyberSecurity for Networks application in Kaspersky Security Center Web Console
- Lifetime of tokens and authorization timeout for Identity and Access Manager
- Downloading and distributing the IAM certificates
- Disabling Identity and Access Manager
- Configuring domain authentication by using the NTLM and Kerberos protocols
- Configuring Administration Server
- Configuring the connection of Kaspersky Security Center Web Console to Administration Server
- Configuring Administration Server connection events logging
- Configuring internet access settings for Administration Server
- Setting the maximum number of events in the event repository
- Connection settings of UEFI protection devices
- Creating a hierarchy of Administration Servers: adding a secondary Administration Server
- Viewing the list of secondary Administration Servers
- Deleting a hierarchy of Administration Servers
- Administration Server maintenance
- Configuring the interface
- Managing virtual Administration Servers
- Enabling account protection from unauthorized modification
- Two-step verification
- About two-step verification
- Scenario: Configuring two-step verification for all users
- Enabling two-step verification for your own account
- Enabling required two-step verification for all users
- Disabling two-step verification for a user account
- Disabling required two-step verification for all users
- Excluding accounts from two-step verification
- Generating a new secret key
- Editing the name of a security code issuer
- Configuring two-step verification for your own account
- Backup copying and restoration of Administration Server data
- Reissuing the certificate for Kaspersky Security Center Web Console
- Creating a data backup task
- Moving Administration Server to another device
- Initial setup of Kaspersky Security Center Web Console
- Quick start wizard (Kaspersky Security Center Web Console)
- Step 1. Specifying the internet connection settings
- Step 2. Downloading required updates
- Step 3. Selecting the assets to secure
- Step 4. Selecting encryption in solutions
- Step 5. Configuring installation of plug-ins for managed applications
- Step 6. Downloading distribution packages and creating installation packages
- Step 7. Configuring Kaspersky Security Network
- Step 8. Selecting the application activation method
- Step 9. Specifying the third-party update management settings
- Step 10. Creating a basic network protection configuration
- Step 11. Configuring email notifications
- Step 12. Performing a network poll
- Step 13. Closing the quick start wizard
- Connecting out-of-office devices
- Scenario: Connecting out-of-office devices through a connection gateway
- Scenario: Connecting out-of-office devices through a secondary Administration Server in DMZ
- About connecting out-of-office devices
- Connecting external desktop computers to Administration Server
- About connection profiles for out-of-office users
- Creating a connection profile for out-of-office users
- About switching Network Agent to other Administration Servers
- Creating a Network Agent switching rule by network location
- Quick start wizard (Kaspersky Security Center Web Console)
- Protection deployment wizard
- Starting Protection deployment wizard
- Selecting the installation package
- Selecting a method for distribution of key file or activation code
- Selecting Network Agent version
- Selecting devices
- Step 5. Specifying the remote installation task settings
- Step 6. Restart management
- Step 7. Removing incompatible applications before installation
- Step 8. Moving devices to Managed devices
- Step 9. Selecting accounts to access devices
- Step 10. Starting installation
- Kaspersky applications deployment through Kaspersky Security Center Web Console
- Scenario: Kaspersky applications deployment through Kaspersky Security Center Web Console
- Getting plug-ins for Kaspersky applications
- Downloading and creating installation packages for Kaspersky applications
- Changing the limit on the size of custom installation package data
- Downloading distribution packages for Kaspersky applications
- Checking that Kaspersky Endpoint Security is deployed successfully
- Creating stand-alone installation packages
- Viewing the list of stand-alone installation packages
- Creating custom installation packages
- Distributing installation packages to secondary Administration Servers
- Installing applications using a remote installation task
- Specifying settings for remote installation on Unix devices
- Starting and stopping Kaspersky applications
- Mobile Device Management
- Replacing third-party security applications
- Discovering networked devices
- Kaspersky applications: licensing and activation
- Licensing of managed applications
- Adding a license key to the Administration Server repository
- Deploying a license key to client devices
- Automatic distribution of a license key
- Viewing information about license keys in use
- Deleting a license key from the repository
- Revoking consent with an End User License Agreement
- Renewing licenses for Kaspersky applications
- Using Kaspersky Marketplace to choose Kaspersky business solutions
- Configuring network protection
- Scenario: Configuring network protection
- About device-centric and user-centric security management approaches
- Policy setup and propagation: Device-centric approach
- Policy setup and propagation: User-centric approach
- Network Agent policy settings
- Manual setup of the Kaspersky Endpoint Security policy
- Configuring Kaspersky Security Network
- Checking the list of the networks protected by Firewall
- Disabling the scan of network drives
- Excluding software details from the Administration Server memory
- Configuring access to the Kaspersky Endpoint Security for Windows interface on workstations
- Saving important policy events in the Administration Server database
- Manual setup of the group update task for Kaspersky Endpoint Security
- Granting offline access to the external device blocked by Device Control
- Removing applications or software updates remotely
- Rolling back an object to a previous revision
- Tasks
- Managing client devices
- Settings of a managed device
- Creating administration groups
- Adding devices to an administration group manually
- Moving devices to an administration group manually
- Creating device moving rules
- Copying device moving rules
- Conditions for a device moving rule
- Viewing and configuring the actions when devices show inactivity
- About device statuses
- Configuring the switching of device statuses
- Remotely connecting to the desktop of a client device
- Connecting to devices through Windows Desktop Sharing
- Device selections
- Device tags
- Device tags
- Creating a device tag
- Renaming a device tag
- Deleting a device tag
- Viewing devices to which a tag is assigned
- Viewing tags assigned to a device
- Tagging a device manually
- Removing an assigned tag from a device
- Viewing rules for tagging devices automatically
- Editing a rule for tagging devices automatically
- Creating a rule for tagging devices automatically
- Running rules for auto-tagging devices
- Deleting a rule for tagging devices automatically
- Managing device tags by using the klscflag utility
- Policies and policy profiles
- About policies and policy profiles
- About lock and locked settings
- Inheritance of policies and policy profiles
- Managing policies
- Viewing the list of policies
- Creating a policy
- Modifying a policy
- General policy settings
- Enabling and disabling a policy inheritance option
- Copying a policy
- Moving a policy
- Exporting a policy
- Importing a policy
- Viewing the policy distribution status chart
- Activating a policy automatically at the Virus outbreak event
- Deleting a policy
- Managing policy profiles
- Data encryption and protection
- Users and user roles
- About user roles
- Viewing user accounts and sessions
- Configuring access rights to application features. Role-based access control
- Adding an account of an internal user
- Creating a security group
- Editing an account of an internal user
- Editing a security group
- Adding user accounts to an internal group
- Assigning a user as a device owner
- Deleting a user or a security group
- Creating a user role
- Editing a user role
- Editing the scope of a user role
- Deleting a user role
- Associating policy profiles with roles
- Managing objects in Kaspersky Security Center Web Console
- Adding a revision description
- Deletion of objects
- Kaspersky Security Network (KSN)
- Updating Kaspersky databases and applications
- Scenario: Regular updating Kaspersky databases and applications
- About updating Kaspersky databases, software modules, and applications
- Creating the Download updates to the Administration Server repository task
- Verifying downloaded updates
- Creating the Download updates to the repositories of distribution points task
- Enabling and disabling automatic updating and patching for Kaspersky Security Center components
- Automatic installation of updates for Kaspersky Endpoint Security for Windows
- Approving and declining software updates
- Updating Administration Server
- Enabling and disabling the offline model of update download
- Updating Kaspersky databases and software modules on offline devices
- Backing up and restoring web plug-ins
- Adjustment of distribution points and connection gateways
- Standard configuration of distribution points: Single office
- Standard configuration of distribution points: Multiple small remote offices
- About assigning distribution points
- Assigning distribution points automatically
- Assigning distribution points manually
- Modifying the list of distribution points for an administration group
- Forced synchronization
- Enabling a push server
- Managing third-party applications on client devices
- About third-party applications
- Installing third-party software updates
- Installing third-party software updates
- Creating the Find vulnerabilities and required updates task
- Find vulnerabilities and required updates task settings
- Creating the Install required updates and fix vulnerabilities task
- Adding rules for update installation
- Creating the Install Windows Update updates task
- Viewing information about available third-party software updates
- Exporting the list of available software updates to a file
- Approving and declining third-party software updates
- Creating the Perform Windows Update synchronization task
- Updating third-party applications automatically
- Scenario: Updating third-party software
- Fixing third-party software vulnerabilities
- Scenario: Finding and fixing third-party software vulnerabilities
- About finding and fixing software vulnerabilities
- Fixing third-party software vulnerabilities
- Creating the Fix vulnerabilities task
- Creating the Install required updates and fix vulnerabilities task
- Adding rules for update installation
- Selecting user fixes for vulnerabilities in third-party software
- Viewing information about software vulnerabilities detected on all managed devices
- Viewing information about software vulnerabilities detected on the selected managed device
- Viewing statistics of vulnerabilities on managed devices
- Exporting the list of software vulnerabilities to a file
- Ignoring software vulnerabilities
- Managing applications run on client devices
- Using Application Control to manage executable files
- Application Control modes and categories
- Obtaining and viewing a list of applications installed on client devices
- Obtaining and viewing a list of executable files stored on client devices
- Creating application category with content added manually
- Creating an application category that includes executable files from selected devices
- Creating an application category that includes executable files from selected folder
- Viewing the list of application categories
- Configuring Application Control in the Kaspersky Endpoint Security for Windows policy
- Adding event-related executable files to the application category
- Creating an installation package of a third-party application from the Kaspersky database
- Viewing and modifying the settings of an installation package of a third-party application from the Kaspersky database
- Settings of an installation package of a third-party application from the Kaspersky database
- Application tags
- Monitoring and reporting
- Scenario: Monitoring and reporting
- About types of monitoring and reporting
- Dashboard and widgets
- Reports
- Events and event selections
- About Kaspersky Security Center events
- Using event selections
- Viewing details of an event
- Exporting events to a file
- Exporting events to SIEM systems
- Configuring event export to SIEM systems
- Before you begin
- About event export
- About configuring event export in a SIEM system
- Marking of events for export to SIEM systems in Syslog format
- About exporting events using CEF and LEEF formats
- About exporting events using Syslog format
- Configuring Kaspersky Security Center for export of events to a SIEM system
- Exporting events directly from the database
- Viewing export results
- Viewing an object history from an event
- Deleting events
- Setting the storage term for an event
- Events of Kaspersky Security Center components
- Blocking frequent events
- Receiving events from Kaspersky Security for Microsoft Exchange Servers
- Notifications and device statuses
- Kaspersky announcements
- Viewing information about the detects of threats
- Downloading and deleting files from Quarantine and Backup
- Kaspersky Security Center Web Console activity logging
- Integration between Kaspersky Security Center and other solutions
- Working with Kaspersky Security Center Web Console in a cloud environment
- Cloud environment configuration in Kaspersky Security Center Web Console
- Step 1. Checking the required plug-ins and installation packages
- Step 2. Licensing the application
- Step 3. Selecting the cloud environment and authorization
- Step 4. Segment polling, configuring synchronization with Cloud and choosing further actions
- Step 5. Selecting an application to create a policy and tasks for
- Step 6. Configuring Kaspersky Security Network for Kaspersky Security Center
- Step 7. Creating an initial configuration of protection
- Network segment polling via Kaspersky Security Center Web Console
- Adding connections for cloud segment polling
- Deleting a connection for cloud segment polling
- Configuring the polling schedule via Kaspersky Security Center Web Console
- Viewing the results of cloud segment polling via Kaspersky Security Center Web Console
- Viewing the properties of cloud devices via Kaspersky Security Center Web Console
- Synchronization with Cloud: Configuring the moving rule
- Remote installation of applications to the Azure virtual machines
- Creating Backup of the Administration Server data task by using a cloud DBMS
- Cloud environment configuration in Kaspersky Security Center Web Console
- Remote diagnostics of client devices
- Opening the remote diagnostics window
- Enabling and disabling tracing for applications
- Downloading trace files of an application
- Deleting trace files
- Downloading application settings
- Downloading event logs
- Starting, stopping, restarting the application
- Running the remote diagnostics of Kaspersky Security Center Network Agent and downloading the results
- Running an application on a client device
- Generating a dump file for an application
- Changing the language of the Kaspersky Security Center Web Console interface
- API Reference Guide
- Best Practices for Service Providers
- Planning Kaspersky Security Center deployment
- Deployment and initial setup
- Recommendations on Administration Server installation
- Configuring protection on a client organization's network
- Manual setup of the Kaspersky Endpoint Security policy
- Manual setup of the group update task for Kaspersky Endpoint Security
- Manual setup of the group task for scanning a device with Kaspersky Endpoint Security
- Scheduling the Find vulnerabilities and required updates task
- Manual setup of the group task for updates installation and vulnerabilities fix
- Building a structure of administration groups and assigning distribution points
- Hierarchy of policies, using policy profiles
- Tasks
- Device moving rules
- Software categorization
- About multi-tenant applications
- Backup and restoration of Administration Server settings
- Deploying Network Agent and the security application
- Initial deployment
- Configuring installers
- Installation packages
- MSI properties and transform files
- Deployment with third-party tools for remote installation of applications
- General information about the remote installation tasks in Kaspersky Security Center
- Deployment using group policies of Microsoft Windows
- Forced deployment through the remote installation task of Kaspersky Security Center
- Running stand-alone packages created by Kaspersky Security Center
- Options for manual installation of applications
- Creating an MST file
- Remote installation of applications on devices with Network Agent installed
- Managing device restarts in the remote installation task
- Suitability of databases updating in an installation package of an anti-virus application
- Removing incompatible third-party security applications
- Removing password-protected Network Agent by using the command prompt
- Using tools for remote installation of applications in Kaspersky Security Center for running relevant executable files on managed devices
- Monitoring the deployment
- Configuring installers
- Virtual infrastructure
- Support of file system rollback for devices with Network Agent
- Initial deployment
- About connection profiles for out-of-office users
- Deploying the Mobile Device Management feature
- Other routine work
- Sizing Guide
- About this Guide
- Information about limitations of Kaspersky Security Center
- Calculations for Administration Servers
- Calculations for distribution points and connection gateways
- Logging of information about events for tasks and policies
- Specific considerations and optimal settings of certain tasks
- Details of network load spread among Administration Server and protected devices
- Contact Technical Support
- Sources of information about the application
- Glossary
- Active key
- Additional (or reserve) license key
- Administration Console
- Administration group
- Administration Server
- Administration Server certificate
- Administration Server client (Client device)
- Administration Server data backup
- Administrator rights
- Administrator's workstation
- Amazon EC2 instance
- Amazon Machine Image (AMI)
- Android device
- Anti-virus databases
- Anti-virus protection service provider
- Application Shop
- Authentication Agent
- Available update
- AWS Application Program Interface (AWS API)
- AWS IAM access key
- AWS Management Console
- Backup folder
- Broadcast domain
- Centralized application management
- Client administrator
- Cloud environment
- Configuration profile
- Connection gateway
- Demilitarized zone (DMZ)
- Device owner
- Direct application management
- Distribution point
- EAS device
- Event repository
- Event severity
- Exchange Mobile Device Server
- Forced installation
- Group task
- Home Administration Server
- HTTPS
- IAM role
- IAM user
- Identity and Access Management (IAM)
- Incompatible application
- Installation package
- Internal users
- iOS MDM device
- iOS MDM profile
- iOS MDM Server
- JavaScript
- Kaspersky Private Security Network (KPSN)
- Kaspersky Security Center Administrator
- Kaspersky Security Center Operator
- Kaspersky Security Center System Health Validator (SHV)
- Kaspersky Security Center Web Server
- Kaspersky Security Network (KSN)
- Kaspersky update servers
- KES device
- Key file
- License term
- Licensed applications group
- Local installation
- Local task
- Managed devices
- Management plug-in
- Manual installation
- MITM attack
- Mobile Device Server
- Network Agent
- Network anti-virus protection
- Network protection status
- Patch importance level
- Policy
- Profile
- Program settings
- Protection status
- Provisioning profile
- Remote installation
- Restoration
- Restoration of Administration Server data
- Role group
- Service provider's administrator
- Shared certificate
- SSL
- Task
- Task for specific devices
- Task settings
- UEFI protection device
- Update
- Virtual Administration Server
- Virus activity threshold
- Virus outbreak
- Vulnerability
- Windows Server Update Services (WSUS)
- Information about third-party code
- Trademark notices
- Known issues
Kaspersky Security Center 14.2 > Export of events to SIEM systems > Converting events to the CEF or LEEF format
Converting events to the CEF or LEEF format
Converting events to the CEF or LEEF format
Before sending events to the SIEM system (QRadar, ArcSight, or Splunk), it is necessary to interpret Kaspersky Security Center events to events in the CEF and LEEF format by using the rules specified in the siem_conversion_rules.xml file. This file is included in the Kaspersky Security Center distribution kit.
The siem_conversion_rules.xml file contains the predefined interpretation rules to convert events to the CEF and LEEF format. If you want to use additional event interpretation rules, you can add them to the file manually.
The siem_conversion_rules.xml file includes the <product name="SP_QRADAR" vendor="IBM"> and <product name="SP_QRADAR" vendor="IBM"> sections. The <product name="SP_QRADAR" vendor="IBM"> section contains rules for generating events in the LEEF format, which can be exported to the QRadar SIEM system. The <product name="SP_ARCSIGHT" vendor="HP"> section contains rules for generating events in the CEF format, which can be exported to the ArcSight or Splunk SIEM system.
Each section has the <common> subsection, in which Kaspersky Security Center event attributes and corresponding attributes of events in the LEEF format are located. These common attributes are used for all types of events that can be exported.
Also, each section has the <event> subsections. Each <event> subsection contains additional attributes that are added to those listed in the <common> section.
You can add a new event generation rule to the siem_conversion_rules.xml file manually.
To add a new event generation rule,
Add a new <event> subsection to the <product name="SP_QRADAR" vendor="IBM"> or <product name="SP_QRADAR" vendor="IBM"> section, and then specify the additional event attributes, if needed.
If an event consist only of common attributes, the <event> subsection will be empty.
siem_conversion_rules.xml
<conversion_rules>
<product name="SP_QRADAR" vendor="IBM">
<common> <!-- Common Kaspersky Security Center event attributes and corresponding LEEF event attributes -->
<param name="KLSPLG_HOST_DISP_NAME" type="STRING_T">
<attr name="EVC_EV_DISP_HOST_NAME" type="AT_STRING" limit="255"/>
</param>
...
</common>
<event id="GNRL_EV_VIRUS_FOUND"> <!-- Generation rule for the GNRL_EV_VIRUS_FOUND event with additional attributes -->
<param name="GNRL_EA_PARAM_1" type="STRING_T">
<attr name="EVC_EV_SHA256" type="AT_STRING" limit="255"/>
</param>
...
</event>
...
</product>
<product name="SP_ARCSIGHT" vendor="HP">
<common> <!-- Common Kaspersky Security Center event attributes and corresponding LEEF event attributes -->
<param name="KLSPLG_HOST_DISP_NAME" type="STRING_T">
<attr name="dhost" type="AT_STRING" limit="1023"/>
</param>
...
</common>
<event id="GNRL_EV_VIRUS_FOUND">
<param name="GNRL_EA_PARAM_1" type="STRING_T">
<attr name="cs4" type="AT_STRING" limit="255"/>
<attr name="cs4Label" type="AT_STRING" val="SHA256"/>
</param>
...
</product>
</conversion_rules>
Article ID: 298793, Last review: Mar 23, 2025