How to configure receiving events from Kaspersky Anti Targeted Attack Platform to Kaspersky Unified Monitoring and Analysis Platform
Latest update: June 18, 2024
ID: 16056
This article concerns the following applications and versions:
- Kaspersky Anti Targeted Attack Platform 6.1
- Kaspersky Anti Targeted Attack Platform 6.0
- Kaspersky Anti Targeted Attack Platform 5.1
- Kaspersky Unified Monitoring and Analysis Platform 3.0.3
- Kaspersky Unified Monitoring and Analysis Platform 3.0.2
You can configure receiving events from Kaspersky Anti Targeted Attack Platform (KATA) to the Kaspersky Unified Monitoring and Analysis Platform (KUMA) SIEM system.
To do this, configure forwarding events from KATA and create a KUMA collector for KATA/EDR events using the instructions below.
With this method, you can forward:
- Information about users' actions in the application web interface
- Information about alerts
- Application component status
You can configure receiving original events (not processed by KATA) using these instructions.
How to configure KATA
To configure forwarding events from KATA to the KUMA SIEM system:
- Open the Web Console of the KATA Central Node: select the Local administrator check box and enter the administrator credentials.
- Go to Settings → SIEM system.
- Fill in the required fields:
- Data to send: select the Activity log and Alerts check boxes.
- Host/IP: enter the IP address or FQDN address of the KUMA collector.
- Port: enter the port of the KUMA collector.
- Protocol: select TCP or UDP.
- Host ID: enter the server host ID that will be specified in the SIEM system log as an alert source.
- Heartbeat: specify the number of minutes from 1 to 59.
- TLS decryption: this setting is disabled by default. Enable if required.
- Click Apply.
How to configure KUMA
After configuring event forwarding from KATA, create a collector in KUMA:
- Open KUMA, go to the Resources section and select Collectors.
- Select the required folder and click Add.
- Fill in the fields in the Connect sources section at your discretion.
- Go to the Transport section and specify the type (also referred to as kind in KUMA) and port of the collector according to the KATA settings.
- Go to the Event parsing section and click Add event parsing.
- In the Normalizer drop-down menu, select [OOTB] KATA and click OK.
- Check that the Storage and Correlator destination points are added to the resource set in the Routing section. If the points are absent, add them.
- Go to the Setup validation section and click Create and save service.
- Copy the command for KUMA collector installation.
- Type sudo at the beginning of the copied command and run it on the server with the Collector role.
# sudo /opt/kaspersky/kuma/kuma collector --core <server address to which the collector must receive its parameters> --id <ID of the service to be installed> --api.port <port> --install
Example:
# sudo /opt/kaspersky/kuma/kuma collector --core https://kuma.some.local:7210 --id f81aad2b-3d24-469c-93b4-2e5d0a2729b7 --api.port 7240 --install
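The installation command above is run with sudo, so it is worth checking its parts before pasting it in, and checking afterwards that the collector is actually listening on the port that was entered on the KATA side (otherwise KATA forwards events into a closed port and nothing arrives). The helper below is an added example, not code from the Kaspersky article or from KUMA itself. It assumes that the service ID is a UUID (as in the article's example), that the core address is an https URL with an explicit port, and that ss(8) is available on the collector host; the function names are the example's own.

```shell
#!/bin/sh
# Added helper (not part of the Kaspersky article): sanity-check the values
# that go into "kuma collector --install" before running it with sudo, and
# confirm afterwards that the collector listens on the port KATA points at.
# Assumptions: service ID is a UUID, core address is https://host:port,
# ss(8) is installed. Function names are this example's own.

# Validate a KUMA service ID: 8-4-4-4-12 hex UUID.
is_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Validate the core URL: https scheme, host name, explicit port (article uses 7210).
is_core_url() {
    printf '%s\n' "$1" | grep -Eq '^https://[A-Za-z0-9.-]+:[0-9]{1,5}$'
}

# Validate a TCP/UDP port number: integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the installation command from validated parts. Prints nothing and
# fails when any part is invalid, so a typo never reaches sudo.
build_install_cmd() {
    core="$1"; id="$2"; port="$3"
    is_core_url "$core" || { echo "bad core URL: $core" >&2; return 1; }
    is_uuid "$id"       || { echo "bad service ID: $id" >&2; return 1; }
    is_port "$port"     || { echo "bad API port: $port" >&2; return 1; }
    printf 'sudo /opt/kaspersky/kuma/kuma collector --core %s --id %s --api.port %s --install\n' \
        "$core" "$id" "$port"
}

# After installation: check that a socket is listening on the collector port
# with the protocol selected in KATA (tcp or udp). Returns 0 when found.
collector_listening() {
    proto="$1"; port="$2"
    is_port "$port" || { echo "bad port: $port" >&2; return 2; }
    case "$proto" in
        tcp) ss -Hltn "sport = :$port" | grep -q . ;;
        udp) ss -Hlun "sport = :$port" | grep -q . ;;
        *)   echo "protocol must be tcp or udp" >&2; return 2 ;;
    esac
}

# Usage with the article's example values:
#   build_install_cmd https://kuma.some.local:7210 f81aad2b-3d24-469c-93b4-2e5d0a2729b7 7240
#   collector_listening tcp 7240 && echo "collector is listening on tcp/7240"
```

If collector_listening fails right after installation, the usual causes are the service not having started yet, the port in the KUMA Transport section differing from the one entered in KATA, or a host firewall on the collector; the protocol passed to the check must match the one chosen in the KATA SIEM system settings.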