Managing connectors

This section contains information about managing connectors in Kaspersky Anti Targeted Attack Platform. Connectors are special software modules that handle communication with Kaspersky Anti Targeted Attack Platform and can allow to perform management tasks in the application itself or with the help of the application.

Connectors extend the functionality of the application letting it interact with third-party systems. Depending on their functional purpose, connectors can send data to third-party systems (for example, events, application messages, and audit records to a SIEM system) or fetch data from third-party systems. The application can also use connectors for active polling of devices.

Computers on which the connector software modules are running are called connector deployment nodes. You can deploy the connector on any computer that has network access to the Central Node server (including nodes with installed application components, including the Central Node server itself).

The table of connectors and the table of connector types are displayed in the Settings section, Connectors subsection in the application web interface. Only users with the Administrator role can manage connectors and connector types. Users with the Security auditor, Security officer, and Senior security officer roles can view connectors and connector types.

The functionality of the connector depends on the selected connector type. You can select a connector type when adding the connector to the application. The following types of connectors are built into the application out of the box:

• Syslog

  This connector type enables data forwarding to a Syslog server.

  When adding a Syslog connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:

  • Syslog server address
  • Syslog server port
  • Data Transfer Systems
• SIEM

  This connector type enables data forwarding to a SIEM system.

  When adding a SIEM connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:

  • SIEM system server address
  • SIEM system server port
  • Data Transfer Systems
• Generic

  This connector type allows connecting applications that use the Kaspersky Anti Targeted Attack Platform API NDR.

• Email

  This connector type provides the capabilities for forwarding data by email.

  When adding an Email connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:

  • Address to be used as the sender of email messages.
  • Recipient addresses of email messages.
  • Email subject lines for events, application messages, and audit records.
  • Text description templates for events, application messages, audit records, descriptions of network interactions, and the whole notification email message. You can use variables in templates.
  • The subject and body of the email message sent when the maximum number of sent notifications is reached.
  • Maximum number of email messages sent per day.
  • Maximum number of notifications in each message. Specifies the maximum number of registered notifications of the same type (events, application messages, or audit records) that can be put in a single email message. If there more registered notifications exist, an additional email message is generated (within the daily limit).

  For the Email connector to work, you must first configure the mail server connection.

• Active poll

  This connector type provides the capabilities for active device polling with configuration control and active polling jobs.

  When adding an Active poll connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:

  • Active polling methods that will be available to the application user when using the connector.
  • The ranges of allowed and denied IP addresses of the devices for which active polls are allowed or denied. The 0.0.0.0 address matches all possible IP addresses.

    If an address is included among allowed as well as denied IP addresses, Kaspersky Anti Targeted Attack Platform classifies it as a denied IP address.

  • Names of address spaces whose corresponding devices will be available for active polling. If necessary, select the address spaces for IP addresses in the L3 address space field and select the address spaces for MAC addresses in the L2 address space field.

    If you select an address space that differs from the Default one, add a new rule for this address space (or edit an existing rule). The rule must specify the connector for which this address space is selected. The rules settings are configured when the address space is changed.

• KUMA

  This connector type provides integration with Kaspersky Unified Monitoring and Analysis Platform (KUMA). Software modules for connectors of this type are distributed separately from Kaspersky Anti Targeted Attack Platform. A connector of this type lets you send information about devices and risks to KUMA, as well as run commands in KUMA to change device statuses. After adding a connector, you must configure the integration in KUMA (create a connection to Kaspersky Anti Targeted Attack Platform). The KUMA connector interacts with the Central Node server using the Kaspersky Anti Targeted Attack Platform API.

  The integration provided by the KUMA connector involves sending information about devices and risks, and applying commands to change device statuses. To send events to KUMA, you can add a Syslog or SIEM connector to Kaspersky Anti Targeted Attack Platform and specify the settings for connection to the KUMA server for this connector. After adding the connector, you need to configure a collector on the KUMA side.

• Cisco Switch

  This connector type provides support for automatic network access control for devices via Cisco network switches.

  When adding a Cisco Switch connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:

  • Name of the switch that you want to be specified in events for actions that the application performed using the connector.
  • Addressing information for connecting the connector to the switch: IP address and SSH port.
  • Credentials for connecting to the switch via SSH.
  • Public key to be matched against the public key received from network switch before establishing an SSH connection; this is done to protect against spoofing of this device in the network. If the value is empty, the check is not performed.
  • Method used to restrict network access for devices. The application provides methods for creating deny rules in switch access control lists based on MAC addresses (MAC ACL), IP addresses (IP ACL), and by disabling Ethernet ports to which devices are connected.

    To use the method of disabling Ethernet ports, configure the switch connections to prevent multiple devices from being connected to one port. Otherwise, disabling an Ethernet port to block one device will also block network access for all devices that connect to the network using that port.

  • This setting resets deny rules when changing the network access restriction method. If this setting is enabled, changing the method resets the rules that have been set for blocking devices.
  • This setting excludes network devices from the network access restriction method. If this setting is enabled, the method is not applied to devices of the Network device, Firewall, Switch, Virtual switch, Router, Virtual router, Wi-Fi.
  • This setting applies deny rules only to new devices. If this setting is enabled, the method is applied only to those unauthorized devices for which a new device detection event with event type code 4000005003 has been registered.
  • Polling interval for Authorized and Unauthorized devices in the device table.
  • This setting lets you configure notifications about blocked devices when the connector is restarted. If this setting is enabled, after enabling or restarting the connector, a list of devices for which network access restrictions have been previously applied is sent to the Central Node server.

If necessary, you can add other connector types that will facilitate data exchange or provide the capabilities for performing management tasks when the application interacts with other recipient systems.

Certain ports and protocols are used for the connections of connectors to the Central Node server.

Third-party systems are connected through the connector on behalf one of the application users. We recommend using a separate user account for each connector. This will help you analyze actions performed through the connectors using audit records.

The maximum number of connectors in the application is 20. The maximum number of connector types is 100.

In this section Managed and unmanaged connectors Sending events, application messages, and audit records to third-party systems Automatic network access control for devices via Cisco Switch connectors Adding a connector Viewing the table of connectors Enabling or disabling a connector Editing connector settings Creating a new communication data package for a connector Deleting a connector Adding and deleting connector types

Page top