This section contains information about managing connectors in Kaspersky Anti Targeted Attack Platform. Connectors are special software modules that handle communication with Kaspersky Anti Targeted Attack Platform and make it possible to perform management tasks in the application itself or with the help of the application.
Connectors extend the functionality of the application, letting it interact with third-party systems. Depending on their functional purpose, connectors can send data to third-party systems (for example, events, application messages, and audit records to a SIEM system) or fetch data from third-party systems. The application can also use connectors for active polling of devices.
Computers on which the connector software modules are running are called connector deployment nodes. You can deploy the connector on any computer that has network access to the Central Node server (this includes nodes with installed application components and the Central Node server itself).
The table of connectors and the table of connector types are displayed in the Settings section, Connectors subsection in the application web interface. Only users with the Administrator role can manage connectors and connector types. Users with the Security auditor, Security officer, and Senior security officer roles can view connectors and connector types.
The functionality of the connector depends on the selected connector type. You can select a connector type when adding the connector to the application. The following connector types are built into the application:
This connector type enables data forwarding to a Syslog server.
When adding a Syslog connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:
This connector type enables data forwarding to a SIEM system.
When adding a SIEM connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:
This connector type allows connecting applications that use the Kaspersky Anti Targeted Attack Platform API NDR.
This connector type provides the capabilities for forwarding data by email.
When adding an Email connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:
For the Email connector to work, you must first configure the mail server connection.
This connector type provides the capabilities for active device polling with configuration control and active polling jobs.
When adding an Active poll connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:
The 0.0.0.0 address matches all possible IP addresses. If an address is included among allowed as well as denied IP addresses, Kaspersky Anti Targeted Attack Platform classifies it as a denied IP address.
If you select an address space that differs from the Default one, add a new rule for this address space (or edit an existing rule). The rule must specify the connector for which this address space is selected. The rules settings are configured when the address space is changed.
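The precedence rule for allowed and denied IP addresses described above for the Active poll connector can be checked against a planned configuration before it is entered. The following is an added example, not code from Kaspersky Anti Targeted Attack Platform: the function names are hypothetical, the lists are assumed to hold single IPv4 addresses (plus the 0.0.0.0 wildcard), and the "unlisted" result only reports an address that is on neither list, because the page does not state how such addresses are handled.

```python
import ipaddress

# Per the page: the 0.0.0.0 address matches all possible IP addresses.
WILDCARD = ipaddress.ip_address("0.0.0.0")


def _matches(entries, target):
    """True if target is covered by an entry (exact match or the wildcard)."""
    for entry in entries:
        addr = ipaddress.ip_address(entry)
        if addr == WILDCARD or addr == target:
            return True
    return False


def classify(target, allowed, denied):
    """Return "denied", "allowed" or "unlisted" for a polling target.

    Denied is evaluated first, so an address present in both lists is
    denied, as the page describes. "unlisted" is this example's own label.
    """
    ip = ipaddress.ip_address(target)
    if _matches(denied, ip):
        return "denied"
    if _matches(allowed, ip):
        return "allowed"
    return "unlisted"


def shadowed_allowed(allowed, denied):
    """Allowed entries that can never take effect because denied covers them."""
    return [e for e in allowed if _matches(denied, ipaddress.ip_address(e))]


if __name__ == "__main__":
    # Constructed sample lists using documentation-range addresses.
    allowed = ["0.0.0.0"]
    denied = ["192.0.2.10"]
    for host in ("192.0.2.10", "192.0.2.11"):
        print(host, classify(host, allowed, denied))
    # A wildcard in the denied list overrides every allowed entry.
    print(shadowed_allowed(["192.0.2.11", "192.0.2.12"], ["0.0.0.0"]))
```

Running shadowed_allowed over a proposed configuration shows which allowed entries are dead because a denied entry overrides them.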
This connector type provides integration with Kaspersky Unified Monitoring and Analysis Platform (KUMA). Software modules for connectors of this type are distributed separately from Kaspersky Anti Targeted Attack Platform. A connector of this type lets you send information about devices and risks to KUMA, as well as run commands in KUMA to change device statuses. After adding a connector, you must configure the integration in KUMA (create a connection to Kaspersky Anti Targeted Attack Platform). The KUMA connector interacts with the Central Node server using the Kaspersky Anti Targeted Attack Platform API.
The integration provided by the KUMA connector involves sending information about devices and risks, and applying commands to change device statuses. To send events to KUMA, you can add a Syslog or SIEM connector to Kaspersky Anti Targeted Attack Platform and specify the settings for connection to the KUMA server for this connector. After adding the connector, you need to configure a collector on the KUMA side.
This connector type provides support for automatic network access control for devices via Cisco network switches.
When adding a Cisco Switch connector or editing its settings, configure both the general settings of the connector, and the additional settings under Details:
To use the method of disabling Ethernet ports, configure the switch connections to prevent multiple devices from being connected to one port. Otherwise, disabling an Ethernet port to block one device will also block network access for all devices that connect to the network using that port.
If necessary, you can add other connector types that will facilitate data exchange or provide the capabilities for performing management tasks when the application interacts with other recipient systems.
Certain ports and protocols are used for the connections of connectors to the Central Node server.
Third-party systems are connected through the connector on behalf of one of the application users. We recommend using a separate user account for each connector. This will help you analyze actions performed through the connectors using audit records.
The maximum number of connectors in the application is 20. The maximum number of connector types is 100.