You can use the kata-alert-export utility to get NDR detection and event data in a format that is valid for import into the GosSOPKA system. The utility is included in the Kaspersky Anti Targeted Attack Platform distribution kit.
For each NDR detection or event, the utility creates a separate XML 1.0 file (UTF-8) with information about this detection or event for the specified period.
Preparing detection data for GosSOPKA
To prepare detection data that you want to send to GosSOPKA, you only need to run the utility; no additional configuration is required.
Preparing NDR event data for GosSOPKA
Preparing NDR event data that you want to send to the GosSOPKA system involves the following steps:
Create a connector of the Generic type and save the communication data package for it.
If you are using the distributed solution or multitenancy mode, at step 4c of the instructions for creating a connector, you need to specify the IP address of the PCN or SCN server from which you want to receive data. If you want to receive data from multiple Central Node servers, you must create a connector for each of these servers.
If the Central Node component is deployed as a cluster, you can enter the IP address of any server in the cluster when creating a connector.
Run the utility on the Central Node server whose IP address you specified at step 4c when creating the connector.
Special considerations involved in recording NDR detection and event data
For alerts that are created based on events registered as a result of an EXT scan, the scan technology is recorded as Aggregated Alerts.