Configuring integration with SIEM systems

Kaspersky Container Security allows connecting to SIEM systems to send event messages for analysis and subsequent response to potential threats. The messages contain data for the same types and categories of events that are logged in the security event log. The transmission of data about cluster node monitoring events is also achieved by integrating with SIEM systems and linking agent groups to them.

Messages are sent to a SIEM system in the CEF format, for example:

CEF:0|Kaspersky|Kaspersky Container Security|2.0|PM-002|Process management|7|dpid=1846367 spid=1845879 flexString2=0ce05246346b6687cb754cf716c57f20f226e159397e8e5985e55b448cb92e3f flexString2Label=Container ID cs6=alpine cs6Label=Container name outcome=Success

The transmitted message consists of the following components:

• The Syslog header, which specifies the date, time, and host name.

  A standard for sending and logging system event messages used for the UNIX™ and GNU/Linux platforms.

• Prefix and CEF version number.
• Device vendor.
• Solution name.
• Solution version.
• Solution-generated unique event type code.
• Event description.
• Event severity assessment.
• Additional information, such as device IP address, event reason, event result, and event status.

For detailed information about the components, refer to the CEF message value matching table.

In this Help section Matching of CEF message fields Creating an integration with a SIEM system Linking agent groups with a SIEM system Viewing and editing SIEM integration settings Deleting an integration with a SIEM system

Page top