Importing events from the Kaspersky Security Center database

In KUMA, you can receive events directly from the Kaspersky Security Center SQL database. Events are received by using a collector, which utilizes the provided resources of the connector [Example] KSC SQL and normalizer [Example] KSC from SQL.

To create a collector to receive Kaspersky Security Center events:

Follow the instructions under Creating a collector to select the preconfigured resources in the Installation Wizard:

At step 2 of the Installation Wizard, select the [Example] KSC SQL connector:
- In the URL field, specify the server connection string in the following format:
  sqlserver://user:password@kscdb.example.com:1433/KAV
  
  where:
  - user—user account with public and db_datareader rights to the required database.
  - password—user account password.
  - kscdb.example.com:1433—address and port of the database server.
  - KAV—name of the database.
- In the Query field, specify a database query based on the need to receive certain events.
  An example of a query to the Kaspersky Security Center SQL database
  
  SELECT ev.event_id AS externalId, ev.severity AS severity, ev.task_display_name AS taskDisplayName,
  
          ev.product_name AS product_name, ev.product_version AS product_version,
  
           ev.event_type As deviceEventClassId, ev.event_type_display_name As event_subcode, ev.descr As msg,
  
  CASE
  
          WHEN ev.rise_time is not NULL THEN DATEADD(hour,DATEDIFF(hour,GETUTCDATE(),GETDATE()),ev.rise_time )
  
              ELSE ev.rise_time
  
          END
  
      AS endTime,
  
      CASE
  
          WHEN ev.registration_time is not NULL
  
              THEN DATEADD(hour,DATEDIFF(hour,GETUTCDATE(),GETDATE()),ev.registration_time )
  
              ELSE ev.registration_time
  
          END
  
      AS kscRegistrationTime,
  
      cast(ev.par7 as varchar(4000)) as sourceUserName,
  
      hs.wstrWinName as dHost,
  
      hs.wstrWinDomain as strNtDom, serv.wstrWinName As kscName,
  
          CAST(hs.nIp / 256 / 256 / 256 % 256 AS VARCHAR) + '.' +
  
      CAST(hs.nIp / 256 / 256 % 256 AS VARCHAR) + '.' +
  
      CAST(hs.nIp / 256 % 256 AS VARCHAR) + '.' +
  
      CAST(hs.nIp % 256 AS VARCHAR) AS sourceAddress,
  
      serv.wstrWinDomain as kscNtDomain,
  
          CAST(serv.nIp / 256 / 256 / 256 % 256 AS VARCHAR) + '.' +
  
      CAST(serv.nIp / 256 / 256 % 256 AS VARCHAR) + '.' +
  
      CAST(serv.nIp / 256 % 256 AS VARCHAR) + '.' +
  
      CAST(serv.nIp % 256 AS VARCHAR) AS kscIP,
  
      CASE
  
      WHEN virus.tmVirusFoundTime is not NULL
  
              THEN DATEADD(hour,DATEDIFF(hour,GETUTCDATE(),GETDATE()),virus.tmVirusFoundTime )
  
              ELSE ev.registration_time
  
          END
  
      AS virusTime,
  
      virus.wstrObject As filePath,
  
      virus.wstrVirusName as virusName,
  
      virus.result_ev as result
  
  FROM KAV.dbo.ev_event as ev
  
  LEFT JOIN KAV.dbo.v_akpub_host as hs ON ev.nHostId = hs.nId
  
  INNER JOIN KAV.dbo.v_akpub_host As serv ON serv.nId = 1
  
  Left Join KAV.dbo.rpt_viract_index as Virus on ev.event_id = virus.nEventVirus
  
  where registration_time >= DATEADD(minute, -191, GetDate())
At step 3 of the Installation Wizard, select the [Example] KSC from SQL normalizer.
Specify other parameters in accordance with your collector requirements.

Page top