Importing events from Kaspersky Endpoint Detection and Response

When importing events from Kaspersky Endpoint Detection and Response, telemetry is transmitted in clear text and may be intercepted by an intruder.

Kaspersky Endpoint Detection and Response 4.0 raw events can be imported into KUMA with the help of a Kafka connector.

To import events, you will need to perform actions on the Kaspersky Endpoint Detection and Response side and on the KUMA side.

On the Kaspersky Endpoint Detection and Response side, perform the following actions:

  1. Use SSH or a terminal to log in to the management console of the Central Node server from which you want to export events.
  2. When prompted by the system, enter the administrator account name and the password that was set during installation of Kaspersky Endpoint Detection and Response.

    The program component administrator menu is displayed.

  3. In the program component administrator menu, select Technical Support Mode.
  4. Press Enter.

    The Technical Support Mode confirmation window opens.

  5. Confirm that you want to operate the application in Technical Support Mode. To do so, select Yes and press Enter.
  6. Run the sudo -i command.
  7. In the /etc/sysconfig/apt-services configuration file, in the KAFKA_PORTS field, delete the value 10000.

    If Secondary Central Node servers or the Sensor component installed on a separate server are connected to the Central Node server, you need to allow the connection with the server where you modified the configuration file via port 10000.

    It is strongly not recommended to use this port for any external connections other than KUMA. To restrict connection on port 10000 to KUMA only, run the command iptables -I INPUT -p tcp! -s KUMA_IP_address --dport 10000 -j DROP.

  8. Run the command systemctl restart apt_ipsec.service.
  9. In the configuration file /usr/bin/apt-start-sedr-iptables add the value 10000 in the WEB_PORTS field, separated by a comma without a space.
  10. Run sudo sh /usr/bin/apt-start-sedr-iptables.

Preparations for exporting events on the Kaspersky Endpoint Detection and Response side are now complete.

On the KUMA side, complete the following steps:

  1. On the KUMA server, add the IP address of the Central Node server in the format <IP address> centralnode to one of the following files:
    • %WINDIR%\System32\drivers\etc\hosts—for Windows.
    • /etc/hosts file—for Linux.
  2. In the KUMA web interface, create a connector of the Kafka type.

    When creating the connector, in the URL field, you will need to specify the <Central Node server IP address>:10000.

  3. In the KUMA web interface, create a collector.

    Use the connector created at the previous step as the transport for the collector.

If the collector is successfully created and installed, Kaspersky Endpoint Detection and Response events will be imported into KUMA. You can find and view these events in the events table.

Page top