Importing events from the Kaspersky Security Center database

In KUMA, you can receive events from the Kaspersky Security Center SQL database. Events are received using the collector, which uses the following resources:

Predefined [OOTB] KSC MSSQL, [OOTB] KSC MySQL, or [OOTB] KSC PostgreSQL connector.
Predefined [OOTB] KSC from SQL normalizer.

Configuring the import of events from Kaspersky Security Center involves the following steps:

Create a copy of the predefined connector.
The settings of the predefined connector are not editable, therefore, to configure the connection to the database server, you must create a copy of the predefined connector.
Creating a collector:
- In the web interface.
- On the server.

To configure the import of events from Kaspersky Security Center:

Create a copy of the predefined connector corresponding to the type of database used by Kaspersky Security Center:
1. In the KUMA web interface, in the Resources → Connectors section, find the relevant predefined connector in the folder hierarchy, select the check box next to that connector, and click Duplicate.
2. This opens the Create connector window; in that window, on the Basic settings tab, in the Default query field, if necessary, replace the KAV database name with the name of the Kaspersky Security Center database you are using.
  An example of a query to the Kaspersky Security Center SQL database
  
  SELECT ev.event_id AS externalId, ev.severity AS severity, ev.task_display_name AS taskDisplayName,
  
          ev.product_name AS product_name, ev.product_version AS product_version,
  
           ev.event_type As deviceEventClassId, ev.event_type_display_name As event_subcode, ev.descr As msg,
  
  CASE
  
          WHEN ev.rise_time is not NULL THEN DATEADD(hour,DATEDIFF(hour,GETUTCDATE(),GETDATE()),ev.rise_time )
  
              ELSE ev.rise_time
  
          END
  
      AS endTime,
  
      CASE
  
          WHEN ev.registration_time is not NULL
  
              THEN DATEADD(hour,DATEDIFF(hour,GETUTCDATE(),GETDATE()),ev.registration_time )
  
              ELSE ev.registration_time
  
          END
  
      AS kscRegistrationTime,
  
      cast(ev.par7 as varchar(4000)) as sourceUserName,
  
      hs.wstrWinName as dHost,
  
      hs.wstrWinDomain as strNtDom, serv.wstrWinName As kscName,
  
          CAST(hs.nIp / 256 / 256 / 256 % 256 AS VARCHAR) + '.' +
  
      CAST(hs.nIp / 256 / 256 % 256 AS VARCHAR) + '.' +
  
      CAST(hs.nIp / 256 % 256 AS VARCHAR) + '.' +
  
      CAST(hs.nIp % 256 AS VARCHAR) AS sourceAddress,
  
      serv.wstrWinDomain as kscNtDomain,
  
          CAST(serv.nIp / 256 / 256 / 256 % 256 AS VARCHAR) + '.' +
  
      CAST(serv.nIp / 256 / 256 % 256 AS VARCHAR) + '.' +
  
      CAST(serv.nIp / 256 % 256 AS VARCHAR) + '.' +
  
      CAST(serv.nIp % 256 AS VARCHAR) AS kscIP,
  
      CASE
  
      WHEN virus.tmVirusFoundTime is not NULL
  
              THEN DATEADD(hour,DATEDIFF(hour,GETUTCDATE(),GETDATE()),virus.tmVirusFoundTime )
  
              ELSE ev.registration_time
  
          END
  
      AS virusTime,
  
      virus.wstrObject As filePath,
  
      virus.wstrVirusName as virusName,
  
      virus.result_ev as result
  
  FROM KAV.dbo.ev_event as ev
  
  LEFT JOIN KAV.dbo.v_akpub_host as hs ON ev.nHostId = hs.nId
  
  INNER JOIN KAV.dbo.v_akpub_host As serv ON serv.nId = 1
  
  Left Join KAV.dbo.rpt_viract_index as Virus on ev.event_id = virus.nEventVirus
  
  where registration_time >= DATEADD(minute, -191, GetDate())
3. Place the cursor in the URL field and in the displayed list, click in the line of the secret that you are using.
4. This opens the Secret window; in that window, in the URL field, specify the server connection address in the following format:
  sqlserver://user:password@kscdb.example.com:1433/database
  
  where:
  - user—user account with public and db_datareader rights to the required database.
  - password—user account password.
  - kscdb.example.com:1433—address and port of the database server.
  - database—name of the Kaspersky Security Center database. 'KAV' by default.
  Click Save.
5. In the Create connector window, in the Connection section, in the Query field, replace the 'KAV' database name with the name of the Kaspersky Security Center database you are using.
  You must do this if you want to use the ID column to which the query refers.
  
  Click Save.
Install the collector in the web interface:
1. Start the Collector Installation Wizard in one of the following ways:
  - In the KUMA web interface, in the Resources section, click Add event source.
  - In the KUMA web interface in the Resources → Collectors section click Add collector.
2. At step 1 of the installation wizard, Connect event sources, specify the collector name and select the tenant.
3. At step 2 of the installation wizard, Transport, select the copy of the connector that you created at step 1.
4. At step 3 of the installation wizard, Event parsing, on the Parsing schemes tab, click Add event parsing.
5. This opens the Basic event parsing window; in that window, on the Normalization scheme tab, select [OOTB] KSC from SQL in the Normalizer drop-down list and click OK.
6. If necessary, specify the other settings in accordance with your requirements for the collector. For the purpose of importing events, editing settings at the remaining steps of the Installation Wizard is optional.
7. At step 8 of the installation wizard, Setup validation, click Create and save service.
  The lower part of the window displays the command that you must use to install the collector on the server. Copy this command to the clipboard.
8. Close the Collector Installation Wizard by clicking Save collector.
Install the collector on the server.
To do so, on the server on which you want to receive Kaspersky Security Center events, run the command that you copied to the clipboard after creating the collector in the web interface.

As a result, the collector is installed and can receive events from the SQL database of Kaspersky Security Center.

You can view Kaspersky Security Center events in the Events section of the web interface.

Page top