Kaspersky Industrial CyberSecurity for Nodes can connect to SIEM systems and send events to them for analysis of and response to potential threats. A SIEM system allows you to detect, analyze, and eliminate security threats before they harm an organization.
Integration with a SIEM system implies that Kaspersky Industrial CyberSecurity for Nodes, installed on computers running Windows operating systems that are part of an organization's IT infrastructure, continuously monitors processes, open network connections, and modified files and sends data about events on computers to the SIEM server.
Setting up SIEM Integration involves the following steps:
At the step where you select application components for installation (in the installation package settings, in the Setup Wizard, or when changing the set of application components in the Windows Control Panel), select the following: Full functionality → Endpoint Agent → SIEM Integration.
You must restart your computer to finish upgrading the application with the new component.
To send telemetry to SIEM servers, you need an active Kaspersky Industrial CyberSecurity for Nodes license key with the XDR Telemetry license object.
Make sure that the SIEM Integration functionality is included in the license.
You can establish a trusted connection between Kaspersky Industrial CyberSecurity for Nodes and SIEM servers. To configure a trusted connection, you must use a TLS certificate. You can get a TLS certificate in the SIEM. Then you must add the TLS certificate to Kaspersky Industrial CyberSecurity for Nodes (see instructions below).
To make the connection more secure, you can additionally enable verification of the computer by the SIEM (two-way authentication). To enable this verification, you must turn on two-way authentication in both the SIEM settings and the Kaspersky Industrial CyberSecurity for Nodes settings. Two-way authentication also requires a crypto-container: a PFX archive that holds a certificate together with its private key. You must generate the certificate and private key as a PKCS#12 container in an external certification authority. Next, you must add the PFX archive to the SIEM and to Kaspersky Industrial CyberSecurity for Nodes.
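As an added example, not part of the Kaspersky documentation: a POSIX shell script using openssl that builds a PKCS#12 crypto-container of the kind the two-way authentication step describes and sanity-checks it before it is added to the SIEM and to Kaspersky Industrial CyberSecurity for Nodes. It assumes openssl is installed; a throwaway self-signed CA stands in for the external certification authority, and all names, paths and the password are constructed placeholders.

```shell
set -eu
WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-example-only-secret}"   # constructed placeholder; use a real secret

# Stand-in for the external CA: a throwaway self-signed CA key and certificate (constructed names).
make_stand_in_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example Stand-in CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue the node certificate. The SIEM verifies the computer with it, so it must carry clientAuth.
issue_node_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=kics-node-example" \
    -keyout "$WORK/node.key" -out "$WORK/node.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' > "$WORK/node.ext"
  openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/node.ext" -out "$WORK/node.crt" >/dev/null 2>&1
}

# Bundle the certificate and its private key into the PFX (PKCS#12) crypto-container.
export_pfx() {
  openssl pkcs12 -export -inkey "$WORK/node.key" -in "$WORK/node.crt" -certfile "$WORK/ca.crt" \
    -passout "pass:$PFX_PASS" -out "$WORK/node.pfx"
}

# Check a container before handing it to the SIEM and to the node: it must open with the password,
# hold a private key whose public half matches the certificate, and permit client authentication.
check_pfx() {
  pfx="$1"; pass="$2"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$WORK/chk.key" >/dev/null 2>&1 \
    || { echo "unreadable-or-no-key"; return 0; }
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$WORK/chk.crt" >/dev/null 2>&1
  k=$(openssl pkey -in "$WORK/chk.key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$WORK/chk.crt" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256)
  [ "$k" = "$c" ] || { echo "key-cert-mismatch"; return 0; }
  openssl x509 -in "$WORK/chk.crt" -noout -text | grep -q "TLS Web Client Authentication" \
    || { echo "no-clientauth"; return 0; }
  echo "ok"
}

build_and_check() { make_stand_in_ca; issue_node_cert; export_pfx; check_pfx "$WORK/node.pfx" "$PFX_PASS"; }

build_and_check   # prints: ok
```

Run `check_pfx` against a container received from the real certification authority to catch a missing private key, a key that does not belong to the certificate, or a certificate without the client authentication purpose before it is deployed.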