Integrating with SIEM

Kaspersky Industrial CyberSecurity for Nodes allows connecting to SIEM systems to send events for the purposes of analysis and response to potential threats. A SIEM system allows you to detect, analyze, and eliminate security threats before they harm an organization.

Integration with a SIEM system implies that Kaspersky Industrial CyberSecurity for Nodes, installed on computers running Windows operating systems that are part of an organization's IT infrastructure, sends data about security events and Windows Event Log events to the SIEM server.

Setting up SIEM Integration involves the following steps:

1. Installing the SIEM Integration component

   In installation package settings or in the Setup Wizard, or by changing the set of application components in the Windows Control Panel, at the step when you must select application components for installation, select the following: Full functionality → Endpoint Agent → SIEM Integration.

2. Enabling and configuring the SIEM Integration component

   By default, SIEM integration is not used. You can enable and disable SIEM integration, and configure relevant settings.

   You can reduce the risk of events failing to be sent to the SIEM server by configuring connections to multiple SIEM servers. Kaspersky Industrial CyberSecurity for Nodes connects to the first SIEM server in the list. If a connection attempt fails, Kaspersky Industrial CyberSecurity for Nodes attempts to connect to other servers from the list, one by one. Kaspersky Industrial CyberSecurity for Nodes also uses system audit events to notify you about unsuccessful attempts to connect to the SIEM server and about errors while sending events to the SIEM server.

   How to configure SIEM integration in the Kaspersky Security Center Administration Console

   1. In the Kaspersky Security Center Administration Console tree, select the Policies folder.
   2. Select the necessary policy and double-click to open the policy properties.
   3. Select the Telemetry collection servers section.
   4. In the SIEM Integration block, click the Settings button.

      The SIEM Integration window opens.

   5. Select the SIEM Integration check box.
   6. Configure the SIEM server connection to send security events:
      1. Go to the Security events transmission settings tab.
      2. Click Add.
      3. This opens the Add server window; in that window, enter the SIEM server address (IPv4, DNS), port, and connection protocol.
      4. Click TCP connection security settings.
      5. This opens the TCP connection security settings window; in that window, manage the SIEM server connection settings (see the table below).
      6. If necessary, select the Remove local copies for events that have been sent to a remote syslog server check box in the Settings for event transmission to a SIEM server block. If the check box is selected, the application deletes the local copies of events after they have been successfully published to the SIEM server. This mode is recommended on low-performance devices. If the check box is cleared, the application only sends events to the SIEM server. Copies of logs continue to be stored locally. By default, the check box is cleared.

         The application never deletes local versions of the security log.

      7. In the Events format block, select the format to which you want to convert application events so that they can be sent to the SIEM server. The Convert events to STRUCTURED-DATA option is selected by default. We recommend that you select the format of events based on the configuration of the utilized SIEM server.
   7. Configure the SIEM server connection to send Windows Event Log events:
      1. Go to the Windows events transmission settings tab.
      2. If you need to enable the encryption of the connection between Kaspersky Industrial CyberSecurity for Nodes and SIEM servers, under Settings for connecting to SIEM servers, select the Use TLS encryption check box.
      3. Click Add.
      4. This opens the SIEM server window; in that window, enter the SIEM server address (IPv4, DNS), port, and connection protocol.
      5. Click Settings for connecting to SIEM servers.
      6. This opens the Settings for connecting to SIEM servers window; in that window, manage the SIEM server connection settings (see the table below).
      7. If necessary, configure the Maximum events transmission delay (sec) setting in the Data transmission settings block. When the specified time expires, Kaspersky Industrial CyberSecurity for Nodes tries to connect to the same server again or connects to the next server in the list, if there are multiple servers. The default setting is 30 seconds.
   8. Close the padlock to apply the policy to computers.
   9. Click OK to save the changes.

   How to configure SIEM integration in the Kaspersky Security Center Web Console

   1. In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
   2. Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.

      The policy properties window opens.

   3. Select the Application settings tab.
   4. Select the Telemetry collection servers section.
   5. In the SIEM Integration block, click the Configure button.

      The SIEM Integration window opens.

   6. Select the Enable SIEM Integration check box.
   7. Configure the SIEM server connection to send security events:
      1. Go to the Security events transmission settings tab.
      2. Click Add.
      3. This opens the SIEM server window; in that window, enter the SIEM server address (IPv4, DNS), port, and connection protocol.
      4. In the Connection protection block, click the Settings for connecting to SIEM servers link.
      5. This opens the Settings for connecting to SIEM servers window; in that window, manage the SIEM server connection settings (see the table below).
      6. In the Events format section, specify the format to which you want to convert application events so that they can be sent to the SIEM server. The Convert events to STRUCTURED-DATA option is selected by default. We recommend that you select the format of events based on the configuration of the utilized SIEM server.
      7. If necessary, select the Remove local copies for events that have been sent to a remote syslog server check box in the Connection settings block. If the check box is selected, the application deletes the local copies of events after they have been successfully published to the SIEM server. This mode is recommended on low-performance devices. If the check box is cleared, the application only sends events to the SIEM server. Copies of logs continue to be stored locally. By default, the check box is cleared.

         The application never deletes local versions of the security log.

   8. Configure the SIEM server connection to send Windows Event Log events:
      1. Go to the Windows events transmission settings tab.
      2. Click Add.
      3. This opens the SIEM server window; in that window, enter the SIEM server address (IPv4, DNS), port, and connection protocol.
      4. In the Connection protection block, click the Settings for connecting to SIEM servers link.
      5. This opens the Settings for connecting to SIEM servers window; in that window, manage the SIEM server connection settings (see the table below).
      6. If necessary, configure the Maximum events transmission delay (sec) setting in the Connection settings block. When the specified time expires, Kaspersky Industrial CyberSecurity for Nodes tries to connect to the same server again or connects to the next server in the list, if there are multiple servers. The default setting is 30 seconds.
   9. Click OK to save the changes.

   How to configure SIEM integration in the Application Console

   1. In the Application Console tree, select the Endpoint Agent telemetry → SIEM Integration section.
   2. Click the Properties link in the results pane.

      The Properties: SIEM Integration window opens.

   3. Select the SIEM Integration check box.
   4. Configure the SIEM server connection to send security events:
      1. Go to the Security events transmission settings tab.
      2. Click Add.
      3. This opens the Add server window; in that window, enter the SIEM server address (IPv4, DNS), port, and connection protocol.
      4. Click TCP connection security settings.
      5. This opens the TCP connection security settings window; in that window, manage the SIEM server connection settings (see the table below).
      6. If necessary, select the Remove local copies for events that have been sent to a remote syslog server check box in the Settings for event transmission to a SIEM server block. If the check box is selected, the application deletes the local copies of events after they have been successfully published to the SIEM server. This mode is recommended on low-performance devices. If the check box is cleared, the application only sends events to the SIEM server. Copies of logs continue to be stored locally. By default, the check box is cleared.

         The application never deletes local versions of the security log.

   5. In the Events format block, select the format to which you want to convert application events so that they can be sent to the SIEM server. The Convert events to STRUCTURED-DATA option is selected by default. We recommend that you select the format of events based on the configuration of the utilized SIEM server.
   6. Configure the SIEM server connection to send Windows Event Log events:
      1. Go to the Windows events transmission settings tab.
      2. If you need to enable the encryption of the connection between Kaspersky Industrial CyberSecurity for Nodes and SIEM servers, under Settings for connecting to SIEM servers, select the Use TLS encryption check box.
      3. Click Add.
      4. This opens the SIEM server window; in that window, enter the SIEM server address (IPv4, DNS), port, and connection protocol.
      5. Click Settings for connecting to SIEM servers.
      6. This opens the Settings for connecting to SIEM servers window; in that window, manage the SIEM server connection settings (see the table below).

      If necessary, configure the Maximum events transmission delay (sec) setting in the Data transmission settings block. When the specified time expires, Kaspersky Industrial CyberSecurity for Nodes tries to connect to the same server again or connects to the next server in the list, if there are multiple servers. The default setting is 30 seconds.

   7. Click OK to save the changes.

   SIEM server connection settings

   Parameter	Description
   Timeout (sec)	Maximum SIEM server response timeout. When the timeout runs out, Kaspersky Industrial CyberSecurity for Nodes tries to connect to a different SIEM server.
   Server TLS certificate	TLS certificate for establishing a trusted connection with the SIEM server. You can get a TLS certificate using the SIEM management interface.
   Use two-way authentication	Two-way authentication when establishing a secure connection between Kaspersky Industrial CyberSecurity for Nodes and SIEM. To use two-way authentication, you need to enable two-way authentication in the SIEM settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. After configuring SIEM settings, you need to enable two-way authentication in Kaspersky Industrial CyberSecurity for Nodes settings using a check box and load a password-protected crypto-container. The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.

In this Help section Filtering events to be sent to SIEM Exporting and importing telemetry event filtering rules

Page top