To improve performance and reduce the volume of data sent to the SIEM server, you can manually include or exclude individual events in telemetry. For example, you can exclude Sysmon events. Keep in mind that an excluded event never reaches the SIEM, so before excluding an event ID, check that the detection rules and reports on the SIEM side do not depend on it.
Kaspersky Industrial CyberSecurity for Nodes supports up to 1500 inclusion and exclusion rules in total for filtering telemetry events.
In the Kaspersky Security Center Administration Console tree, select the Policies folder.
Select the necessary policy and double-click to open the policy properties.
In the policy properties window, go to the Supplementary section.
In the SIEM telemetry block, click the Settings button.
In the window that opens, configure the filter for events sent to SIEM.
You can configure an event filter for the standard Application, Security, System logs or manually add another log.
Click Add or open log properties by clicking Edit.
Select an event sending mode:
Send all events. In this mode, the application sends all events from the Windows log except events added to exclusion rules.
Send only selected events. In this mode, the application sends only events added in inclusion rules.
Create a list of exclusion rules or inclusion rules, depending on the selected event sending mode.
To add a rule, specify the ID of the event in the Windows event log. You can list multiple event IDs in one rule, separated by commas (,).
Save your changes. To apply the policy on computers, close the locks.
In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.
The policy properties window opens.
Select the Application settings tab.
Select the Supplementary section.
In the Telemetry settings block, click the Configure button.
The Telemetry settings window opens.
Go to the SIEM Telemetry tab.
Configure the filter for events sent to SIEM.
You can configure an event filter for the standard Application, Security, System logs:
Click the name of the journal for which you want to configure rules.
In the window that opens, select an event sending mode:
Send all events. In this mode, the application sends all events from the Windows log except events added to exclusion rules.
Send only selected events. In this mode, the application sends only events added in inclusion rules.
Create a list of exclusion rules or inclusion rules, depending on the selected event sending mode.
To add a rule, specify the rule name and the ID of the event in the Windows event log. You can list multiple event IDs in one rule, separated by commas (,). If necessary, add a description of the rule.
Save your changes. To apply the policy on computers, close the locks.
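The following PowerShell script is an added example and is not part of the Kaspersky documentation or product. It models the two event sending modes and the comma-separated event ID lists used in rules in both the Administration Console and Web Console procedures above, ranks event IDs by volume so you can decide which noisy IDs to exclude (or which rare IDs to include), and checks the 1500-rule total. The event set is constructed for the example; the function names (Test-EventSent, Get-EventIdVolume, New-ExclusionRuleIdList, Test-RuleBudget) are this example's own and are not product commands. The only product-independent dependency is Get-WinEvent, which you can use instead of the constructed sample to rank IDs from a real log.

```powershell
# Added example, not Kaspersky code. Events are objects with LogName and Id
# properties, which is the shape Get-WinEvent returns. The sample set below is
# constructed for illustration.
$SampleEvents = @(
    [pscustomobject]@{ LogName = 'Security'; Id = 4624 }   # logon
    [pscustomobject]@{ LogName = 'Security'; Id = 4624 }
    [pscustomobject]@{ LogName = 'Security'; Id = 4688 }   # process creation
    [pscustomobject]@{ LogName = 'Security'; Id = 4672 }   # special privileges assigned
    [pscustomobject]@{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 }   # network connection
    [pscustomobject]@{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 }
    [pscustomobject]@{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 }
    [pscustomobject]@{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }   # process creation
    [pscustomobject]@{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 }  # process access
)
# For a live host, replace the sample with real events, for example:
# $SampleEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational' } -MaxEvents 50000

# Parse the comma-separated ID list of one rule ("4624, 4672,4688") into integers.
function ConvertFrom-RuleIdList {
    param([Parameter(Mandatory)][string]$IdList)
    $IdList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } | ForEach-Object { [int]$_ }
}

# Decide whether one event is sent to SIEM under a mode and a rule set.
# Mode 'All'      = Send all events: rules are exclusions.
# Mode 'Selected' = Send only selected events: rules are inclusions.
function Test-EventSent {
    param(
        [Parameter(Mandatory)][ValidateSet('All', 'Selected')][string]$Mode,
        [Parameter(Mandatory)][string[]]$Rules,   # each element is one rule's comma-separated ID list
        [Parameter(Mandatory)][int]$EventId
    )
    $ruleIds = @($Rules | ForEach-Object { ConvertFrom-RuleIdList $_ })
    $matched = $ruleIds -contains $EventId
    if ($Mode -eq 'All') { return (-not $matched) }
    return $matched
}

# Rank event IDs per log by volume to find candidates for exclusion or inclusion.
function Get-EventIdVolume {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object LogName, Id | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            LogName = $_.Group[0].LogName
            Id      = $_.Group[0].Id
            Count   = $_.Count
            Share   = [math]::Round(100 * $_.Count / $Events.Count, 1)
        }
    }
}

# Build the comma-separated ID string for one exclusion rule from the noisiest IDs of a log.
function New-ExclusionRuleIdList {
    param([object[]]$Events, [string]$LogName, [int]$Top = 3)
    (Get-EventIdVolume $Events | Where-Object LogName -eq $LogName |
        Select-Object -First $Top | ForEach-Object Id) -join ','
}

# The product accepts at most 1500 inclusion and exclusion rules in total.
function Test-RuleBudget {
    param([Parameter(Mandatory)][int]$RuleCount)
    if ($RuleCount -gt 1500) { throw "Rule count $RuleCount exceeds the 1500-rule limit" }
    return $true
}

# Usage: rank the sample, derive a Sysmon exclusion rule, and check a few IDs against it.
Get-EventIdVolume $SampleEvents | Format-Table -AutoSize
$sysmonRule = New-ExclusionRuleIdList $SampleEvents 'Microsoft-Windows-Sysmon/Operational' -Top 1
"Exclusion rule ID list for Sysmon: $sysmonRule"
Test-EventSent -Mode All -Rules @($sysmonRule) -EventId 3          # the noisiest Sysmon ID, covered by the exclusion rule
Test-EventSent -Mode All -Rules @($sysmonRule) -EventId 1          # not in any exclusion rule
Test-EventSent -Mode Selected -Rules @('4624,4688', '4672') -EventId 4624   # listed in an inclusion rule
Test-EventSent -Mode Selected -Rules @('4624,4688', '4672') -EventId 4625   # not listed in any inclusion rule
Test-RuleBudget -RuleCount 3
```

Run the ranking against a real log before writing rules: the IDs that dominate the volume are the exclusion candidates under Send all events, while a short list of IDs your SIEM content actually needs is what you would enter under Send only selected events. Count the rules you plan to create across all logs against the 1500 total, since that limit covers inclusion and exclusion rules together.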