In the Kaspersky Security Center Administration Console tree, select the Policies folder.
Select the necessary policy and double-click to open the policy properties.
Select the Telemetry collection servers section.
In the SIEM Integration block, click the Settings button.
The SIEM Integration window opens.
Select the SIEM Integration check box.
Configure the SIEM server connection to send security events:
Go to the Security events transmission settings tab.
Click Add.
This opens the Add server window; in that window, enter the SIEM server address (IPv4, DNS), port, and connection protocol.
Click TCP connection security settings.
This opens the TCP connection security settings window; in that window, manage the SIEM server connection settings (see the table below).
If necessary, select the Remove local copies for events that have been sent to a remote syslog server check box in the Settings for event transmission to a SIEM server block. If the check box is selected, the application deletes the local copies of events after they have been successfully published to the SIEM server. This mode is recommended on low-performance devices. If the check box is cleared, the application only sends events to the SIEM server. Copies of logs continue to be stored locally. By default, the check box is cleared.
The application never deletes local versions of the security log.
In the Events format block, select the format to which you want to convert application events so that they can be sent to the SIEM server. The Convert events to STRUCTURED-DATA option is selected by default. We recommend that you select the format of events based on the configuration of the utilized SIEM server.
Configure the SIEM server connection to send Windows Event Log events:
Go to the Windows events transmission settings tab.
If you need to enable the encryption of the connection between Kaspersky Industrial CyberSecurity for Nodes and SIEM servers, under Settings for connecting to SIEM servers, select the Use TLS encryption check box.
Click Add.
This opens the SIEM server window; in that window, enter the SIEM server address (IPv4, DNS), port, and connection protocol.
Click Settings for connecting to SIEM servers.
This opens the Settings for connecting to SIEM servers window; in that window, manage the SIEM server connection settings (see the table below).
If necessary, configure the Maximum events transmission delay (sec) setting in the Data transmission settings block. When the specified time expires, Kaspersky Industrial CyberSecurity for Nodes tries to connect to the same server again or connects to the next server in the list, if there are multiple servers. The default setting is 30 seconds.
Close the padlock (lock icon) next to the setting so that the policy enforces it on managed computers.
In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.
The policy properties window opens.
Select the Application settings tab.
Select the Telemetry collection servers section.
In the SIEM Integration block, click the Configure button.
The SIEM Integration window opens.
Select the Enable SIEM Integration check box.
Configure the SIEM server connection to send security events:
Go to the Security events transmission settings tab.
Click Add.
This opens the SIEM server window; in that window, enter the SIEM server address (IPv4, DNS), port, and connection protocol.
In the Connection protection block, click the Settings for connecting to SIEM servers link.
This opens the Settings for connecting to SIEM servers window; in that window, manage the SIEM server connection settings (see the table below).
In the Events format section, specify the format to which you want to convert application events so that they can be sent to the SIEM server. The Convert events to STRUCTURED-DATA option is selected by default. We recommend that you select the format of events based on the configuration of the utilized SIEM server.
If necessary, select the Remove local copies for events that have been sent to a remote syslog server check box in the Connection settings block. If the check box is selected, the application deletes the local copies of events after they have been successfully published to the SIEM server. This mode is recommended on low-performance devices. If the check box is cleared, the application only sends events to the SIEM server. Copies of logs continue to be stored locally. By default, the check box is cleared.
The application never deletes local versions of the security log.
Configure the SIEM server connection to send Windows Event Log events:
Go to the Windows events transmission settings tab.
Click Add.
This opens the SIEM server window; in that window, enter the SIEM server address (IPv4, DNS), port, and connection protocol.
In the Connection protection block, click the Settings for connecting to SIEM servers link.
This opens the Settings for connecting to SIEM servers window; in that window, manage the SIEM server connection settings (see the table below).
If necessary, configure the Maximum events transmission delay (sec) setting in the Connection settings block. When the specified time expires, Kaspersky Industrial CyberSecurity for Nodes tries to connect to the same server again or connects to the next server in the list, if there are multiple servers. The default setting is 30 seconds.
In the Application Console tree, select the Endpoint Agent telemetry → SIEM Integration section.
Click the Properties link in the results pane.
The Properties: SIEM Integration window opens.
Select the SIEM Integration check box.
Configure the SIEM server connection to send security events:
Go to the Security events transmission settings tab.
Click Add.
This opens the Add server window; in that window, enter the SIEM server address (IPv4, DNS), port, and connection protocol.
Click TCP connection security settings.
This opens the TCP connection security settings window; in that window, manage the SIEM server connection settings (see the table below).
If necessary, select the Remove local copies for events that have been sent to a remote syslog server check box in the Settings for event transmission to a SIEM server block. If the check box is selected, the application deletes the local copies of events after they have been successfully published to the SIEM server. This mode is recommended on low-performance devices. If the check box is cleared, the application only sends events to the SIEM server. Copies of logs continue to be stored locally. By default, the check box is cleared.
The application never deletes local versions of the security log.
In the Events format block, select the format to which you want to convert application events so that they can be sent to the SIEM server. The Convert events to STRUCTURED-DATA option is selected by default. We recommend that you select the format of events based on the configuration of the utilized SIEM server.
Configure the SIEM server connection to send Windows Event Log events:
Go to the Windows events transmission settings tab.
If you need to enable the encryption of the connection between Kaspersky Industrial CyberSecurity for Nodes and SIEM servers, under Settings for connecting to SIEM servers, select the Use TLS encryption check box.
Click Add.
This opens the SIEM server window; in that window, enter the SIEM server address (IPv4, DNS), port, and connection protocol.
Click Settings for connecting to SIEM servers.
This opens the Settings for connecting to SIEM servers window; in that window, manage the SIEM server connection settings (see the table below).
If necessary, configure the Maximum events transmission delay (sec) setting in the Data transmission settings block. When the specified time expires, Kaspersky Industrial CyberSecurity for Nodes tries to connect to the same server again or connects to the next server in the list, if there are multiple servers. The default setting is 30 seconds.
Click OK to save the changes.
SIEM server connection settings (parameter: description)

Timeout (sec): Maximum SIEM server response timeout. When the timeout runs out, Kaspersky Industrial CyberSecurity for Nodes tries to connect to a different SIEM server.

Server TLS certificate: TLS certificate for establishing a trusted connection with the SIEM server. You can get a TLS certificate using the SIEM management interface.

Use two-way authentication: Two-way authentication when establishing a secure connection between Kaspersky Industrial CyberSecurity for Nodes and SIEM. To use two-way authentication, you need to enable two-way authentication in the SIEM settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. After configuring SIEM settings, you need to enable two-way authentication in Kaspersky Industrial CyberSecurity for Nodes settings using a check box and load a password-protected crypto-container.
The crypto-container must be password-protected. It is not possible to add a crypto-container with a blank password.
Reliability settings
You can reduce the risk of events failing to be sent to the SIEM server by configuring connections to multiple SIEM servers.
Kaspersky Industrial CyberSecurity for Nodes connects to the first SIEM server in the list. If a connection attempt fails, Kaspersky Industrial CyberSecurity for Nodes attempts to connect to other servers from the list, one by one.
Kaspersky Industrial CyberSecurity for Nodes also uses system audit events to notify you about unsuccessful attempts to connect to the SIEM server and about errors while sending events to the SIEM server.
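The delivery behaviour described above (an ordered SIEM server list, a per-server timeout, failover to the next server, an audit entry for every failed attempt, a pinned server TLS certificate and optional two-way authentication) as a runnable model in Python. This is an added example, not Kaspersky code: the function and parameter names are assumptions, and it takes PEM files because Python's ssl module does not read PFX crypto-containers directly.

```python
import socket
import ssl
from typing import Callable, List, Optional, Tuple

Server = Tuple[str, int]  # (address, port) as entered in the SIEM server window
Connector = Callable[[Server, float], socket.socket]


def tcp_connect(server: Server, timeout: float) -> socket.socket:
    """Plain TCP transport honouring the per-server Timeout (sec)."""
    return socket.create_connection(server, timeout=timeout)


def tls_connector(server_cert_pem: str, client_cert_pem: Optional[str] = None,
                  key_password: Optional[str] = None) -> Connector:
    """Transport that trusts only the SIEM server's own TLS certificate and,
    if a client certificate is supplied, performs two-way authentication.
    A PFX crypto-container must be exported to PEM first; a blank key
    password is rejected, as the product rejects blank container passwords."""
    if client_cert_pem and not key_password:
        raise ValueError("client key password must not be blank")
    ctx = ssl.create_default_context(cafile=server_cert_pem)  # no system CAs
    if client_cert_pem:
        ctx.load_cert_chain(client_cert_pem, password=key_password)

    def connect(server: Server, timeout: float) -> socket.socket:
        raw = socket.create_connection(server, timeout=timeout)
        # server_hostname must match the certificate (IP SAN when configured by IP)
        return ctx.wrap_socket(raw, server_hostname=server[0])
    return connect


def send_with_failover(servers: List[Server], message: bytes, timeout: float = 30.0,
                       audit_log: Optional[List[str]] = None,
                       connect: Connector = tcp_connect) -> Optional[Server]:
    """Deliver one event to the first server in the list that accepts it.
    Every failure is appended to audit_log (standing in for the product's
    system audit events); returns the accepting server or None if all fail."""
    if audit_log is None:
        audit_log = []
    for host, port in servers:
        try:
            with connect((host, port), timeout) as conn:
                conn.sendall(message + b"\n")
            return (host, port)
        except OSError as exc:  # refused, timed out, reset, TLS failure
            audit_log.append(f"SIEM server {host}:{port} unreachable: {exc}")
    audit_log.append("event not delivered: all SIEM servers failed")
    return None
```

Pass the connector returned by tls_connector as the connect argument to exercise the TLS path; the default connector is plain TCP.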