About event export
Nov 27, 2023
You can use event export within centralized systems that deal with security issues on an organizational and technical level, provide security monitoring services, and consolidate information from different solutions. Such systems are SIEM systems, which provide real-time analysis of security alerts and events generated by network hardware and applications, or Security Operation Centers (SOCs).
These systems receive data from many sources, including networks, security, servers, databases, and applications. SIEM systems also provide functionality to consolidate monitored data in order to help you avoid missing critical events. In addition, the systems perform automated analysis of correlated events and alerts in order to notify the administrators of immediate security issues. Alerting can be implemented through a dashboard or can be sent through third-party channels such as email.
The process of exporting events from Kaspersky Security Center to external SIEM systems involves two parties: an event sender (Kaspersky Security Center) and an event receiver (the SIEM system). To successfully export events, you must configure event export both in your SIEM system and in the Kaspersky Security Center Administration Console. It does not matter which side you configure first. You can configure the transmission of events in Kaspersky Security Center and then configure the receipt of events by the SIEM system, or vice versa.
Methods for sending events from Kaspersky Security Center
There are three methods for sending events from Kaspersky Security Center to external systems:
- Sending events over the Syslog protocol to any SIEM system
Using the Syslog protocol, you can relay any events that occur on the Kaspersky Security Center Administration Server and in Kaspersky applications that are installed on managed devices. The Syslog protocol is a standard message-logging protocol. You can use it to export events to any SIEM system.
For this purpose, you need to mark the events that you want to relay to the SIEM system. You can mark the events in Administration Console or Kaspersky Security Center Web Console. Only marked events are relayed to the SIEM system. If you mark nothing, no events are relayed.
- Sending events over the CEF and LEEF protocols to QRadar, Splunk, and ArcSight systems
You can use the CEF and LEEF protocols to export general events. When exporting events over the CEF and LEEF protocols, you do not have the capability to select specific events to export. Instead, all general events are exported. Unlike the Syslog protocol, the CEF and LEEF protocols are not universal. CEF and LEEF are intended for the appropriate SIEM systems (QRadar, Splunk, and ArcSight). Therefore, when you choose to export events over one of these protocols, you use the required parser in the SIEM system.
To export events over the CEF and LEEF protocols, the Integration with the SIEM systems feature must be activated in Administration Server by using an active license key or valid activation code.
- Directly from the Kaspersky Security Center database to any SIEM system
This method of exporting events can be used to receive events directly from public views of the database by means of SQL queries. The results of a query are saved to an XML file that can be used as input data for an external system. Only events available in public views can be exported directly from the database.
Receipt of events by the SIEM system
The SIEM system must receive events from Kaspersky Security Center and parse them correctly. For this purpose, you must properly configure the SIEM system. The configuration depends on the specific SIEM system that you use. However, some configuration steps are common to all SIEM systems, such as configuring the receiver and the parser.
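To illustrate the parser step on the receiver side, the following Python example (added here; it is not Kaspersky code and not part of the original page) parses one CEF record delivered inside a syslog message. It assumes the standard CEF layout of seven pipe-delimited header fields followed by key=value extension pairs; the sample line, host name, vendor, and field values are constructed, and the function names are hypothetical.

```python
import re

HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)(\w+)=")   # start of an extension key
_ESC = re.compile(r"\\(.)")            # backslash escape inside a value

# Constructed sample: syslog prefix + CEF record (vendor, host and fields are made up).
SAMPLE = (r"<134>Nov 27 10:15:02 ksc01 CEF:0|ExampleVendor|Example \| Console|1.0|"
          r"EV-100|Threat detected|8|src=10.0.0.5 msg=Path C:\\Temp\\a\=b.exe blocked cn1=3")

def _split_header(body):
    # Split on the first 7 unescaped pipes; an escaped pipe or backslash stays in the field.
    parts, cur, i = [], [], 0
    while i < len(body) and len(parts) < len(HEADER):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("\\", "|"):
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(parts) < len(HEADER):
        raise ValueError("truncated CEF header")
    return parts, body[i:]

def parse_extension(ext):
    # A value runs until the next " key=", so values may contain spaces.
    matches = list(_KEY.finditer(ext))
    fields = {}
    for m, nxt in zip(matches, matches[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        fields[m.group(1)] = _ESC.sub(
            lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return fields

def parse_cef(line):
    start = line.find("CEF:")          # skip the syslog priority/timestamp/host prefix
    if start < 0:
        raise ValueError("not a CEF record")
    header, ext = _split_header(line[start + 4:])
    event = dict(zip(HEADER, header))
    event["extension"] = parse_extension(ext)
    return event

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

Rejecting lines without a `CEF:` marker or with a truncated header, rather than storing them half-parsed, keeps malformed records from silently dropping out of correlation rules.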