When importing events from Kaspersky Endpoint Detection and Response, telemetry is transmitted in clear text and may be intercepted by an intruder.
Kaspersky Endpoint Detection and Response 4.0, 4.1, and 5.0 events can be imported to KUMA using a Kafka connector.
Several limitations are applicable to the import of events from Kaspersky Endpoint Detection and Response 4.0 and 4.1:
To import events, perform the actions in Kaspersky Endpoint Detection and Response and in KUMA.
Importing events from Kaspersky Endpoint Detection and Response 4.0 or 4.1
To import Kaspersky Endpoint Detection and Response 4.0 or 4.1 events to KUMA:
In Kaspersky Endpoint Detection and Response:
The program component administrator menu is displayed.
The Technical Support Mode confirmation window opens.
sudo -i
/etc/sysconfig/apt-services
configuration file, in the KAFKA_PORTS
field, delete the value 10000
.If Secondary Central Node servers or the Sensor component installed on a separate server are connected to the Central Node server, you need to allow the connection with the server where you modified the configuration file via port 10000.
It is strongly not recommended to use this port for any external connections other than KUMA. To restrict connections over port 10000 only for KUMA, run the following command:
iptables -I INPUT -p tcp ! -s KUMA_IP_address --dport 10000 -j DROP
/usr/bin/apt-start-sedr-iptables
add the value 10000
in the WEB_PORTS
field, separated by a comma without a space.sudo sh /usr/bin/apt-start-sedr-iptables
Preparations for exporting events on the Kaspersky Endpoint Detection and Response side are now complete.
In KUMA:
<IP address> centralnode
to one of the following files:%WINDIR%\System32\drivers\etc\hosts
—for Windows./etc/hosts file
—for Linux.When creating a connector, specify the following parameters:
<Central Node server IP address>:10000
.EndpointEnrichedEventsTopic
.Use the connector created at the previous step as the transport for the collector. Use "[OOTB] KEDR telemetry" as the normalizer for the collector.
If the collector is successfully created and installed, Kaspersky Endpoint Detection and Response events will be imported into KUMA. You can find and view these events in the events table.
Importing events from Kaspersky Endpoint Detection and Response 5.0
Several limitations are applicable to the import of events from Kaspersky Endpoint Detection and Response 5.0:
To import Kaspersky Endpoint Detection and Response 5.0 events to KUMA:
In Kaspersky Endpoint Detection and Response:
The program component administrator menu is displayed.
The Technical Support Mode confirmation window opens.
/usr/local/lib/python3.8/dist-packages/firewall/create_iptables_rules.py
configuration file, specify the additional port 10000
for the WEB_PORTS
constant:WEB_PORTS = f'10000,80,{AppPort.APT_AGENT_PORT},{AppPort.APT_GUI_PORT}'
kata-firewall stop
kata-firewall start --cluster-subnet <network mask for addressing cluster servers>
Preparations for exporting events on the Kaspersky Endpoint Detection and Response side are now complete.
In KUMA:
<IP address> kafka.services.external.dyn.kata
to one of the following files:%WINDIR%\System32\drivers\etc\hosts
—for Windows./etc/hosts file
—for Linux.When creating a connector, specify the following parameters:
<Central Node server IP address>:10000
.EndpointEnrichedEventsTopic
.Use the connector created at the previous step as the transport for the collector. It is recommended to use the [OOTB] KEDR telemetry normalizer as the normalizer for the collector.
If the collector is successfully created and installed, Kaspersky Endpoint Detection and Response events will be imported into KUMA. You can find and view these events in the events table.
Page top