Kaspersky Machine Learning for Anomaly Detection

Configuring the CEF Connector

December 6, 2023

ID 248008

Kaspersky MLAD uses the CEF Connector to receive data from external sources of events (such as the Industrial Internet of Things, network devices and applications) and to send incident registration messages to an external system.

You can also use the CEF Connector to send information security event logs of Kaspersky MLAD to an external system. Information security event logs are automatically written to the Kaspersky MLAD database.

To receive events from external sources using the CEF Connector, configure the Event Processor service.
Before configuring the CEF Connector settings in the Kaspersky MLAD web interface, the IP address and port number to be used for connecting the external event source to the CEF Connector must be specified in the .env file. The settings of the configuration file can be changed only by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.

System administrators can configure the CEF Connector.

The CEF Connector does not support a secure (TLS) connection: received events, forwarded incidents and information security event logs all cross the network in cleartext. If you need a secure connection for receiving and sending data, protect the network path by other means (for example, route the traffic through a VPN or IPsec tunnel) or otherwise prevent unauthorized access to the communication channel.

To configure the CEF Connector:

  1. In the lower-left corner of the page, click the Main menu button.

    You will be taken to the administrator menu.

  2. Select System parameters → CEF Connector.

    A list of options appears on the right.

  3. If necessary, use the Receive events for Event Processor service toggle switch to enable use of the CEF Connector for receiving events from an external system.
  4. If you need to send messages about incidents registered by the application to an external system, turn on the Send registered incidents to SIEM system toggle switch.
  5. To send messages about the events registered by the Event Processor service to an external system, enable the Send registered events to SIEM system option.
  6. In the IP address for sending events and incidents to SIEM system field, specify the IP address of the external (SIEM) system to which the CEF Connector forwards incidents and events processed by the Event Processor service.
  7. In the Port for sending events and incidents to SIEM system field, specify the port number on that external system to which the CEF Connector forwards incidents and events processed by the Event Processor service.
  8. If you need to send information security event logs of Kaspersky MLAD to an external system, turn on the Send information security event logs to Syslog server toggle switch and do the following:
    1. In the Transport protocol for sending information security events to Syslog server drop-down list, select the protocol that you want to use for sending information security event logs.

      Kaspersky MLAD supports the TCP and UDP protocols for sending information security event logs to an external system.

    2. In the Syslog server address for sending information security events field, specify the IP address or host name of the external system to which the information security event logs must be sent.
    3. In the Syslog server port for sending information security events field, specify the port number of the external system to which the information security event logs must be sent.
  9. Click the Save button.
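Before pointing the connector at a production SIEM or Syslog server, it is useful to check the wire format end to end: build a CEF record, wrap it in a syslog header, push it over UDP or TCP (the two transports the page lists), and parse what arrives the way the receiving system would. The following Python script is an added example written for this page; it is not part of Kaspersky MLAD and does not reproduce the exact vendor, product, signature or extension strings MLAD emits (those values are constructed here). `send_record` can also be aimed at the listening address and port configured in the .env file to confirm that the connector's receive side (step 3) is reachable. As the page notes, nothing here adds encryption: the record travels in cleartext.

```python
"""Added example: build, send and parse CEF-over-syslog records as a SIEM on the far side of
the CEF Connector link would see them.  Vendor/product/extension values are constructed
for this example; they are NOT the strings Kaspersky MLAD actually emits."""
import re
import socket
import time


def _esc_header(value: str) -> str:
    # CEF header fields: backslash and the '|' separator must be escaped.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    # CEF extension values: backslash, '=' and line breaks must be escaped.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, signature_id, name, severity, **extension) -> str:
    """Serialise one CEF:0 record: version + 6 escaped header fields + key=value extension."""
    header = "|".join(_esc_header(str(f)) for f in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def wrap_syslog(message: str, hostname: str = "mlad", facility: int = 16, severity: int = 6) -> str:
    """Prefix a record with an RFC 3164 header '<PRI>Mmm dd HH:MM:SS host msg'.
    facility 16 = local0, severity 6 = informational, so PRI = 16*8 + 6 = 134."""
    t = time.localtime()
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {message}"


_UNESCAPE = re.compile(r"\\(.)")
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # extension keys never contain spaces


def _unescape(raw: str) -> str:
    return _UNESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def _split_header(body: str):
    """Split on unescaped '|' and return (7 raw header fields, extension text)."""
    fields, start, i = [], 0, 0
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\":
            i += 2                      # skip the escaped character, whatever it is
            continue
        if body[i] == "|":
            fields.append(body[start:i])
            start = i + 1
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must contain 7 '|'-separated fields")
    return fields, body[start:]


def _parse_extension(ext: str) -> dict:
    keys = list(_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out


def parse_cef(line: str) -> dict:
    """Parse one CEF record, optionally preceded by a syslog header, into a dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no 'CEF:' prefix in record")
    fields, ext = _split_header(line[idx + 4:].rstrip("\r\n"))
    names = ("cef_version", "device_vendor", "device_product", "device_version",
             "signature_id", "name", "severity")
    rec = dict(zip(names, (_unescape(f) for f in fields)))
    rec["extension"] = _parse_extension(ext)
    rec["syslog_header"] = line[:idx].rstrip()
    return rec


# Constructed sample: the escaped '|' in the signature ID and the '=' inside msg are
# deliberate, to exercise the escaping rules.
SAMPLE = build_cef("ExampleVendor", "Anomaly Detector", "1.0", "incident|42",
                   "Sensor value out of predicted range", 7,
                   src="10.0.0.5", msg="temp=98.6 exceeds bound", rt=1701864000000)


def send_record(message: str, host: str, port: int, transport: str = "UDP") -> None:
    """Send one record in cleartext; TCP frames it with a trailing newline."""
    data = message.encode("utf-8")
    if transport == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    elif transport == "TCP":
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data + b"\n")
    else:
        raise ValueError(f"unsupported transport {transport!r}")


def loopback_check(transport: str = "UDP") -> dict:
    """Bind a throwaway listener on 127.0.0.1, send SAMPLE to it and parse what arrived:
    proves the encode -> wire -> decode path before a real SIEM address is configured."""
    if transport not in ("UDP", "TCP"):
        raise ValueError(f"unsupported transport {transport!r}")
    record = wrap_syslog(SAMPLE)
    sock_type = socket.SOCK_DGRAM if transport == "UDP" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, sock_type) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(5)
        if transport == "UDP":
            send_record(record, "127.0.0.1", srv.getsockname()[1], "UDP")
            data, _ = srv.recvfrom(65535)
        else:
            srv.listen(1)
            send_record(record, "127.0.0.1", srv.getsockname()[1], "TCP")
            conn, _ = srv.accept()
            with conn:
                chunks = []
                while chunk := conn.recv(4096):   # sender closed, so EOF ends the loop
                    chunks.append(chunk)
                data = b"".join(chunks)
    return parse_cef(data.decode("utf-8"))


if __name__ == "__main__":
    for tr in ("UDP", "TCP"):
        print(tr, loopback_check(tr))
```

To test a real endpoint instead of the loopback listener, call `send_record(wrap_syslog(SAMPLE), "<syslog server address>", <port>, "TCP")` with the address and port entered in step 8, or aim it at the connector's own listening address from the .env file to check step 3, and confirm the record appears (with the escaped fields intact) on the receiving side.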
