Kaspersky Container Security

Creating an integration with a SIEM system

To add a SIEM integration:

  1. In the Administration → Integrations → SIEM section, click Add SIEM.

    A sidebar is displayed in which you can enter the parameters of the SIEM system.

  2. On the General tab, specify the following required parameters:
    • Name of the SIEM system.
    • Protocol for connecting to the SIEM system: TCP or UDP. TCP is selected by default. UDP delivers messages without acknowledgement, so events dropped in transit are lost silently; prefer TCP unless the SIEM only accepts UDP.
    • Address of the SIEM system server in one of the following formats:
      • IPv4
      • IPv6
      • FQDN
    • Port for connecting to the SIEM system. You can specify ports 1 through 65535. The default setting is 514.
    • Event categories for which you want messages to be exported to the SIEM system. To configure this, select the check boxes next to one or more event categories from the following list:
      • Administration.
      • Alert.
      • CI/CD.
      • Policies.
      • Resources.
      • Scanners.
      • Admission controller.
      • Forensic data.
      • API.

        An advanced license is required to view events in the Resources, Scanners, Admission controller, and Forensic data categories.

      By default, all categories are selected.

      Messages for the selected event categories are sent to the specified SIEM system regardless of whether the integration is linked to any agent groups.

  3. On the Agent group logs tab, select the check boxes next to one or more event types generated by node monitoring in the runtime.

    The stream of runtime event messages can be very large; it consumes disk space on the receiving side and adds network load. Enable only the event types you actually need.

  4. If you want to verify the correctness of the specified SIEM integration parameters, click Test connection.

    The solution tests the connection to the SIEM system only if the TCP connection protocol is selected. If the UDP connection protocol is selected, the Test connection button is disabled, because UDP is connectionless and a successful send proves nothing about delivery; verify a UDP target by checking on the SIEM side that the events actually arrive. Note also that neither protocol option encrypts the exported events, so keep the path to the SIEM on a trusted network segment or route it through an encrypted tunnel.

  5. Click Save.
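The following script is an added example and is not Kaspersky Container Security code. It reproduces the three checks the form above enforces (address is IPv4, IPv6 or FQDN; port is 1 through 65535; a connection test is only meaningful for TCP) and adds what the console cannot offer for UDP: a throwaway loopback collector that binds TCP and UDP on the same port so you can confirm that messages actually arrive before pointing the integration at a production SIEM. It assumes the export is syslog-style, newline-framed text with a `<PRI>` prefix; the page does not document the message format, so the sample lines and the parser are assumptions.

```python
"""Pre-flight checks for a TCP/UDP SIEM endpoint (added example, not KCS code).
Assumes syslog-style newline-framed text with a <PRI> prefix; the product's
actual message format is not specified on the page."""
import ipaddress
import re
import socket
import socketserver
import threading
import time

# Hostname grammar: labels of 1..63 alphanumerics/hyphens, no leading or
# trailing hyphen, 253 characters overall, optional trailing dot.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)


def classify_address(addr: str) -> str:
    """Return 'ipv4', 'ipv6' or 'fqdn' (the three forms the form accepts)."""
    try:
        return "ipv4" if ipaddress.ip_address(addr).version == 4 else "ipv6"
    except ValueError:
        pass
    if FQDN_RE.match(addr):
        return "fqdn"
    raise ValueError(f"not an IPv4, IPv6 or FQDN address: {addr!r}")


def validate_port(port: int) -> int:
    """Same range the form allows: 1 through 65535."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range 1..65535: {port}")
    return port


def parse_pri(line: str) -> dict:
    """Split the syslog PRI field into facility and severity (PRI = facility*8 + severity)."""
    m = PRI_RE.match(line)
    if not m or int(m.group("pri")) > 191:
        raise ValueError(f"no valid <PRI> prefix: {line!r}")
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "message": m.group("rest")}


def tcp_connect_test(addr: str, port: int, timeout: float = 3.0) -> bool:
    """What 'Test connection' can do for TCP: open a socket and close it again."""
    classify_address(addr)
    validate_port(port)
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_test_message(addr: str, port: int, proto: str, msg: str, timeout: float = 3.0) -> bool:
    """Emit one newline-terminated line as a TCP or UDP sender would.
    True means the send call succeeded; for UDP that says nothing about delivery."""
    family = socket.AF_INET6 if classify_address(addr) == "ipv6" else socket.AF_INET
    validate_port(port)
    payload = (msg + "\n").encode()
    try:
        if proto == "tcp":
            with socket.create_connection((addr, port), timeout=timeout) as s:
                s.sendall(payload)
        elif proto == "udp":
            with socket.socket(family, socket.SOCK_DGRAM) as s:
                s.sendto(payload, (addr, port))
        else:
            raise ValueError("proto must be 'tcp' or 'udp'")
    except OSError:
        return False
    return True


class SyslogCapture:
    """Throwaway collector: binds TCP and UDP on one port and stores every line received.
    Point the integration at this host/port to confirm events leave the cluster."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.received: list[str] = []
        self._lock = threading.Lock()
        outer = self

        class UDPHandler(socketserver.BaseRequestHandler):
            def handle(self):
                with outer._lock:  # self.request is (datagram, socket) for UDP servers
                    outer.received.append(self.request[0].decode(errors="replace").rstrip("\n"))

        class TCPHandler(socketserver.StreamRequestHandler):
            def handle(self):
                for raw in self.rfile:  # newline framing, as RFC 6587 non-transparent framing
                    with outer._lock:
                        outer.received.append(raw.decode(errors="replace").rstrip("\n"))

        self.udp = socketserver.ThreadingUDPServer((host, port), UDPHandler)
        self.port = self.udp.server_address[1]  # reuse the kernel-chosen port for TCP
        self.tcp = socketserver.ThreadingTCPServer((host, self.port), TCPHandler)
        for srv in (self.udp, self.tcp):
            threading.Thread(target=srv.serve_forever, daemon=True).start()

    def wait_for(self, count: int, timeout: float = 2.0) -> list[str]:
        """Poll until at least `count` lines arrived or the timeout expires."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.received) >= count:
                    return list(self.received)
            time.sleep(0.05)
        with self._lock:
            return list(self.received)

    def close(self) -> None:
        for srv in (self.tcp, self.udp):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    cap = SyslogCapture()  # constructed loopback target standing in for the SIEM
    print("tcp reachable:", tcp_connect_test("127.0.0.1", cap.port))
    send_test_message("127.0.0.1", cap.port, "tcp", "<134>constructed tcp sample")
    send_test_message("127.0.0.1", cap.port, "udp", "<134>constructed udp sample")
    for line in cap.wait_for(2):
        print(parse_pri(line))
    cap.close()
```

Run it once with no arguments to see both transports round-trip on loopback; to use it against a real deployment, start `SyslogCapture(host="0.0.0.0", port=514)` on a host the cluster can reach (binding 514 needs privileges) and enter that host and port in the form. A TCP message that the collector never records, even though the send succeeded, usually points at a firewall or at a SIEM listener expecting a different framing.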