Kaspersky Container Security

Configuring integration with SIEM systems

Kaspersky Container Security allows connecting to SIEM systems to send event messages for analysis and subsequent response to potential threats. The messages contain data for the same types and categories of events that are logged in the security event log. Data about cluster node monitoring events is also transmitted through SIEM integrations, by linking agent groups to them.

Messages are sent to a SIEM system in the CEF (Common Event Format) format, for example:

CEF:0|Kaspersky|Kaspersky Container Security|2.0|PM-002|Process management|7|dpid=1846367 spid=1845879 flexString2=0ce05246346b6687cb754cf716c57f20f226e159397e8e5985e55b448cb92e3f flexString2Label=Container ID cs6=alpine cs6Label=Container name outcome=Success

The transmitted message consists of the following components:

  • The header, which specifies the date, time, and host name.
  • Prefix and CEF version number.
  • Device vendor.
  • Solution name.
  • Solution version.
  • Solution-generated unique event type code.
  • Event description.
  • Event severity assessment.
  • Additional information, such as device IP address, event reason, event result, and event status.

For detailed information about the components, refer to the CEF message value matching table.

In this Help section

Matching of CEF message fields

Creating an integration with a SIEM system

Linking agent groups with a SIEM system

Viewing and editing SIEM integration settings

Deleting an integration with a SIEM system


Matching of CEF message fields

CEF messages are sent in the English language.

The table below lists the main components of the header and body of CEF messages sent by Kaspersky Container Security.

Components and values of CEF message components

Component

Value

Example

Standard header of the CEF message (syslog header)

The header is sent in the following format: <date> <time> <host name of the server>.

Feb 18 10:07:28 host

CEF format prefix and version

<CEF>:<version>

CEF:0

Event ID

Device Vendor, Device Product, and Device Version, separated by the | character.

Kaspersky|Kaspersky Container Security|2.0

Unique ID of the event type (Signature ID)

Kaspersky Container Security sends the following event type IDs:

  • ADM-XXX: Administration event.
  • CVE-XXX: Risk acceptance with regard to a vulnerability, or expiration of such risk acceptance.
  • MLW-XXX: Risk acceptance with regard to a piece of malware, or expiration of such risk acceptance.
  • NCMP-001: Non-compliance of an image with requirements.
  • CMP-001: Compliance of an image with requirements.
  • SD-XXX: Risk acceptance with regard to sensitive data, or expiration of such risk acceptance.
  • MS-XXX: Risk acceptance with regard to misconfigurations, or expiration of such risk acceptance.
  • CI-XXX: Event in the CI/CD process.
  • PLC-XXX: Event when applying a security policy.
  • BNCH-XXX: Event when scanning the cluster and nodes.
  • AG-XXX: Event related to an agent.
  • SJ-XXX: Event of the scanner.
  • RT-XXX: Event of a best practice check.
  • API-XXX: Request to the API server.
  • PM-XXX: Event when executing processes.
  • FM-XXX: Event involving access to objects in the container file system.
  • NT-XXX: Network connection.
  • FPM-XXX: Runtime policy violation involving a process.
  • FNT-XXX: Runtime policy violation involving a network connection.
  • FFM-XXX: Runtime policy violation involving access to objects in the container file system.
  • FFTP-XXX: Runtime policy violation related to File Threat Protection.

Some of the event type IDs sent by the solution:

  • ADM-001: User 1 added user 2.
  • CVE-001: User 1 accepted risk for image XXX.
  • AG-002: Agent XXX is disconnected.
  • BNCH-003: YYY was passed while scanning XXX.
  • PLC-001: YYY was applied to image XXX.
  • NCMP-001: Image XXX was marked as non-compliant.
  • SD-008: XXX risk acceptance expires.

Event description (Name)

The description must be user-readable and relevant to the event type ID. For example, 'Administration' for ADM or 'Process management' for PM.

Some of the event names sent by the solution:

  • Process management
  • File management
  • Networking

Importance of the event (Severity)

The severity of the event on a scale from 0 to 10 is determined as follows:

  • 0–3: Low
  • 4–6: Medium
  • 7–8: High
  • 9–10: Very high

The severity score of an event depends on the event type and on its status (for example, Success or Error).

For example, the severity score can be determined as follows:

  • For PM (Process management) and NT (Networking) events:
    • If event status is Audited or Blocked, the severity is 7.
    • For any other status, the severity is 3.
  • For AG (Agents) events:
    • If the event is successful, the severity is 5.
    • If an error occurred, the severity is 10.
  • For API events:
    • If the event is successful, the severity is 3.
    • If an error occurred, the severity is 8.

Additional information about the event (Extension)

Additional information may include one or more sets of key-value pairs.

Information about the key-value pairs that Kaspersky Container Security transfers is provided below.

Additional information about an event which is transferred by Kaspersky Container Security

Below, "runtime events" stands for the event type IDs PM-XXX, FM-XXX, NT-XXX, FPM-XXX, FNT-XXX, FFM-XXX, and FFTP-XXX. Each entry gives the key, its label in parentheses, the value, and the events in which the key is used.

  • source (Source name): the domain (pod name) of the event source. Usage: all events.
  • src (Source IP): one of the following IPv4 addresses: for network traffic, the IP address of the connection source; for administration events, the IP address of the action initiator. Usage: all events.
  • reason (Reason): description of the reason for the Error status. Usage: all events with the Error status, except runtime events.
  • fname (Artifact name): image (artifact) name. Usage: CI-XXX, SJ-XXX, ADM-XXX, CVE-XXX, MLW-XXX, SD-XXX, MS-XXX, CMP-001, PLC-XXX, NCMP-001.
  • suser (Username): the name of the user who initiated the action. Usage: all events except runtime events.
  • dpid (PID): process ID. Usage: runtime events.
  • spid (PPID): parent process ID. Usage: runtime events.
  • flexString1 (EGID): effective group ID. Usage: runtime events.
  • flexString2 (Container ID): container identifier. Usage: runtime events.
  • outcome (Status): execution status or mode. For runtime events, the execution mode is specified (Audit, Enforce, or Other). For other events, the execution status is specified (Success or Error); if the status is Error, the solution also transfers the error text or code in the reason key. Usage: all events.
  • request (Image name): the name of an image. Usage: runtime events.
  • fileHash (Image digest): image hash. Usage: runtime events.
  • act (Operation): one of the following operation types: for file operations, the type of operation (open, close, read, write, create, delete, chmod, chown, rename); for network traffic, the direction and type of traffic (egress, ingress, egress_response, ingress_response); for processes, the exec value; for File Threat Protection operations, the ftp value. Usage: runtime events.
  • spt (Source port): port of the connection source. Usage: runtime events.
  • dst (Destination IP): IPv4 address of the destination. Usage: runtime events.
  • dpt (Destination port): port of the destination. Usage: runtime events.
  • dproc (Process name): process name (command). Usage: runtime events.
  • duid (EUID): effective user ID. Usage: runtime events.
  • filePermission: file access permissions (mode_t mode). Usage: runtime events.
  • oldFilePath (Old File Path): the previously used path to the file. Usage: runtime events.
  • filePath (Path): path to the file. For events involving access to objects in the file system of a container, filePath carries the new path to the file (New File Path). Usage: runtime events.
  • deviceDirection (Traffic type): connection direction type: 0 for ingress connections, 1 for egress connections. Usage: runtime events.
  • cn1 (New PID): new process identifier. Usage: runtime events.
  • cs1 (Cluster name): name of the cluster. Usage: runtime events.
  • cs2 (Node name): name of the node. Usage: runtime events.
  • cs3 (Namespace name): name of the namespace. Usage: runtime events.
  • cs4 (Command): executed command. For events involving access to objects in the file system of a container, cs4 carries the new owner of the file (NewOwner). Usage: runtime events.
  • cs5 (Pod name): name of the pod. Usage: runtime events.
  • cs6 (Container name): name of the container. Usage: runtime events.
  • cs7 (Node IP): IP address of the node. Usage: runtime events.
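The following parser is an added example written for this Help section; it is not code from Kaspersky or part of Kaspersky Container Security. It reads a message of the form shown at the top of this section (syslog header, seven pipe-delimited CEF header fields, then the extension), honours the CEF escapes (\| in the header, \= and \\ in extension values), resolves the custom-field labels (cs6Label, flexString2Label) documented in the table above, applies the severity bands from this section, and shows a triage rule a SIEM engineer might attach to it. The first sample is the page's own example with the documented syslog header prepended; the second sample is constructed, and its signature number FPM-001, the command in cs4, and the pod, container and namespace names are assumptions. The parser's validation is intentionally strict (seven header fields, CEF:0, severity 0 to 10, signature ID of the form LETTERS-NNN) so that a malformed or truncated line is rejected rather than silently mis-mapped.

```python
"""Parse CEF messages in the form Kaspersky Container Security sends to a SIEM."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Sample input: the message shown on this page with the documented syslog
# header (<date> <time> <host name>) prepended. Constructed for this example.
SAMPLE = (
    "Feb 18 10:07:28 host "
    "CEF:0|Kaspersky|Kaspersky Container Security|2.0|PM-002|Process management|7|"
    "dpid=1846367 spid=1845879 "
    "flexString2=0ce05246346b6687cb754cf716c57f20f226e159397e8e5985e55b448cb92e3f "
    "flexString2Label=Container ID cs6=alpine cs6Label=Container name outcome=Success"
)
# Constructed runtime policy violation (the number in FPM-001 and the values are
# assumed). Shows an escaped '=' inside a value and a message without a syslog header.
SAMPLE_FPM = (
    "CEF:0|Kaspersky|Kaspersky Container Security|2.0|FPM-001|Process management|7|"
    "dpid=4242 spid=4200 act=exec cs4=env FOO\\=bar outcome=Enforce "
    "cs5=web-0 cs6=nginx cs3=prod"
)

RUNTIME_PREFIXES = {"PM", "FM", "NT", "FPM", "FNT", "FFM", "FFTP"}  # per the table above
VIOLATION_PREFIXES = {"FPM", "FNT", "FFM", "FFTP"}                  # runtime policy violations

_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<cef>CEF:.*)$", re.S)
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # extension key: at start or after whitespace
_SIGID_RE = re.compile(r"^[A-Z]+-\d{3}$")           # e.g. PM-002, NCMP-001


@dataclass
class CefEvent:
    timestamp: Optional[str]
    host: Optional[str]
    cef_version: int
    vendor: str
    product: str
    product_version: str
    signature_id: str
    name: str
    severity: int
    extension: Dict[str, str] = field(default_factory=dict)

    @property
    def prefix(self) -> str:
        return self.signature_id.split("-", 1)[0]

    @property
    def severity_label(self) -> str:
        """Severity bands as documented in this section."""
        if self.severity <= 3:
            return "Low"
        if self.severity <= 6:
            return "Medium"
        if self.severity <= 8:
            return "High"
        return "Very high"

    def labelled(self) -> Dict[str, str]:
        """Resolve custom-field labels: cs6Label=Container name -> {'Container name': cs6}."""
        return {v: self.extension[k[:-5]]
                for k, v in self.extension.items()
                if k.endswith("Label") and k[:-5] in self.extension}


def _split_header(cef: str):
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):   # escaped character: take it literally
            cur.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("CEF header must contain seven '|'-delimited fields")
    return fields, cef[i:]                     # the remainder is the extension


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split key=value pairs; values may contain spaces and \\= \\\\ \\n \\r escapes."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out


def parse_cef(line: str) -> CefEvent:
    line = line.rstrip("\r\n")
    m = _SYSLOG_RE.match(line)
    if m:
        ts, host, cef = m.group("ts"), m.group("host"), m.group("cef")
    elif line.startswith("CEF:"):              # some collectors strip the syslog header
        ts, host, cef = None, None, line
    else:
        raise ValueError("not a CEF message")
    fields, ext = _split_header(cef)
    ver, vendor, product, pver, sigid, name, sev = fields
    if not ver.startswith("CEF:") or not _SIGID_RE.match(sigid):
        raise ValueError(f"malformed header: {fields}")
    severity = int(sev)
    if not 0 <= severity <= 10:
        raise ValueError(f"severity out of range: {severity}")
    return CefEvent(ts, host, int(ver[4:]), vendor, product, pver, sigid, name,
                    severity, _parse_extension(ext))


def needs_alert(evt: CefEvent) -> bool:
    """Triage rule: every runtime policy violation, plus any High or Very high event."""
    return evt.prefix in VIOLATION_PREFIXES or evt.severity >= 7


if __name__ == "__main__":
    for raw in (SAMPLE, SAMPLE_FPM):
        e = parse_cef(raw)
        print(e.signature_id, e.severity_label, e.labelled(), needs_alert(e))
```

Note that for runtime events the outcome key carries the execution mode rather than a Success/Error status, so a SIEM rule that keys on outcome=Error to find failures must be scoped to the non-runtime prefixes; the triage rule above keys on the signature prefix and severity instead.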


Creating an integration with a SIEM system

To add a SIEM integration:

  1. In the Administration → Integrations → SIEM section, click Add SIEM.

    A sidebar is displayed, in which you can enter the parameters of the SIEM system.

  2. On the General tab, specify the following required parameters:
    • Name of the SIEM system.
    • Protocol for connecting to the SIEM system. TCP is selected by default.
    • Address of the SIEM system server in one of the following formats:
      • IPv4
      • IPv6
      • FQDN
    • Port for connecting to the SIEM system. You can specify ports 1 through 65535. The default setting is 514.
    • Event categories for which you want messages to be exported to the SIEM system. To configure this, select the check boxes next to one or more event categories from the following list:
      • Administration.
      • Alert.
      • CI/CD.
      • Policies.
      • Resources.
      • Scanners.
      • Admission controller.
      • Forensic data.
      • API.

        An advanced license is required to view events in the Resources, Scanners, Admission controller, and Forensic data categories.

      By default, all event categories are selected.

      Messages about selected event categories are sent to the specified SIEM system, regardless of whether it is linked to agent groups.

  3. On the Agent group logs tab, select the check boxes next to one or more runtime event types (cluster node monitoring events) that linked agent groups should send to this SIEM system.

    The stream of runtime event messages can be very large, which can impact available disk space on the SIEM system and network load. Select only the event types you intend to analyze.

  4. If you want to verify the correctness of the specified SIEM integration parameters, click Test connection.

    The solution tests the connection to the SIEM system only if the TCP connection protocol is selected. If the UDP connection protocol is selected, the Test connection button is disabled: UDP delivers datagrams without acknowledgement, so a wrong address or port, or a dropped message, produces no error on the sending side and cannot be detected by a connection test.

  5. Click Save.
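The following is an added example for this procedure, written for this Help section rather than taken from Kaspersky Container Security. It shows, on the loopback interface, why Test connection can only be offered for TCP (a TCP connect to a port with no listener fails immediately, while a UDP send to the same port reports success), and it runs a one-shot collector so you can confirm on the receiving side that a CEF line arrives intact before pointing the integration at the real SIEM. Assumptions: events are sent one per line (newline-delimited syslog framing; confirm this against your SIEM's syslog input), the CEF line, the agent name and the event name "Agents" in it are constructed, and the collector handles exactly one connection.

```python
"""Loopback demonstration of TCP vs. UDP reachability checks for a syslog/CEF endpoint."""
import socket
import threading

# Constructed CEF line in the format documented in this section (not a captured
# message). AG error events have severity 10 per the severity rules above; the
# event name "Agents" and the agent name are assumptions.
CEF_LINE = ("CEF:0|Kaspersky|Kaspersky Container Security|2.0|AG-002|Agents|10|"
            "source=kcs-agent-node-1 outcome=Error reason=agent disconnected")


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """What a TCP 'Test connection' can establish: does the collector accept a connection?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                      # refused, unreachable, timed out
        return False


def udp_send(host: str, port: int, line: str) -> int:
    """Fire-and-forget: sendto() returns the byte count even if nothing listens,
    so there is nothing a UDP 'Test connection' could observe."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode() + b"\n", (host, port))


def tcp_send(host: str, port: int, line: str, timeout: float = 2.0) -> None:
    """Send one newline-framed event (assumed framing, see lead-in)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(line.encode() + b"\n")


def start_collector():
    """One-shot TCP collector on an ephemeral loopback port.
    Returns (port, thread, received) where received[0] is the first line read."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    received = []

    def serve():
        with srv:
            conn, _ = srv.accept()
            with conn:
                buf = b""
                while not buf.endswith(b"\n"):
                    chunk = conn.recv(4096)
                    if not chunk:            # peer closed before a full line arrived
                        break
                    buf += chunk
            received.append(buf.decode().rstrip("\n"))

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], t, received


def unused_port() -> int:
    """Pick a loopback port that currently has no listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    port, t, received = start_collector()
    tcp_send("127.0.0.1", port, CEF_LINE)
    t.join(5)
    closed = unused_port()
    return {
        "received": received[0] if received else None,
        "tcp_closed_port_reachable": tcp_reachable("127.0.0.1", closed),
        "udp_closed_port_bytes": udp_send("127.0.0.1", closed, CEF_LINE),
    }


if __name__ == "__main__":
    print(demo())
```

To check a real deployment the same way, run the collector part on the SIEM host (or use the SIEM's own syslog input) and point the integration at it; if the line arrives but the SIEM does not parse it, compare the received text against the CEF field table in this section before changing anything on the SIEM side.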


Linking agent groups with a SIEM system

You can link agent groups to SIEM systems while creating agent groups or editing their parameters in the Components → Agents section.

To link an agent group in Kaspersky Container Security, you must have sufficient rights to manage agent groups; you must also create and configure at least one SIEM integration.


Viewing and editing SIEM integration settings

To view a SIEM integration:

  1. Open the list of SIEM integrations in the Administration → Integrations → SIEM section.
  2. Click the integration name in the list of integrations.

To edit SIEM integration settings:

  1. In the Administration → Integrations → SIEM section, click the integration name in the list of integrations.
  2. If necessary, in the displayed sidebar, edit the integration parameters as follows:
    1. On the General tab, edit the following required parameters:
      • Name of the SIEM system
      • Protocol for connecting to the SIEM system
      • SIEM system server address
      • SIEM system connection port
      • Categories of events to be exported
    2. If necessary, on the Agent group logs tab, edit the list of cluster node monitoring event types selected for the runtime.
  3. If TCP is used for the connection, click Test connection to check whether a connection to the SIEM system can be established.
  4. Click Save.

Deleting an integration with a SIEM system

To delete a SIEM integration:

  1. Open the list of configured SIEM integrations in the Administration → Integrations → SIEM section.
  2. Select the integration that you want to delete by selecting the check box in the row with the integration name.
  3. Click Delete above the table.

    The Delete button becomes enabled after you select one or more integrations.

  4. In the window that opens, confirm the deletion.
