Kaspersky Security Center Cloud Console
[Topic 216130]

Configuring event export to SIEM systems

This section provides a scenario for configuring the export of events from Administration Server to external SIEM systems. Exporting information about events to external SIEM systems enables administrators of SIEM systems to respond promptly to security system events that occur on a managed device or groups of devices.

Prerequisites

Before you start configuring the export of events in the Kaspersky Security Center Cloud Console:

You can perform the steps of this scenario in any order.

Stages

The process of the export of events to a SIEM system consists of the following stages:

Results

After configuring the export of events to a SIEM system, you can view the export results if you selected events that you want to export.

See also:

Before you begin

About events in Kaspersky Security Center Cloud Console

About event export

Configuring an event export in a SIEM system

Marking of events for export to SIEM systems in Syslog format

About exporting events using Syslog format

Configuring Kaspersky Security Center Cloud Console for export of events to a SIEM system

Viewing export results

[Topic 151328]

Before you begin


When setting up the automatic export of events in the Kaspersky Security Center Cloud Console, you must specify some of the SIEM system settings. It is recommended that you check these settings in advance in order to prepare for setting up Kaspersky Security Center Cloud Console.

To successfully configure automatic sending of events to a SIEM system, you must know the following settings:

  • SIEM system server address

    The IP address of the server on which the currently used SIEM system is installed. Check this value in your SIEM system settings.

  • SIEM system server port

    Port number used to establish a connection between Kaspersky Security Center Cloud Console and your SIEM system server. You specify this value in the Kaspersky Security Center Cloud Console settings and in the receiver settings of your SIEM system.

  • Protocol

    Protocol used for transferring messages from Kaspersky Security Center Cloud Console to your SIEM system. You specify this value in the Kaspersky Security Center Cloud Console settings and in the receiver settings of your SIEM system.

See also:

Configuring event export to SIEM systems

[Topic 151329]

About event export

Kaspersky Security Center Cloud Console allows you to receive information about events that occur during the operation of Administration Server and Kaspersky applications installed on managed devices. Information about events is saved in the Administration Server database.

You can use event export within centralized systems that deal with security issues on an organizational and technical level, provide security monitoring services, and consolidate information from different solutions. These are SIEM systems, which provide real-time analysis of security alerts and events generated by network hardware and applications, or Security Operation Centers (SOCs).

These systems receive data from many sources, including networks, security, servers, databases, and applications. SIEM systems also provide functionality to consolidate monitored data in order to help you avoid missing critical events. In addition, the systems perform automated analysis of correlated events and alerts in order to notify the administrators of immediate security issues. Alerting can be implemented through a dashboard or can be sent through third-party channels such as email.

The process of exporting events from Kaspersky Security Center Cloud Console to external SIEM systems involves two parties: an event sender, Kaspersky Security Center Cloud Console, and an event receiver, a SIEM system. To successfully export events, you must configure this in your SIEM system and in the Kaspersky Security Center Cloud Console. It does not matter which side you configure first. You can either configure the transmission of events in the Kaspersky Security Center Cloud Console, and then configure the receipt of events by the SIEM system, or vice versa.

Syslog format of event export

You can send events in the Syslog format to any SIEM system. Using the Syslog format, you can relay any events that occur on the Administration Server and in Kaspersky applications that are installed on managed devices. When exporting events in the Syslog format, you can select exactly which types of events will be relayed to the SIEM system.

Receipt of events by the SIEM system

The SIEM system must receive and correctly parse the events received from Kaspersky Security Center Cloud Console. For these purposes, you must properly configure the SIEM system. The configuration depends on the specific SIEM system utilized. However, there are a number of general steps in the configuration of all SIEM systems, such as configuring the receiver and the parser.

[Topic 151330]

Configuring an event export in a SIEM system

The process of exporting events from Kaspersky Security Center Cloud Console to external SIEM systems involves two parties: an event sender, Kaspersky Security Center Cloud Console, and an event receiver, a SIEM system. You must configure the export of events in your SIEM system and in the Kaspersky Security Center Cloud Console.

The settings that you specify in the SIEM system depend on the particular system that you are using. Generally, for all SIEM systems you must set up a receiver and, optionally, a message parser to parse received events.

Setting up the receiver

To receive events sent by Kaspersky Security Center Cloud Console, you must set up the receiver in your SIEM system. In general, the following settings must be specified in the SIEM system:

Depending on the SIEM system used, you may have to specify some additional receiver settings.

Message parsers

Exported events are passed to SIEM systems as messages. These messages must be properly parsed so that information on the events can be used by the SIEM system. Message parsers are a part of the SIEM system—they are used to split the contents of the message into the relevant fields, such as event ID, severity, description, parameters, and so on. This enables the SIEM system to process events received from Kaspersky Security Center Cloud Console so that they can be stored in the SIEM system database.

See also:

Configuring event export to SIEM systems

[Topic 151335]

Marking of events for export to SIEM systems in Syslog format

After enabling automatic export of events, you must select which events will be exported to the external SIEM system.

You can configure export of events in the Syslog format to an external system based on one of the following conditions:

  • Marking general events. If you mark events to export in a policy, in the settings of an event, or in the Administration Server settings, the SIEM system will receive the marked events that occurred in all applications managed by the specific policy. If exported events were selected in the policy, you will not be able to redefine them for an individual application managed by this policy.
  • Marking events for a managed application. If you mark events to export for a managed application installed on a managed device, the SIEM system will receive only the events that occurred in this application.

In this section

Marking events of a Kaspersky application for export in the Syslog format

Marking general events for export in Syslog format

See also:

Configuring event export to SIEM systems

[Topic 218223]

Marking events of a Kaspersky application for export in the Syslog format

If you want to export events that occurred in a specific managed application installed on the managed devices, mark the events for export in the application policy. In this case, the marked events are exported from all of the devices included in the policy scope.

To mark events for export for a specific managed application:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.
  2. Click the policy of the application for which you want to mark events.

    The policy settings window opens.

  3. Go to the Event configuration section.
  4. Select the check boxes next to the events that you want to export to a SIEM system.
  5. Click the Mark for export to SIEM system by using Syslog button.

    You can also mark an event for export to a SIEM system in the Event registration section, which opens when you click the link of the event.

  6. A check mark appears in the Syslog column of the event or events that you marked for export to the SIEM system.
  7. Click the Save button.

The marked events from the managed application are ready to be exported to a SIEM system.

You can mark which events to export to a SIEM system for a specific managed device. If previously exported events were marked in an application policy, you will not be able to redefine the marked events for a managed device.

To mark events for export for a managed device:

  1. In the main menu, go to Assets (Devices) → Managed devices.

    The list of managed devices is displayed.

  2. Click the link with the name of the required device in the list of managed devices.

    The properties window of the selected device is displayed.

  3. Go to the Applications section.
  4. Click the link with the name of the required application in the list of applications.
  5. Go to the Event configuration section.
  6. Select the check boxes next to the events that you want to export to SIEM.
  7. Click the Mark for export to SIEM system by using Syslog button.

    You can also mark an event for export to a SIEM system in the Event registration section, which opens when you click the link of the event.

  8. A check mark appears in the Syslog column of the event or events that you marked for export to the SIEM system.

From now on, Administration Server sends the marked events to the SIEM system if export to the SIEM system is configured.

See also:

Configuring event export to SIEM systems

About events in Kaspersky Security Center Cloud Console

[Topic 218295]

Marking general events for export in Syslog format

You can mark general events that Administration Server will export to SIEM systems by using the Syslog format.

To mark general events for export to a SIEM system:

  1. Do one of the following:
    • In the main menu, click the settings icon next to the name of the required Administration Server.
    • In the main menu, go to Assets (Devices) → Policies & profiles, and then click a link of a policy.
  2. In the window that opens, go to the Event configuration tab.
  3. Click Mark for export to SIEM system by using Syslog.

    You can also mark an event for export to a SIEM system in the Event registration section, which opens when you click the link of the event.

  4. A check mark appears in the Syslog column of the event or events that you marked for export to the SIEM system.

From now on, Administration Server sends the marked events to the SIEM system if export to the SIEM system is configured.

See also:

Configuring event export to SIEM systems

About events in Kaspersky Security Center Cloud Console

[Topic 215566]

About exporting events using Syslog format

You can use the Syslog format to export to SIEM systems the events that occur in Administration Server and other Kaspersky applications installed on managed devices.

Syslog is a standard message logging protocol. It separates the software that generates messages, the system that stores them, and the software that reports on and analyzes them. Each message is labeled with a facility code, which indicates the type of software that generated the message, and is assigned a severity level.

The Syslog format is defined by Request for Comments (RFC) documents published by the Internet Engineering Task Force (IETF). Kaspersky Security Center Cloud Console uses the RFC 5424 format to export events to external systems.

In Kaspersky Security Center Cloud Console, you can configure export of the events to the external systems using the Syslog format.

The export process consists of two steps:

  1. Enabling automatic event export. At this step, Kaspersky Security Center Cloud Console is configured so that it sends events to the SIEM system. Kaspersky Security Center Cloud Console starts sending events immediately after you enable automatic export.
  2. Selecting the events to be exported to the external system. At this step, you select which events to export to the SIEM system.
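The "Message parsers" section above says the SIEM must split each received message into fields such as event ID, severity and description. As an added example that is not Kaspersky's code or any SIEM's parser, the following Python parses one RFC 5424 message (the format named above) into those fields, including the PRI facility/severity split, STRUCTURED-DATA with escaped characters, and the optional UTF-8 BOM before MSG. SAMPLE is a constructed message; its field layout is illustrative, not the product's actual output.

```python
"""Receiver-side parser for one RFC 5424 Syslog message (example code, not Kaspersky's).
SAMPLE is a constructed message whose field layout is illustrative only."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock", "local0",
              "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<proc>\S+) (?P<msgid>\S+) ")
# One SD-ELEMENT: '[' SD-ID, then params up to the first ']' that is not escaped as '\]'.
ELEMENT_RE = re.compile(r"\[(?P<id>[^ \]]+)(?P<params>(?:[^\]\\]|\\.)*)\]")
PARAM_RE = re.compile(r'(?P<name>[^=\s\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def unescape(value: str) -> str:
    """RFC 5424 escapes '"', backslash and ']' inside a PARAM-VALUE with a backslash."""
    return value.replace('\\"', '"').replace("\\]", "]").replace("\\\\", "\\")


def parse_structured_data(rest: str):
    """Turn '[id k="v" ...][id2 ...]' into {id: {k: v}}; returns (sd, remaining text)."""
    if rest.startswith("-"):            # NILVALUE: no structured data
        return {}, rest[1:]
    sd = {}
    while rest.startswith("["):
        m = ELEMENT_RE.match(rest)
        if not m:
            raise ValueError("malformed STRUCTURED-DATA")
        sd[m.group("id")] = {p.group("name"): unescape(p.group("value"))
                             for p in PARAM_RE.finditer(m.group("params"))}
        rest = rest[m.end():]
    return sd, rest


def parse_syslog(line: str) -> dict:
    """Split a message into the fields a SIEM stores: facility, severity, header, SD, MSG."""
    m = HEADER_RE.match(line)
    if not m or int(m.group("pri")) > 191:   # PRI is facility*8 + severity, max 23*8+7
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    sd, rest = parse_structured_data(line[m.end():])
    msg = rest[1:] if rest.startswith(" ") else rest
    return {
        "facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
        "version": int(m.group("version")), "timestamp": m.group("ts"),
        "hostname": m.group("host"), "app_name": m.group("app"),
        "proc_id": m.group("proc"), "msg_id": m.group("msgid"),
        "structured_data": sd, "msg": msg.removeprefix("\ufeff"),  # drop UTF-8 BOM
    }


# Constructed sample: a critical Administration Server event carrying one SD element.
SAMPLE = ('<10>1 2024-03-05T10:15:30.000Z ksc-console KSC - EventExport '
          '[event@1 severity="Critical" id="123" text="Device status is \\"Critical\\""] '
          'Device status is Critical')
```

Feeding a message the SIEM rejects through parse_syslog() is a quick way to tell whether the receiver or the sender side of the configuration is at fault.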

See also:

Configuring event export to SIEM systems

[Topic 151333]

Configuring Kaspersky Security Center Cloud Console for export of events to a SIEM system


To export events to a SIEM system, you have to configure the process of export in Kaspersky Security Center Cloud Console.

To configure export to SIEM systems in the Kaspersky Security Center Cloud Console:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the SIEM section.
  3. Click the Settings link.

    The Export settings section opens.

  4. Specify the settings in the Export settings section:
    • SIEM system server address

      The IP address of the server on which the currently used SIEM system is installed. Check this value in your SIEM system settings.

    • SIEM system port

      Port number used to establish a connection between Kaspersky Security Center Cloud Console and your SIEM system server. You specify this value in the Kaspersky Security Center Cloud Console settings and in the receiver settings of your SIEM system.

    • Protocol

      Only the TLS over TCP protocol can be used for transferring messages to the SIEM system. To configure it, specify the TLS settings:

      • Server authentication

        In the Server authentication field, you can select the Trusted certificates or SHA fingerprints values:

        • Trusted certificates. You can receive a complete certificate chain (including the root certificate) from a trusted certification authority (CA) and upload the file to Kaspersky Security Center Cloud Console. Kaspersky Security Center Cloud Console checks whether the certificate chain of the SIEM system server is also signed by a trusted CA or not.

          To add a trusted certificate, click the Browse for CA certificates file button, and then upload the certificate.

        • SHA fingerprints. You can specify SHA1 thumbprints of the complete certificate chain of the SIEM system (including the root certificate) in Kaspersky Security Center Cloud Console. To add a SHA1 thumbprint, enter it in the Thumbprints field, and then click the Add button.

        By using the Add client authentication setting, you can generate a certificate to authenticate Kaspersky Security Center Cloud Console. In this case, you use a self-signed certificate issued by Kaspersky Security Center Cloud Console, and you can use either a trusted certificate or a SHA fingerprint to authenticate the SIEM system server.

      • Add Subject name/Subject alternative name

        The subject name is the domain name for which the certificate was issued. Kaspersky Security Center Cloud Console cannot connect to the SIEM system server if the domain name of the SIEM system server does not match the subject name in the SIEM system server certificate. The domain name of the SIEM system server can change, however, if the name has been changed in the certificate. For this case, you can specify additional subject names in the Add Subject name/Subject alternative name field. If any of the specified subject names matches a subject name in the SIEM system certificate, Kaspersky Security Center Cloud Console validates the SIEM system server certificate.

      • Add client authentication

        For client authentication, you can insert your certificate or generate it in Kaspersky Security Center Cloud Console.

        • Insert certificate. You can use a certificate that you received from any source, for example, from any trusted CA. You must specify the certificate and its private key by using one of the following certificate types:
          • X.509 certificate PEM. Upload a file with a certificate in the File with certificate field, and a file with a private key in the File with key field. The two files are independent of each other, and the order in which you upload them does not matter. When both files are uploaded, specify the password for decrypting the private key in the Password or certificate verification field. The password can be empty if the private key is not encrypted.
          • X.509 certificate PKCS12. Upload a single file that contains a certificate and its private key in the File with certificate field. When the file is uploaded, specify the password for decrypting the private key in the Password or certificate verification field. The password can be empty if the private key is not encrypted.
        • Generate key. You can generate a self-signed certificate in Kaspersky Security Center Cloud Console. As a result, Kaspersky Security Center Cloud Console stores the generated self-signed certificate, and you can pass the public part of the certificate or its SHA1 fingerprint to the SIEM system.
  5. If you want, you can export archived events from the Administration Server database and set the start date from which you want to start the export of archived events:
    1. Click the Set the export start date link.
    2. In the section that opens, specify the start date in the Date to start export from field.
    3. Click the OK button.
  6. Switch the Automatically export events to SIEM system database option to the Enabled position.
  7. To check that the SIEM system connection is configured, click the Check connection button.

    The connection status will be displayed.

  8. Click the Save button.

Export to a SIEM system is configured. From now on, if you configured the receiving of events in a SIEM system, Administration Server exports the marked events to a SIEM system. If you set the start date of export, Administration Server also exports the marked events stored in the Administration Server database from the specified date.
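The TLS settings in step 4 amount to three decisions on the sender side: trust the SIEM server's chain through a CA file or through SHA1 thumbprints of the whole chain, accept any of a configured list of subject names, and optionally present a client certificate. As an added example (not Kaspersky's implementation), the following Python expresses those decisions with the standard ssl module; the file paths, the constructed DER byte strings and the certificate dictionary in the comments are assumptions for illustration.

```python
"""Sender-side trust checks mirroring the page's TLS options (example code, not
Kaspersky's): CA-chain trust or SHA1 fingerprint pinning, an allowed-name list,
and an optional client certificate."""
import hashlib
import ssl
from typing import Iterable, Sequence


def chain_fingerprints(der_certs: Sequence[bytes]) -> list[str]:
    """SHA1 thumbprint of each DER-encoded certificate, upper-case hex, no separators."""
    return [hashlib.sha1(der).hexdigest().upper() for der in der_certs]


def normalize_thumbprint(value: str) -> str:
    """Accept thumbprints pasted as 'ab:cd:..', 'AB CD ..' or plain hex."""
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")


def chain_is_pinned(der_certs: Sequence[bytes], pinned: Iterable[str]) -> bool:
    """The 'SHA fingerprints' option: every certificate in the presented chain, leaf
    to root, must be in the configured list, so a chain with an unknown member fails."""
    pins = {normalize_thumbprint(p) for p in pinned}
    fps = chain_fingerprints(der_certs)
    return bool(fps) and all(fp in pins for fp in fps)


def names_in_cert(peercert: dict) -> set[str]:
    """DNS names from the SAN extension plus the subject CN, read from the dict
    shape that ssl.SSLSocket.getpeercert() returns."""
    names = {v.lower() for k, v in peercert.get("subjectAltName", ()) if k == "DNS"}
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def name_allowed(peercert: dict, allowed: Iterable[str]) -> bool:
    """The 'Add Subject name/Subject alternative name' rule: one match is enough."""
    return bool(names_in_cert(peercert) & {a.lower() for a in allowed})


def sender_context(cafile=None, certfile=None, keyfile=None, password=None,
                   pinning=False) -> ssl.SSLContext:
    """TLS client context for the sender; the file paths are deployment-specific."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False  # the configured name list is checked by name_allowed()
    if pinning:
        # Trust comes from chain_is_pinned() after the handshake, not from a CA store.
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=cafile)   # 'Trusted certificates' option
    if certfile:
        ctx.load_cert_chain(certfile, keyfile, password)  # 'Add client authentication'
    return ctx
```

After the handshake, pass the DER certificates read from the socket (the leaf via getpeercert(binary_form=True), plus the rest of the chain where the ssl module exposes it) to chain_is_pinned(), and getpeercert() to name_allowed(), before sending any event.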

See also:

Configuring event export to SIEM systems

Configuring an event export in a SIEM system

[Topic 216090]

Viewing export results

You can check whether the event export procedure completed successfully. To do this, check whether messages with exported events are received by your SIEM system.

If the events sent from Kaspersky Security Center Cloud Console are received and properly parsed by your SIEM system, configuration on both sides is done properly. Otherwise, check the settings you specified in Kaspersky Security Center Cloud Console against the configuration in your SIEM system.

The figure below shows the events exported to ArcSight. For example, the first event is a critical Administration Server event: "Device status is Critical".

The representation of export events in the SIEM system varies according to the SIEM system you use.

[Figure: Example of events exported to ArcSight]

See also:

Configuring event export to SIEM systems

[Topic 151340]