Configuring Kaspersky Security Center Cloud Console for export of events to a SIEM system

Expand all | Collapse all

To export events to a SIEM system, you have to configure the process of export in Kaspersky Security Center Cloud Console.

To configure export to SIEM systems in the Kaspersky Security Center Cloud Console:

1. In the main menu, click the settings icon () next to the name of the required Administration Server.

   The Administration Server properties window opens.

2. On the General tab, select the SIEM section.
3. Click the Settings link.

   The Export settings section opens.

4. Specify the settings in the Export settings section:
   • SIEM system server address

     The IP address of the server on which the currently used SIEM system is installed. Check this value in your SIEM system settings.

   • SIEM system port

     Port number used to establish a connection between Kaspersky Security Center Cloud Console and your SIEM system server. You specify this value in the Kaspersky Security Center Cloud Console settings and in the receiver settings of your SIEM system.

   • Protocol

     You can use only TLS over TCP protocol for transferring messages to the SIEM system. To do this, specify the TLS settings:

     • Server authentication

       In the Server authentication field, you can select the Trusted certificates or SHA fingerprints values:

       • Trusted certificates. You can receive a complete certificate chain (including the root certificate) from a trusted certification authority (CA) and upload the file to Kaspersky Security Center Cloud Console. Kaspersky Security Center Cloud Console checks whether the certificate chain of the SIEM system server is also signed by a trusted CA or not.

         To add a trusted certificate, click the Browse for CA certificates file button, and then upload the certificate.

       • SHA fingerprints. You can specify SHA1 thumbprints of the complete certificate chain of the SIEM system (including the root certificate) in Kaspersky Security Center Cloud Console. To add a SHA1 thumbprint, enter it in the Thumbprints field, and then click the Add button.

       By using the Add client authentication setting, you can generate a certificate to authenticate Kaspersky Security Center Cloud Console. Thus, you will use a self-signed certificate issued by Kaspersky Security Center Cloud Console. In this case, you can use both a trusted certificate and a SHA fingerprint to authenticate the SIEM system server.

     • Add Subject name/Subject alternative name

       Subject name is a domain name for which the certificate is received. Kaspersky Security Center Cloud Console cannot connect to the SIEM system server if the domain name of the SIEM system server does not match the subject name of the SIEM system server certificate. However, the SIEM system server can change its domain name if the name has changed in the certificate. In this case, you can specify subject names in the Add Subject name/Subject alternative name field. If any of the specified subject names matches the subject name of the SIEM system certificate, Kaspersky Security Center Cloud Console validates the SIEM system server certificate.

     • Add client authentication

       For client authentication, you can insert your certificate or generate it in Kaspersky Security Center Cloud Console.

       • Insert certificate. You can use a certificate that you received from any source, for example, from any trusted CA. You must specify the certificate and its private key by using one of the following certificate types:
         • X.509 certificate PEM. Upload a file with a certificate in the File with certificate field, and a file with a private key in the File with key field. Both files do not depend on each other and the order of loading the files is not significant. When both files are uploaded, specify the password for decoding the private key in the Password or certificate verification field. The password can have an empty value if the private key is not encoded.
         • X.509 certificate PKCS12. Upload a single file that contains a certificate and its private key in the File with certificate field. When the file is uploaded, specify the password for decoding the private key in the Password or certificate verification field. The password can have an empty value if the private key is not encoded.
       • Generate key. You can generate a self-signed certificate in Kaspersky Security Center Cloud Console. As a result, Kaspersky Security Center Cloud Console stores the generated self-signed certificate, and you can pass the public part of the certificate or SHA1-fingerprint to the SIEM system.
5. If you want, you can export archived events from the Administration Server database and set the start date from which you want to start the export of archived events:
   1. Click the Set the export start date link.
   2. In the section that opens, specify the start date in the Date to start export from field.
   3. Click the OK button.
6. Switch the option to the Automatically export events to SIEM system database Enabled position.
7. To check that the SIEM system connection is successfully configured, click the Check connection button.

   The connection status will be displayed.

8. Click the Save button.

Export to a SIEM system is configured. From now on, if you configured the receiving of events in a SIEM system, Administration Server exports the marked events to a SIEM system. If you set the start date of export, Administration Server also exports the marked events stored in the Administration Server database from the specified date.