Kaspersky Anti Targeted Attack Platform

Configuring integration with an SIEM system

Kaspersky Anti Targeted Attack Platform can publish information about user actions in the program web interface as well as alerts to a SIEM system already in use at your organization using the Syslog protocol.

You can use TLS encryption for data transmission.

If you have deployed the Central Node and Sensor components as a cluster, you can configure fault-tolerant integration with an external system using one of the following options:

  • Use the Round Robin function of the DNS server.
  • Configure the settings of the external system so that it switches between the IP addresses of the cluster servers if a network error occurs.

To configure fault-tolerant integration with the external system using Round Robin:

  1. Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
  2. Specify this domain name in the settings of the external system.

Integration with the external system will be configured based on the domain name. The external system will communicate with a random server in the cluster. If this server fails, the external system will communicate with another healthy server in the cluster.

In this section

Enabling and disabling information logging to a remote log

Configuring the main settings for SIEM system integration

Uploading a TLS certificate

Enabling and disabling TLS encryption of the connection with the SIEM system

Content and properties of syslog messages about alerts


Enabling and disabling information logging to a remote log

You can configure the logging of information about user actions in the web interface and alerts to a remote log. The log file is stored on the server on which the SIEM system is installed. To write to the remote log, you must configure the integration with the SIEM system.

To enable or disable the logging of information about user actions in the web interface and alerts to the remote log:

  1. In the window of the program web interface, select the Settings section, SIEM system subsection.
  2. If you want to enable / disable the recording of information about user actions in the web interface to the remote log, do one of the following:
    • If you want to enable recording of information about user actions in the web interface, select the Activity log check box.
    • If you want to disable the recording of information about user actions in the web interface, clear the Activity log check box.
  3. If you want to enable / disable the recording of information about alerts to the remote log, do one of the following:
    • If you want to enable recording of alert information, select the Alerts check box.
    • If you want to disable recording of alert information, clear the Alerts check box.

    You can select both check boxes simultaneously.

  4. Click Apply in the lower part of the window.

Information logging in the remote log is enabled or disabled.

Users with the Security auditor role can only view information about remote logging settings.


Configuring the main settings for SIEM system integration

To configure the main settings for SIEM system integration:

  1. In the window of the program web interface, select the Settings section, SIEM system subsection.
  2. Select the Activity log and/or Alerts check boxes.

    You can select one check box or both check boxes.

  3. In the Host/IP field, enter the IP address or host name of the server of your SIEM system.
  4. In the Port field, enter the port number used for connecting to your SIEM system.
  5. In the Protocol field, select TCP or UDP.
  6. In the Host ID field, enter the host ID. The host with that ID is specified as the alert source in the log of the SIEM system.
  7. In the Heartbeat field, enter the interval at which heartbeat messages (periodic messages containing the state of the program components) are sent to the SIEM system.
  8. Click Apply in the lower part of the window.

The main settings of integration with the SIEM system will be configured.

Users with the Security auditor role can only view information about the SIEM system integration settings.


Uploading a TLS certificate

To upload a TLS certificate for encrypting the connection with the SIEM system:

  1. In the window of the program web interface, select the Settings section, SIEM system subsection.
  2. In the TLS encryption section, click the Upload button.

    This opens the file selection window.

  3. Select the TLS certificate file to upload and click the Open button.

    This closes the file selection window.

    The TLS certificate will be added to the program.

  4. Click Apply in the lower part of the window.

The uploaded TLS certificate will be used to encrypt the connection with the SIEM system.


Enabling and disabling TLS encryption of the connection with the SIEM system

To enable or disable TLS encryption of the connection with the SIEM system:

  1. In the window of the program web interface, select the Settings section, SIEM system subsection.
  2. Select the Activity log and/or Alerts check boxes.

    You can select one check box or both check boxes.

  3. In the TLS encryption section, perform one of the following actions:
    • Turn on the toggle switch next to the name of the TLS encryption parameter if you want to enable TLS encryption of the connection with the SIEM system.
    • Turn off the toggle switch next to the name of the TLS encryption parameter if you want to disable TLS encryption of the connection with the SIEM system.

    The toggle switch next to the name of the TLS encryption setting can be used only if a TLS certificate is loaded.

  4. Click Apply in the lower part of the window.

TLS encryption of the connection with the SIEM system will be enabled or disabled.
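
The script below is an added example, not Kaspersky code or part of this documentation. It stands in for the SIEM listener named in the Host/IP, Port and Protocol fields and lets you validate the export end to end: it accepts syslog over UDP or TCP, optionally terminates TLS, and appends every message to a local "remote log" file. The following are assumptions, since this page does not state them: the Central Node frames TCP syslog either with a trailing newline or with RFC 6587 octet counting (the receiver accepts both); the certificate uploaded in the TLS encryption section is the receiver's server certificate or the CA that issued it; port 6514, the log path and the certificate paths are placeholders.

```python
"""Minimal syslog receiver for validating the KATA -> SIEM export configured above.

Added example, not Kaspersky code. Assumptions (not stated on the page): TCP framing is
newline-terminated or RFC 6587 octet-counted; the uploaded certificate is this server's
certificate or its issuing CA; port 6514 and all file paths are placeholders.
"""
import re
import socket
import ssl
import sys

MAX_MESSAGE_BYTES = 32 * 1024   # KATA cuts longer messages; a receiver must accept at least this
_OCTET_COUNT = re.compile(rb"(\d{1,8}) ")


def split_frames(buf: bytes):
    """Cut a TCP stream buffer into complete syslog messages.
    Returns (messages, remainder); the remainder is an incomplete trailing message
    to be prepended to the next recv(), so nothing is lost across chunk boundaries."""
    msgs = []
    while buf:
        m = _OCTET_COUNT.match(buf)
        if m:                                   # octet counting: "<length> <message>"
            n, start = int(m.group(1)), m.end()
            if len(buf) < start + n:
                break
            msgs.append(buf[start:start + n])
            buf = buf[start + n:]
        else:                                   # non-transparent framing: one message per line
            nl = buf.find(b"\n")
            if nl < 0:
                break
            msgs.append(buf[:nl].rstrip(b"\r"))
            buf = buf[nl + 1:]
    return msgs, buf


def make_tls_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server-side TLS context presenting the certificate the Central Node is expected to trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def record(log, peer, msg: bytes) -> None:
    """Append one message to the remote log and report its size. A message at the
    limit was truncated at the end by the sender (see the syslog message section)."""
    log.write(msg + b"\n")
    note = "  <- at size limit, truncated by sender" if len(msg) >= MAX_MESSAGE_BYTES else ""
    print(f"{peer[0]}:{peer[1]} {len(msg)} bytes{note}", file=sys.stderr)


def serve(proto: str, host: str, port: int, logpath: str, tls_ctx=None) -> None:
    """Listen for syslog over UDP or TCP (optionally TLS) and append messages to logpath."""
    with open(logpath, "ab", buffering=0) as log:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.bind((host, port))
                while True:
                    data, peer = s.recvfrom(65535)        # one datagram is one message
                    record(log, peer, data.rstrip(b"\r\n"))
        with socket.create_server((host, port)) as srv:
            while True:
                conn, peer = srv.accept()
                try:
                    if tls_ctx is not None:               # handshake fails here if KATA distrusts the cert
                        conn = tls_ctx.wrap_socket(conn, server_side=True)
                    with conn:
                        buf = b""
                        while chunk := conn.recv(65536):
                            msgs, buf = split_frames(buf + chunk)
                            for msg in msgs:
                                record(log, peer, msg)
                except OSError as exc:                    # ssl.SSLError is an OSError
                    print(f"connection from {peer[0]} failed: {exc}", file=sys.stderr)
                    conn.close()


if __name__ == "__main__":
    # usage: python siem_receiver.py tcp 0.0.0.0 6514 kata-remote.log [server.crt server.key]
    proto, host, port, logpath, *tls = sys.argv[1:]
    serve(proto, host, int(port), logpath, make_tls_context(*tls) if tls else None)
```

Point the Host/IP and Port fields at the machine running this script, select TCP, enable TLS only after the certificate presented by make_tls_context has been uploaded, and click Apply; the first heartbeat should appear in the log within the configured Heartbeat interval. A handshake error printed by the receiver is the fastest way to tell a certificate mismatch from a network problem.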


Content and properties of syslog messages about alerts

Information about each alert is transmitted in a separate syslog category (syslog facility) that is not used by the system to deliver messages from other sources. Information about each alert is transmitted as a separate syslog message in CEF format. If the alert was generated by the Targeted Attack Analyzer module, information about that alert is transmitted as multiple separate syslog messages in CEF format.

The default maximum size of a syslog message about an alert is 32 KB. Messages that exceed the maximum size are truncated at the end.

The header of each syslog message about an alert contains the following information:

  • Format version.

    Current version number: 0. Current field value: CEF:0.

  • Vendor.

    Current field value: AO Kaspersky Lab.

  • Program name.

    Current field value: Kaspersky Anti Targeted Attack Platform.

  • Program version.

    The current value of the field is 5.0.0-5201.

  • Alert type.

    See the table below.

  • Event name.

    See the table below.

  • Alert importance.

    Allowed field values: Low, Medium, High or 0 (for heartbeat messages).

  • Additional information.

    Example:

    CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|5.0.0-5201|url_web|URL from web detected|Low|

The body of a syslog message about an alert matches the information about that alert that is displayed in the program web interface. All fields are presented in the format "<key>=<value>". Depending on whether the alert occurred in network traffic or mail traffic, and depending on the technology that generated the alert, various keys may be transmitted in the body of a syslog message. If the value is empty, the key is not transmitted.

The keys, as well as their values contained in a message, are presented in the table below.

Information about an alert in syslog messages

For each alert type, the table below gives the alert type (as transmitted in the message header), the alert name and description, and the keys transmitted in the message body with a description of their values.

file_web

File from web detected

A file was detected in network traffic.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • dst = <destination IP address>.
  • dpt = <destination port>.
  • src = <source IP address>.
  • spt = <source port>.
  • shost = <name of the host on which the file was detected>.
  • suser = <user name>.
  • fName = <name of the file within the compound object>.
  • fsize = <size of the file within the compound object (in bytes)>.
  • fileType = <format of the file within the compound object>.
  • fileHash = <MD5 hash of the file within the compound object>.
  • KasperskyLabKATAcompositeFilePath = <name of the compound object>.
  • KasperskyLabKATAcompositeFileSize = <total size of the compound object (in bytes)>.
  • KasperskyLabKATAcompositeFileHash = <MD5 hash of the compound object>.
  • KasperskyLabKATAfileSHA256 = <SHA256 hash of the compound object>.
  • cs2 = <technology that was used to detect the file>.
  • cs3Label = <name of the virtual machine on which the file was detected> (only for the Sandbox component).
  • cs1 = <list of types of the detected objects according to the Kaspersky Lab classification>.
  • cs3 = <version of databases used to scan the file>.
  • app = <name of the application-level protocol> (HTTP(S) or FTP).
  • requestMethod = <HTTP request method> (only for the HTTP(S) protocol).
  • requestClientApplication = <User Agent of the client computer> (only for the HTTP(S) protocol).
  • request = <URL of the detected object> (only for the HTTP(S) protocol).
  • requestContext = <HTTP Referer header> (only for the HTTP(S) protocol).

file_mail

File from mail detected

A file was detected in mail traffic.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • fName = <name of the file within the compound object>.
  • fsize = <size of the file within the compound object (in bytes)>.
  • fileType = <format of the file within the compound object>.
  • fileHash = <MD5 hash of the file within the compound object>.
  • KasperskyLabKATAcompositeFilePath = <name of the compound object>.
  • KasperskyLabKATAcompositeFileSize = <total size of the compound object (in bytes)>.
  • KasperskyLabKATAcompositeFileHash = <MD5 hash of the compound object>.
  • KasperskyLabKATAfileSHA256 = <SHA256 hash of the compound object>.
  • KasperskyLabKATAmailEnvelopeFrom = <sender email address> (from the Received header).
  • KasperskyLabKATAmailFor = <recipient email address> (from the Received header).
  • KasperskyLabKATAmailRecievedFromIp = <IP address of the first server in the message delivery chain> (from the Received header).
  • cs2 = <technology that was used to detect the file>.
  • cs3Label = <name of the virtual machine on which the file was detected> (only for the Sandbox component).
  • cs1 = <list of types of the detected objects according to the Kaspersky Lab classification>.
  • cs3 = <version of databases used to scan the file>.
  • externalId = <Email message ID>.
  • suser = <email address of sender>.
  • duser = <email addresses of recipients>.
  • msg = <message subject>.

ids

IDS event detected

An alert was generated by the Intrusion Detection System module.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • dst = <destination IP address>.
  • dpt = <destination port>.
  • src = <source IP address>.
  • spt = <source port>.
  • proto = <name of the network-level protocol> (TCP or UDP).
  • cs1 = <type of the detected object according to the Kaspersky Lab classification>.
  • cs2Label = <name of the IDS rule>.
  • cs2 = <number of the IDS rule>.
  • cs3 = <Intrusion Detection System module database version>.
  • requestMethod = <HTTP request method> (only for the HTTP protocol).
  • requestClientApplication = <User Agent of the client computer> (only for the HTTP protocol).
  • request = <URL of the detected object>.

url_web

URL from web detected

An alert was generated by URL Reputation technology or Sandbox in network traffic.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • dst = <destination IP address>.
  • dpt = <destination port>.
  • src = <source IP address>.
  • spt = <source port>.
  • shost = <name of the host on which the file was detected>.
  • suser = <user name>.
  • cs1 = <list of categories to which the URL of the detected object belongs>.
  • requestMethod = <HTTP request method>.
  • requestClientApplication = <User Agent of the client computer>.
  • request = <URL of the detected object>.
  • requestContext = <HTTP Referer header>.
  • reason = <HTTP response code>.

url_mail

URL from mail detected

An alert was generated by URL Reputation technology or Sandbox in mail traffic.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • externalId = <Email message ID>.
  • suser = <email address of sender>.
  • duser = <email addresses of recipients>.
  • KasperskyLabKATAmailEnvelopeFrom = <sender email address> (from the Received header).
  • KasperskyLabKATAmailFor = <recipient address> (from the Received header).
  • KasperskyLabKATAmailRecievedFromIp = <IP address of the first server in the message delivery chain> (from the Received header).
  • msg = <message subject>.
  • request = <URL of the detected object>.
  • cs2 = <technology that was used to generate the alert> (Sandbox or URL Reputation).
  • cs3Label = <name of the virtual machine on which the file was detected> (only for Sandbox).
  • cs1 = <list of types of the detected objects according to the Kaspersky Lab classification> (for the Sandbox component) or <list of categories> (for URL Reputation).
  • cs3 = <version of databases used to scan the file> (only for Sandbox).

dns

DNS request detected

An alert was generated by URL Reputation technology in DNS traffic.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • dst = <destination IP address>.
  • dpt = <destination port>.
  • src = <source IP address>.
  • spt = <source port>.
  • shost = <name of the host on which the file was detected>.
  • suser = <user name>.
  • cs2 = <list of URL categories to which the domain names belong>.
  • requestMethod = <type of DNS message> (request or response).
  • flexString1 = <type of record from the DNS request>.
  • dhost = <host name from the DNS request>.
  • cs1 = <list of domain names from the DNS response>.

file_endpoint

File from endpoint detected

The alert was generated by the Kaspersky Endpoint Agent component on the user's computer and contains a file.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • src = <source IP address>.
  • shost = <name of the host on which the file was detected>.
  • fName = <name of the file within the compound object>.
  • fsize = <size of the file within the compound object (in bytes)>.
  • fileType = <format of the file within the compound object>.
  • fileHash = <MD5 hash of the file within the compound object>.
  • KasperskyLabKATAcompositeFilePath = <name of the compound object>.
  • KasperskyLabKATAcompositeFileSize = <total size of the compound object (in bytes)>.
  • KasperskyLabKATAcompositeFileHash = <MD5 hash of the compound object>.
  • KasperskyLabKATAfileSHA256 = <SHA256 hash of the compound object>.
  • cs2 = <technology that was used to detect the file>.
  • cs3Label = <name of the virtual machine on which the file was detected> (only for the Sandbox component).
  • cs1 = <list of types of the detected objects according to the Kaspersky Lab classification>.
  • cs3 = <version of databases used to scan the file>.
  • app = <name of the application-level protocol> (HTTP(S) or FTP).
  • FilePath = <path to the file on the computer with the Kaspersky Endpoint Agent component>.

iocScanning

IOC has tripped on endpoint

The alert was generated while carrying out an IOC scan of Kaspersky Endpoint Agent for Windows hosts.

This type of alert is available if you are using KEDR functionality.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • src = <source IP address>.
  • shost = <name of the host on which the file was detected>.
  • cs1 = <name of the IOC file by which the alert was generated>.

taaScanning

TAA has tripped on events database

Alert resulting from the IOA analysis of events.

This type of alert is available if you are using KEDR functionality.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • shost = <name of the host on which the alert was generated>.
  • cs1 = <name of the IOA rule by which the alert was generated>.

yaraScanningEP

YARA has tripped on endpoint

The alert was generated while carrying out a YARA scan of Kaspersky Endpoint Agent for Windows hosts.

This type of alert is available if you are using KEDR functionality.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • src = <source IP address>.
  • shost = <name of the host on which the alert was generated>.
  • cs1 = <name of the YARA rule by which the alert was generated>.

heartbeat

Periodic message containing the state of components.

  • dvchost = <name of server with the Central Node component>.
  • rt = <event date and time>.
  • KasperskyLabKATAcomponentName = <name of the component>.
  • KasperskyLabKATAcomponentState = <status of the component> (0 – OK, >0 – Error).
