Kaspersky Machine Learning for Anomaly Detection

Configuring the CEF Connector

Kaspersky MLAD uses the CEF Connector to receive data from external sources of events (such as the Industrial Internet of Things, network devices and applications) and to send incident registration messages to an external system.

You can also use the CEF Connector to send information security event logs of Kaspersky MLAD to an external system. Information security event logs are automatically written to the Kaspersky MLAD database.

To receive events from external sources using the CEF Connector, configure the Event Processor service.
Before configuring the CEF Connector settings in the Kaspersky MLAD web interface, the IP address and port number to be used for connecting the external event source to the CEF Connector must be specified in the .env file. The settings of the configuration file can be changed only by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.
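As an added example (not part of this documentation or the Kaspersky MLAD product code), the following Python builds and parses lines in the CEF format that the CEF Connector exchanges with external event sources and SIEM systems. Only the public CEF grammar is assumed (a `CEF:` prefix, seven `|`-separated header fields, then a space-separated `key=value` extension with its escaping rules); the vendor, product and field values are constructed sample data, not values the product emits.

```python
"""Build and parse CEF lines of the kind the CEF Connector receives and sends.

Added example; not part of the Kaspersky MLAD documentation or product code.
Only the public CEF grammar is assumed: a 'CEF:' prefix, seven '|'-separated
header fields, then a space-separated key=value extension. Vendor, product
and field values used with it are constructed sample data.
"""
import re

CEF_VERSION = 0
HEADER_FIELDS = ("vendor", "product", "version", "event_class_id", "name", "severity")
# Extension keys are bare tokens directly followed by '='; '=' inside values is escaped.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")


def _escape_header(value):
    """Header fields may contain '|' and '\\' only in escaped form."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_ext(value):
    """Extension values escape '\\', '=' and line breaks; '|' is allowed unescaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _unescape_ext(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_cef(vendor, product, version, event_class_id, name, severity, extension=None):
    """Return one CEF line. Severity is the 0..10 integer scale."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be between 0 and 10")
    header = "|".join(_escape_header(v) for v in
                      (vendor, product, version, event_class_id, name, int(severity)))
    ext = " ".join(f"{k}={_escape_ext(v)}" for k, v in (extension or {}).items())
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


def _split_header(line):
    """Split the first seven unescaped '|' fields; return them plus the raw extension."""
    parts, buf, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # '\|' or '\\' inside a header field
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(parts) < 7:
        raise ValueError("malformed CEF header: fewer than seven '|' separators")
    return parts, line[i:]


def _parse_extension(raw):
    ext = {}
    keys = list(_KEY_RE.finditer(raw))
    for idx, match in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(raw)
        ext[match.group(1)] = _unescape_ext(raw[match.end():end])
    return ext


def parse_cef(line):
    """Parse a CEF line, tolerating a syslog prefix before 'CEF:'. Returns a dict."""
    line = line.rstrip("\r\n")
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no 'CEF:' marker in line")
    parts, raw_ext = _split_header(line[start:])
    record = {"cef_version": int(parts[0][4:])}
    record.update(zip(HEADER_FIELDS, parts[1:7]))
    if record["severity"].isdigit():
        record["severity"] = int(record["severity"])
    record["extension"] = _parse_extension(raw_ext)
    return record
```

An event source that escapes `|` in header fields but forgets `=` in extension values produces lines that still look well-formed yet parse with shifted keys; running inbound lines through a strict parser like this one before they reach the Event Processor is a cheap way to catch such producers.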

System administrators can configure the CEF Connector.

To configure the CEF Connector:

  1. In the lower-left corner of the window, click the icon in the form of two horizontal equalizer sliders.

    You will be taken to the administrator menu.

  2. Select System parameters → CEF Connector.

    A list of options appears on the right.

  3. Use the Receive events for the Event Processor service toggle switch to enable or disable use of the CEF Connector for receiving events from an external system.
  4. Use the Send registered incidents to SIEM system toggle switch to enable or disable forwarding of messages about incidents registered by the application to the external system.
  5. Use the Send registered events to SIEM system toggle switch to enable or disable forwarding of messages about events registered by the Event Processor service to the external system.
  6. In the IP address for sending events and incidents to SIEM system field, specify the IP address of the external system to which the CEF Connector forwards events processed by the Event Processor service and registered incidents.
  7. In the Port for sending events and incidents to SIEM system field, specify the port number of the external system to which the CEF Connector forwards events processed by the Event Processor service and registered incidents.
  8. If you need to send information security event logs of Kaspersky MLAD to an external system, turn on the Send information security event logs to a Syslog server toggle switch and do the following:
    1. In the Transport protocol for sending information security events to a Syslog server drop-down list, select the protocol that you want to use for sending information security event logs.

      Kaspersky MLAD supports the TCP and UDP protocols for sending information security event logs to an external system.

    2. In the Syslog server address for sending information security events field, specify the IP address or host name of the external system to which the information security event logs must be sent.
    3. In the Syslog server port for sending information security events field, specify the port number of the external system to which the information security event logs must be sent.
  9. Use the Use TLS connection toggle switch to enable or disable the use of a secure TLS connection when using Kaspersky MLAD as a client.

    By default, use of a secure TLS connection is enabled.

    To avoid compromising the received and/or sent data, it is recommended to keep the use of a secure TLS connection enabled.

  10. If you have enabled the use of a secure TLS connection, use the Use the recommended TLS connection settings toggle switch to enable or disable use of the recommended TLS connection settings.

    When the toggle switch is on, a secure TLS connection is used via the TLS 1.2 or TLS 1.3 protocol with a cipher suite from the list of recommended ciphers.

  11. If you need to use a secure TLS connection for the server side of the CEF Connector, do the following:
    1. Add the server certificate and the certificate key by using the Browse button under the Server certificate and Private key to the server certificate settings.

      It is recommended to use a certificate with a certificate key length of at least 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.

    2. If you are using client certificates, add the root certificate to verify the signature of the client certificate by using the Browse button under the CA certificate for verifying the client certificate signature setting.

    Certificates and certificate keys can be uploaded only as files in DER or PEM format.

    To delete the certificate file or certificate key, click the basket icon button in the corresponding field. To save the certificate file or certificate key on your computer, click the button with an arrow pointing into a tray in the corresponding field.

  12. If you need to use a secure TLS connection for the client side of the CEF Connector, do the following:
    1. Add the client certificate and the certificate key by using the Browse button under the Client certificate and Private key to the client certificate settings.

      It is recommended to use a certificate with a certificate key length of at least 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.

    2. If you are using server certificates, add the root certificate to verify the signature of the server certificate by using the Browse button under the CA certificate for verifying the server certificate signature setting.

    Certificates and certificate keys can be uploaded only as files in DER or PEM format.

    To delete the certificate file or certificate key, click the basket icon button in the corresponding field. To save the certificate file or certificate key on your computer, click the button with an arrow pointing into a tray in the corresponding field.

  13. Click the Save button.
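To illustrate what steps 9 to 12 configure on the wire, here is an added Python example (not Kaspersky MLAD code and not its CEF Connector implementation): a sender that restricts TLS to versions 1.2 and 1.3 with forward-secret AEAD cipher suites, a server-side context that presents a certificate and optionally requires client certificates, a client-side context that verifies the server against a CA and optionally presents a client certificate, a helper that accepts certificates in DER or PEM, and transmission of one CEF or syslog line over TCP or UDP. Hosts, ports and certificate paths are placeholders supplied by the caller; the cipher list is my own reading of "recommended" settings, not the product's list.

```python
"""TLS policy and transport for a CEF/syslog sender, mirroring steps 9 to 12.

Added example; not Kaspersky MLAD code. Hosts, ports and file paths are
placeholders supplied by the caller. RECOMMENDED_CIPHERS is an assumption
about what a 'recommended' TLS 1.2 suite list looks like, not the product's.
"""
import socket
import ssl

# TLS 1.2 suites: forward secrecy (ECDHE) with AEAD ciphers only. TLS 1.3
# suites are selected separately by OpenSSL and are all AEAD.
RECOMMENDED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def apply_recommended_policy(ctx):
    """Allow only TLS 1.2/1.3 and AEAD suites, like the 'recommended settings' toggle."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(RECOMMENDED_CIPHERS)
    return ctx


def ensure_pem_cert(data):
    """Accept a certificate as PEM or DER bytes and return PEM text.

    The connector takes both encodings; Python's ssl module loads only PEM,
    so DER is converted here (certificates only; convert DER keys with openssl).
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def make_server_context(cert_file, key_file, client_ca_file=None):
    """Server side (step 11): present our certificate; optionally require client certificates."""
    ctx = apply_recommended_policy(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    ctx.load_cert_chain(cert_file, key_file)
    if client_ca_file:
        ctx.verify_mode = ssl.CERT_REQUIRED          # reject clients without a valid certificate
        ctx.load_verify_locations(client_ca_file)
    return ctx


def make_client_context(server_ca_file, cert_file=None, key_file=None):
    """Client side (step 12): verify the server against a CA; optionally present a client certificate."""
    ctx = apply_recommended_policy(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED              # default for a client context, stated explicitly
    ctx.load_verify_locations(server_ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def send_line(message, host, port, transport="tcp", tls_context=None,
              server_hostname=None, timeout=5.0):
    """Send one CEF/syslog line; TCP lines are newline-terminated, UDP is one datagram.

    Returns the number of payload bytes handed to the socket.
    """
    payload = message.encode("utf-8")
    if transport == "udp":
        if tls_context is not None:
            raise ValueError("TLS requires the TCP transport")
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            return sock.sendto(payload, (host, port))
    if transport != "tcp":
        raise ValueError("transport must be 'tcp' or 'udp'")
    payload += b"\n"
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if tls_context is not None:
            # SNI and hostname verification use the configured server name.
            sock = tls_context.wrap_socket(sock, server_hostname=server_hostname or host)
        sock.sendall(payload)
        return len(payload)
    finally:
        sock.close()
```

Choosing UDP for the Syslog server in step 8 means the TLS toggle of step 9 cannot protect those logs, which is why `send_line` refuses a TLS context with UDP; with TCP, `make_client_context` applied to the sender and `make_server_context` with a client CA on the receiving side gives the mutually authenticated connection that steps 11 and 12 describe.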