
Kaspersky Security Center Integration

  • 1.  Kaspersky Security Center Integration

    Posted May 28, 2020 03:13 AM
    Hi,

    I would like to know whether FortiSIEM supports Kaspersky Security Center Syslog collection. I haven't seen anything related to Kaspersky in External Systems Configuration Guide (FortiSIEM Documentation) but configured the syslog forwarding as mentioned in Kaspersky online help (https://help.kaspersky.com/KSC/11/en-US/151333.htm) since there was a parser,


    But when I look into the parser it is referring to CEF or it is looking for 2 Keywords,


    Moreover, in the Kaspersky Security Center it only shows these CEF formats and the Syslog format, which I have configured.

    What would be the correct format to choose?

    Regards,
    Isuru





  • 2.  RE: Kaspersky Security Center Integration

    GROUP ADMIN
    Posted May 28, 2020 04:19 AM
    Hi Isuru

    FortiSIEM does not contain a parser for the syslog format as of now, only CEF is supported. I don't know what the difference between ArcSight CEF and Splunk CEF is.
    Be aware that Kaspersky CEF log export requires an advanced license from Kaspersky (cf. https://media.kaspersky.com/en/business-security/kaspersky-endpoint-security-for-business-datasheet.pdf). With the select license, Kaspersky will only send out in default "Syslog" format, i.e. non-CEF, and FortiSIEM won't be able to parse it.

    Regards,
    Gabriel
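
    Gabriel's point above is that the FortiSIEM parser expects CEF, so whatever Kaspersky Security Center sends in its default Syslog format goes unparsed. The following is an added example (my own code, not FortiSIEM's or Kaspersky's): it parses the CEF header and extension with the CEF escaping rules handled, and tags non-CEF lines so an unlicensed "plain syslog" feed shows up as a gap rather than silently disappearing. The sample events and the vendor, product, event-ID and field values in them are constructed placeholders.

```python
import re

# Constructed sample events: vendor, product and field values are placeholders
# laid out in CEF syntax, not captured from a real Kaspersky Security Center.
CEF_SAMPLE = (
    "<14>May 28 03:13:00 ksc-host CEF:0|ExampleVendor|ExampleEPP|11.0|"
    "EV_SAMPLE_001|Malware detected|8|rt=1590635580000 dhost=pc-01 duser=alice "
    "msg=Object C:\\\\Temp\\\\sample.exe action\\=quarantine"
)
PLAIN_SAMPLE = "<14>May 28 03:13:00 ksc-host KSC: Malware detected on pc-01 user alice"

HEADER_KEYS = ("version", "device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity")
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # extension keys contain no spaces

def _unescape(value, ch):
    # CEF escapes the separator (| in the header, = in the extension) and a literal backslash.
    return re.sub(r"\\([\\%s])" % re.escape(ch), r"\1", value)

def _split_header(body):
    # Split on the first seven unescaped pipes; everything after them is the extension.
    parts, buf, i = [], [], 0
    while i < len(body) and len(parts) < 7:
        if body[i] == "\\" and i + 1 < len(body):
            buf.append(body[i:i + 2]); i += 2          # keep the escape pair intact
        elif body[i] == "|":
            parts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(body[i]); i += 1
    parts.append("".join(buf) + body[i:])
    return parts

def parse_cef(line):
    """Return a dict of CEF header and extension fields, or None if the line is not CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = _split_header(line[idx + 4:])
    if len(parts) != 8:
        return None
    event = {k: _unescape(v, "|") for k, v in zip(HEADER_KEYS, parts[:7])}
    ext, keys = parts[7], list(_EXT_KEY.finditer(parts[7]))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        event[m.group(1)] = _unescape(ext[m.end():end].strip(), "=")
    return event

def classify(line):
    """Tag each event so non-CEF output (the default Syslog format) is visible, not silently dropped."""
    return "cef" if parse_cef(line) else "plain-syslog"
```

    Counting the "plain-syslog" tag per reporting device is a quick way to confirm the KSC export format is actually CEF after a license or configuration change.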


  • 3.  RE: Kaspersky Security Center Integration

    Posted May 28, 2020 08:33 PM
    Hi Gabriel,

    Thanks for the insight. I will check on the license as well.

    Regards,
    Isuru


  • 4.  RE: Kaspersky Security Center Integration

    GROUP ADMIN
    Posted May 28, 2020 04:31 AM
    Hi Isuru,

    You should be able to send Kaspersky CEF format syslog to FortiSIEM.

    The default parser should work; however, this is a slightly modified version that parses some more fields. Clone the existing parser, paste this new one in. Then make sure you Apply it.

    Let me know how you get on.

    Thanks

    Dan

    Attachment(s): kaspersky1.xml (3K)


  • 5.  RE: Kaspersky Security Center Integration

    Posted May 28, 2020 08:34 PM
    Hi Daniel,

    Thanks for the updated parser. I will check on this and let you know how it goes.

    Regards,
    Isuru


  • 6.  RE: Kaspersky Security Center Integration

    Posted May 31, 2020 08:42 PM
    Hi Daniel,

    The parser is working. Thanks for the support.

    Regards,
    Isuru


  • 7.  RE: Kaspersky Security Center Integration

    Posted Aug 03, 2020 11:49 PM
    Hi Daniel,
    Can you please share the parser again? I cannot access the attachment.
    Thanks


  • 8.  RE: Kaspersky Security Center Integration

    GROUP ADMIN
    Posted Aug 10, 2020 03:20 PM
    Hi Alaa, I just downloaded it again from here; it does open in the browser, which means you may need to view the page source as it is XML.

    Let me know if you are still having issues and I will send you a separate link.

    Thanks

    Dan

    ------------------------------
    Daniel
    ------------------------------