Kaspersky Endpoint Security Integration
Overview
Kaspersky Endpoint Security provides multi-layered threat protection with behavioral detection and exploit prevention. KYRA MDR collects Kaspersky events via Kaspersky Security Center syslog integration. Supports KSC 14.x and KES 12.x.
Prerequisites
- A KYRA MDR Collector installed and running
- Kaspersky Security Center (KSC) with administrative access
- KSC 14.0 or later
- Network connectivity from the KSC Administration Server to the collector on TCP port 514 (plain syslog is unencrypted, so restrict that port to the KSC host on the collector's firewall)
Configuration
Configure SIEM integration in Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console
- Navigate to Administration Server > Properties > SIEM
- Enable Export events to SIEM system
- Configure:
| Setting | Value |
|---|---|
| SIEM Server | Your KYRA Collector IP |
| Port | 514 |
| Protocol | TCP |
| Format | CEF |
- Select event categories: Critical, Functional failure, Warning
- Click OK and restart the administration server if prompted
KSC Web Console (14.2+)
For KSC 14.2 and later with the Web Console:
- Navigate to Settings > SIEM Integration
- Toggle Export to SIEM to On
- Configure the connection parameters as shown above
- Click Save
KSC klscflag Configuration (CLI)
You can also enable SIEM export via the command line on the KSC server:
```bash
# Enable SIEM integration via klscflag (run on the Administration Server host as root)
klscflag -fset -pv ".core/.independent" -s KLEVP -n KLEVP_SRV_SIEM_ENABLED -v 1 -t d

# Set syslog server address
klscflag -fset -pv ".core/.independent" -s KLEVP -n KLEVP_SRV_SIEM_HOST -v "<COLLECTOR_IP>" -t s

# Set syslog server port
klscflag -fset -pv ".core/.independent" -s KLEVP -n KLEVP_SRV_SIEM_PORT -v 514 -t d

# Set format to CEF
klscflag -fset -pv ".core/.independent" -s KLEVP -n KLEVP_SRV_SIEM_FORMAT -v 1 -t d

# Restart the KSC service to apply changes (the flags are read at start-up)
sudo systemctl restart kladminserver
```
klscflag does not validate flag names, so after the restart open the SIEM settings in the console and confirm the values you set are shown there.
KSC OpenAPI: Query Events
The KSC OpenAPI lets you pull events directly from the Administration Server, which is useful for spot-checking what KSC has recorded against what arrives over syslog:
```bash
# Authenticate: KSC OpenAPI takes the base64-encoded user name and password in the KSCBasic header.
# -c saves the session cookie for the next call; --cacert pins the Administration Server's
# certificate (use --insecure only in a lab, it disables TLS verification entirely)
curl -s -X POST "https://<KSC_HOST>:13299/api/v1.0/Session.StartSession" \
  -H "Content-Type: application/json" \
  -H "Authorization: KSCBasic user=<BASE64_USER>, pass=<BASE64_PASS>" \
  -c ksc-session.txt \
  --cacert "<KSC_CA_CERT>" | jq .

# Retrieve recent security events with the saved session
curl -s -X POST "https://<KSC_HOST>:13299/api/v1.0/EventProcessing.GetEvents" \
  -H "Content-Type: application/json" \
  -b ksc-session.txt \
  -d '{ "strIteratorId": "", "nStart": 0, "nEnd": 50 }' \
  --cacert "<KSC_CA_CERT>" | jq .
```
Verify Log Reception
```bash
# On the KYRA Collector, watch for Kaspersky CEF events on the wire
# (-l makes tcpdump line-buffered so grep shows matches immediately; -nn skips name lookups)
sudo tcpdump -l -nn -i any port 514 -A | grep -i "kaspersky\|KES\|KSC"

# Check the local syslog file (/var/log/syslog on Debian/Ubuntu, /var/log/messages on RHEL-family systems)
tail -f /var/log/syslog | grep -i "kaspersky"
```
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Threat Detection | Malware and suspicious activity | Endpoint threat protection |
| Exploit Prevention | Exploit block events | Vulnerability defense |
| Firewall | Endpoint firewall events | Host network security |
| Device Control | Peripheral and USB events | Data loss prevention |
| Application Control | Application launch events | Application whitelisting |
| Encryption | Full disk encryption events | Data protection monitoring |
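KSC delivers every log type in the table above as one CEF line inside a syslog message. The parser below is an added example (not KYRA MDR's own parser and not Kaspersky code): it splits the pipe-delimited CEF header while honouring the `\|` and `\\` escapes, parses the key=value extension with `\=`, `\\`, `\n` and `\r` unescaping, bands the CEF severity the way the CEF specification defines it (0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very-High), and rejects a line that is not CEF at all, which is what a plain-syslog export looks like. The sample lines are constructed for this example rather than captured from a KSC; the vendor/product strings, version and event IDs in them are assumptions about what the export emits.

```python
import re
from typing import Dict, List, Tuple

# CEF layout: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# An extension key starts the extension or follows whitespace and is immediately followed by '='
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")

# Constructed sample lines (not captured from a KSC); vendor/product strings and event IDs are assumptions.
SAMPLE_LINES = [
    r"<14>Jan 05 10:00:00 ksc01 CEF:0|KasperskyLab|SecurityCenter|14.2.0.26098|GNRL_EV_VIRUS_FOUND"
    r"|Malicious object detected|10|rt=Jan 05 2025 10:00:00 dhost=wkst-042 fname=eicar.com "
    r"filePath=C:\\Users\\jdoe\\Downloads\\eicar.com cs1=EICAR-Test-File cs1Label=Threat msg=Action\=Quarantine",
    r"<14>Jan 05 10:01:30 ksc01 CEF:0|KasperskyLab|SecurityCenter|14.2.0.26098|GNRL_EV_ATTACK_DETECTED"
    r"|Network attack \| blocked|7|rt=Jan 05 2025 10:01:30 dhost=srv-db-01 src=10.0.8.23 act=Blocked",
    # Plain-syslog export (Format not set to CEF): the parser must reject it rather than guess
    r"<14>Jan 05 10:02:00 ksc01 Kaspersky Security Center: Malicious object detected on wkst-042",
]


def _split_header(text: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields; '\\|' and '\\\\' are escapes inside them."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text) and len(fields) < len(HEADER_FIELDS):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return fields, text[i:]  # whatever follows the seventh pipe is the extension


def _unescape_ext(value: str) -> str:
    """Undo the CEF extension escapes: '\\=' '\\\\' '\\n' '\\r'."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Each value runs from its '=' up to the next ' key=' boundary, so values may contain spaces."""
    out: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def severity_bucket(sev: int) -> str:
    """CEF severity bands: 0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very-High."""
    if sev <= 3:
        return "Low"
    if sev <= 6:
        return "Medium"
    if sev <= 8:
        return "High"
    return "Very-High"


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog line carrying a CEF event; the syslog prefix before 'CEF:' is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = _split_header(line[start:])
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    event["version"] = fields[0][len("CEF:"):]
    event["severity"] = int(fields[6])
    event["severity_bucket"] = severity_bucket(int(fields[6]))
    event["ext"] = _parse_extension(ext)
    return event


def parse_lines(lines: List[str]) -> Tuple[List[Dict[str, object]], List[str]]:
    """Parse a batch; malformed lines are reported instead of silently dropped."""
    events: List[Dict[str, object]] = []
    rejected: List[str] = []
    for line in lines:
        try:
            events.append(parse_cef(line))
        except ValueError as exc:
            rejected.append(f"{exc}: {line[:60]}")
    return events, rejected


if __name__ == "__main__":
    ok, bad = parse_lines(SAMPLE_LINES)
    for ev in ok:
        print(ev["signature_id"], ev["severity_bucket"], ev["name"], ev["ext"])
    for r in bad:
        print("REJECTED", r)
```

The rejected third line is exactly what you see when the KSC export format is left on plain syslog: the Kaspersky text is there, but without the `CEF:0|` header there is nothing for a CEF parser to key on.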
Troubleshooting
No events exported: Verify SIEM integration is enabled in KSC properties and that the collector is reachable from the KSC host on TCP 514. The administration server may need a restart before the export starts.
Event filtering: The categories ticked in the KSC export settings are the only filter KSC applies. If the volume is too high, keep Critical and Functional failure and drop Warning.
CEF format issues: Ensure the export format is set to CEF rather than plain syslog. KYRA MDR includes a dedicated Kaspersky CEF parser, which keys on the CEF header.
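When nothing arrives, it helps to split the problem into the collector's listener and KSC's export. The script below is an added example (not part of KYRA MDR or of KSC): it wraps a constructed Kaspersky-style CEF payload in an RFC 3164 syslog header and sends it newline-framed over TCP, the same framing the TCP/CEF settings above produce, and it can stand up a throwaway loopback listener to prove the send/receive path before you point it at a real collector. The CEF payload, host names and event ID are constructed for the example; the collector address and port are whatever you configured.

```python
import socket
import threading
from datetime import datetime, timezone
from typing import List

# Constructed Kaspersky-style CEF payload for the probe; not a captured KSC event, and the
# vendor/product strings and event ID are assumptions about what the KSC export emits.
TEST_CEF = ("CEF:0|KasperskyLab|SecurityCenter|14.2.0.26098|GNRL_EV_VIRUS_FOUND|"
            "Malicious object detected|10|dhost=wkst-042 fname=eicar.com msg=KYRA reception test")


def build_syslog_line(payload: str, hostname: str = "ksc01", facility: int = 1, severity: int = 6) -> str:
    """Wrap a payload in an RFC 3164 header: <PRI>Mmm dd hh:mm:ss host payload, PRI = facility*8 + severity."""
    pri = facility * 8 + severity
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")  # zero-padded day; rsyslog accepts it
    return f"<{pri}>{stamp} {hostname} {payload}"


def split_frames(buf: bytes) -> List[str]:
    """Newline framing, as KSC uses over TCP: one syslog message per newline-terminated line."""
    return [frame.decode("utf-8", "replace") for frame in buf.split(b"\n") if frame]


def is_kaspersky_cef(line: str) -> bool:
    """Reception check: the payload must carry a CEF:0 header whose Device Vendor is Kaspersky."""
    idx = line.find("CEF:0|")
    return idx >= 0 and line[idx:].split("|")[1].lower().startswith("kaspersky")


def send_syslog_tcp(host: str, port: int, line: str, timeout: float = 3.0) -> int:
    """Send one newline-framed syslog line over TCP; returns the number of bytes written."""
    data = line.encode("utf-8") + b"\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
    return len(data)


def receive_syslog_tcp(listener: socket.socket, timeout: float = 5.0) -> List[str]:
    """Accept one connection on a listening socket and return every frame it sends before closing."""
    listener.settimeout(timeout)
    conn, _peer = listener.accept()
    buf = b""
    with conn:
        conn.settimeout(timeout)
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    return split_frames(buf)


def loopback_check(bind: str = "127.0.0.1", port: int = 0) -> List[str]:
    """Prove the send/receive path on this host: listen (port 0 = ephemeral), send TEST_CEF, return what arrived."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind, port))
    listener.listen(1)
    received: List[str] = []
    reader = threading.Thread(target=lambda: received.extend(receive_syslog_tcp(listener)), daemon=True)
    reader.start()
    send_syslog_tcp(bind, listener.getsockname()[1], build_syslog_line(TEST_CEF))
    reader.join(timeout=5.0)
    listener.close()
    return received


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # python3 kes_syslog_probe.py <COLLECTOR_IP> 514 : inject one test event into the real
        # collector, then run the tcpdump/rsyslog checks from Verify Log Reception on it
        sent = send_syslog_tcp(sys.argv[1], int(sys.argv[2]), build_syslog_line(TEST_CEF))
        print(f"sent {sent} bytes to {sys.argv[1]}:{sys.argv[2]}")
    else:
        for frame in loopback_check():
            print("received:", frame, "| kaspersky CEF:", is_kaspersky_cef(frame))
```

Run it with no arguments for the loopback self-test. With `<COLLECTOR_IP> 514` it injects one event into the real collector: if that event shows up in tcpdump or rsyslog while real KSC events do not, the listener and the network path are fine and the problem is on the KSC side (export disabled, wrong host or port, or the Administration Server not restarted).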
Contact kyra@seekerslab.com for support.