
Kaspersky Endpoint Security Integration

Overview

Kaspersky Endpoint Security provides multi-layered threat protection with behavioral detection and exploit prevention. KYRA MDR collects Kaspersky events through the Kaspersky Security Center (KSC) syslog integration. KSC 14.x and KES 12.x are supported.

Prerequisites

  • A KYRA MDR Collector installed and running
  • Kaspersky Security Center (KSC) with administrative access
  • KSC 14.0 or later
  • Network connectivity from KSC to the collector on port 514

Configuration

Configure SIEM integration in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console
  2. Navigate to Administration Server > Properties > SIEM
  3. Enable Export events to SIEM system
  4. Configure the following settings:

       Setting       Value
       -----------   ----------------------
       SIEM Server   Your KYRA Collector IP
       Port          514
       Protocol      TCP
       Format        CEF

  5. Select event categories: Critical, Functional failure, Warning
  6. Click OK and restart the administration server if prompted

KSC Web Console (14.2+)

For KSC 14.2 and later with the Web Console:

  1. Navigate to Settings > SIEM Integration
  2. Toggle Export to SIEM to On
  3. Configure the connection parameters as shown above
  4. Click Save

KSC klscflag Configuration (CLI)

You can also enable SIEM export via the command line on the KSC server:

# Enable SIEM integration via klscflag
klscflag -fset -pv ".core/.independent" -s KLEVP -n KLEVP_SRV_SIEM_ENABLED -v 1 -t d
# Set syslog server address
klscflag -fset -pv ".core/.independent" -s KLEVP -n KLEVP_SRV_SIEM_HOST -v "<COLLECTOR_IP>" -t s
# Set syslog server port
klscflag -fset -pv ".core/.independent" -s KLEVP -n KLEVP_SRV_SIEM_PORT -v 514 -t d
# Set format to CEF
klscflag -fset -pv ".core/.independent" -s KLEVP -n KLEVP_SRV_SIEM_FORMAT -v 1 -t d
# Restart the KSC service to apply changes
sudo systemctl restart kladminserver

KSC OpenAPI: Query Events

# Authenticate and start a session; the session cookie returned by KSC is saved to cookies.txt for the next call
curl -s -X POST \
  "https://<KSC_HOST>:13299/api/v1.0/Session.StartSession" \
  -H "Content-Type: application/json" \
  -H "Authorization: KSCBasic user=admin, pass=<BASE64_PASS>" \
  -c cookies.txt --insecure | jq .
# Retrieve recent security events, reusing the saved session cookie
curl -s -X POST \
  "https://<KSC_HOST>:13299/api/v1.0/EventProcessing.GetEvents" \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{
    "strIteratorId": "",
    "nStart": 0,
    "nEnd": 50
  }' --insecure | jq .
# --insecure disables certificate verification; outside of testing, trust the KSC certificate with --cacert <KSC_CA_CERT> instead

Verify Log Reception

# On the KYRA Collector, check for Kaspersky CEF events
sudo tcpdump -i any port 514 -A | grep -i "kaspersky\|KES\|KSC"
# Check rsyslog
tail -f /var/log/syslog | grep -i "kaspersky"

Collected Log Types

  Log Type              Description                       Security Use
  -------------------   -------------------------------   ------------------------------
  Threat Detection      Malware and suspicious activity   Endpoint threat protection
  Exploit Prevention    Exploit block events              Vulnerability defense
  Firewall              Endpoint firewall events          Host network security
  Device Control        Peripheral and USB events         Data loss prevention
  Application Control   Application launch events         Application whitelisting
  Encryption            Full disk encryption events       Data protection monitoring
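As an added example (not part of this guide and not KYRA's own Kaspersky CEF parser), the following Python script reads syslog lines of the kind the "Verify Log Reception" step shows, parses the CEF record in each, and sorts events into the log types listed above. The sample lines, the vendor/product/version strings, the event IDs and the keyword table are constructed assumptions for the example; real KSC event IDs and names differ. A record that does not have the seven CEF header fields is counted as malformed instead of being dropped silently, which is the symptom behind the "CEF format issues" note in Troubleshooting.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the layout of the KSC SIEM export: a syslog
# header followed by a CEF record. Vendor, product, version, event IDs and
# event names are illustrative assumptions, not values from a real KSC server.
SAMPLE_SYSLOG_LINES = [
    r"<14>Jan 10 12:00:01 ksc-srv CEF:0|KasperskyLab|SecurityCenter|14.0|EXAMPLE_VIRUS_FOUND|Malicious object detected|8|"
    r"rt=Jan 10 2025 12:00:00 dvchost=ksc-srv dst=10.0.5.23 shost=WS-0123 "
    r"fname=C:\\Users\\alice\\Downloads\\invoice.exe msg=Object quarantined cs1Label=Verdict cs1=Trojan.Generic",
    r"<14>Jan 10 12:00:02 ksc-srv CEF:0|KasperskyLab|SecurityCenter|14.0|EXAMPLE_EXPLOIT_BLOCKED|Exploit Prevention: attack blocked|9|"
    r"dst=10.0.5.23 shost=WS-0123 sproc=winword.exe msg=Exploit attempt in winword.exe blocked",
    r"<14>Jan 10 12:00:03 ksc-srv CEF:0|KasperskyLab|SecurityCenter|14.0|EXAMPLE_USB_DENIED|Device Control \| USB storage blocked|4|"
    r"dst=10.0.5.40 shost=WS-0200 msg=Rule\=Block removable drives",
    r"<14>Jan 10 12:00:04 ksc-srv CEF:0|KasperskyLab|SecurityCenter|14.0|EXAMPLE_AGENT_SYNC|Network Agent synchronized|2|dst=10.0.5.40",
    r"<14>Jan 10 12:00:05 ksc-srv CEF:0|KasperskyLab|SecurityCenter|14.0|TRUNCATED",  # malformed: header cut short
    r"<13>Jan 10 12:00:06 ksc-srv systemd[1]: Started example.service",              # ordinary syslog, not CEF
]

HEADER_FIELDS = 7  # CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension

# key=value pairs; values run until the next " key=" and may contain "\=" and "\\" escapes
_EXT_RE = re.compile(r"(?P<key>[A-Za-z0-9_.]+)=(?P<val>(?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extension: Dict[str, str] = field(default_factory=dict)


def _split_header(body: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields, honouring the \\| and \\\\ escapes."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < HEADER_FIELDS:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # escaped character: keep it literally
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < HEADER_FIELDS:
        raise ValueError("CEF header has fewer than %d fields" % HEADER_FIELDS)
    return fields, body[i:]  # remainder is the extension


def _unescape_ext(val: str) -> str:
    """Undo CEF extension escapes: \\= -> =, \\\\ -> \\, \\n and \\r -> line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), val)


def parse_cef_line(line: str) -> Optional[CefEvent]:
    """Parse one syslog line; returns None if it carries no CEF record, raises ValueError if malformed."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    header, ext = _split_header(line[idx + len("CEF:"):])
    version, vendor, product, dev_ver, sig_id, name, sev = header
    if not sev.strip().isdigit():
        raise ValueError("non-numeric CEF severity: %r" % sev)
    extension = {m.group("key"): _unescape_ext(m.group("val")) for m in _EXT_RE.finditer(ext)}
    return CefEvent(version, vendor, product, dev_ver, sig_id, name, int(sev), extension)


# Keyword table mapping event names/IDs to the log types in this guide. This is an
# assumption for the example; a production parser keys on the actual KSC event IDs.
LOG_TYPE_KEYWORDS = [
    ("Exploit Prevention", ("exploit",)),
    ("Device Control", ("device control", "usb", "removable")),
    ("Application Control", ("application control", "launch")),
    ("Firewall", ("firewall",)),
    ("Encryption", ("encrypt",)),
    ("Threat Detection", ("malicious", "malware", "virus", "trojan", "quarantin")),
]


def classify(event: CefEvent) -> str:
    """Return the log type for an event, or 'Other' for operational noise."""
    text = (event.name + " " + event.signature_id).lower()
    for log_type, keys in LOG_TYPE_KEYWORDS:
        if any(k in text for k in keys):
            return log_type
    return "Other"


def summarize(lines: List[str], min_severity: int = 0) -> Dict[str, int]:
    """Count events per log type; malformed CEF records are counted under 'Malformed'."""
    counts: Dict[str, int] = {}
    for line in lines:
        try:
            ev = parse_cef_line(line)
        except ValueError:
            counts["Malformed"] = counts.get("Malformed", 0) + 1
            continue
        if ev is None or ev.severity < min_severity:
            continue
        log_type = classify(ev)
        counts[log_type] = counts.get(log_type, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_SYSLOG_LINES:
        try:
            ev = parse_cef_line(line)
        except ValueError as exc:
            print("MALFORMED:", exc)
            continue
        if ev is not None:
            print("%-20s sev=%-2d %s  host=%s" % (classify(ev), ev.severity, ev.name, ev.extension.get("shost", "-")))
    print(summarize(SAMPLE_SYSLOG_LINES))
```

Run it against a capture of real collector traffic by replacing SAMPLE_SYSLOG_LINES with the lines from `tail -f /var/log/syslog`; a non-empty "Malformed" count points at an export format other than CEF, and a summary with only "Other" events usually means the Critical and Functional failure categories were not selected in KSC.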

Troubleshooting

No events exported: Verify SIEM integration is enabled in KSC properties. The administration server may need a restart.

Event filtering: By default, KSC exports all event categories. Select only Critical and Functional Failure to reduce volume.

CEF format issues: Ensure the export format is set to CEF. KYRA MDR includes a dedicated Kaspersky CEF parser.

Contact kyra@seekerslab.com for support.