Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
Kaspersky Security On-Prem Logs | ✅ | ✅ | ✅ | kaspersky_security_on_prem_logs | text | S3 |
Kaspersky Security Cloud Logs | ✅ | ✅ | ✅ | kaspersky_security_cloud_logs | text | S3 |
Overview
Kaspersky Security Center Cloud Console (KSCCC) is a cloud-based platform that enables centralized management for securing and monitoring devices across an organization. It offers a comprehensive set of tools for administrators to deploy, configure, and oversee endpoint protection across diverse environments. A key feature of KSCCC is its robust logging system, which captures detailed information on security events, administrative actions, and system activities. These logs are essential for:
Maintaining operational visibility
Detecting and responding to threats
Supporting regulatory and internal compliance efforts
Troubleshooting technical and security-related issues
With real-time event tracking and seamless integration with external tools such as the Hunters SIEM, KSCCC enhances an organization's cybersecurity posture by enabling proactive monitoring and rapid incident response.
After receiving the KSCCC alerts in the expected format, Hunters ingests the KSCCC events.
Hunters then detects suspicious behaviors based on the security-relevant events only; general and administrative events are excluded from detection.
Finally, Hunters runs further automatic investigations on these events (such as process and domain analysis) and correlates them with behaviors detected by other products.
Send data to Hunters
Logs should be routed to an AWS S3 bucket.
Once the export is completed and the logs are collected in S3, follow the steps in this section to connect Kaspersky Security Logs.
Connect Kaspersky Security Logs
Hunters supports the connection of Kaspersky logs (On-Prem, Cloud) using AWS S3 as an intermediary storage.
📘Learn more
Before you dive into the process below, take a look at these general AWS S3 guidelines and combine the two procedures.
Expected format
The expected alert format is the Syslog format that can be selected in the Kaspersky Administration Server GUI. However, in some cases raw KSCCC events do not contain the host name and the event time by default. The customer is expected to add them, either with KSCCC advanced features or with features of the shipping tool (for example, FluentD).
If more information is needed about Kaspersky's log formats, please use Kaspersky's support page.
Each log record should contain the relevant host name, the event timestamp, and the raw alert itself.
Sample Data
Kaspersky Security On-Prem Logs (text)
1234|1.0.0.0 - KLSRV_EVENT_HOSTS_NEW_DETECTED [event@23668 p1="ABC123" p2="FH-HOLDING" et="KLSRV_EVENT_HOSTS_NEW_DETECTED" etdn="New device has been detected." hdn="KAS01" hip="123.0.0.0" gn="Managed devices" kscfqdn="abcs01.fh-holding.local"] New device "AB123" has been detected (Windows domain "FH-HOLDING")
Kaspersky Security Cloud Logs (text)
1234|1.0.0.0 - KLAUD_EV_SERVERCONNECT [event@23668 p2="0.0.0.0" p3="TENANT_01\\USR_001" p5="0.0.0.0" p9="::1" et="KLAUD_EV_SERVERCONNECT" etdn="Audit (connection to the Administration Server)" hdn="SERVER_ADMIN" hip="IP_xxx" gn="GROUP_A" kscfqdn="DOM_A.local"] User "TENANT_01\USR_001" has connected to the Administration Server from "0.0.0.0".
kesl|11.1.0.0 - TaskStateChanged [event@12345 et="TaskStateChanged" tdn="Behavior_Detection" etdn="Task state changed" hdn="HOST_17" hip="IP_xxx" gn="GROUP_B" kscfqdn="TENANT_02.example"] Initiator: Product; Runtime task ID: 123; Task state: Stopping; Task type: BehaviorDetection;
KES|01.0.0.0 - 00000123 [event@1234 et="00000123" tdn="Protection" etdn="Participation in KSN enabled" hdn="HOST_05" hip="IP_xxx" gn="GROUP_C" kscfqdn="TENANT_03.example"] Event type: Participation in KSN enabled Name: abc.exe Application path: C:\Program Files (x86)\Kaspersky Lab\KES\... Process ID: 1234 User: SYS_ACC Component: Protection
kesl|02.1.0.0 - TaskStateChanged [event@23668 et="TaskStateChanged" tdn="Update KESL01.1" etdn="Task state changed" hdn="HOST_22" hip="IP_xxx" gn="GROUP_B" kscfqdn="DOM_B.local"] Initiator: SecurityCenter; Runtime task ID: 123; Task state: Starting; Task type: Update; SourceType=KLServers; UseKLServersWhenUnavailable=Yes; ConnectionTimeout=30; ApplicationUpdateMode=DownloadOnly
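The following is an added example, not part of the Hunters documentation or Kaspersky's tooling: it parses a raw KSCCC syslog event of the shape shown in the sample data (header, `[event@... key="value"]` structured data, free-text message) and then wraps it with the host name and timestamp that the expected format requires, which the raw event itself may lack. The record layout (`timestamp`, `hostname`, `event_type`, `raw`) and the `build_record` helper are assumptions for illustration, not the Hunters S3 schema; the sample line is constructed from the page's cloud-log example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Raw Kaspersky Security Center event, as in the sample data above:
#   <product>|<version> - <event id> [event@<pen> key="value" ...] <free-text message>
HEADER = re.compile(
    r'^(?P<product>[^|]+)\|(?P<version>\S+) - (?P<event_id>\S+) '
    r'\[(?P<sd_id>[^\s\]]+)(?P<params>(?:[^\]\\]|\\.)*)\] ?(?P<message>.*)$'
)
# RFC 5424 SD-PARAM value: backslash escapes '"', '\' and ']' (e.g. DOMAIN\\user).
PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

@dataclass
class KscEvent:
    product: str
    version: str
    event_id: str
    params: dict
    message: str

def parse_event(line: str) -> KscEvent:
    """Split a raw KSC event into header fields, structured-data params and message."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not a KSC syslog event: {line[:60]!r}")
    params = {k: re.sub(r'\\(.)', r'\1', v) for k, v in PARAM.findall(m['params'])}
    return KscEvent(m['product'], m['version'], m['event_id'], params, m['message'])

def build_record(line: str, received_at: str, fallback_host: str = "") -> dict:
    """Add the host name and timestamp the raw event may lack (illustrative layout).

    received_at is the shipper's ISO-8601 receive time (assumed UTC if no zone given);
    the host comes from the event's own hdn param, else from the shipper's fallback.
    """
    ev = parse_event(line)
    host = ev.params.get("hdn") or fallback_host
    if not host:
        raise ValueError(f"no host name for event {ev.event_id}: set hdn or fallback_host")
    ts = datetime.fromisoformat(received_at)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return {
        "timestamp": ts.astimezone(timezone.utc).isoformat(),
        "hostname": host,
        "event_type": ev.params.get("et", ev.event_id),
        "raw": line.strip(),
    }

# Constructed sample modelled on the page's cloud-log example (not real telemetry).
SAMPLE = ('1234|1.0.0.0 - KLAUD_EV_SERVERCONNECT [event@23668 p2="0.0.0.0" '
          'p3="TENANT_01\\\\USR_001" et="KLAUD_EV_SERVERCONNECT" hdn="SERVER_ADMIN" '
          'hip="IP_xxx" gn="GROUP_A" kscfqdn="DOM_A.local"] User "TENANT_01\\USR_001" '
          'has connected to the Administration Server from "0.0.0.0".')
```

Running `build_record(SAMPLE, "2024-01-02T05:04:05+02:00")` yields the host from `hdn` and the timestamp normalized to UTC; an event without `hdn` and without a fallback host is rejected so it is not shipped half-enriched.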