This article explains how to ingest your on-prem Kaspersky AV alerts into Hunters. The alerts should come from the Kaspersky Administration Server and be shipped through a log shipping infrastructure; the currently supported shipper format is FluentD.

Note: For Hunters to integrate with your on-premise Kaspersky AV logs, the logs must be collected into a storage service (i.e. an S3 bucket or Azure Blob Storage) that is shared with Hunters.

Expected Logs Format

The expected alert format is the Syslog format that can be selected in the Kaspersky Administration Server GUI. However, raw KAV events do not contain the hostname or the event time by default; these must be added using KAV advanced features or features of the shipping tool, such as FluentD.

For more information about Kaspersky's log formats, refer to Kaspersky's support page.

In the end, each log entry should contain the relevant host name, the event timestamp and the raw alert itself.

The currently supported timestamp format is YYYY-MM-DDTHH:mm:SS+zz, where zz is the time difference from UTC (see the log example below).

Below is an example of a currently supported log entry. It starts with the event timestamp, the log file name and the host name, and carries the raw alert itself in the "message" JSON attribute:

2021-05-22T09:23:12+00:00   kav_logs.user.warn  {"host":"MyComputer","ident":"KES|","pid":"-","msgid":"000000de","extradata":"[event@32503 et=\"000000de\" tdn=\"Exploit Prevention\" etdn=\"Task stopped\"  gn=\"Tier Two\"]","message":"Event type:     Task stopped\\r\\nApplication:     Kaspersky Endpoint Security for Windows\\r\\nApplication\\Name:     avp.exe\\r\\nApplication\\Path:     C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\\\\r\\nUser:     NT AUTHORITY\\SYSTEM (Initiator)\\r\\nComponent:     Exploit Prevention\\r\\nResult\\Description:     Task stopped\\r\\nObject:     Exploit Prevention\\r\\nObject\\Type:     Subsystem\\r\\nObject\\Name:     Exploit Prevention\\r\\n"}
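As an added illustration (not code from Hunters or Kaspersky), the parser below reads a line in the layout shown above, checks that the hostname and a timezone-qualified timestamp are present, and splits the raw alert in "message" into its key/value fields. The sample line is constructed from the example above; treating the field separator as the literal characters "\r\n" (as the decoded sample carries them) as well as a real CRLF is an assumption drawn from that sample.

```python
import json
import re
from datetime import datetime

# Constructed sample in the page's layout: <event timestamp> <tag> <json record>,
# with the raw KAV alert in the "message" attribute.
SAMPLE_LINE = (
    r'2021-05-22T09:23:12+00:00   kav_logs.user.warn  '
    r'{"host":"MyComputer","ident":"KES|","pid":"-","msgid":"000000de",'
    r'"extradata":"[event@32503 et=\"000000de\" tdn=\"Exploit Prevention\" etdn=\"Task stopped\"  gn=\"Tier Two\"]",'
    r'"message":"Event type:     Task stopped\\r\\nApplication:     Kaspersky Endpoint Security for Windows\\r\\n'
    r'Application\\Name:     avp.exe\\r\\nApplication\\Path:     C:\\Program Files (x86)\\Kaspersky Lab\\\\r\\n'
    r'User:     NT AUTHORITY\\SYSTEM (Initiator)\\r\\nComponent:     Exploit Prevention\\r\\n'
    r'Result\\Description:     Task stopped\\r\\nObject\\Type:     Subsystem\\r\\n"}'
)

# <timestamp> <tag> <json object>, separated by whitespace.
LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\{.*\})\s*$')
# Assumption: the alert body separates fields with CRLF; after JSON decoding the
# sample carries them as the literal characters "\r\n", so accept either spelling.
FIELD_SEP_RE = re.compile(r'\\r\\n|\r\n|\n')
# The page's YYYY-MM-DDTHH:mm:SS+zz; %z rejects a timestamp without a UTC offset.
TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"


def parse_kav_line(line):
    """Return the enriched fields plus the raw alert split into key/value pairs.

    Raises ValueError when the hostname or a valid timestamp is missing, i.e. when
    the shipper did not add the enrichment the ingestion expects.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("line is not '<timestamp> <tag> <json>'")
    ts_text, tag, payload = m.groups()
    event_time = datetime.strptime(ts_text, TS_FORMAT)
    record = json.loads(payload)
    if not record.get("host"):
        raise ValueError("hostname missing: add it via KAV or the shipper (e.g. FluentD)")
    fields = {}
    for part in FIELD_SEP_RE.split(record.get("message", "")):
        key, sep, value = part.partition(":")   # first colon only: values may contain ':'
        if sep:
            fields[key.strip()] = value.strip()
    return {"event_time": event_time, "tag": tag, "host": record["host"],
            "msgid": record.get("msgid"), "fields": fields}


if __name__ == "__main__":
    print(parse_kav_line(SAMPLE_LINE))
```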

Hunters Usage of KAV Data

Once the KAV alerts arrive in the expected format, Hunters ingests all KAV events.

Hunters then detects suspicious behaviours based on the security-relevant events only, excluding general and administrative events from the full set of KAV events.

After that, Hunters runs further automatic investigations on these events (such as process and domain analysis) and correlates them with behaviours detected by other products.