IBM Security QRadar

  • 1.  Kaspersky Security Center Log Source

    Posted Fri April 26, 2019 08:51 AM

    All,

     

    I am currently integrating Kaspersky into our SIEM, but cannot find a list of messages their security center provides.  If anyone has that list, I would sure appreciate a copy. I can't find it anywhere.

     

    Specifically I want to develop an offense for the following issues:

    • The service is disabled abnormally on an endpoint. There is a message generated when the system stops at shutdown, but that is not useful.

    • Malware found but not cleaned or deleted.

    • Kaspersky terminates a process it detects as malicious.

     

    Any help would be much appreciated.

     

    Daniel Sichel, Info Security Analyst, Sr., CISSP #422810

    Community Medical Centers

    Corporate Compliance Office – Information Systems Security

    1540 E. Shaw, Suite 101, Fresno Cal. 93710

    Phone: (559) 724-4265 ext. 24265 | Fax: 559-724-4271

    Cell: (559) 230-9444

    dsichel@communitymedical.org


  • 2.  RE: Kaspersky Security Center Log Source

    Posted Mon April 29, 2019 02:15 AM
    ​Hi Daniel

    You find a list of all events when you open the DSM editor and load the Kaspersky DSM.
    (Log Activity --> select single log event --> Actions --> DSM Editor)

    Hope this helps you.

    Regards
    Rouven

    ------------------------------
    Rouven Schierscher
    Senior Security Officer
    LGT
    ------------------------------



  • 3.  RE: Kaspersky Security Center Log Source

    Posted Mon April 29, 2019 10:08 AM
    Not sure if this is helpful, but here is the info from the DSM guide:

    81 Kaspersky

    IBM Security QRadar supports a range of Kaspersky DSMs.

    Kaspersky Security Center

    The IBM Security QRadar DSM for Kaspersky Security Center can retrieve events directly from a database on your Kaspersky Security Center appliance or receive events from the appliance by using syslog.

    The following table identifies the specifications for the Kaspersky Security Center DSM:

    Table 302. Kaspersky Security Center DSM specifications
      Manufacturer: Kaspersky
      DSM name: Kaspersky Security Center
      RPM file name: DSM-KasperskySecurityCenter-QRadar_versionbuild_number.noarch.rpm
      Protocol: JDBC (versions 9.2-10.1); Syslog LEEF (version 10.1)
      Recorded event types: Antivirus, Server, Audit
      Automatically discovered: No, if you use the JDBC protocol. Yes, if you use the syslog protocol.
      Includes identity: Yes
      Includes custom properties: No
      More information: Kaspersky website (http://www.kaspersky.com)

    To send Kaspersky Security Center events to QRadar, complete the following steps:

    1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your QRadar Console:
       - DSMCommon RPM
       - Kaspersky Security Center DSM
    2. Choose one of the following options:
       - If you use syslog, configure your Kaspersky Security Center to forward events to QRadar.
       - If you use the JDBC protocol, configure a JDBC log source to poll events from your Kaspersky Security Center database.
    3. Create a Kaspersky Security Center log source on the QRadar Console. Configure all required parameters, and use the following tables to configure the specific values that are required for Kaspersky Security Center event collection.

    If you use syslog, configure the following parameters:

    Table 303. Kaspersky Security Center syslog log source parameters
      Log Source type: Kaspersky Security Center
      Protocol Configuration: Syslog
      Log Source Identifier: Type the IP address or host name for the log source as an identifier for events that are collected from your Kaspersky Security Center appliance.

    If you use JDBC, configure the following parameters:

    Table 304. Kaspersky Security Center JDBC log source parameters
      Log Source type: Kaspersky Security Center
      Protocol Configuration: JDBC
      Log Source Identifier: Use the format <Kaspersky_Database>@<Server_Address>, where <Server_Address> is the IP address or host name of the Kaspersky Security Center database server.
      Database Type: MSDE
      Database Name: KAV
      IP or Hostname: The IP address or host name of the SQL server that hosts the Kaspersky Security Center database.
      Port: Type the port number that is used by the database server. The default port for MSDE is 1433. You must enable and verify that you can communicate by using the port that you specified in the Port field. The JDBC configuration port must match the listener port of the Kaspersky Security Center database. To be able to communicate with QRadar, the Kaspersky Security Center database must have incoming TCP connections enabled. If you define a database instance that uses MSDE as the database type, you must leave the Port parameter blank in your configuration.
      Username: Type the user name the log source can use to access the Kaspersky Security Center database.
      Password: Type the password the log source can use to access the Kaspersky Security Center database. The password can be up to 255 characters in length.
      Confirm Password: Confirm the password that is used to access the database. The confirmation password must be identical to the password entered in the Password field.
      Authentication Domain: If you select MSDE as the Database Type and the database is configured for Windows Authentication, you must populate the Authentication Domain field. Otherwise, leave this field blank.
      Database Instance: If you have multiple SQL server instances on your database server, type the database instance. If you use a non-standard port in your database configuration, or block access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.
      Predefined Query: From the list, select Kaspersky Security Center.
      Use Prepared Statements: Select the Use Prepared Statements check box. Prepared statements allow the JDBC protocol source to set up the SQL statement one time, then run the SQL statement many times with different parameters. For security and performance reasons, it is suggested that you use prepared statements. Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements.
      Start Date and Time: Optional. Type the start date and time for database polling. The Start Date and Time parameter must be formatted as yyyy-MM-dd HH:mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.
      Polling Interval: Type the polling interval, which is the amount of time between queries to the view you created. The default polling interval is 10 seconds. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds.
      EPS Throttle: Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.
      Use Named Pipe Communication: If you are using Windows authentication, enable this parameter to allow authentication to the AD server. If you are using SQL authentication, disable Named Pipe Communication.
      Database Cluster Name: If you select the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.
      Use NTLMv2: Select the Use NTLMv2 check box. This option forces MSDE connections to use the NTLMv2 protocol when they communicate with SQL servers that require NTLMv2 authentication. The default value of the check box is selected. If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication.
      Use SSL: If your connection supports SSL communication, select Use SSL. This option requires extra configuration on your Kaspersky Security Center database and also requires administrators to configure certificates on both appliances.

    Note: Selecting a parameter value greater than 5 for the Credibility parameter weights your Kaspersky Security Center log source with a higher importance compared to other log sources in QRadar.

    Related concepts: "JDBC protocol configuration options" (QRadar uses the JDBC protocol to collect information from tables or views that contain event data from several database types).
    Related tasks: "Adding a DSM" (if your system is disconnected from the Internet, you might need to install a DSM RPM manually); "Adding a log source" (if a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances); "Exporting syslog to QRadar from Kaspersky Security Center"; "Creating a Database View for Kaspersky Security Center".

    Creating a Database View for Kaspersky Security Center

    To collect audit event data, you must create a database view on your Kaspersky server that is accessible to IBM Security QRadar.

    About this task
    To create a database view, you can download the klsql2.zip tool, which is available from Kaspersky, or use another program that allows you to create database views. The instructions below define the steps required to create the dbo.events view using the Kaspersky Labs tool.

    Procedure
    1. From the Kaspersky Labs website, download the klsql2.zip file: http://support.kaspersky.com/9284
    2. Copy klsql2.zip to your Kaspersky Security Center Administration Server.
    3. Extract klsql2.zip to a directory.
    4. The following files are included:
       - klsql2.exe
       - src.sql
       - start.cmd
    5. In any text editor, edit the src.sql file.
    6. Clear the contents of the src.sql file.
    7. Type the following Transact-SQL statement to create the dbo.events database view:

         create view dbo.events as
         select
             e.nId,
             e.strEventType   as 'EventId',
             e.wstrDescription as 'EventDesc',
             e.tmRiseTime     as 'DeviceTime',
             h.nIp            as 'SourceInt',
             e.wstrPar1, e.wstrPar2, e.wstrPar3, e.wstrPar4, e.wstrPar5,
             e.wstrPar6, e.wstrPar7, e.wstrPar8, e.wstrPar9
         from dbo.v_akpub_ev_event e, dbo.v_akpub_host h
         where e.strHostname = h.strName;

    8. Save the src.sql file.
    9. From the command line, navigate to the location of the klsql2 files.
    10. Type the following command to create the view on your Kaspersky Security Center appliance:

          klsql2 -i src.sql -o result.xml

        The dbo.events view is created. You can now configure the log source in QRadar to poll the view for Kaspersky Security Center events.

    Note: Kaspersky Security Center database administrators should ensure that QRadar is allowed to poll the database for events using TCP port 1433 or the port configured for your log source. Protocol connections are often disabled on databases by default and additional configuration steps might be required to allow connections for event polling. Any firewalls located between Kaspersky Security Center and QRadar should also be configured to allow traffic for event polling.

    Exporting syslog to QRadar from Kaspersky Security Center

    Configure Kaspersky Security Center to forward syslog events to your IBM Security QRadar Console or Event Collector.

    About this task
    Kaspersky Security Center can forward events that are registered on the Administration Server, Administration Console, and Network Agent appliances.

    Procedure
    1. Log in to Kaspersky Security Center.
    2. In the console tree, expand the Reports and notifications folder.
    3. Right-click Events and select Properties.
    4. In the Exporting events pane, select the Automatically export events to SIEM system database check box.
    5. In the SIEM system list, select QRadar.
    6. Type the IP address and port for the QRadar Console or Event Collector.
    7. Optional: To forward historical data to QRadar, click Export archive to export historical data.
    8. Click OK.

    Kaspersky Threat Feed Service

    The IBM Security QRadar DSM for Kaspersky Threat Feed Service collects events from Kaspersky Feed Service.

    The following table describes the specifications for the Kaspersky Threat Feed Service DSM:

    Table 305. Kaspersky Threat Feed Service DSM specifications
      Manufacturer: Kaspersky Lab
      DSM name: KasperskyThreatFeedService
      RPM file name: DSM-KasperskyThreatFeedService-QRadar_versionbuild_number.noarch.rpm
      Supported versions: 2.0
      Protocol: Syslog
      Event format: LEEF
      Recorded event types: Detect, Status, Evaluation
      Automatically discovered: Yes
      Includes identity: No
      Includes custom properties: No
      More information: Kaspersky website (http://www.kaspersky.com/)

    To integrate Kaspersky Threat Feed Service with QRadar, complete the following steps:

    1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your QRadar Console, in the order that they are listed:
       - DSMCommon RPM
       - Kaspersky Threat Feed Service DSM RPM
    2. Configure Kaspersky Threat Feed Service to send syslog events to QRadar.
    3. If QRadar does not automatically detect the log source, add a Kaspersky Threat Feed Service log source on the desired event collector. The following table describes the parameters that require specific values for Kaspersky Threat Feed Service event collection:

    Table 306. Kaspersky Threat Feed Service log source parameters
      Log Source type: Kaspersky Threat Feed Service
      Protocol Configuration: Syslog
      Log Source Identifier: KL_Threat_Feed_Service_V2

    The following table provides a sample event message for Kaspersky Threat Feed Service.

    Table 307. Kaspersky Threat Feed Service sample event message
      Event name: KL_Mobile_BotnetCnc_URL
      Low level category: Botnet address
      Sample log message:
        Jul 10 10:10:14 KL_Threat_Feed_Service_v2 LEEF:1.0|Kaspersky Lab|Threat Feed Service|2.0|KL_Mobile_BotnetCnc_URL| url=example.com/xxxxxxxxxxxxxxxx/xxx md5=sha1=- sha256=- usrName=TestUser mask=xxxxxxxxxxxx.xxxx type=2 first_seen=04.01.2016 16:40 last_seen=27.01.2016 10:46 popularity=5

    Related tasks: "Adding a DSM"; "Adding a log source".

    Configuring Kaspersky Threat Feed Service to communicate with QRadar

    Before you begin
    Before you install the Threat Feed Service on a device, ensure that your device meets the hardware and software requirements. The requirements are specified in the Kaspersky Threat Feed Service for QRadar distribution kit documentation.

    Procedure
    1. Unpack the contents of the installation archive, Kaspersky_Threat_Feed_Service-Linux-x86_642.0.x.y-Release_for_Qradar.tar.gz, to any directory on the computer that you want to use for running the service.
       Note: The installation directory is denoted by the variable <service_dir> in the following configuration steps.
    2. Configure the Threat Feed Service.
       a. Edit <service_dir>/etc/kl_feed_service.conf
       b. Modify the ConnectionString element nested within the InputSettings element to specify the IP and Port where the Threat Feed Service listens for events from QRadar. The IP address is that of the server the Threat Feed Service runs on.

            <InputSettings>
              ...
              <ConnectionString>Server_IP:Port</ConnectionString>
            </InputSettings>

          The following table identifies the Input Settings parameters that need to be modified in the kl_feed_service.conf file.

          Table 308. Input Settings parameters
            QRadar_IP: The IP address of the system the Threat Feed Service is running on.
            Port: An available port where the Threat Feed Service listens for events from QRadar. The default is 9995.

       c. Modify the ConnectionString element nested within the OutputSettings element to specify the QRadar event collector IP and Port that the Threat Feed Service sends events to.

            <OutputSettings>
              ...
              <ConnectionString>QRadar_IP:Port</ConnectionString>
            </OutputSettings>

          The following table identifies the Output Settings parameters that need to be modified in the kl_feed_service.conf file.

          Table 309. Output Settings parameters
            QRadar_IP: The IP address of the QRadar Event Collector.
            Port: 514

    3. Save the changes.
    4. Type the following command from the <service_dir> directory to start the Threat Feed Service:

         etc/init.d/kl_feed_service start

       The following message is displayed when the Threat Feed Service starts:

         Starting kl_feed_service: Config file: ../etc/kl_feed_service.conf
         [ OK ]

       Note: If the configuration file is missing or if its contents do not conform to the specified rules, the feed service does not start and an error message appears.
       Note: To stop the Feed Service, type the following command from the <service_dir> directory: etc/init.d/kl_feed_service stop
    5. Verify that the communication between the Threat Feed Service and QRadar is working by sending a set of test events with the following command:

         /usr/bin/python <service_dir>/tools/tcp_client.py -a <QRadar_IP> -p 514 <service_dir>/integration/sample_initiallog.txt

       Note: The <QRadar_IP> test parameter is the IP address of your QRadar Event Collector.

    Configuring QRadar to forward events to the Kaspersky Threat Feed Service

    To have the Threat Feed Service check events that arrive in QRadar, you must configure QRadar to forward events to the Threat Feed Service.

    Procedure
    1. Log in to the QRadar Console UI.
    2. Click the Admin tab, and select System Configuration > Forwarding Destinations.
    3. In the Forwarding Destinations window, click Add.
    4. In the Forwarding Destination Properties pane, configure the Forwarding Destination Properties.

    Table 310. Forwarding Destination parameters
      Name: An identifier for the destination. For example, KL Threat Feed Service v2
      Destination Address: IP address of the host that runs the Threat Feed Service.
      Event Format: JSON
      Destination Port: The port that is specified in kl_feed_service.conf InputSetting > ConnectionString. The default value is 9995.
      Protocol: TCP
      Profile: Default profile

    5. Click Save.
    6. Click the Admin tab, and then select System Configuration > Routing Rule.
    7. In the Routing Rules window, click Add.
    8. In the Routing Rules window, configure the routing rule parameters.

    Table 311. Routing Rules parameters
      Name: An identifier for the rule name. For example, KL Threat Feed Service v2 Rule.
      Description: Create a description for the routing rule that you are creating.
      Mode: Online
      Forwarding Event Collector: Select the event collector that is used to forward events to the Threat Feed Service.
      Data Source: Events
      Event Filters: Create a filter for the events that are going to be forwarded to the Threat Feed Service. To achieve maximum performance of the Threat Feed Service, only forward events that contain a URL or hash.
      Routing Options: Enable Forward, and then select the <forwarding_destination> that you created in Step 1.

    9. Click Save.

    Source: QRadar DSM Configuration Guide, © Copyright IBM Corp. 2005, 2018

    ------------------------------
    Richard Gingras
    QRadar SME
    IBM Security
    Cambridge MA
    ------------------------------
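To see what the dbo.events view from the guide actually exposes to the JDBC log source, and what it silently leaves out, here is an added example (my own code, not IBM's or Kaspersky's) that stands in SQLite, via Python's sqlite3 module, for the MSDE/SQL Server database. The CREATE VIEW statement is the one from the guide; the two Kaspersky views it reads are replaced by tables whose column types are guessed from the column names; the host rows, event rows and event type names are constructed placeholders, not real Kaspersky event identifiers; and poll_events re-implements the incremental, prepared-statement polling idea for illustration rather than QRadar's own JDBC query. The attached database named dbo is a trick to give SQLite a "dbo" schema so the statement runs unchanged.

```python
import sqlite3

# The view statement from the DSM guide, as written there (trailing semicolon
# dropped because sqlite3.execute() accepts exactly one statement).
CREATE_EVENTS_VIEW = """
create view dbo.events as
select e.nId, e.strEventType as 'EventId', e.wstrDescription as 'EventDesc',
       e.tmRiseTime as 'DeviceTime', h.nIp as 'SourceInt',
       e.wstrPar1, e.wstrPar2, e.wstrPar3, e.wstrPar4, e.wstrPar5,
       e.wstrPar6, e.wstrPar7, e.wstrPar8, e.wstrPar9
from dbo.v_akpub_ev_event e, dbo.v_akpub_host h
where e.strHostname = h.strName
"""

# Stand-ins for the two KSC views the statement reads. Column types are an
# assumption drawn from the Hungarian-style names (n = number, str/wstr =
# string, tm = time); the real schema is not on the page.
CREATE_STAND_INS = """
CREATE TABLE dbo.v_akpub_host (strName TEXT PRIMARY KEY, nIp INTEGER);
CREATE TABLE dbo.v_akpub_ev_event (
    nId INTEGER PRIMARY KEY, strEventType TEXT, wstrDescription TEXT,
    tmRiseTime TEXT, strHostname TEXT,
    wstrPar1 TEXT, wstrPar2 TEXT, wstrPar3 TEXT, wstrPar4 TEXT, wstrPar5 TEXT,
    wstrPar6 TEXT, wstrPar7 TEXT, wstrPar8 TEXT, wstrPar9 TEXT);
"""

# Constructed rows. The event type names are placeholders, not Kaspersky event
# identifiers (the guide lists none). Host WS-999 is deliberately missing from
# v_akpub_host to show what the inner join in the view does with it.
HOSTS = [("WS-001", 167772161), ("WS-002", 167772162)]
EVENTS = [
    (1, "PLACEHOLDER_EVENT_A", "first constructed event", "2019-04-26 08:51:00", "WS-001", "par1-a"),
    (2, "PLACEHOLDER_EVENT_B", "second constructed event", "2019-04-26 08:52:00", "WS-002", "par1-b"),
    (3, "PLACEHOLDER_EVENT_C", "host unknown to the host view", "2019-04-26 08:53:00", "WS-999", "par1-c"),
]


def build_stand_in_db():
    """In-memory SQLite standing in for the KSC database. SQLite has no
    schemas, so a second attached in-memory database named dbo plays the
    dbo schema, which lets the guide's statement run unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("ATTACH DATABASE ':memory:' AS dbo")
    conn.executescript(CREATE_STAND_INS)
    conn.execute(CREATE_EVENTS_VIEW)
    conn.executemany("INSERT INTO dbo.v_akpub_host VALUES (?, ?)", HOSTS)
    conn.executemany(
        "INSERT INTO dbo.v_akpub_ev_event "
        "(nId, strEventType, wstrDescription, tmRiseTime, strHostname, wstrPar1) "
        "VALUES (?, ?, ?, ?, ?, ?)", EVENTS)
    conn.commit()
    return conn


def poll_events(conn, last_seen_id, batch=1000):
    """One polling cycle: rows of dbo.events newer than the id seen last time,
    fetched with a parameterised (prepared) statement, which is what the
    guide's Use Prepared Statements option is about. This imitates the
    incremental poll of a JDBC log source; it is not QRadar's own query."""
    cur = conn.execute(
        "SELECT nId, EventId, EventDesc, DeviceTime, SourceInt, wstrPar1 "
        "FROM dbo.events WHERE nId > ? ORDER BY nId LIMIT ?",
        (last_seen_id, batch))
    rows = [dict(r) for r in cur]
    return rows, (rows[-1]["nId"] if rows else last_seen_id)


def orphaned_event_ids(conn):
    """Events the view drops: their host has no row in v_akpub_host, so the
    inner join on hostname excludes them and QRadar never polls them."""
    cur = conn.execute(
        "SELECT nId FROM dbo.v_akpub_ev_event WHERE strHostname NOT IN "
        "(SELECT strName FROM dbo.v_akpub_host) ORDER BY nId")
    return [r["nId"] for r in cur]


if __name__ == "__main__":
    db = build_stand_in_db()
    rows, last_id = poll_events(db, 0)
    print("polled:", [(r["nId"], r["EventId"], r["SourceInt"]) for r in rows])
    print("next poll starts after id", last_id)
    print("dropped by the join:", orphaned_event_ids(db))
```

The practical point is the join: an endpoint that has an event row but no matching v_akpub_host row (a host renamed or removed from the Administration Server, for instance) produces nothing in dbo.events, so a "service disabled" event from exactly such a host would never reach QRadar through this view. Compare orphaned_event_ids() against the poll when you validate the integration, and note that SourceInt is whatever integer KSC stores in nIp; the example does not assume its byte order.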
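For the syslog path, the sample message in Table 307 shows what a LEEF event from the Threat Feed Service looks like, and any custom parsing or filtering (the routing rule above says to forward only events that carry a URL or hash) starts from splitting that format correctly. Here is an added example of a LEEF 1.0/2.0 parser (my own code, not IBM's or Kaspersky's). The first sample line is constructed in the shape of the Table 307 message with the tab delimiters LEEF 1.0 requires put back (the guide's rendering collapsed them to spaces), and with the indicator, user and dates as placeholders; the second sample has the tabs collapsed to spaces again to show the failure mode a careless relay produces. LeefEvent, parse_leef and indicator are names of this example only.

```python
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the Table 307 message. LEEF 1.0 separates
# extension pairs with tabs. Not a captured event: the indicator, user and
# dates are placeholders.
SAMPLE_TAB = (
    "Jul 10 10:10:14 KL_Threat_Feed_Service_v2 "
    "LEEF:1.0|Kaspersky Lab|Threat Feed Service|2.0|KL_Mobile_BotnetCnc_URL| "
    "url=example.com/xxxxxxxxxxxxxxxx/xxx\tmd5=-\tsha1=-\tsha256=-"
    "\tusrName=TestUser\tmask=xxxxxxxxxxxx.xxxx\ttype=2"
    "\tfirst_seen=04.01.2016 16:40\tlast_seen=27.01.2016 10:46\tpopularity=5"
)
# The same line after a relay (or a PDF) turned the tabs into spaces. Values
# such as first_seen contain spaces, so a naive split on whitespace breaks.
SAMPLE_SPACES = SAMPLE_TAB.replace("\t", " ")


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attrs: dict = field(default_factory=dict)


# Whitespace immediately followed by "key=" (used only by the fallback split).
_KEY_BOUNDARY = re.compile(r"\s+(?=[A-Za-z_][A-Za-z0-9_.]*=)")
# LEEF 2.0 optional delimiter field: one literal character or "xHH" (hex).
_DELIM_FIELD = re.compile(r"^(x[0-9A-Fa-f]{2}|.)\|")


def parse_leef(line):
    """Parse one syslog line carrying a LEEF 1.0 or 2.0 payload."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    header, _, body = line[start:].partition("|")
    version = header[len("LEEF:"):]
    parts = body.split("|", 4)  # vendor | product | version | event id | rest
    if len(parts) != 5:
        raise ValueError("truncated LEEF header")
    vendor, product, product_version, event_id, rest = parts

    delim = "\t"  # LEEF 1.0: always tab
    if version.startswith("2."):
        m = _DELIM_FIELD.match(rest)
        if m:  # LEEF 2.0 may announce its own extension delimiter
            spec = m.group(1)
            delim = chr(int(spec[1:], 16)) if len(spec) == 3 else spec
            rest = rest[m.end():]

    if delim in rest:
        pairs = rest.split(delim)
    else:
        # Delimiter lost in transit: split only where whitespace precedes a
        # key=, so values that themselves contain spaces stay intact.
        pairs = _KEY_BOUNDARY.split(rest)

    attrs = {}
    for pair in pairs:
        if not pair.strip():
            continue
        key, eq, value = pair.partition("=")
        if not eq:
            raise ValueError(f"malformed extension pair: {pair!r}")
        attrs[key.strip()] = value
    return LeefEvent(version, vendor, product, product_version, event_id, attrs)


def indicator(event):
    """Return (field, value) for the IOC the event carries: the URL if there
    is one, else the first hash that is not the '-' placeholder; None if the
    event carries neither. This is the check the routing rule asks for
    (forward only events that contain a URL or hash)."""
    for key in ("url", "sha256", "sha1", "md5"):
        value = event.attrs.get(key, "-").strip()
        if value and value != "-":
            return key, value
    return None


if __name__ == "__main__":
    for line in (SAMPLE_TAB, SAMPLE_SPACES):
        ev = parse_leef(line)
        print(ev.event_id, indicator(ev), ev.attrs["first_seen"])
```

If you write your own LEEF producer or relay, keep the tab: the fallback only works because the keys here are distinguishable from value text, and a value such as a URL containing " key=" would be split wrongly. Hashes that the feed reports as "-" are absent, not a hash of "-", so treat them that way before matching against a reference set.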