Tuesday, May 21, 2024

Updating our SIEM system to version 3.0.3


For many InfoSec teams, security information and event management (SIEM) is at the heart of what they do. An organization's security depends to a large extent on how well its SIEM system lets experts focus directly on fighting threats and avoid routine tasks. That's why almost every update of our Kaspersky Unified Monitoring and Analysis Platform is aimed at improving the user interface, automating routine processes and adding features that make the work of security teams easier. Many of the improvements are based on feedback from our customers' InfoSec experts. In particular, the latest version of the platform (3.0.3) introduces the following features and enhancements.

Writing filter conditions and correlation rules as code

Previously, analysts had to set filters and write correlation rules by clicking through the conditions they needed. In this update, the redesigned interface lets advanced users write rules and conditions as code. Builder mode remains: filter and selector conditions are automatically translated between builder and code modes.

Same rule condition in builder and code modes

What's more, builder mode also lets you write conditions using the keyboard. As soon as you start entering a filter condition, Kaspersky Unified Monitoring and Analysis Platform suggests suitable options from event fields, dictionaries, active lists, and so on. To narrow down the range of options, simply enter the appropriate prefix. For convenience, condition types are highlighted in different colors.

Code mode lets you quickly edit correlation rule conditions, as well as select and copy conditions as code and easily transfer them between different rules or different selectors within a rule. The same code blocks can also be moved to filters (a separate system resource), which greatly simplifies their creation.

Extended event schema

Kaspersky Unified Monitoring and Analysis Platform keeps Common Event Format (CEF) as the basis for the event schema, but we have added the ability to create custom fields, which means you can now implement any taxonomy. No longer restricted to vendor-defined fields, you can name event fields anything you want to make it easier to write search queries. Custom fields are typed and must begin with a prefix that determines both the field's type and the array type. Fields with arrays can only be used in JSON and KV normalizers.

Example of normalization using CEF fields and custom fields

Automatic identification of event source

Kaspersky Unified Monitoring and Analysis Platform administrators no longer have to set up a separate collector for each event type or open ports for each collector on the firewall: in the new version we have implemented the ability to collect events of different formats with a single collector. The collector selects the correct normalizer based on the source IP address. Using a chain of normalizers is permitted. For example, the [OOTB] Syslog header normalizer accepts events from multiple servers and allows you to define a DeviceProcessName and direct bind events to the [OOTB] BIND Syslog normalizer and squid events to the [OOTB] Squid access Syslog normalizer.

Kaspersky Unified Monitoring and Analysis Platform: Event parsing

The following event normalization options are now available:

1 collector – 1 normalizer. We recommend using this method if you have many events of the same type or many IP addresses from which events of the same type may originate. In terms of SIEM performance, configuring a collector with just one normalizer is optimal.

1 collector – multiple normalizers, based on IP addresses. This method is available for collectors with a UDP, TCP or HTTP connector. If a UDP, TCP or HTTP connector is specified in the collector at the Transport step, then at the Event parsing step, on the Parsing settings tab, you can specify multiple IP addresses and select which normalizer to use for events arriving from those addresses. The following types of normalizers are available: JSON, CEF, regexp, Syslog, CSV, KV, XML. For Syslog or regexp normalizers, you can specify additional normalization conditions depending on the value of the DeviceProcessName field.
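A Python model of the two-stage routing described above (first by source IP, then by DeviceProcessName), added here as an illustration; it is not Kaspersky Unified Monitoring and Analysis Platform code, and the normalizer functions, the sample events and the field names other than DeviceProcessName are assumptions in CEF style:

```python
import re

# Constructed sample events (not real data): syslog lines from two servers
# arriving on one UDP port, paired with the source IP the collector saw.
SAMPLE_EVENTS = [
    ("10.0.0.5", "<30>May 21 10:00:01 ns1 named[1234]: client 10.0.0.9#5353: query: example.com IN A"),
    ("10.0.0.7", "<30>May 21 10:00:02 proxy1 squid[4321]: 1716285602.123 45 10.0.0.9 TCP_MISS/200 1024 GET http://example.com/"),
    ("10.0.0.5", "<30>May 21 10:00:03 ns1 cron[99]: (root) CMD (run-parts)"),
]
# RFC 3164-style header: <PRI>timestamp host process[pid]: message
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def syslog_header_normalizer(raw: str) -> dict:
    """Stand-in for a Syslog header normalizer: fills DeviceProcessName."""
    m = SYSLOG_HEADER.match(raw)
    if not m:
        return {"Name": "unparsed syslog", "Message": raw}
    return {"DeviceHostName": m["host"], "DeviceProcessName": m["proc"], "Message": m["msg"]}

def bind_normalizer(event: dict) -> dict:
    """Stand-in for a BIND normalizer: parses a simplified query-log line."""
    m = re.search(r"client (\S+)#\d+: query: (\S+) IN (\S+)", event["Message"])
    if m:
        event.update(SourceAddress=m[1], DestinationDnsDomain=m[2], Name="dns query")
    return event

def squid_normalizer(event: dict) -> dict:
    """Stand-in for a Squid normalizer: parses Squid's native access-log format."""
    parts = event["Message"].split()
    if len(parts) >= 7:
        event.update(SourceAddress=parts[2], EventOutcome=parts[3], RequestUrl=parts[6], Name="proxy request")
    return event

# Stage 1: normalizer chosen by source IP (the "Parsing settings" table).
IP_ROUTES = {"10.0.0.5": syslog_header_normalizer, "10.0.0.7": syslog_header_normalizer}
# Stage 2: additional normalization condition on DeviceProcessName.
PROCESS_CHAIN = {"named": bind_normalizer, "squid": squid_normalizer}

def collect(source_ip: str, raw: str) -> dict:
    """One collector, several normalizers: route by IP, then by process name."""
    first = IP_ROUTES.get(source_ip)
    if first is None:  # unknown source: keep the raw event rather than drop it
        return {"Name": "no normalizer for source", "DeviceAddress": source_ip, "Message": raw}
    event = first(raw)
    event["DeviceAddress"] = source_ip
    second = PROCESS_CHAIN.get(event.get("DeviceProcessName"))
    return second(event) if second else event
```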

These are by no means the only updates to Kaspersky Unified Monitoring and Analysis Platform. There are also changes related to context tables, simplified binding of rules to correlators and other improvements. All of them are designed to improve the user experience for InfoSec professionals; see the full list here. To learn more about our SIEM system, Kaspersky Unified Monitoring and Analysis Platform, please visit the official product page.
