[OOTB] KSMG package - ENG
<html lang="en">
<body>
  
  <p>
	The correlation rules package for monitoring Kaspersky Secure Mail Gateway (KSMG) events allows identifying potentially dangerous actions in the mail traffic protection system based on its internal audit events.<br>
	Application events are used to detect anomalies in the behavior of privileged users, such as failed administrator login attempts, connections from non-standard IP addresses and the use of previously unknown accounts. Critical changes in application settings are also monitored, including modifications to audit tasks, protection components and exports of configuration settings. Such changes may indicate an attempt to gain unauthorized access or to bypass security mechanisms in preparation for further attacks on the company's infrastructure. In mail-processing events, the rules detect phishing attacks and the delivery of malicious attachments to internal recipients, including messages from previously blocked senders.<br>
	<br>
	For the rules to function correctly, the audit settings must be verified to ensure that the event logs contain a sufficient level of detail.<br>
	The application audit settings are located in "Settings" → "Logs and Events" → "Events". In the "Audit Events" section, select "Audit log level" → "Log audit events and modified parameters". Detailed information is available in the documentation.<br>
	The rules package operates on events in CEF format. To send events to a SIEM system, the Kaspersky Secure Mail Gateway log must be exported in CEF format to the local2 syslog facility. Detailed information is available in the documentation.
  </p>
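<p>
	The following is an added illustration of how correlation rules of the kind described above work on CEF-formatted audit events; it is example code written for this page and is not part of the KSMG rules package or of the product. The sample events are constructed: the vendor, product and signature ID fields are placeholders, not real KSMG values, and the known-account list and administrator network are assumptions. The extension keys used (rt, suser, src, outcome, act) are standard CEF extension keys. The parser splits the seven-field CEF header on unescaped pipe characters and the extension into key/value pairs; the rules then flag repeated failed administrator logins inside a sliding window, successful logins from unknown accounts or non-standard source addresses, and any critical settings change.
</p>

```python
"""Toy correlation rules over CEF-formatted mail-gateway audit events (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample events. Header fields (vendor, product, signature ID, name)
# are placeholders, NOT real KSMG values. 'rt' is epoch milliseconds, as in CEF.
SAMPLE_EVENTS = [
    "CEF:0|ExampleVendor|ExampleMailGateway|1.0|AUDIT_LOGIN|Administrator login|5|"
    "rt=1700000000000 suser=admin src=10.0.0.5 outcome=failure",
    "CEF:0|ExampleVendor|ExampleMailGateway|1.0|AUDIT_LOGIN|Administrator login|5|"
    "rt=1700000020000 suser=admin src=10.0.0.5 outcome=failure",
    "CEF:0|ExampleVendor|ExampleMailGateway|1.0|AUDIT_LOGIN|Administrator login|5|"
    "rt=1700000040000 suser=admin src=10.0.0.5 outcome=failure",
    "CEF:0|ExampleVendor|ExampleMailGateway|1.0|AUDIT_LOGIN|Administrator login|3|"
    "rt=1700000100000 suser=admin src=203.0.113.7 outcome=success",
    "CEF:0|ExampleVendor|ExampleMailGateway|1.0|AUDIT_LOGIN|Administrator login|3|"
    "rt=1700000200000 suser=svc_backup src=10.0.0.5 outcome=success",
    "CEF:0|ExampleVendor|ExampleMailGateway|1.0|AUDIT_SETTINGS|Settings changed|7|"
    "rt=1700000300000 suser=admin src=203.0.113.7 act=audit task modified",
]

# Assumed environment knowledge: accounts expected to administer the gateway
# and the network from which administrative logins normally originate.
KNOWN_ACCOUNTS = {"admin"}
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# key=value pairs; a value runs until the next " key=" or end of line,
# so values containing spaces (e.g. act=audit task modified) survive.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split a CEF line into its seven header fields plus an 'ext' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Split on pipes that are not escaped as '\|'; at most 8 parts.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["severity"] = int(event["severity"])
    event["ext"] = dict(EXT_RE.findall(parts[7]))
    return event


def correlate(lines, known_accounts, admin_networks, fail_threshold=3, window_s=300):
    """Apply the toy rules and return (rule, user, detail) tuples in event order."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    for line in lines:
        ev = parse_cef(line)
        ext = ev["ext"]
        user, src = ext.get("suser"), ext.get("src")
        ts = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)

        if ev["signature_id"] == "AUDIT_LOGIN":
            if ext.get("outcome") == "failure":
                # Sliding window: keep only failures within window_s of this one.
                recent = [t for t in failures[user] if (ts - t).total_seconds() <= window_s]
                recent.append(ts)
                if len(recent) >= fail_threshold:
                    alerts.append(("brute_force_admin_login", user, src))
                    recent = []  # reset after alerting to avoid repeats
                failures[user] = recent
            elif ext.get("outcome") == "success":
                if user not in known_accounts:
                    alerts.append(("unknown_account_login", user, src))
                if not any(ip_address(src) in net for net in admin_networks):
                    alerts.append(("login_from_non_standard_ip", user, src))
        elif ev["signature_id"] == "AUDIT_SETTINGS":
            # Any audit/protection settings change is treated as critical.
            alerts.append(("critical_settings_change", user, ext.get("act")))
    return alerts


def run_sample():
    """Run the rules over the constructed sample events."""
    return correlate(SAMPLE_EVENTS, KNOWN_ACCOUNTS, ADMIN_NETWORKS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

<p>
	On the constructed sample the rules raise four alerts in order: the third failed login for admin within five minutes, admin's successful login from 203.0.113.7 (outside the assumed administrative network), a successful login by the unknown account svc_backup, and the audit-task modification. A production rule set would key the window on both account and source address and would read the real KSMG signature IDs from the product documentation rather than the placeholders used here.
</p>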

</body>
</html>