Configuring integration in KUMA
This section describes integration of KUMA with R-Vision IRP from the KUMA side.
Integration in KUMA is configured in the web interface under Settings → IRP / SOAR.
To configure integration with R-Vision IRP:
- In the KUMA web interface, open Resources → Secrets.
  The list of available secrets will be displayed.
- Click the Add secret button to create a new secret. This resource is used to store the token for R-Vision IRP API requests.
  The secret window is displayed.
- Enter information about the secret:
  - In the Name field, enter a name for the added secret. The name must contain from 1 to 128 Unicode characters.
  - In the Tenant drop-down list, select the tenant that will own the created resource.
  - In the Type drop-down list, select token.
  - In the Token field, enter your R-Vision IRP API token.
    You can obtain the token in the R-Vision IRP web interface under Settings → General → API.
  - If required, add a description of the secret in the Description field. The description must contain from 1 to 256 Unicode characters.
- Click Save.
  The R-Vision IRP API token is now saved and can be used in other KUMA resources.
- In the KUMA web interface, go to Settings → IRP / SOAR.
  The window containing R-Vision IRP integration settings opens.
- Make the necessary changes to the following parameters:
  - Disabled—select this check box if you want to disable R-Vision IRP integration with KUMA.
  - In the Secret drop-down list, select the previously created Secret resource.
    You can create a new secret by clicking the button with the plus sign. The created secret will be saved in the Resources → Secrets section.
  - URL (required)—URL of the R-Vision IRP server host.
  - Field name where KUMA alert IDs must be placed (required)—name of the R-Vision IRP field where the ID of the KUMA alert must be written.
  - Field name where KUMA alert URLs must be placed (required)—name of the R-Vision IRP field where the link for accessing the KUMA alert should be written.
  - Category (required)—category of the R-Vision IRP incident that is created after a KUMA alert is received.
  - KUMA event fields that must be sent to IRP / SOAR (required)—drop-down list for selecting the KUMA event fields that should be sent to R-Vision IRP.
  - Severity group of settings (required)—used to map KUMA severity values to R-Vision IRP severity values.
- Click Save.
Integration with R-Vision IRP is now configured in KUMA. If integration is also configured in R-Vision IRP, when alerts appear in KUMA, information about those alerts will be sent to R-Vision IRP to create an incident. The Details on alert section in the KUMA web interface displays a link to R-Vision IRP.
If you are working with multiple tenants and want to integrate with R-Vision IRP, the names of tenants must match the abbreviated names of companies in R-Vision IRP.