Kaspersky Unified Monitoring and Analysis Platform

Configuring integration in KUMA

This section describes integration of KUMA with R-Vision SOAR from the KUMA side.

Integration in KUMA is configured in the web interface under Settings → Integrations → IRP/SOAR.

To configure integration with R-Vision SOAR:

  1. Open the Resources section of the KUMA web interface and under Resources configuration, select Secrets.

    The list of available secrets will be displayed.

  2. Click the Add button to create a new secret. This resource is used to store the token for R-Vision SOAR API requests.

    The secret window is displayed.

  3. Enter information about the secret:
    1. In the Name field, enter a name for the added secret. The name must contain 1 to 128 Unicode characters.
    2. In the Tenant drop-down list, select the tenant that will own the created resource.
    3. In the Type drop-down list, select token.
    4. In the Token field, enter your R-Vision SOAR API token.

      You can obtain the token in the R-Vision SOAR web interface under Settings → Common → API.

    5. If necessary, select the tags for the secret from the Tags drop-down list.
    6. If necessary, in the Description field, add up to 4,000 Unicode characters describing the secret.
  4. Click Create.

    The R-Vision SOAR API token is now saved and can be used in other KUMA resources.

  5. In the KUMA web interface, go to the Settings → Integrations → IRP / SOAR section.

    The window containing R-Vision SOAR integration settings opens.

  6. Use the State toggle switch to enable integration of R-Vision SOAR with KUMA. The integration is disabled by default.
  7. In the Secret drop-down list, select the previously created secret.

    You can create a new secret by selecting Create. The created secret is saved under Resources → Resources configuration → Secrets.

  8. In the URL field, specify the URL of the R-Vision SOAR server host.
  9. In the Field name where KUMA alert IDs must be placed field, specify the name of the R-Vision SOAR field where the ID of the KUMA alert must be written.
  10. In the Field name where KUMA alert URLs must be placed field, specify the name of the R-Vision SOAR field where the link to the KUMA alert must be written.
  11. In the Category field, specify the category of the R-Vision SOAR incident that is created after alert information is received from KUMA.
  12. In the KUMA event fields that must be sent to IRP / SOAR drop-down list, select the KUMA event fields to be sent to R-Vision SOAR.
  13. Under Severity, specify the thresholds for mapping KUMA severity levels to R-Vision SOAR severity levels.
  14. Click Save.

Integration with R-Vision SOAR is now configured in KUMA. If integration is also configured in R-Vision SOAR, then when alerts appear in KUMA, information about those alerts is sent to R-Vision SOAR to create an incident. The Details on alert section in the KUMA web interface displays a link to R-Vision SOAR.

If you are working with multiple tenants and want to integrate with R-Vision SOAR, the names of tenants must match the abbreviated names of companies in R-Vision SOAR.