Getting incidents from NCIRCC
After upgrading to version 3.4.1, at each startup KUMA Core sends a request for new incident cards to the address specified in the URL field of KUMA's NCIRCC integration settings, and then keeps sending requests every 10 minutes. If a new incident appears in the NCIRCC user account dashboard, KUMA registers the incident with the ALRT* prefix, and all further interaction with NCIRCC is carried out in the context of the created incident.
Interaction with NCIRCC remains available even if the incident in KUMA has the Closed status: you can still edit the value of the NCIRCC status field and chat with NCIRCC.
Notifications about messages from NCIRCC are sent to the email addresses of users with the General administrator role.
Fields of a new incident are populated as shown in the following table.
Field values of an incident received from NCIRCC:

| Field name | Value |
|---|---|
| Created by | When an incident is created in KUMA, the creation date and time are specified automatically. Example: 2024-10-08 05:32:39 |
| Name | ID or registration number of the incident (message) in GosSOPKA. Example: ALRT-xx-xx-xxx |
| Tenant | The tenant in which incidents received from NCIRCC must be created. By default, all incidents are created in the Main tenant. You can change the incident creation tenant in the NCIRCC integration settings. Example: Main. |
| Status | Initial status of the KUMA incident. Example: Open. |
| Severity | Degree of significance of the potential security threat. Default: Critical. Possible values: Critical, High, Medium, Low. |
| Affected asset categories | Empty. This value can be filled in manually. |
| First event time | Empty. This value can be filled in manually. |
| Last event time | Empty. This value can be filled in manually. |
| Description | The value from the event_description field of the message sent by NCIRCC. Can be edited. Example: message from NCIRCC. |
| Related tenants | Same as the Tenant field. Example: Main. |
| Available tenants | Same as the Tenant field. Example: Main. |
| Related alerts | Empty. This value can be filled in manually. |
| Related endpoints | Empty. This value can be filled in manually. |
| Related users | Empty. This value can be filled in manually. |
| Change log | Empty. This value can be filled in manually. |
| NCIRCC integration section | |
| Category | Category of the message card. Dictionary value. Possible values: Message from NCIRCC. This field is not editable. |
| Type | Type of the information security event. Value from the dictionary. Possible values: Infected resource, Source of malware email messages, Source of malware modules, Malware C&C center, Element of malware infrastructure, Resource slowdown, Source of exploit, Source of user account compromise, Participant of network traffic capture, Source of unauthorized access, Source of unauthorized modification of information, Source of spam, Publication of information illegal in the Russian Federation, Hosting of a phishing resource, Unauthorized content, Participant of DDoS attack, Compromised user account, Network Scan Source, Participant of fraud, Source of social engineering threat, Vulnerable resource, Suspected phishing resource, Threat of personal data compromise, Threat of computer attack. This field is not editable. |
| Status of export to NCIRCC | Imported from NCIRCC. This field is not editable. |
| NCIRCC message processing progress section | |
| NCIRCC status | NCIRCC message processing status. Value from the dictionary. This field is editable. Possible values: New, In progress, Decision made, Interaction completed, Archived. |
| Result | Result of the decision made. Value from the dictionary. This field is editable. Possible values: Measures taken, Information taken into account, Information not confirmed. |
| Chat with NCIRCC section | |
| UUID | Unique ID of the NCIRCC message. |
| Company | Short name of the GosSOPKA subject organization. |
| Category | Category of the message card. Dictionary value. Example: message from NCIRCC. |
| Type | Type of the information security event. Value from the dictionary. Example: infected resource. |
| Creation time | Date and time when the NCIRCC message was registered. Follows the ISO 8601 standard. UTC time is used. |
| Time of detection | Date and time when the incident was detected. Follows the ISO 8601 standard. UTC time is used. |
| Incident end time | Date and time when the incident ended. Follows the ISO 8601 standard. UTC time is used. |
| Updated | Date and time when the message card was last updated. Follows the ISO 8601 standard. UTC time is used. |
| Event description | Brief description of the information security event. Up to 5000 Unicode characters. |
| Owner name | Owner of the information resource. Up to 5000 Unicode characters. |
| Incident ID in NCIRCC | Registration number of the message. Example: ALRT-20-12-2914. |
| TLP | TLP limitation marker. Dictionary value. Possible values: TLP:WHITE, TLP:GREEN, TLP:AMBER, TLP:RED. |
| Technical details section | |
| Technical details | The Technical details group of fields is displayed with the field values obtained from the message. Which NCIRCC message fields appear in the Technical details group depends on the information security event type, so the set of fields may differ from incident to incident. Pay close attention to the field values in your NCIRCC account. Values are not editable. |
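The following is an added example, not KUMA's or NCIRCC's own code, that models the polling and registration step described above: each cycle validates incoming message cards against the dictionaries and limits from the table (TLP markers, the 5000-character text limit, ISO 8601 timestamps normalised to UTC) and registers only cards whose UUID has not been seen, so a card re-delivered on the next 10-minute poll does not produce a duplicate incident. The message key names (`uuid`, `registration_number`, `created`, `tlp`) and the sample cards are constructed assumptions for illustration; only `event_description` appears on this page, and the real NCIRCC message schema is not described here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Dictionary values and limits taken from the field table on this page.
TLP_VALUES = {"TLP:WHITE", "TLP:GREEN", "TLP:AMBER", "TLP:RED"}
NCIRCC_STATUSES = ("New", "In progress", "Decision made",
                   "Interaction completed", "Archived")
MAX_TEXT_LEN = 5000  # limit for Event description / Owner name


@dataclass
class Incident:
    """Subset of the KUMA incident fields populated from an NCIRCC message."""
    name: str                # registration number, e.g. ALRT-xx-xx-xxx
    tenant: str
    status: str              # KUMA status, initially Open
    severity: str            # default Critical
    description: str         # taken from event_description
    ncircc_uuid: str
    ncircc_status: str       # starts at New
    registered_at: datetime  # UTC
    tlp: str


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalise it to UTC.
    A value with no UTC offset is rejected rather than guessed, because an
    ambiguous time would be stored as the wrong creation/detection time."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {ts!r}")
    return dt.astimezone(timezone.utc)


def validate_message(msg: dict) -> dict:
    """Check one message card against the table's dictionaries and limits.
    The key names are an assumption made for this example."""
    for key in ("uuid", "registration_number", "event_description",
                "created", "tlp"):
        if key not in msg:
            raise ValueError(f"missing field: {key}")
    if msg["tlp"] not in TLP_VALUES:
        raise ValueError(f"unknown TLP marker: {msg['tlp']!r}")
    if len(msg["event_description"]) > MAX_TEXT_LEN:
        raise ValueError("event_description exceeds 5000 characters")
    return {**msg, "created": parse_utc(msg["created"])}


class IncidentRegistry:
    """Models the state KUMA Core keeps between the 10-minute polling cycles."""

    def __init__(self, tenant: str = "Main") -> None:
        self.tenant = tenant
        self.by_uuid: Dict[str, Incident] = {}

    def poll(self, messages: List[dict]) -> List[Incident]:
        """One polling cycle. A card whose UUID is already registered is
        skipped, so re-delivered cards never create duplicate incidents."""
        created: List[Incident] = []
        for raw in messages:
            msg = validate_message(raw)
            if msg["uuid"] in self.by_uuid:
                continue
            inc = Incident(name=msg["registration_number"], tenant=self.tenant,
                           status="Open", severity="Critical",
                           description=msg["event_description"],
                           ncircc_uuid=msg["uuid"],
                           ncircc_status=NCIRCC_STATUSES[0],
                           registered_at=msg["created"], tlp=msg["tlp"])
            self.by_uuid[msg["uuid"]] = inc
            created.append(inc)
        return created

    def set_ncircc_status(self, uuid: str, new_status: str) -> Incident:
        """Edit the NCIRCC status field (allowed even when the KUMA status is Closed)."""
        if new_status not in NCIRCC_STATUSES:
            raise ValueError(f"not a dictionary value: {new_status!r}")
        inc = self.by_uuid[uuid]
        inc.ncircc_status = new_status
        return inc


# Constructed sample cards (not real NCIRCC data).
SAMPLE_MESSAGES = [
    {"uuid": "11111111-1111-1111-1111-111111111111",
     "registration_number": "ALRT-00-00-0001",
     "event_description": "message from NCIRCC",
     "created": "2024-10-08T05:32:39Z", "tlp": "TLP:AMBER"},
    {"uuid": "22222222-2222-2222-2222-222222222222",
     "registration_number": "ALRT-00-00-0002",
     "event_description": "second constructed message",
     "created": "2024-10-08T08:32:39+03:00", "tlp": "TLP:GREEN"},
]


def run_demo() -> List[int]:
    """Two polling cycles: the second re-delivers both cards plus one new one."""
    reg = IncidentRegistry()
    first = reg.poll(SAMPLE_MESSAGES)
    extra = dict(SAMPLE_MESSAGES[0], uuid="33333333-3333-3333-3333-333333333333",
                 registration_number="ALRT-00-00-0003")
    second = reg.poll(SAMPLE_MESSAGES + [extra])
    return [len(first), len(second), len(reg.by_uuid)]


if __name__ == "__main__":
    print(run_demo())  # [2, 1, 3]
```

The second cycle returns a single new incident even though all three cards were delivered, which is the behaviour a defender wants from the scheduled poll: a card that NCIRCC keeps listing in the dashboard must map to the one incident KUMA already created, and the editable NCIRCC status on that incident is the only thing that changes afterwards.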