Searching assets
KUMA has two asset search modes. You can switch between the search modes using the buttons in the upper left part of the window:
– simple search by the following asset settings: Name, FQDN, IP address, MAC address, and Owner.
– advanced search for assets using filters by conditions and condition groups.
You can select the check boxes next to the found assets to export their data to a CSV file.
Simple search
To find an asset using simple search:
- In the Assets section of the KUMA Console, click the button.
The Search field is displayed at the top of the window.
- Enter your search query in the Search field and press ENTER or click the icon.
The table displays the assets with the Name, FQDN, IP address, MAC address, and Owner settings matching the search criteria.
Advanced search
To find an asset using advanced search:
- In the Assets section of the KUMA Console, click the button.
The asset filtering settings are displayed in the upper part of the window.
- Specify the asset filtering settings and click the Search button.
For details on asset filtering settings, see the table below.
The table displays the assets that meet the search criteria.
An advanced asset search is performed using the filtering conditions that can be specified in the upper part of the window:
- You can use the Add condition button to add a string containing fields for identifying the condition.
- You can use the Add group button to add a group of filters. Group operators can be switched between AND, OR, and NOT.
- Conditions and condition groups can be dragged with the mouse.
- Conditions, groups, and filters can be deleted by using the button.
- You can collapse the filtering options by clicking the Collapse button. In this case, the resulting search expression is displayed. Clicking it displays the search criteria in full again.
- The filtering options can be reset by clicking the Clear button.
- The condition operators and available values of the right operand depend on the selected left operand:
Left operand
Available operators
Right operand
Build number
=, ilike
An arbitrary value.
OS
=, ilike
An arbitrary value.
IP address
inSubnet, inRange
An arbitrary value or a range of values.
The filtering condition for the inSubnet operator is met if the IP address in the left operand is included in the subnet that is specified in the right operand. For example, the subnet for the IP address 10.80.16.206 should be specified in the right operand using slash notation as follows: 10.80.16.206/25.
FQDN
=, ilike
An arbitrary value.
CVE
=, in
An arbitrary value.
CVSS
>, >=, =, <=, <
A number from 0 to 10 (possible severity levels of the asset's CVE vulnerability).
Not applicable to vulnerabilities from Open Single Management Platform.
CVE count
>, >=, =, <=, <
Number. The number of unique vulnerabilities with the CVE attribute for the asset. Vulnerabilities without CVEs do not count towards this figure.
For searching by the number of CVEs of a certain severity level, you can use a combined condition. For example:
CVE count >= 1
CVSS >= 6.5
Software
=, ilike
An arbitrary value.
Software version
=, ilike, in
An arbitrary value. Version (build) number of the software installed on the asset.
Asset source
in
- Open Single Management Platform.
- KICS/KATA.
- Created manually.
in
- Information resource is not a CII object.
- CII object without a significance category.
- CII object of the third category of significance.
- CII object of the second category of significance.
- CII object of the first category of significance.
RAM (bytes)
=, >, >=, <, <=
Number.
Number of disks
=, >, >=, <, <=
Number.
Number of network cards
=, >, >=, <, <=
Number.
Disk free bytes
=, >, >=, <, <=
Number.
KSC group
=, ilike
An arbitrary value. Name of the Open Single Management Platform administration group in which the asset is placed.
Anti-virus databases last updated
>=, <=
For search, the time is specified as UTC time and then converted in the KUMA interface to the local time zone set in the browser.
You can specify the date and time for this operand in one of the following ways:
- Select the exact date in the calendar.
- Select a period relative to the present time in the Relative period list.
- Enter a value manually: an exact date and time or a relative period, or a combination of both.
For details, see the Using time values subsection below.
Last update of the information
>=, <=
For search, the time is specified as UTC time and then converted in the KUMA interface to the local time zone set in the browser.
You can specify the date and time for this operand in one of the following ways:
- Select the exact date in the calendar.
- Select a period relative to the present time in the Relative period list.
- Enter a value manually: an exact date and time or a relative period, or a combination of both.
For details, see the Using time values subsection below.
Protection last updated
>=, <=
For search, the time is specified as UTC time and then converted in the KUMA interface to the local time zone set in the browser.
You can specify the date and time for this operand in one of the following ways:
- Select the exact date in the calendar.
- Select a period relative to the present time in the Relative period list.
- Enter a value manually: an exact date and time or a relative period, or a combination of both.
For details, see the Using time values subsection below.
System last started
>=, <=
For search, the time is specified as UTC time and then converted in the KUMA interface to the local time zone set in the browser.
You can specify the date and time for this operand in one of the following ways:
- Select the exact date in the calendar.
- Select a period relative to the present time in the Relative period list.
- Enter a value manually: an exact date and time or a relative period, or a combination of both.
For details, see the Using time values subsection below.
KSC extended status
in
- Host with Network Agent installed is online, but Network Agent is inactive.
- Anti-virus application is installed, but real-time protection is not running.
- Anti-virus application is installed but not running.
- Number of viruses detected is too high.
- Anti-virus application is installed but the real-time protection status differs from the one set by the security administrator.
- Anti-virus application is not installed.
- Full scan for viruses performed too long ago.
- Anti-virus bases were updated too long ago.
- Network Agent has been inactive too long.
- Old license.
- Number of uncured objects is too high.
- Reboot is required.
- One or more incompatible applications are installed on the host.
- Host has one or more vulnerabilities.
- Last search for operating system updates was performed too long ago on the host.
- The host does not have the proper encryption status.
- Mobile device settings do not meet the requirements of the security policy.
- There are unhandled incidents.
- Host status was suggested by the managed product (HSDP).
- Host is out of disk space, either synchronization errors occur, or disk space is running out.
Real-time protection status
=
- Suspended.
- Starting.
- Running (if anti-virus application does not support categories of state Running).
- Running with maximum protection.
- Running for maximum speed.
- Running with recommended settings.
- Running with custom settings.
- Error.
Encryption status
=
- Encryption rules are not configured on the host.
- Encryption is in progress.
- Encryption was canceled by the user.
- Encryption error occurred.
- All host encryption rules are met.
- Encryption is in progress, the host must be restarted.
- Encrypted files without specified encryption rules are detected on the host.
Spam protection status
=
- Unknown.
- Stopped.
- Suspended.
- Starting.
- Running.
- Error.
- Not installed.
- No license.
Anti-virus protection status of mail servers
=
- Unknown.
- Stopped.
- Suspended.
- Starting.
- Running.
- Error.
- Not installed.
- No license.
Data Leakage Prevention status
=
- Unknown.
- Stopped.
- Suspended.
- Starting.
- Running.
- Error.
- Not installed.
- No license.
KSC extended status ID
=
- OK.
- Critical.
- Warning.
Endpoint Sensor status
=
- Unknown.
- Stopped.
- Suspended.
- Starting.
- Running.
- Error.
- Not installed.
- No license.
Last visible
>=, <=
For search, the time is specified as UTC time and then converted in the KUMA interface to the local time zone set in the browser.
You can specify the date and time for this operand in one of the following ways:
- Select the exact date in the calendar.
- Select a period relative to the present time in the Relative period list.
- Enter a value manually: an exact date and time or a relative period, or a combination of both.
For details, see the Using time values subsection below.
Score ML
=, >, >=, <, <=
Number. Asset score assigned by AI services.
Status
=, in
Asset status assigned by AI services:
- Low.
- Medium.
- High.
- Critical.
Custom asset field
=, ilike
An arbitrary value. Search custom fields of assets.
Using time values
Some conditions, for example, Anti-virus databases last updated or System last started, use date and time as the operand value. For these conditions, you can use an exact date and time or a relative period.
To specify a date and time value:
- Select an operand, an operator and click the date field.
- Do one of the following:
- Select the exact date in the calendar.
By default, the current time is automatically added to the selected date, with millisecond precision. Changing the date in the calendar does not change the specified time. The date and time are displayed in the time zone of the browser. If necessary, you can edit the date and time in the field.
- In the Relative period list, select a relative period.
The period is calculated relative to the start time of the current search and takes into account asset information that is up-to-date at that moment. For example, for the condition Anti-virus databases last updated, you can select 1 hour and the >= operator to find those assets for which the anti-virus databases have not been updated for more than 1 hour.
- In the date and time field, enter a value manually.
You can enter an exact date and time in the DD.MM.YYYY HH:mm:ss.SSS format for the Russian localization and YYYY-MM-DD HH:mm:ss.SSS for the English localization or a relative period as a formula. You can also combine these methods if necessary.
If you do not specify milliseconds when entering the exact date, 000 is substituted automatically.
In the relative period formulas, you can use the now parameter for the current date and time and the interval parameterization language: +, -, / (rounding to the nearest), as well as time units: y (year), M (month), w (week), d (day), h (hour), m (minute), s (second).
For example, for the Information last updated condition, you can specify the value now-2d with the >= operator and the value now-1d with the >= operator to find assets whose information was updated during the day before the search was started; alternatively, you can specify the value now/w with the <= operator to find assets whose information was updated between the beginning of the first day of the current week (00:00:00:000 UTC) and now.
KUMA stores time values in UTC, but in the user interface time is converted to the time zone of your browser. This is relevant to the relative periods: Today, Yesterday, This week, and This month. For example, if the time zone in your browser is UTC+3, and you select Today as the period, the category will cover assets from 03:00:00.000 until now, not from 00:00:00.000 until now.
If you want to take your time zone into account when selecting a relative period, such as Today, Yesterday, This week, or This month, you need to manually add a time offset in the date and time field by adding or subtracting the correct number of hours. For example, if your browser's time zone is UTC+3 and you want the categorization to cover the Yesterday period, you need to change the value to now-1d/d-3h. If you want the categorization to cover the Today period, change the value to now/d-3h.
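The relative period formulas and the time zone offsets described above can be checked offline with a small evaluator; this is an added example, not KUMA code. It assumes that "/" rounds down to the start of the unit in UTC (as the now/w and now/d examples suggest), that weeks start on Monday, and that a formula is evaluated left to right; the names resolve, floor_to, shift_months, NOW and BROWSER_TZ are hypothetical and the sample time is constructed.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

FIXED = {"w": "weeks", "d": "days", "h": "hours", "m": "minutes", "s": "seconds"}
TOKEN = re.compile(r"([+-])(\d+)([yMwdhms])|/([yMwdhms])")

def shift_months(t, months):
    # Calendar-aware month/year step; clamps the day (31 Mar - 1M -> end of Feb).
    year, month0 = divmod(t.year * 12 + t.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return t.replace(year=year, month=month0 + 1, day=min(t.day, last_day))

def floor_to(t, unit):
    # Assumption: "/" rounds DOWN to the start of the unit, in UTC, week = Monday.
    keep = {"s": {}, "m": {"second": 0}, "h": {"minute": 0, "second": 0}}
    if unit in keep:
        return t.replace(microsecond=0, **keep[unit])
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "w":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1) if unit == "y" else day

def resolve(expr, now):
    """Evaluate a formula such as 'now-1d/d-3h' left to right against a UTC 'now'."""
    if not expr.startswith("now"):
        raise ValueError("formula must start with 'now'")
    t, pos = now.astimezone(timezone.utc), 3
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"cannot parse {expr[pos:]!r}")
        sign, count, unit, floor_unit = m.groups()
        if floor_unit:
            t = floor_to(t, floor_unit)
        elif unit in FIXED:
            t += timedelta(**{FIXED[unit]: int(sign + count)})
        else:
            t = shift_months(t, int(sign + count) * (12 if unit == "y" else 1))
        pos = m.end()
    return t

# Constructed sample: a search started at 10:30 UTC, viewed in a UTC+3 browser.
NOW = datetime(2024, 5, 15, 10, 30, tzinfo=timezone.utc)
BROWSER_TZ = timezone(timedelta(hours=3))
for formula in ("now/d", "now/d-3h", "now-1d/d-3h", "now/w"):
    print(formula, resolve(formula, NOW).astimezone(BROWSER_TZ).isoformat())
```

Under these assumptions, now/d-3h evaluated at 22:00 UTC (01:00 on the next day in a UTC+3 browser) resolves to the previous local midnight, so verify offset formulas for searches that run close to a day boundary.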