Kaspersky Next XDR Expert

What's new

Kaspersky Unified Monitoring and Analysis Platform (KUMA) version 3.4 introduces the following features and improvements:

  • KUMA now also supports the following operating systems:
    • Astra Linux 1.7.6
  • Now you can visualize the dependencies of resources on each other and on other objects in an interactive graph. When editing a resource, the graph shows which linked resources the change will be applied to. You can display only selected types of resources on the graph and save the resulting graph in SVG format.
  • Now you can add tags to resources, which makes it easier to search for resources that have the same tag.
  • Added resource versioning (except dictionaries and tables), which allows storing change history for resources.

    When you save changes in resource settings, a new version of the resource is created. You can restore a previous version of a resource, for example, to recover its functionality; you can also compare resource versions to keep track of the changes.

    After upgrading KUMA to version 3.4, existing resources will acquire versions only after they are changed and the changes are saved.

  • Now you can search for resources by their content using full-text search. You can find resources in which at least one field contains a specific word, for example, if you need to find rules with a certain word in a condition.
  • Introducing a new type of KUMA resource, Data collection and analysis rules, which lets you run SQL queries against the storage on a schedule and perform correlation on the returned data.
  • Now you can pass the values of unique fields to the fields of correlation events when creating correlation rules of the standard type.
  • New SQL function sets, enrich and lookup, allow using the attributes of assets and accounts, as well as data from dictionaries and tables, in search queries to filter events, generate reports and widgets (graph type: table). You can use the enrich and lookup function sets in an SQL query in data collection and analysis rules.
  • The search history is now saved, so you can refer to past queries and quickly find a query you have used before.
  • Now you can organize saved queries in a folder tree for structured storage and quick lookup. You can edit and rename previously saved queries, arrange them hierarchically in groups (folders), find them in the search bar, and add frequently used queries to favorites for quick access.
  • Now you can create a temporary list of exclusions (for example, create exclusions for false positives when managing alerts or incidents). You can create a list of exclusions for each correlation rule.
  • When creating a collector, at the Event parsing step, you now can pass the name or path of the file being processed by the collector to the KUMA event field.
  • The following settings have been added to the connector of the file type:
    • The Modification timeout, sec field. This field lets you specify how many seconds a file must remain unmodified before KUMA applies the action selected in the Action after timeout drop-down list to it.
    • The Action after timeout drop-down list. This drop-down list lets you specify the action that KUMA applies to the file once the time specified in the Modification timeout, sec field has elapsed: delete, add suffix, or leave unchanged.
  • The following settings have been added to connectors of the file, 1c-xml, and 1c-log types:
    • The File/folder polling mode drop-down list. This drop-down list lets you specify the mode in which the connector rereads files in the directory.
    • The Poll interval, ms field. This field lets you specify the interval in milliseconds at which the connector rereads files in the directory.
  • A new approach is taken to determining the retention period of events when cold storage is used: you can now configure the storage conditions in the ClickHouse cluster and the amount of disk space (absolute in GB or as a percentage) when creating a storage or a space. The new Event retention time setting specifies the total time for which events are kept in KUMA, counted from the moment the event is received. This setting replaces the Cold retention period setting.

    When upgrading KUMA to version 3.4, if you have previously configured cold storage disks, the value of the Event retention time setting will be calculated as the sum of the previously specified values of the Retention period and Cold retention period settings.

  • Now you can make the storage more stable by flexibly configuring event storage conditions in the ClickHouse cluster using the Event storage options setting: by storage period, storage size in GB, or the ratio of the storage size to the total available disk space. When a specified condition is triggered, events are moved to a cold storage disk or deleted.

    You can configure storage conditions for the whole storage or for each storage space individually. The Event storage options setting replaces the Retention period setting.

  • Users with different rights can have granular access to events. Access to events is controlled at the level of storage space. After upgrading KUMA to version 3.4, the 'All spaces' space set is assigned to all existing users, that is, access to all spaces is unrestricted. To differentiate access, you must configure space sets, and adjust access permissions. Also, after the update, all available storage spaces become selected in all widgets where storages had been selected. If a new space is created, this space is not automatically selected in widget settings. You must select the new space manually in the widget settings.
  • Now you can manage extended event schema fields in the Settings → Extended event schema fields section. You can view existing extended event schema fields and the resources in which they are used, edit fields, create new fields manually or import them from a file, and export fields and information about fields.

    When upgrading KUMA, the previously created extended event schema fields are automatically migrated and displayed in the Settings → Extended event schema fields section, with the following special considerations:

    • If you had multiple fields of the same type with the same name, only one such field is migrated to KUMA.
    • All fields with the KL prefix in the name are migrated to KUMA with the Enabled status. If any of these fields become service fields, you will not be able to delete, edit, disable, or export them.
    • Extended event schema fields that do not satisfy the requirements that the current version imposes on fields are migrated to KUMA with the Disabled status.

    After the upgrade, we recommend checking such fields and manually fixing any problems, or changing the configuration of the resources that use them.

  • Now you can filter and display data for a relative time range.

    This functionality is available for filtering events by period and for customizing the display of data in reports, the dashboard layout, and widgets. You can use it to display events or other data whose selected time field falls within a time span defined relative to the current time.

    For data filtering, the time is specified as UTC time, and then converted in the KUMA interface to the local time zone set in the browser.

  • Added support for autocomplete when typing functions of variables in correlators and correlation rules.

    Now, when you start typing the name of a function when describing a local or global variable, a list of possible options is shown in the input field, and to the left of it a window is displayed with the description of the corresponding function and usage examples. You can select a function from the list and insert it together with arguments into the input field.

  • Now you can apply multiple monitoring policies to multiple event sources or disable monitoring policies for multiple sources at the same time.
  • Monitoring policies get a new Schedule setting that allows you to configure how often you want to apply monitoring policies to event sources.
  • Now you can manage the connections created for an agent. You can rename connections (so that you can tell from which connection and which agent an event arrived), duplicate connections to create new ones based on existing ones, and delete connections. The ability to read multiple files with a single agent has also been restored.
  • KUMA agents can now trace the route of an event if at least one internal destination is specified in the agent connection and a connector of the internal type is configured in the collector that receives events from the agent. After the agent is configured, route information is added to the Event tracing log section of the event card, the alert card, and the correlation event card.

    For events with route tracing, the Event tracing log section lists the services through which the event passed; the information is displayed in converted form. Service names are clickable links; clicking one opens the service card in a new browser tab. If you rename a service, the new name is shown in the cards of new events and in the cards of already processed events. If you delete a service in the Active services section, the Event tracing log section displays Deleted instead of the link; the rest of the event route data is kept and continues to be displayed.
  • The Sigma rule converter converts rules to a filter selector, an SQL query for event search, or a KUMA correlation rule of the 'simple' type. Available under the LGPL 2.1 license.
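    The following Python snippet is an added example of the kind of translation such a converter performs; it is not Kaspersky's converter and makes no claim about its internals. It takes the detection block of a constructed Sigma rule (as a dict, so no YAML library is needed), maps Sigma field names to event-schema columns through an assumed FIELD_MAP, and emits an SQL query of the kind used for event search. The table name events, the column names, and the sample rule are all assumptions made for the example.

```python
"""Minimal Sigma-to-SQL translation (added example; not Kaspersky's converter).

Supported subset: named selections (a mapping is an AND of its fields, a list
of mappings is an OR of them), list values (OR, or AND with |all), the
|contains, |startswith and |endswith modifiers, Sigma * and ? wildcards, and a
condition built from selection names with and/or/not and parentheses."""
import re

# Assumed mapping from Sigma field names to event-schema column names.
FIELD_MAP = {
    "Image": "DestinationProcessName",
    "CommandLine": "DeviceCustomString1",
    "User": "DestinationUserName",
}

# Constructed sample rule: the parts of a Sigma rule the converter needs, as a
# dict so the example runs without a YAML library.
SAMPLE_RULE = {
    "title": "Suspicious certutil download or decode",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "certutil.exe",
            "CommandLine|contains": ["urlcache", "-decode"],
        },
        "filter": {"User": "SYSTEM"},
        "condition": "selection and not filter",
    },
}


def _literal(value):
    """Escape a value for use inside a single-quoted SQL string."""
    return str(value).replace("\\", "\\\\").replace("'", "''")


def _like_literal(value, before="", after="", wildcards=False):
    """Build a quoted LIKE pattern. Backslash is the LIKE escape character, so
    literal %, _ and backslash in the value are escaped first; then Sigma
    wildcards are mapped; finally the string is escaped as an SQL literal."""
    s = str(value).replace("\\", "\\\\")
    s = s.replace("%", "\\%").replace("_", "\\_")
    if wildcards:
        s = s.replace("*", "%").replace("?", "_")
    s = s.replace("\\", "\\\\").replace("'", "''")
    return f"'{before}{s}{after}'"


def _compare(column, value, modifier):
    """One Sigma field/value pair -> one SQL comparison."""
    if modifier == "contains":
        return f"{column} LIKE {_like_literal(value, '%', '%')}"
    if modifier == "startswith":
        return f"{column} LIKE {_like_literal(value, '', '%')}"
    if modifier == "endswith":
        return f"{column} LIKE {_like_literal(value, '%', '')}"
    if modifier is None and ("*" in str(value) or "?" in str(value)):
        return f"{column} LIKE {_like_literal(value, wildcards=True)}"
    if modifier is None:
        return f"{column} = '{_literal(value)}'"
    raise ValueError(f"unsupported modifier: {modifier}")


def _field_to_sql(key, value):
    """'Field|modifier[|all]' with one value or a list -> one predicate."""
    field, *modifiers = key.split("|")
    use_all = "all" in modifiers
    modifiers = [m for m in modifiers if m != "all"]
    if len(modifiers) > 1:
        raise ValueError(f"unsupported modifier chain: {key}")
    modifier = modifiers[0] if modifiers else None
    column = FIELD_MAP.get(field, field)
    values = value if isinstance(value, list) else [value]
    clauses = [_compare(column, v, modifier) for v in values]
    if len(clauses) == 1:
        return clauses[0]
    return "(" + (" AND " if use_all else " OR ").join(clauses) + ")"


def _selection_to_sql(selection):
    if isinstance(selection, list):  # list of mappings: any one may match
        return "(" + " OR ".join(_selection_to_sql(s) for s in selection) + ")"
    return "(" + " AND ".join(_field_to_sql(k, v) for k, v in selection.items()) + ")"


def _condition_to_sql(condition, detection):
    """Rewrite the condition, substituting each selection name with its SQL."""
    out = []
    for tok in re.findall(r"\(|\)|[\w-]+", condition):
        if tok.lower() in ("and", "or", "not"):
            out.append(tok.upper())
        elif tok in ("(", ")"):
            out.append(tok)
        elif tok in detection:
            out.append(_selection_to_sql(detection[tok]))
        else:  # aggregations such as "1 of them" are outside this subset
            raise ValueError(f"unsupported condition token: {tok}")
    return " ".join(out)


def sigma_to_sql(rule, table="events"):
    """Whole rule -> SELECT statement (the table name is an assumption)."""
    detection = dict(rule["detection"])
    condition = detection.pop("condition")
    return f"SELECT * FROM {table} WHERE {_condition_to_sql(condition, detection)}"


if __name__ == "__main__":
    print(sigma_to_sql(SAMPLE_RULE))
```

    Run it directly to print the generated query. Constructs outside the supported subset (aggregations such as 1 of them, chained modifiers) raise ValueError instead of silently producing a weaker query, which is the behaviour you want from a converter whose output becomes a detection.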
  • Now you can install the AI score and asset status service if your license covers the AI module.

    The AI service helps with precisely assessing the severity of correlation events generated as a result of correlation rules triggering. The AI service gets correlation events that connect linked assets from the available storage clusters, constructs the expected sequence of events, and trains the AI model. Based on the chain of triggered correlation rules, the AI service calculates whether such a sequence of events is typical for this infrastructure. Non-typical patterns increase the score of the asset. The AI service calculates the AI score and the Status, which are displayed in the asset card. You can apply a filter by the AI score and Status fields when searching for assets. You can also set up proactive categorization of assets by the AI score and Status fields, which moves the asset to the category corresponding to the risk level as soon as the AI service assigns a score to the asset. You can also track the changes of asset categories and the distribution of assets by status on the dashboard.

  • In the RU region, if you have the AI license module, you can use the Kaspersky Investigation and Response Assistant (KIRA) to analyze the command that triggered the correlation rule. This analysis helps with the investigation of alerts and incidents by offering an easy to understand description of the command line options.

    You can send a request to KIRA from the card of an event or correlation event. If the command is obfuscated, KIRA deobfuscates it and displays the result: the conclusion, summary, and detailed analysis. Query results are cached for 14 days and can be viewed in the event card on the KIRA analysis tab by all users with the appropriate access rights. You can also view the result in the properties of the Request to KIRA task, or restart the task to perform the analysis from scratch.

  • Now you can categorize assets by a relative time range.

    You can set up active categorization of assets to have assets moved to a category from the moment when the categorization condition has been satisfied for a certain time span defined relative to the current time.

    For categorization, the time is specified as UTC time, and then converted in the KUMA interface to the local time zone set in the browser.

  • Added new types of custom notification templates:
    • Report generated.
    • Task finished (only one template of this type can exist).
    • KASAP group changed.

    All types of templates are available when creating a template for the Shared tenant. For all other tenants, the Monitoring policy violation notification template is available.

  • A new graph type: Stacked bar chart.

    You can use the new graph type when creating Events and Assets widgets to visualize the relative quantities or percentages of the selected parameters. The values of the individual parameters are shown within each bar in different colors.

  • Now you can select multiple assets using a filter and delete all selected assets. Now you can also select all assets in a category, link them to a category, or unlink assets from a category.
  • Now you can select multiple resources and delete them. You can delete all resources or specific types of resources.
  • New predefined widgets are available in the Assets group, as well as a new type, Custom widget, which lets you get custom analytics for assets.
  • Improved export of widgets to PDF. Now, if the data displayed in a widget continues beyond the visible area, when such a widget is exported to PDF, it is split into multiple widgets, and vertical bar charts are converted to horizontal bar charts.
  • New unified normalizer for different versions of NetFlow (NetFlow v5, NetFlow v9, IPFIX/NetFlow v10) lets you replace several normalizers with just one. The NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10) normalizers remain available.

    In addition, the last NetFlow template received from each event source is now saved to disk, so that NetFlow from an already known event source can be parsed immediately after the collector is restarted (a NetFlow v9 or IPFIX data record cannot be decoded until its template has been received).
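    The following Python snippet is an added example that illustrates why saving the last template matters; it is not KUMA's normalizer code. It implements a small NetFlow v9 parser with a per-source template cache, builds a constructed template flowset and data flowsets inline, and compares a collector restart without the cached template (the data flowset is undecodable and skipped) against one that reloads the template from a JSON dump. The field types, template id 256, and the sample flows are assumptions chosen for the example.

```python
"""NetFlow v9 template cache (added example; not KUMA's normalizer code).

A v9 exporter sends templates (flowset id 0) separately from data flowsets,
and a data record can only be decoded with the template it references, so a
collector that loses its templates on restart cannot parse anything until the
exporter resends them. Packets below are constructed inline."""
import json
import struct

# Field types used here (a subset of the NetFlow v9 field type registry).
FIELD_NAMES = {1: "in_bytes", 4: "protocol", 7: "src_port", 8: "src_addr",
               11: "dst_port", 12: "dst_addr"}
TEMPLATE_256 = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]


def _decode(ftype, raw):
    if ftype in (8, 12):  # IPv4 addresses
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Parse one NetFlow v9 packet.

    templates: dict "source_id:template_id" -> [[type, length], ...]; keyed
    per source because template ids are only unique per exporter, and kept as
    plain lists so it can be dumped to JSON. Updated in place.
    Returns (records, skipped_data_flowsets)."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, skipped, pos = [], 0, 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        if fs_len < 4 or pos + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:  # template flowset; may carry several templates
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                if tid < 256 or nfields == 0:  # reached trailing padding
                    break
                off += 4
                fields = [list(struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]))
                          for i in range(nfields)]
                off += 4 * nfields
                templates[f"{source_id}:{tid}"] = fields
        elif fs_id >= 256:  # data flowset (id 1 = options template, ignored here)
            fields = templates.get(f"{source_id}:{fs_id}")
            if fields is None:
                skipped += 1  # template not (yet) known: records are undecodable
            else:
                rec_len = sum(length for _, length in fields)
                if rec_len == 0:
                    raise ValueError("empty template")
                off = 0
                while off + rec_len <= len(body):  # remaining bytes are padding
                    rec, o = {}, off
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode(ftype, body[o:o + flen])
                        o += flen
                    records.append(rec)
                    off += rec_len
        pos += fs_len
    return records, skipped


# --- constructed packets (exporter side) ------------------------------------
def _header(count, source_id=1):
    return struct.pack("!HHIIII", 9, count, 1000, 1700000000, 1, source_id)


def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(tid, rows):
    body = b"".join(rows)
    pad = (-len(body)) % 4  # flowsets are padded to a 4-byte boundary
    return struct.pack("!HH", tid, 4 + len(body) + pad) + body + b"\0" * pad


def flow_row(src, dst, sport, dport, proto, nbytes):
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return ip(src) + ip(dst) + struct.pack("!HHBI", sport, dport, proto, nbytes)


def demo():
    row = flow_row("10.0.0.5", "192.0.2.10", 51515, 443, 6, 4096)
    first = _header(2) + template_flowset(256, TEMPLATE_256) + data_flowset(256, [row])
    later = _header(2) + data_flowset(256, [row, row])  # exporter sends data only
    cache = {}
    initial, _ = parse_v9(first, cache)
    on_disk = json.dumps(cache)                                # last template saved
    cold, cold_skipped = parse_v9(later, {})                   # restart without it
    warm, warm_skipped = parse_v9(later, json.loads(on_disk))  # restart with it
    return initial, (len(cold), cold_skipped), (len(warm), warm_skipped)


if __name__ == "__main__":
    print(demo())
```

    demo() returns the one record parsed while the template was fresh, then (0, 1) for the cold restart (no records, one data flowset skipped) and (2, 0) once the template is reloaded from the dump. The cache is keyed by source id as well as template id because two exporters may both use template 256 with different layouts.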

  • The End User License Agreement can now be accepted automatically when installing the KUMA agent on Linux and Windows devices by using the --accept-eula option. Also, for the Windows agent, you can now set the password for the agent's user account from the command line.
  • In the Resources → Active services section, a new column of the table of services, UUID, displays the unique identifier of the service.

    This column is hidden by default. Identifying KUMA services by UUID can facilitate troubleshooting at the operating system level.

  • KUMA supports the UNION operator for connections to an Oracle database as an event source.
  • To optimize asset management, the process of importing information about assets from Open Single Management Platform is divided into two tasks:
    • Importing information about the basic parameters of assets (protection status, versions of anti-virus databases, hardware information), which takes less time and is expected to be performed more frequently.
    • Importing information about other asset parameters (vulnerabilities, software, owners), which can involve downloading a large amount of data and takes longer to complete.

    Each of the import tasks can be started independently of the other, and you can configure a separate schedule for each task when configuring the integration with Open Single Management Platform.

  • Now you can display separate incoming events graphs for multiple event sources at the same time, as well as build an incoming events chart from the graphs of multiple event sources, which lets you compare the number of events received from each source and how it changes over time.
  • New filtering criteria added to the conditions for active categorization and search of assets: Software version, KSC group, CVSS (severity level of CVE vulnerability on the asset), CVE count (number of unique vulnerabilities with the CVE attribute on the asset), as well as filtering by custom fields of assets.
  • Now you can receive resource updates through a proxy server.
  • Now you can generate resource utilization reports (CPU, RAM, and so on) in the form of dumps at the request of Technical Support.
  • The resource table now shows the number of resources from the tenants available to you: the total number, the number matching the applied filter or search, and the number of selected resources.
  • The new office365 connector lets you configure the reception of events from the Microsoft 365 (Office 365) solution using the API.
  • Certain obsolete resources are no longer supported or provided:
    • [OOTB] Linux audit and iptables syslog
    • [OOTB] Linux audit.log file
    • [OOTB] Checkpoint Syslog CEF by CheckPoint
    • [OOTB] Eltex MES Switches
    • [OOTB] PTsecurity NAD
    • [OOTB][AD] Granted TGS without TGT (Golden Ticket)
    • [OOTB][AD] Possible Kerberoasting attack
    • [OOTB][AD][Technical] 4768. TGT Requested
    • [OOTB][AD] List of requested TGT. EventID 4768