Kaspersky Unified Monitoring and Analysis Platform
- Kaspersky Unified Monitoring and Analysis Platform Help
- About Kaspersky Unified Monitoring and Analysis Platform
- Program architecture
- Program licensing
- About the End User License Agreement
- About the license
- About the License Certificate
- About the license key
- About the key file
- Adding a license key to the program web interface
- Viewing information about an added license key in the program web interface
- Removing a license key in the program web interface
- Administrator's guide
- Installing and removing KUMA
- Program installation requirements
- Ports used by KUMA during installation
- Synchronizing time on servers
- About the inventory file
- Installation on a single server
- Distributed installation
- Distributed installation in a fault-tolerant configuration
- KUMA backup
- Modifying the configuration of KUMA
- Updating previous versions of KUMA
- Troubleshooting update errors
- Delete KUMA
- Working with tenants
- Managing users
- KUMA services
- Services tools
- Service resource sets
- Creating a storage
- Creating a correlator
- Creating a collector
- Predefined collectors
- Creating an agent
- Configuring event sources
- Configuring receipt of Auditd events
- Configuring receipt of KATA/EDR events
- Configuring Kaspersky Security Center event receiving in CEF format
- Configuring receiving Kaspersky Security Center event from MS SQL
- Creating an account in the MS SQL database
- Configuring the SQL Server Browser service
- Creating a secret in KUMA
- Configuring a connector
- Configuring the KUMA Collector for receiving Kaspersky Security Center events from an MS SQL database
- Installing the KUMA Collector for receiving Kaspersky Security Center events from the MS SQL database
- Configuring receipt of events from Windows devices using KUMA Agent (WEC)
- Configuring audit of events from Windows devices
- Configuring centralized receipt of events from Windows devices using the Windows Event Collector service
- Granting permissions to view Windows events
- Granting permissions to log on as a service
- Configuring the KUMA Collector for receiving events from Windows devices
- Installing the KUMA Collector for receiving events from Windows devices
- Configuring forwarding of events from Windows devices to KUMA using KUMA Agent (WEC)
- Configuring receipt of events from Windows devices using KUMA Agent (WMI)
- Configuring receipt of PostgreSQL events
- Configuring receipt of IVK Kolchuga-K events
- Configuring receipt of CryptoPro NGate events
- Configuring receipt of Ideco UTM events
- Configuring receipt of KWTS events
- Configuring receipt of KLMS events
- Configuring receipt of KSMG events
- Configuring receipt of PT NAD events
- Configuring receipt of events using the MariaDB Audit Plugin
- Configuring receipt of Apache Cassandra events
- Configuring receipt of FreeIPA events
- Configuring receipt of VipNet TIAS events
- Configuring receipt of Sendmail events
- Configuring receipt of Nextcloud events
- Configuring receipt of Snort events
- Configuring receipt of Suricata events
- Configuring receipt of FreeRADIUS events
- Configuring receipt of zVirt events
- Configuring receipt of Zeek IDS events
- Monitoring event sources
- Managing assets
- Adding an asset category
- Configuring the table of assets
- Searching assets
- Exporting asset data
- Viewing asset details
- Adding assets
- Assigning a category to an asset
- Editing the parameters of assets
- Deleting assets
- Updating third-party applications and fixing vulnerabilities on Kaspersky Security Center assets
- Moving assets to a selected administration group
- Asset audit
- Custom asset fields
- Critical information infrastructure assets
- Integration with other solutions
- Integration with Kaspersky Security Center
- Configuring Kaspersky Security Center integration settings
- Adding a tenant to the list for Kaspersky Security Center integration
- Creating Kaspersky Security Center connection
- Editing Kaspersky Security Center connection
- Deleting Kaspersky Security Center connection
- Importing events from the Kaspersky Security Center database
- Kaspersky Endpoint Detection and Response integration
- Integration with Kaspersky CyberTrace
- Integration with Kaspersky Threat Intelligence Portal
- Integration with R-Vision Security Orchestration, Automation and Response
- Integration with Active Directory, Active Directory Federation Services and FreeIPA
- Connecting over LDAP
- Enabling and disabling LDAP integration
- Adding a tenant to the LDAP server integration list
- Creating an LDAP server connection
- Creating a copy of an LDAP server connection
- Changing an LDAP server connection
- Changing the data update frequency
- Changing the data storage period
- Starting account data update tasks
- Deleting an LDAP server connection
- Authentication using domain accounts
- Connecting over LDAP
- RuCERT integration
- Integration with Security Vision Incident Response Platform
- Kaspersky Industrial CyberSecurity for Networks integration
- Kaspersky Automated Security Awareness Platform
- Sending notifications to Telegram
- UserGate integration
- Integration with Kaspersky Web Traffic Security
- Integration with Kaspersky Secure Mail Gateway
- Importing asset information from RedCheck
- Integration with Kaspersky Security Center
- Managing KUMA
- Working in hierarchy mode
- Working with geographic data
- Installing and removing KUMA
- User guide
- KUMA resources
- Operations with resources
- Destinations
- Working with events
- Filtering and searching events
- Selecting Storage
- Generating an SQL query using a builder
- Manually creating an SQL query
- Filtering events by period
- Displaying names instead of IDs
- Presets
- Limiting the complexity of queries in alert investigation mode
- Saving and selecting events filter configuration
- Deleting event filter configurations
- Supported ClickHouse functions
- Viewing event detail areas
- Exporting events
- Configuring the table of events
- Refreshing events table
- Getting events table statistics
- Viewing correlation event details
- Filtering and searching events
- Normalizers
- Aggregation rules
- Enrichment rules
- Correlation rules
- Filters
- Active lists
- Viewing the table of active lists
- Adding active list
- Viewing the settings of an active list
- Changing the settings of an active list
- Duplicating the settings of an active list
- Deleting an active list
- Viewing records in the active list
- Searching for records in the active list
- Adding a record to an active list
- Duplicating records in the active list
- Changing a record in the active list
- Deleting records from the active list
- Import data to an active list
- Exporting data from the active list
- Predefined active lists
- Dictionaries
- Response rules
- Notification templates
- Connectors
- Secrets
- Segmentation rules
- Example of incident investigation with KUMA
- Incident conditions
- Step 1. Preliminary steps
- Step 2. Assigning an alert to a user
- Step 3. Check if the triggered correlation rule matches the data of the alert events
- Step 4. Analyzing alert information
- Step 5. False positive check
- Step 6. Determining alert severity
- Step 7. Incident creation
- Step 8. Investigation
- Step 9. Searching for related assets
- Step 10. Searching for related events
- Step 11. Recording the causes of the incident
- Step 12. Incident response
- Step 13. Restoring assets operability
- Step 14. Closing the incident
- Analytics
- Dashboard
- Reports
- Widgets
- Working with alerts
- Working with incidents
- About the incidents table
- Saving and selecting incident filter configuration
- Deleting incident filter configurations
- Viewing information about an incident
- Incident creation
- Incident processing
- Changing incidents
- Automatic linking of alerts to incidents
- Categories and types of incidents
- Interaction with RuCERT
- Special consideration for successful export from the KUMA hierarchical structure to RuCERT
- Exporting data to RuCERT
- Supplementing incident data on request
- Sending files to RuCERT
- Sending incidents involving personal information leaks to RuCERT
- Communication with RuCERT experts
- Supported categories and types of RuCERT incidents
- Notifications about the incident status change in RuCERT
- Retroscan
- KUMA resources
- Contacting Technical Support
- REST API
- Creating a token
- Configuring permissions to access the API
- Authorizing API requests
- Standard error
- Operations
- Viewing a list of active lists on the correlator
- Import entries to an active list
- Searching alerts
- Closing alerts
- Searching assets
- Importing assets
- Deleting assets
- Searching events
- Viewing information about the cluster
- Resource search
- Loading resource file
- Viewing the contents of a resource file
- Importing resources
- Exporting resources
- Downloading the resource file
- Search for services
- Tenant search
- View token bearer information
- Dictionary updating in services
- Dictionary retrieval
- Viewing custom fields of the assets
- Creating a backup of the KUMA Core
- Restoring the KUMA Core from the backup
- Appendices
- Commands for components manual starting and installing
- Integrity check of KUMA files
- Normalized event data model
- Alert data model
- Asset data model
- User account data model
- KUMA audit events
- Event fields with general information
- User was successfully signed in or failed to sign in
- User login successfully changed
- User role was successfully changed
- Other data of the user was successfully changed
- User successfully logged out
- User password was successfully changed
- User was successfully created
- User role was successfully assigned
- User role was successfully revoked
- User access token was successfully changed
- Service was successfully created
- Service was successfully deleted
- Service was successfully reloaded
- Service was successfully restarted
- Service was successfully started
- Service was successfully paired
- Service status was changed
- Storage partition was deleted by user
- Storage partition was deleted automatically due to expiration
- Active list was successfully cleared or operation failed
- Active list item was successfully changed, or operation was unsuccessful
- Active list item was successfully deleted or operation was unsuccessful
- Active list was successfully imported or operation failed
- Active list was exported successfully
- Resource was successfully added
- Resource was successfully deleted
- Resource was successfully updated
- Asset was successfully created
- Asset was successfully deleted
- Asset category was successfully added
- Asset category was deleted successfully
- Settings were updated successfully
- Tenant was successfully created
- Tenant was successfully enabled
- Tenant was successfully disabled
- Other tenant data was successfully changed
- Updated data retention policy after changing drives
- The dictionary was successfully updated on the service or operation was unsuccessful
- Response in Active Directory
- Response via KICS for Networks
- Kaspersky Automated Security Awareness Platform response
- KEDR response
- Correlation rules
- Sending test events to KUMA
- Information about third-party code
- Trademark notices
- Glossary
Event parsing settings
You can configure the rules for converting incoming events to the KUMA format when creating event parsing rules in the normalizer settings window, on the Normalization scheme tab.
Available settings:
- Name (required)—name of the parsing rules. Must contain 1 to 128 Unicode characters. The name of the main parsing rule is used as the name of the normalizer.
- Tenant (required)—name of the tenant that owns the resource.
This setting is not available for extra parsing rules.
- Parsing method (required)—drop-down list for selecting the type of incoming events. Depending on your choice, you can use the preconfigured rules for matching event fields or set your own rules. When you select some parsing methods, additional parameter fields required for filling in may become available.
Available parsing methods:
- json
This parsing method is used to process JSON data where each object, including its nested objects, occupies a single line in a file.
When processing files with hierarchically arranged data, you can access the fields of nested objects by specifying the names of the parameters dividing them by a period. For example, the
usernameparameter from the string"user": {"username": "system: node: example-01"}can be accessed by using theuser.usernamequery.Files are processed line by line. Multi-line objects with nested structures may be normalized incorrectly.
In complex normalization schemes where additional normalizers are used, all nested objects are processed at the first normalization level, except for cases when the extra normalization conditions are not specified and, therefore, the event being processed is passed to the additional normalizer in its entirety.
Newline characters can be
\nand\r\n. Strings must be UTF-8 encoded. - cef
This parsing method is used to process CEF data.
When choosing this method, you can use the preconfigured rules for converting events to the KUMA format by clicking the Apply default mapping button.
- regexp
This parsing method is used to create custom rules for processing data in a format using regular expressions.
In the Normalization parameter block field, add a regular expression (RE2 syntax) with named capture groups. The name of a group and its value will be interpreted as the field and the value of the raw event, which can be converted into an event field in KUMA format.
To add event handling rules:
- Copy an example of the data you want to process to the Event examples field. This is an optional but recommended step.
- In the Normalization parameter block field add a regular expression with named capture groups in RE2 syntax, for example "(?P<name>regexp)". The regular expression added to the Normalization parameter must exactly match the event. Also, when developing the regular expression, it is recommended to use special characters that match the starting and ending positions of the text: ^, $.
You can add multiple regular expressions by using the Add regular expression button. If you need to remove the regular expression, use the
button. - Click the Copy field names to the mapping table button.
Capture group names are displayed in the KUMA field column of the Mapping table. Now you can select the corresponding KUMA field in the column next to each capture group. Otherwise, if you named the capture groups in accordance with the CEF format, you can use the automatic CEF mapping by selecting the Use CEF syntax for normalization check box.
Event handling rules were added.
- syslog
This parsing method is used to process data in syslog format.
When choosing this method, you can use the preconfigured rules for converting events to the KUMA format by clicking the Apply default mapping button.
- csv
This parsing method is used to create custom rules for processing CSV data.
When choosing this method, you must specify the separator of values in the string in the Delimiter field. Any single-byte ASCII character can be used as a delimiter.
- kv
This parsing method is used to process data in key-value pair format.
If you select this method, you must provide values in the following required fields:
- Pair delimiter—specify a character that will serve as a delimiter for key-value pairs. You can specify any one-character (1 byte) value, provided that the character does not match the value delimiter.
- Value delimiter—specify a character that will serve as a delimiter between the key and the value. You can specify any one-character (1 byte) value, provided that the character does not match the delimiter of key-value pairs.
- xml
This parsing method is used to process XML data in which each object, including its nested objects, occupies a single line in a file. Files are processed line by line.
When this method is selected in the parameter block XML attributes you can specify the key attributes to be extracted from tags. If an XML structure has several attributes with different values in the same tag, you can indicate the necessary value by specifying its key in the Source column of the Mapping table.
To add key XML attributes,
Click the Add field button, and in the window that appears, specify the path to the required attribute.
You can add more than one attribute. Attributes can be removed one at a time using the cross icon or all at once using the Reset button.
If XML key attributes are not specified, then in the course of field mapping the unique path to the XML value will be represented by a sequence of tags.
Tag numbering
Tag numbering is available as of KUMA 2.1.3. This functionality allows automatically numbering tags in XML events, which lets you parse an event with identical tags or unnamed tags, such as <Data>.
As an example, we will use the Tag numbering functionality to number the tags of the EventData attribute of Microsoft Windows PowerShell event ID 800.
To parse such events, you must:
- Configure tag numbering.
- Configure data mapping for numbered tags with KUMA event fields.
Simultaneous use of XML attributes and Tag numbering leads to incorrect operation of the normalizer. If an attribute contains unnamed tags or the identical tags, we recommend using the Tag numbering functionality. If the attribute contains only named tags, use XML attributes.
To configure parsing of events with identically named or unnamed tags:
- Create a new normalizer or open an existing normalizer for editing.
- In the Basic event parsing window of the normalizer, in the Parsing method drop-down list, select 'xml' and in the Tag numbering field, click Add field.
In the displayed field, enter the full path to the tag to whose elements you want to assign a number. For example, Event.EventData.Data. The first number to be assigned to a tag is 0. If the tag is empty, for example, <Data />, it is also assigned a number.
- To configure data mapping, under Mapping, click Add row and do the following:
- In the new row, in the Source field, enter the full path to the tag and its index. For the Microsoft Windows event from the example above, the full path with indices look like this:
- Event.EventData.Data.0
- Event.EventData.Data.1
- Event.EventData.Data.2 and so on
- In the KUMA field drop-down list, select the field in the KUMA event that will receive the value from the numbered tag after parsing.
- In the new row, in the Source field, enter the full path to the tag and its index. For the Microsoft Windows event from the example above, the full path with indices look like this:
- To save changes:
- If you created a new normalizer, click Save.
- If you edited an existing normalizer, click Update configuration in the collector to which the normalizer is linked.
Parsing is configured.
- netflow5
This parsing method is used to process data in the NetFlow v5 format.
When choosing this method, you can use the preconfigured rules for converting events to the KUMA format by clicking the Apply default mapping button.
In mapping rules, the protocol type for netflow5 is not indicated in the fields of KUMA events by default. When parsing data in NetFlow format on the Enrichment normalizer tab, you should create a constant data enrichment rule that adds the
netflowvalue to theDeviceProducttarget field. - netflow9
This parsing method is used to process data in the NetFlow v9 format.
When choosing this method, you can use the preconfigured rules for converting events to the KUMA format by clicking the Apply default mapping button.
In mapping rules, the protocol type for netflow9 is not indicated in the fields of KUMA events by default. When parsing data in NetFlow format on the Enrichment normalizer tab, you should create a constant data enrichment rule that adds the
netflowvalue to theDeviceProducttarget field. - sflow5
This parsing method is used to process data in sFlow5 format.
When choosing this method, you can use the preconfigured rules for converting events to the KUMA format by clicking the Apply default mapping button.
- ipfix
This parsing method is used to process IPFIX data.
When choosing this method, you can use the preconfigured rules for converting events to the KUMA format by clicking the Apply default mapping button.
In mapping rules, the protocol type for ipfix is not indicated in the fields of KUMA events by default. When parsing data in NetFlow format on the Enrichment normalizer tab, you should create a constant data enrichment rule that adds the
netflowvalue to theDeviceProducttarget field. - sql
The normalizer uses this method to process data obtained by making a selection from the database.
- json
- Keep raw event (required)—in this drop-down list, indicate whether you need to store the raw event in the newly created normalized event. Available values:
- Don't save—do not save the raw event. This is the default setting.
- Only errors—save the raw event in the
Rawfield of the normalized event if errors occurred when parsing it. This value is convenient to use when debugging a service. In this case, every time an event has a non-emptyRawfield, you know there was a problem.If fields containing the names
*Addressor*Date*do not comply with normalization rules, these fields are ignored. No normalization error occurs in this case, and the values of the fields are not displayed in theRawfield of the normalized event even if the Keep raw event → Only errors option was selected. - Always—always save the raw event in the
Rawfield of the normalized event.
This setting is not available for extra parsing rules.
- Keep extra fields (required)—in this drop-down list, you can choose whether you want to save fields and their values if no mapping rules have been configured for them (see below). This data is saved as an array in the
Extraevent field. Normalized events can be searched and filtered based on the data stored in theExtrafield.Filtering based on data from the Extra event field
Conditions for filters based on data from the Extra event field:
- Condition—If.
- Left operand—event field.
- In this event field, you can specify one of the following values:
- Extra field.
- Value from the Extra field in the following format:
Extra.<field name>For example,
Extra.app.A value of this type is specified manually.
- Value from the array written to the Extra field in the following format:
Extra.<field name>.<array element>For example,
Extra.array.0.The values in the array are numbered starting from 0.
A value of this type is specified manually.
To work with a value from the Extra field at depth 3 and below, use backquotes ``. For example, `Extra.lev1.lev2.lev3`.
- Operator – =.
- Right operand—constant.
- Value—the value by which you need to filter events.
By default, no extra fields are saved.
- Description—resource description: up to 4,000 Unicode characters.
This setting is not available for extra parsing rules.
- Event examples—in this field, you can provide an example of data that you want to process.
This setting is not available for the following parsing methods: netflow5, netflow9, sflow5, ipfix, sql.
The Event examples field is populated with data obtained from the raw event if the event was successfully parsed and the type of data obtained from the raw event matches the type of the KUMA field.
For example, the value "192.168.0.1" enclosed in quotation marks is not displayed in the SourceAddress field, in this case the value 192.168.0.1 is displayed in the Event examples field.
- Mapping settings block—here you can configure mapping of raw event fields to fields of the event in KUMA format:
- Source—column for the names of the raw event fields that you want to convert into KUMA event fields.
Clicking the
button next to the field names in the Source column opens the Conversion window, in which you can use the Add conversion button to create rules for modifying the original data before they are written to the KUMA event fields. In the Conversion window, you can swap the added rules by dragging them by the 
icon; you can also delete them using the 
icon.Conversions are changes that can be applied to a value before it gets written to the event field. The conversion type is selected from a drop-down list.
Available conversions:
- lower—is used to make all characters of the value lowercase
- upper—is used to make all characters of the value uppercase
- regexp – used to convert a value using the regular expression RE2. When this conversion type is selected, the field appears where regular expression should be added.
- substring—is used to extract characters in the position range specified in the Start and End fields. These fields appear when this conversion type is selected.
- replace—is used to replace specified character sequence with the other character sequence. When this type of conversion is selected, new fields appear:
- Replace chars—in this field you can specify the character sequence that should be replaced.
- With chars—in this field you can specify the characters sequence should be used instead of replaced characters.
- trim—used to simultaneously remove the characters specified in the Chars field from the leading and end positions of the value. The field appears when this type of conversion is selected. For example, a trim conversion with the
Micromonvalue applied toMicrosoft-Windows-Sysmonresults insoft-Windows-Sys. - append is used to add the characters specified in the Constant field to the end of the event field value. The field appears when this type of conversion is selected.
- prepend—used to prepend the characters specified in the Constant field to the start of the event field value. The field appears when this type of conversion is selected.
- replace with regexp—is used to replace RE2 regular expression results with the character sequence.
- Expression—in this field you can specify the regular expression which results that should be replaced.
- With chars—in this field you can specify the characters sequence should be used instead of replaced characters.
- Converting encoded strings to text:
- decodeHexString—used to convert a HEX string to text.
- decodeBase64String—used to convert a Base64 string to text.
- decodeBase64URLString—used to convert a Base64url string to text.
When converting a corrupted string or if conversion error occur, corrupted data may be written to the event field.
During event enrichment, if the length of the encoded string exceeds the size of the field of the normalized event, the string is truncated and is not decoded.
If the length of the decoded string exceeds the size of the event field into which the decoded value is to be written, such a string is truncated to fit the size of the event field.
- KUMA field—drop-down list for selecting the required fields of KUMA events. You can search for fields by entering their names in the field.
- Label—in this column, you can add a unique custom label to event fields that begin with
DeviceCustom*andFlex*.
New table rows can be added by using the Add row button. Rows can be deleted individually using the
button or all at once using the Clear all button.If you have loaded data into the Event examples field, the table will have an Examples column containing examples of values carried over from the raw event field to the KUMA event field.
If the size of the KUMA event field is less than the length of the value placed in it, the value is truncated to the size of the event field.
- Source—column for the names of the raw event fields that you want to convert into KUMA event fields.