Configuring the display of a link to a Kaspersky Endpoint Detection and Response detection in KUMA event details

You can configure the creation of an alert or each received Kaspersky Endpoint Detection and Response detection. You can configure the display of a link to a Kaspersky Endpoint Detection and Response detection in KUMA alert information.

You can configure the display of a detection link if you use only one Central Node server in Kaspersky Endpoint Detection and Response. If Kaspersky Endpoint Detection and Response is used in a distributed solution mode, it is impossible to configure the display of the links to Kaspersky Endpoint Detection and Response detections in KUMA.

To configure the display of a link to a detection in KUMA alert details, you need to complete steps in the Kaspersky Endpoint Detection and Response web interface and KUMA.

In the Kaspersky Endpoint Detection and Response web interface, you need to configure the integration of the application with KUMA as a SIEM system. For details on configuring integration, refer to the Kaspersky Anti Targeted Attack Platform documentation, Configuring integration with a SIEM system section.

Configuring the display of a link in the KUMA web interface includes the following steps:

Adding an asset that contains information about the Kaspersky Endpoint Detection and Response Central Node server from which you want to receive detections, and assigning a category to that asset.
Creating a correlation rule.
Creating a correlator.
Adding a collector, taking into account the following:
- At the Transport step, specify the connector type (TCP or UDP) and the connection port (must be the same as the port configured in the SIEM connection settings in Kaspersky Anti Targeted Attack Platform).
- At the Parsing step, when selecting a normalizer, you need to specify mappings for KEDR event fields or select the [OOTB] KATA normalizer.
- After adding the correlator, in the collector, you need to specify a destination pointing to the correlator.

You can use a pre-configured correlation rule. In this case configuring the display of a link in the KUMA web interface includes the following steps:

Creating a correlator.
Select the [OOTB] KATA Alert correlation rule.
Adding an asset that contains information about the Kaspersky Endpoint Detection and Response Central Node server from which you want to receive detections and assigning a category KATA standAlone to that asset.

Step 1. Adding an asset and assigning a category to it

First, you need to create a category that will be assigned to the asset being added.

To add a category:

In the KUMA web interface, select the Assets section.
On the All assets tab, expand the list of tenant categories by doing one of the following:
- Under All tenants, click the menu icon () and select Expand all.
- In the All tenants object tree, click the arrow icon () next to the name of the tenant.
Select a category or subcategory and do one of the following:
Click the add icon ().
Click the menu icon () and select Add subcategory.
The Add category sidebar is dispalyed in the right part of the web interface window.

Define the category settings:

In the Name field, enter the name of the category.
In the Parent drop-down list, select categories from the tree of categories.
In the Tenant drop-down list, select a tenant if it is not automatically specified.

In the Categorization kind drop-down list, select how the category will be populated with assets. Depending on your selection, you may need to specify additional settings:

Manually—assets can only be manually linked to a category.

Active—assets will be assigned to a category at regular intervals if they satisfy the defined filter.

In the Repeat categorization every drop-down list, specify how often assets will be linked to a category. You can select values ranging from once per hour to once per 24 hours.
You can forcibly start categorization by selecting Start categorization in the category context menu.

Under Conditions, specify the filter for matching assets to attach to an asset category.

You can add conditions by clicking the Add condition buttons. Groups of conditions can be added by using the Add group buttons. Group operators can be switched between AND, OR, and NOT values.

Categorization filter operands and operators

Operand	Operators	Comment
Build number	=, ilike
OS	=, ilike	The ilike operator makes the search case-insensitive.
IP address	inSubnet, inRange	The IP address is indicated in CIDR notation (for example: 192.168.0.0/24). When the inRange operator is selected, you can indicate only addresses from private ranges of IP addresses (for example: 10.0.0.0–10.255.255.255). Both addresses must be in the same range.
FQDN	=, ilike	The ilike operator makes the search case-insensitive.
CVE	=, in	The in operator lets you specify an array of CVE (Common Vulnerabilities and Exposures) IDs.
CVSS	>, >=, =, <=,<	Severity level of CVE vulnerabilities on the asset. The CVSS parameter takes values from 0 to 10. Not applicable to vulnerabilities from Kaspersky Security Center.
CVE count	>, >=, =, <=, <	The number of unique vulnerabilities with the CVE attribute for the asset. Vulnerabilities without CVEs do not count towards this figure. For categorization by the number of CVEs of a certain severity level, you can use a combined condition. For example: CVE count >= 1 AND CVSS >= 6.5
Software	=, ilike	Categorization by software installed on the asset. The ilike operator makes the search case-insensitive.
Software version	=, ilike, in	Categorization by version (build) number of the software installed on the asset. The ilike operator makes the search case-insensitive.
CII	in	More than one value can be selected.
KSC group	=, ilike	Categorization by the name of the Kaspersky Security Center administration group in which the asset is placed.
Anti-virus databases last updated	>=,<=	For categorization, the time is specified as UTC time, and then converted in the KUMA interface to the local time zone set in the browser. You can specify the date and time for this operand in one of the following ways: Select the exact date in the calendar. Select a period relative to the present time in the Relative period list. Enter a value manually: an exact date and time or a relative period, or a combination of both. For details, check the Using time values subsection below. A relative period for repeated categorization takes into account asset information that is current at the time when categorization is started.
Last update of the information	>=,<=	For categorization, the time is specified as UTC time, and then converted in the KUMA interface to the local time zone set in the browser. You can specify the date and time for this operand in one of the following ways: Select the exact date in the calendar. Select a period relative to the present time in the Relative period list. Enter a value manually: an exact date and time or a relative period, or a combination of both. For details, check the Using time values subsection below. A relative period for repeated categorization takes into account asset information that is up-to-date at the time when categorization is started.
Protection last updated	>=,<=	For categorization, the time is specified as UTC time, and then converted in the KUMA interface to the local time zone set in the browser. You can specify the date and time for this operand in one of the following ways: Select the exact date in the calendar. Select a period relative to the present time in the Relative period list. Enter a value manually: an exact date and time or a relative period, or a combination of both. For details, check the Using time values subsection below. A relative period for repeated categorization takes into account asset information that is up-to-date at the time when categorization is started.
System last started	>=,<=	For categorization, the time is specified as UTC time, and then converted in the KUMA interface to the local time zone set in the browser. You can specify the date and time for this operand in one of the following ways: Select the exact date in the calendar. Select a period relative to the present time in the Relative period list. Enter a value manually: an exact date and time or a relative period, or a combination of both. For details, check the Using time values subsection below. A relative period for repeated categorization takes into account asset information that is up-to-date at the time when categorization is started.
KSC extended status	in	Extended status of the device. More than one value can be selected.
Real-time protection status	=	Status of Kaspersky applications installed on the managed device.
Encryption status	=
Spam protection status	=
Anti-virus protection status of mail servers	=
Data Leakage Prevention status	=
KSC extended status ID	=
Endpoint Sensor status	=
Last visible	>=,<=	For categorization, the time is specified as UTC time, and then converted in the KUMA interface to the local time zone set in the browser. You can specify the date and time for this operand in one of the following ways: Select the exact date in the calendar. Select a period relative to the present time in the Relative period list. Enter a value manually: an exact date and time or a relative period, or a combination of both. For details, check the Using time values subsection below. A relative period for repeated categorization takes into account asset information that is up-to-date at the time when categorization is started.
Score ML	>,>=,=,<=,<	Categorization by asset score assigned by AI services.
Status	=, in	Categorization by predefined asset statuses assigned by AI services.
Custom asset field	=, ilike	Categorization by values of custom asset fields.

Using time values

Some conditions, for example, Anti-virus databases last updated or System last started, use date and time as the operand value. For these conditions, you can use an exact date and time or a relative period.

To specify a date and time value:

Select an operand, an operator and click the date field.
Do one of the following:
- Select the exact date in the calendar.
  By default, the current time is automatically added to the selected date, with millisecond precision. Changing the date in the calendar does not change the specified time. The date and time are displayed in the time zone of the browser. If necessary, you can edit the date and time in the field.
- In the Relative period list, select a relative period.
  The period is calculated relative to the start time of the current categorization and takes into account asset information that is up-to-date at that moment. For example, for the condition Anti-virus databases last updated, you can select 1 hour and the >= operator to periodically link to the category those assets for which the anti-virus databases have not been updated for more than 1 hour before the start of categorization.
- In the date and time field, enter a value manually.
  You can enter an exact date and time in the DD.MM.YYYY HH:mm:ss.SSS format for the Russian localization and YYYY-MM-DD HH:mm:ss.SSS for the English localization or a relative period as a formula. You can also combine these methods if necessary.
  
  If you do not specify milliseconds when entering the exact date, 000 is substituted automatically.
  
  In the relative period formulas, you can use the now parameter for the current date and time and the interval parameterization language: +, -, / (rounding to the nearest), as well as time units: y (year), M (month), w (week), d (day), h (hour), m (minute), s (second).
  
  For example, for the Information last updated condition, you can specify the value now-2d with the operator >= operator and the value now-1d with the >= operator to regularly link assets to the category if those assets had information updated during the day before the categorization was started; alternatively, you can specify the value now/w with the <= operator to regularly link assets to the category if those assets had information updated between the beginning of the first day of the current week (00:00:00:000 UTC) and now.
  
  KUMA stores time values in UTC, but in the user interface time is converted to the time zone of your browser. This is relevant to the relative periods: Today, Yesterday, This week, and This month. For example, if the time zone in your browser is UTC+3, and you select Today as the period, the category will cover assets from 03:00:00.000 until now, not from 00:00:00.000 until now.
  
  If you want to take your time zone into account when selecting a relative period, such as Today, Yesterday, This week, or This month, you need to manually add a time offset in the date and time field by adding or subtracting the correct number of hours. For example, if your browser's time zone is UTC+3 and you want the categorization to cover the Yesterday period, you need to change the value to now-1d/d-3h. If you want the categorization to cover the Today period, change the value to now/d-3h.

Use the Test conditions button to make sure that the specified filter is correct. When you click the button, the Assets for given conditions window containing a list of assets that satisfy the search conditions will be displayed.

Reactive—the category will be filled with assets by using correlation rules.

If required, define the values for the following settings:
- Assign a severity to the category in the Severity drop-down list.
  The specified severity is assigned to correlation events and alerts associated with the asset.
- Add a description for the category in the Description field.

Click the Save button.

To add an asset:

In the KUMA web interface, select the Assets section.
Click the Add asset button.
The Add asset details area opens in the right part of the window.
Define the following asset parameters:
1. In the Asset name field, enter a name for the asset.
2. In the Tenant drop-down list, select the tenant that will own the asset.
3. In the IP address field, specify the IP address of the Kaspersky Endpoint Detection and Response Central Node server from which you want to receive detections. If necessary, you can add one or more server IP addresses.
4. If required, define the values for the following fields:
  - In the FQDN field, specify the Fully Qualified Domain Name of the Kaspersky Endpoint Detection and Response server.
  - In the MAC address field, specify the MAC address of the Central Node Kaspersky Endpoint Detection and Response Central Node server.
  - In the Owner field, define the name of the asset owner.
  - In the Categories field, select the category of the tenant.
  - In the CII categories drop-down list, select the critical information infrastructure category of the resource.
If necessary, under Software, specify the name and version of the operating system.
If necessary, in the Hardware info section, specify the following parameters of the hardware:
- Name, core count, and clock rate of the CPU in MHz. If necessary, you can click the Add CPU button specify more CPUs.
- Free disk space and the total size of the disk in bytes. If necessary, you can click the Add disk button specify more disks to be used.
- Name, vendor, and driver version of the network adapter. If necessary, you can click the Add network card button to specify more network adapters.
- The clock rate of the RAM in MHz and the total amount of RAM in bytes.
Click the Save button.

Step 2. Adding a correlation rule

You can create a correlation rule or use the ready-made [OOTB] KATA Alert rule.

To add a correlation rule:

In the KUMA web interface, select the Resources section.
Under Resources configuration, select Correlation rules and click the Add button.
On the General tab, specify the following settings:
1. In the Name field, define the rule name.
2. In the Tenant drop-down list, select a tenant.
3. In the Type drop-down list, select simple.
4. In the Tags drop-down list, select one or more tags to identify the rule.
5. In the Propagated fields field, add the following fields: DeviceProduct, DeviceAddress, EventOutcome, SourceAssetID, DeviceAssetID
6. If required, define the values for the following fields:
  - In the Rate limit field, define the maximum number of times per second that the rule will be triggered.
  - In the Severity field, define the severity of alerts and correlation events that will be created as a result of the rule being triggered.
  - In the Description field, provide any additional information.
  - In the MITRE Techniques drop-down list, select the applicable MITRE ATT&CK techniques.
On the Selectors → Settings tab, specify the following filter settings:
1. In the Filter drop-down list, select Create new.
2. Click Add group.
3. In the operator field for the group you added, select AND.
4. Add a condition for filtering by KATA value:
  1. In the Conditions field, click the Add condition button.
  2. In the condition field, select If.
  3. In the Left operand field, select Event fields.
  4. In the Event fields field, select DeviceProduct.
  5. In the Operator field, select =.
  6. In the Right operand field, select Constant.
  7. In the value field, enter KATA.
5. Add a category filter condition:
  1. In the Conditions field, click the Add condition button.
  2. In the condition field, select If.
  3. In the Left operand field, select Event fields.
  4. In the Event fields field, select DeviceAssetID.
  5. In the Operator field, select inCategory.
  6. In the Right operand field, select Constant.
  7. Click the Builder button.
  8. Select the category in which you placed the Kaspersky Endpoint Detection and Response Central Node server asset.
  9. Click the Save button.
6. In the Conditions field, click the Add group button.
7. In the operator field for the group you added, select OR.
8. Add a condition for filtering by event class identifier:
  1. In the Conditions field, click the Add condition button.
  2. In the condition field, select If.
  3. In the Left operand field, select Event fields.
  4. In the Event fields field, select DeviceEventClassID.
  5. In the Operator field, select =.
  6. In the Right operand field, select Constant.
  7. In the Value field, enter taaScanning.
9. Repeat steps 1 through 7 under (h) for each of the following event class IDs:
  - file_web.
  - file_mail.
  - file_endpoint.
  - file_external.
  - ids.
  - url_web.
  - url_mail.
  - dns.
  - iocScanningEP.
  - yaraScanningEP.
On the Actions tab, specify the following settings:
1. Select the Output check box.
2. In the Enrichment section, click the Add enrichment button.
3. In the Source kind drop-down list, select Template.
4. In the Template field, enter https://{{.DeviceAddress}}:8443/katap/#/alerts?id={{.EventOutcome}}.
5. In the Target field drop-down list, select DeviceExternalID.
6. If necessary, turn on the Debug toggle switch to log information related to the operation of the resource.
Click the Save button.

Step 3. Creating a correlator

You need to launch the Correlator Installation Wizard. At step 3 of the Wizard, you are required to select the correlation rule that you added by following this guide.

After the correlator is created, a link to these detections will be displayed in the details of alerts created when receiving detections from Kaspersky Endpoint Detection and Response. The link is displayed in the correlation event details (Related events section), in the DeviceExternalID field.

If you want the FQDN of the Kaspersky Endpoint Detection and Response Central Node server to be displayed in the DeviceHostName field, in the detection details, you need to create a DNS record for the server and create a DNS enrichment rule at step 4 of the Wizard.

Page top