By processing events, KUMA can detect assets in your infrastructure that are not in the list of KUMA assets. To be detected, an asset must have an IP address or a host name in the event. A detected unknown asset may be benign (for example, a host that has not yet been added to KUMA) or may indicate an information security incident (for example, an unauthorized device on the network).
The following predefined correlation rules are used to detect unknown assets:
These correlation rules use two kinds of filters: monitored subnet filters, which define the network segment the rules watch, and exclusion filters, which list assets that must never trigger the rules. Adjust the filters, rather than the rules themselves, to fit your network infrastructure. When a rule triggers, it adds the detected unknown asset to the "[OOTB][Net] Detection unknown assets" active list.
The "[OOTB][Net] Detection unknown assets" active list retains a record about a detected asset for 7 days. If a rule triggers again for an asset that is already in the list, no duplicate record is added. After the 7 days the record expires, so an asset that is still unknown is recorded again the next time a rule triggers for it.
Correlation rules
[OOTB][Net] Detection unknown assets in device fields
This rule analyzes the data in the DeviceAddress and DeviceHostName fields of events. If the IP address or host name from these fields is not found in the list of KUMA assets, the rule is triggered.
The following conditions must be satisfied for the rule to trigger:
[OOTB][Net] Detection unknown assets in source fields
This rule analyzes the data in the SourceAddress and SourceHostName fields of events. If the IP address or host name from these fields is not found in the list of KUMA assets, the rule is triggered.
The following conditions must be satisfied for the rule to trigger:
[OOTB][Net] Detection unknown assets in destination fields
This rule analyzes the data in the DestinationAddress and DestinationHostName fields of events. If the IP address or host name from these fields is not found in the list of KUMA assets, the rule is triggered.
The following conditions must be satisfied for the rule to trigger:
Filters
Exclusion filters
Exclusion filters contain lists of IP addresses and host names of assets that must not trigger the correlation rules when they appear in events. Add these IP addresses and host names to the exclusion filters before enabling the correlation rules. For the rules to work correctly, the filters must not be empty.
Exclusion filters include:
Exclusion filters are located in the OOTB/Integration directory.
Monitored subnet filters
Subnet filters contain lists of the subnets in which the correlation rules look for new assets. Add your subnets to these filters before enabling the correlation rules: with an empty subnet list, the correlation rules never trigger.
Subnet filters include:
Subnet filters are located in the OOTB/Integration directory.
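The detection logic described in the rule and filter sections above, as an added example (this is not KUMA's own code or its rule definitions): a Python model of the three rules, the monitored subnet and exclusion filters, and the 7-day active list, run over constructed sample events. All subnet, address and host-name values are assumed, and two points the page does not settle are modelled as assumptions: an asset counts as known when either its address or its host name is in the asset list, and the active-list record is keyed by the address when present, otherwise by the host name.

```python
"""Model of KUMA's OOTB unknown-asset detection (constructed example, not KUMA code)."""
from __future__ import annotations

from datetime import datetime, timedelta
import ipaddress

# --- Constructed configuration (assumed values; adjust to your network) ---
MONITORED_SUBNETS = [ipaddress.ip_network(s) for s in ("10.10.0.0/16", "192.168.50.0/24")]
EXCLUDED_ADDRESSES = {"10.10.0.1", "10.10.0.53"}            # exclusion filter: addresses
EXCLUDED_HOSTNAMES = {"gw01.corp.example", "dns01.corp.example"}  # exclusion filter: host names
ASSET_ADDRESSES = {"10.10.1.10", "10.10.1.11", "192.168.50.20"}  # the "KUMA asset list"
ASSET_HOSTNAMES = {"ws-1001.corp.example", "ws-1002.corp.example", "srv-db.corp.example"}
RETENTION = timedelta(days=7)

# Event field pairs examined by each of the three OOTB rules.
RULE_FIELDS = {
    "[OOTB][Net] Detection unknown assets in device fields": ("DeviceAddress", "DeviceHostName"),
    "[OOTB][Net] Detection unknown assets in source fields": ("SourceAddress", "SourceHostName"),
    "[OOTB][Net] Detection unknown assets in destination fields": ("DestinationAddress", "DestinationHostName"),
}


def in_monitored_subnet(addr: str) -> bool:
    """Subnet filter: True only for a valid IP address inside a configured subnet."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in MONITORED_SUBNETS)


class UnknownAssetList:
    """Models the '[OOTB][Net] Detection unknown assets' active list.

    One record per asset key; a record lives for RETENTION, and a repeat
    detection of a key that is still present adds no duplicate.
    """

    def __init__(self) -> None:
        self.records: dict[str, tuple[datetime, str]] = {}  # key -> (first seen, rule)

    def expire(self, now: datetime) -> None:
        self.records = {k: v for k, v in self.records.items() if now - v[0] < RETENTION}

    def add(self, key: str, rule: str, now: datetime) -> bool:
        """Returns True if a new record was created, False if the key was already present."""
        self.expire(now)
        if key in self.records:
            return False
        self.records[key] = (now, rule)
        return True


def evaluate(event: dict, active_list: UnknownAssetList, now: datetime) -> list[tuple[str, bool]]:
    """Runs the three rules over one event; returns (rule, new_record_added) per triggered rule.

    Assumptions (not stated on the page): an asset is known if either its address or
    its host name is in the asset list; the record key is the address, else the host name.
    """
    fired = []
    for rule, (addr_field, host_field) in RULE_FIELDS.items():
        addr = event.get(addr_field, "")
        host = event.get(host_field, "")
        if not addr and not host:
            continue  # nothing to identify an asset by
        if not in_monitored_subnet(addr):
            continue  # outside the monitored segment (an empty subnet list never fires)
        if addr in EXCLUDED_ADDRESSES or host in EXCLUDED_HOSTNAMES:
            continue  # exclusion filter
        if addr in ASSET_ADDRESSES or (host and host in ASSET_HOSTNAMES):
            continue  # already a KUMA asset
        fired.append((rule, active_list.add(addr or host, rule, now)))
    return fired


# Constructed sample events (not real KUMA events).
SAMPLE_EVENTS = [
    # 0: known workstation talking to a known server via excluded DNS: nothing fires
    {"DeviceAddress": "10.10.0.53", "DeviceHostName": "dns01.corp.example",
     "SourceAddress": "10.10.1.10", "SourceHostName": "ws-1001.corp.example",
     "DestinationAddress": "192.168.50.20", "DestinationHostName": "srv-db.corp.example"},
    # 1: unknown host inside a monitored subnet as source: source rule fires, record added
    {"DeviceAddress": "10.10.0.53", "DeviceHostName": "dns01.corp.example",
     "SourceAddress": "10.10.7.77", "SourceHostName": "",
     "DestinationAddress": "192.168.50.20", "DestinationHostName": "srv-db.corp.example"},
    # 2: the same unknown host as destination: rule fires, but no duplicate record
    {"DeviceAddress": "10.10.0.1", "DeviceHostName": "gw01.corp.example",
     "SourceAddress": "10.10.1.11", "SourceHostName": "ws-1002.corp.example",
     "DestinationAddress": "10.10.7.77", "DestinationHostName": ""},
    # 3: unknown address outside the monitored subnets: ignored
    {"DeviceAddress": "10.10.0.1", "DeviceHostName": "gw01.corp.example",
     "SourceAddress": "10.10.1.10", "SourceHostName": "ws-1001.corp.example",
     "DestinationAddress": "203.0.113.9", "DestinationHostName": ""},
    # 4: unknown device reporting the event: device rule fires
    {"DeviceAddress": "10.10.3.3", "DeviceHostName": "printer-3f.corp.example",
     "SourceAddress": "10.10.1.10", "SourceHostName": "ws-1001.corp.example",
     "DestinationAddress": "192.168.50.20", "DestinationHostName": "srv-db.corp.example"},
]


def run_sample(start: datetime = datetime(2024, 1, 1)) -> tuple[list, UnknownAssetList]:
    """Feeds the sample events through the rules; returns per-event results and the active list."""
    active = UnknownAssetList()
    return [evaluate(ev, active, start) for ev in SAMPLE_EVENTS], active


if __name__ == "__main__":
    results, active = run_sample()
    for i, fired in enumerate(results):
        print(i, fired)
    print("active list:", sorted(active.records))
```

Feeding the same event again after the retention period (for example `evaluate(SAMPLE_EVENTS[1], active, datetime(2024, 1, 8))`) creates a fresh record, which is the behaviour to expect from the 7-day retention: a still-unknown asset reappears in the list once its old record has expired.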
Configuring the detection of unknown assets in your network
To configure the detection of unknown assets:
Unknown asset detection is now configured for the specified subnets. Information about detected assets is added to the "[OOTB][Net] Detection unknown assets" active list.