Kaspersky Next XDR Expert

Managing assets

Assets represent the computers of the organization. After adding assets to KUMA, their IDs are added to enriched events, and, when analyzing events, you get additional information about your organization's computers.

You can view information about assets, search for assets by specified criteria, edit or delete assets, and export asset data to a CSV file.

Asset categories

You can categorize the assets and then use the categories in filter conditions or correlation rules. For example, you can create alerts of a higher severity level for assets from a higher-severity category. By default, all assets fall into the Uncategorized assets category. A device can be added to multiple categories.

By default, KUMA asset categories have the following severity levels: Low, Medium, High, Critical. You can create custom categories, and categories can be nested.

Categories can be populated in the following ways:

  • Manually
  • Active: the asset is linked to the category automatically as long as it meets the specified conditions. For example, the moment the asset is upgraded to a specified OS version or placed in a specified subnet, the asset is moved to the specified category. If you specified a relative period and selected the frequency of categorization, for example, hourly, then every time categorization starts, the condition is evaluated against the asset information that is up-to-date at the moment categorization starts.
    1. In the Repeat categorization every drop-down list, specify how often assets will be linked to a category. You can select values ranging from once per hour to once per 24 hours.

      You can forcibly start categorization by selecting Start categorization in the category context menu.

    2. In the Conditions settings block, specify the filter for matching assets to attach to an asset category.

      You can add conditions by clicking the Add condition buttons. Groups of conditions can be added by using the Add group buttons. Group operators can be switched between AND, OR, and NOT values.

      Categorization filter operands and operators (each entry gives the operand, its operators, and a comment where one applies)

      Build number
      Operators: =, ilike

      OS
      Operators: =, ilike
      The "ilike" operator makes the search case-insensitive.

      IP address
      Operators: inSubnet, inRange
      The IP address is indicated in CIDR notation (for example: 192.168.0.0/24).
      When the inRange operator is selected, you can indicate only addresses from private ranges of IP addresses (for example: 10.0.0.0–10.255.255.255). Both addresses must be in the same range.

      FQDN
      Operators: =, ilike
      The "ilike" operator makes the search case-insensitive.

      CVE
      Operators: =, in
      The "in" operator lets you specify an array of CVE (Common Vulnerabilities and Exposures) IDs.

      CVSS
      Operators: >, >=, =, <=, <
      Severity level of CVE vulnerabilities on the asset. The CVSS parameter takes values from 0 to 10.
      Not applicable to vulnerabilities from Open Single Management Platform.

      CVE count
      Operators: >, >=, =, <=, <
      The number of unique vulnerabilities with the CVE attribute for the asset. Vulnerabilities without CVEs do not count towards this figure.
      For categorization by the number of CVEs of a certain severity level, you can use a combined condition. For example: CVE count >= 1 AND CVSS >= 6.5.

      Software
      Operators: =, ilike
      Categorization by software installed on the asset. The "ilike" operator makes the search case-insensitive.

      Software version
      Operators: =, ilike, in
      Categorization by version (build) number of the software installed on the asset. The "ilike" operator makes the search case-insensitive.

      CII
      Operators: in
      More than one value can be selected.

      KSC group
      Operators: =, ilike
      Categorization by the name of the Open Single Management Platform administration group in which the asset is placed.

      Anti-virus databases last updated
      Operators: >=, <=
      For categorization, the time is specified as UTC time and then converted in the KUMA interface to the local time zone set in the browser.
      You can specify the date and time for this operand in one of the following ways:
      • Select the exact date in the calendar.
      • Select a period relative to the present time in the Relative period list.
      • Enter a value manually: an exact date and time or a relative period, or a combination of both.
      For details, see the Using time values subsection below.
      A relative period for repeated categorization takes into account asset information that is up-to-date at the time when categorization is started.

      Last update of the information
      Operators: >=, <=
      A date and time value, specified in the same ways as Anti-virus databases last updated (see above and the Using time values subsection below).

      Protection last updated
      Operators: >=, <=
      A date and time value, specified in the same ways as Anti-virus databases last updated.

      System last started
      Operators: >=, <=
      A date and time value, specified in the same ways as Anti-virus databases last updated.

      KSC extended status
      Operators: in
      Extended status of the device. More than one value can be selected.

      Real-time protection status
      Operators: =
      Status of Kaspersky applications installed on the managed device.

      Encryption status
      Operators: =

      Spam protection status
      Operators: =

      Anti-virus protection status of mail servers
      Operators: =

      Data Leakage Prevention status
      Operators: =

      KSC extended status ID
      Operators: =

      Endpoint Sensor status
      Operators: =

      Last visible
      Operators: >=, <=
      A date and time value, specified in the same ways as Anti-virus databases last updated.

      Score ML
      Operators: >, >=, =, <=, <
      Categorization by asset score assigned by AI services.

      Status
      Operators: =, in
      Categorization by predefined asset statuses assigned by AI services.

      Custom asset field
      Operators: =, ilike
      Categorization by values of custom asset fields.

      Using time values

      Some conditions, for example, Anti-virus databases last updated or System last started, use date and time as the operand value. For these conditions, you can use an exact date and time or a relative period.

      To specify a date and time value:

      1. Select an operand, an operator and click the date field.
      2. Do one of the following:
        • Select the exact date in the calendar.

          By default, the current time is automatically added to the selected date, with millisecond precision. Changing the date in the calendar does not change the specified time. The date and time are displayed in the time zone of the browser. If necessary, you can edit the date and time in the field.

        • In the Relative period list, select a relative period.

          The period is calculated relative to the start time of the current categorization and takes into account asset information that is up-to-date at that moment. For example, for the condition Anti-virus databases last updated, you can select 1 hour and the >= operator to periodically link to the category those assets for which the anti-virus databases have not been updated for more than 1 hour before the start of categorization.

        • In the date and time field, enter a value manually.

          You can enter an exact date and time in the DD.MM.YYYY HH:mm:ss.SSS format for the Russian localization and YYYY-MM-DD HH:mm:ss.SSS for the English localization or a relative period as a formula. You can also combine these methods if necessary.

          If you do not specify milliseconds when entering the exact date, 000 is substituted automatically.

          In the relative period formulas, you can use the now parameter for the current date and time and the interval parameterization language: +, -, / (rounding to the nearest), as well as time units: y (year), M (month), w (week), d (day), h (hour), m (minute), s (second).

          For example, for the Information last updated condition, you can specify the value now-2d with the >= operator and the value now-1d with the >= operator to regularly link assets to the category if those assets had information updated during the day before the categorization was started; alternatively, you can specify the value now/w with the <= operator to regularly link assets to the category if those assets had information updated between the beginning of the first day of the current week (00:00:00.000 UTC) and now.

          KUMA stores time values in UTC, but in the user interface time is converted to the time zone of your browser. This is relevant to the relative periods: Today, Yesterday, This week, and This month. For example, if the time zone in your browser is UTC+3, and you select Today as the period, the category will cover assets from 03:00:00.000 until now, not from 00:00:00.000 until now.

          If you want to take your time zone into account when selecting a relative period, such as Today, Yesterday, This week, or This month, you need to manually add a time offset in the date and time field by adding or subtracting the correct number of hours. For example, if your browser's time zone is UTC+3 and you want the categorization to cover the Yesterday period, you need to change the value to now-1d/d-3h. If you want the categorization to cover the Today period, change the value to now/d-3h.

    3. Use the Test conditions button to make sure that the specified filter is correct. When you click the button, you should see the Assets for given conditions window containing a list of assets that satisfy the search conditions.
  • Reactive—When a correlation rule is triggered, the asset is moved to the specified group.

In KUMA, assets are categorized by tenant and by category. Assets are arranged in a tree structure, where the tenants are located at the root, and the asset categories branch from them. You can view the tree of tenants and categories in the Assets → All assets section of the KUMA Console. When a tree node is selected, the assets assigned to it are displayed in the right part of the window. Assets from the subcategories of the selected category are displayed if you specify that you want to display assets recursively. You can select the check boxes next to the tenants whose assets you want to view.

To open the context menu of a category, hover the mouse cursor over the category and click the ellipsis icon that is displayed to the right of the category name. The following actions are available in the context menu:

Category context menu items (action: description)

Show assets: display assets of the selected category in the right part of the window.

Show assets recursively: view assets from subcategories of the selected category. If you want to exit recursive viewing mode, select another category to view.

Show info: view information about the selected category in the Category information details area displayed in the right part of the web interface window.

Start categorization: start automatic binding of assets to the selected category. This option is available for categories that have active categorization.

Add subcategory: add a subcategory to the selected category.

Edit category: edit the selected category.

Delete category: delete the selected category. You can only delete categories that have no assets or subcategories. Otherwise, the Delete category option is inactive.

Pin as tab: display the selected category on a separate tab. You can undo this action by selecting Unpin as tab in the context menu of the relevant category.

In this section

Adding an asset category

Configuring the table of assets

Searching assets

Exporting asset data

Viewing asset details

Adding assets

Assigning a category to an asset

Editing the parameters of assets

Archiving assets

Deleting assets

Bulk deletion of assets

Updating third-party applications and fixing vulnerabilities on Open Single Management Platform assets

Moving assets to a selected administration group

Asset audit

Custom asset fields

Critical information infrastructure assets

[Topic 217935]

Adding an asset category

To add an asset category:

  1. Open the Assets section in the KUMA Console.
  2. Open the category creation window:
    • Click the Add category button.
    • If you want to create a subcategory, select Add subcategory in the context menu of the parent category.

    The Add category details area appears in the right part of the web interface window.

  3. Add information about the category:
    • In the Name field, enter the name of the category. The name must contain 1 to 128 Unicode characters.
    • In the Parent field, indicate the position of the category within the categories tree hierarchy:
      1. Click the parent-category button.

        This opens the Select categories window showing the categories tree. If you are creating a new category and not a subcategory, the window may show multiple asset category trees, one for each tenant that you can access. Your tenant selection in this window cannot be undone.

      2. Select the parent category for the category you are creating.
      3. Click Save.

      The selected category appears in the Parent field.

    • The Tenant field displays the tenant whose structure contains your selected parent category. The tenant category cannot be changed.
    • Assign a severity to the category in the Priority drop-down list.
    • If necessary, in the Description field, you can add a note consisting of up to 256 Unicode characters.
  4. In the Categorization kind drop-down list, select how the category will be populated with assets. Depending on your selection, you may need to specify additional settings:
    • Manually—assets can only be manually linked to a category.
    • Active—assets will be assigned to a category at regular intervals if they satisfy the defined filter.

      Active category of assets

      1. In the Repeat categorization every drop-down list, specify how often assets will be linked to a category. You can select values ranging from once per hour to once per 24 hours.

        You can forcibly start categorization by selecting Start categorization in the category context menu.

      2. In the Conditions settings block, specify the filter for matching assets to attach to an asset category.

        You can add conditions by clicking the Add condition buttons. Groups of conditions can be added by using the Add group buttons. Group operators can be switched between AND, OR, and NOT values.

        Categorization filter operands and operators (each entry gives the operand, its operators, and a comment where one applies)

        Build number
        Operators: =, ilike

        OS
        Operators: =, ilike
        The "ilike" operator makes the search case-insensitive.

        IP address
        Operators: inSubnet, inRange
        The IP address is indicated in CIDR notation (for example: 192.168.0.0/24).
        When the inRange operator is selected, you can indicate only addresses from private ranges of IP addresses (for example: 10.0.0.0–10.255.255.255). Both addresses must be in the same range.

        FQDN
        Operators: =, ilike
        The "ilike" operator makes the search case-insensitive.

        CVE
        Operators: =, in
        The "in" operator lets you specify an array of CVE (Common Vulnerabilities and Exposures) IDs.

        CVSS
        Operators: >, >=, =, <=, <
        Severity level of CVE vulnerabilities on the asset. The CVSS parameter takes values from 0 to 10.
        Not applicable to vulnerabilities from Open Single Management Platform.

        CVE count
        Operators: >, >=, =, <=, <
        The number of unique vulnerabilities with the CVE attribute for the asset. Vulnerabilities without CVEs do not count towards this figure.
        For categorization by the number of CVEs of a certain severity level, you can use a combined condition. For example: CVE count >= 1 AND CVSS >= 6.5.

        Software
        Operators: =, ilike
        Categorization by software installed on the asset. The "ilike" operator makes the search case-insensitive.

        Software version
        Operators: =, ilike, in
        Categorization by version (build) number of the software installed on the asset. The "ilike" operator makes the search case-insensitive.

        CII
        Operators: in
        More than one value can be selected.

        KSC group
        Operators: =, ilike
        Categorization by the name of the Open Single Management Platform administration group in which the asset is placed.

        Anti-virus databases last updated
        Operators: >=, <=
        For categorization, the time is specified as UTC time and then converted in the KUMA interface to the local time zone set in the browser.
        You can specify the date and time for this operand in one of the following ways:
        • Select the exact date in the calendar.
        • Select a period relative to the present time in the Relative period list.
        • Enter a value manually: an exact date and time or a relative period, or a combination of both.
        For details, see the Using time values subsection below.
        A relative period for repeated categorization takes into account asset information that is up-to-date at the time when categorization is started.

        Last update of the information
        Operators: >=, <=
        A date and time value, specified in the same ways as Anti-virus databases last updated (see above and the Using time values subsection below).

        Protection last updated
        Operators: >=, <=
        A date and time value, specified in the same ways as Anti-virus databases last updated.

        System last started
        Operators: >=, <=
        A date and time value, specified in the same ways as Anti-virus databases last updated.

        KSC extended status
        Operators: in
        Extended status of the device. More than one value can be selected.

        Real-time protection status
        Operators: =
        Status of Kaspersky applications installed on the managed device.

        Encryption status
        Operators: =

        Spam protection status
        Operators: =

        Anti-virus protection status of mail servers
        Operators: =

        Data Leakage Prevention status
        Operators: =

        KSC extended status ID
        Operators: =

        Endpoint Sensor status
        Operators: =

        Last visible
        Operators: >=, <=
        A date and time value, specified in the same ways as Anti-virus databases last updated.

        Score ML
        Operators: >, >=, =, <=, <
        Categorization by asset score assigned by AI services.

        Status
        Operators: =, in
        Categorization by predefined asset statuses assigned by AI services.

        Custom asset field
        Operators: =, ilike
        Categorization by values of custom asset fields.

        Using time values

        Some conditions, for example, Anti-virus databases last updated or System last started, use date and time as the operand value. For these conditions, you can use an exact date and time or a relative period.

        To specify a date and time value:

        1. Select an operand, an operator and click the date field.
        2. Do one of the following:
          • Select the exact date in the calendar.

            By default, the current time is automatically added to the selected date, with millisecond precision. Changing the date in the calendar does not change the specified time. The date and time are displayed in the time zone of the browser. If necessary, you can edit the date and time in the field.

          • In the Relative period list, select a relative period.

            The period is calculated relative to the start time of the current categorization and takes into account asset information that is up-to-date at that moment. For example, for the condition Anti-virus databases last updated, you can select 1 hour and the >= operator to periodically link to the category those assets for which the anti-virus databases have not been updated for more than 1 hour before the start of categorization.

          • In the date and time field, enter a value manually.

            You can enter an exact date and time in the DD.MM.YYYY HH:mm:ss.SSS format for the Russian localization and YYYY-MM-DD HH:mm:ss.SSS for the English localization or a relative period as a formula. You can also combine these methods if necessary.

            If you do not specify milliseconds when entering the exact date, 000 is substituted automatically.

            In the relative period formulas, you can use the now parameter for the current date and time and the interval parameterization language: +, -, / (rounding to the nearest), as well as time units: y (year), M (month), w (week), d (day), h (hour), m (minute), s (second).

            For example, for the Information last updated condition, you can specify the value now-2d with the >= operator and the value now-1d with the >= operator to regularly link assets to the category if those assets had information updated during the day before the categorization was started; alternatively, you can specify the value now/w with the <= operator to regularly link assets to the category if those assets had information updated between the beginning of the first day of the current week (00:00:00.000 UTC) and now.

            KUMA stores time values in UTC, but in the user interface time is converted to the time zone of your browser. This is relevant to the relative periods: Today, Yesterday, This week, and This month. For example, if the time zone in your browser is UTC+3, and you select Today as the period, the category will cover assets from 03:00:00.000 until now, not from 00:00:00.000 until now.

            If you want to take your time zone into account when selecting a relative period, such as Today, Yesterday, This week, or This month, you need to manually add a time offset in the date and time field by adding or subtracting the correct number of hours. For example, if your browser's time zone is UTC+3 and you want the categorization to cover the Yesterday period, you need to change the value to now-1d/d-3h. If you want the categorization to cover the Today period, change the value to now/d-3h.

      3. Use the Test conditions button to make sure that the specified filter is correct. When you click the button, you should see the Assets for given conditions window containing a list of assets that satisfy the search conditions.
    • Reactive—the category will be filled with assets by using correlation rules.
  5. Click Save.

The new category will be added to the asset categories tree.
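The condition groups described for active categories, both in the overview of asset categories above and in the Add category procedure just completed, can be reasoned about with a small evaluator. The following is an added example and is not KUMA code: it builds an inventory of three constructed assets and implements the =, ilike, in, inSubnet, inRange and numeric operators together with AND, OR and NOT condition groups, then runs the combined condition from the operand table (CVE count >= 1 AND CVSS >= 6.5) and the inSubnet example from the search section (10.80.16.206/25) over that inventory. The record layout and field names, the SQL-style "%" wildcard for ilike, the reading of a NOT group as "none of its items match", and the resolution of the CVSS operand as the highest CVSS among the asset's CVEs are assumptions; the CVE IDs are placeholders.

```python
"""Toy evaluator for KUMA-style asset categorization conditions.
Added example, not KUMA code; record layout, field names and the CVSS
resolution (highest CVSS among the asset's CVEs) are assumptions."""

import ipaddress
import operator
import re

# Constructed sample inventory; the CVE IDs are placeholders, not real entries.
ASSETS = [
    {"fqdn": "ws-01.corp.example", "ip": "10.80.16.206", "os": "Windows 10",
     "software": ["Google Chrome"],
     "cves": {"CVE-XXXX-0001": 7.8, "CVE-XXXX-0002": 4.3}},
    {"fqdn": "srv-db.corp.example", "ip": "10.80.17.10",
     "os": "windows server 2019", "software": ["PostgreSQL"], "cves": {}},
    {"fqdn": "kiosk.branch.example", "ip": "192.168.0.25", "os": "Ubuntu 22.04",
     "software": ["Firefox"], "cves": {"CVE-XXXX-0003": 5.0}},
]

PRIVATE_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NUMERIC = {">": operator.gt, ">=": operator.ge, "=": operator.eq,
           "<=": operator.le, "<": operator.lt}


def private_block(ip):
    """Return the RFC 1918 block that contains ip, or None if it is not private."""
    addr = ipaddress.ip_address(ip)
    for block in PRIVATE_BLOCKS:
        if addr in block:
            return str(block)
    return None


def ilike(value, pattern):
    """Case-insensitive match; '%' is a wildcard as in SQL ILIKE (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def in_subnet(ip, cidr):
    """inSubnet: the address lies in the subnet written in CIDR notation."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def in_range(ip, rng):
    """inRange: both bounds must be private and lie in the same private block."""
    lo, hi = (s.strip() for s in rng.replace("\u2013", "-").split("-"))
    block = private_block(lo)
    if block is None or private_block(hi) != block:
        raise ValueError("inRange bounds must lie in the same private range")
    return ipaddress.ip_address(lo) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(hi)


def field_value(asset, operand):
    """Map a filter operand onto the sample record (field names are assumed)."""
    if operand == "CVE count":
        return len(asset["cves"])
    if operand == "CVSS":
        return max(asset["cves"].values(), default=0.0)
    if operand == "CVE":
        return list(asset["cves"])
    return {"FQDN": asset["fqdn"], "IP address": asset["ip"],
            "OS": asset["os"], "Software": asset["software"]}[operand]


def evaluate_condition(asset, cond):
    # cond is (operand, operator, right-hand value); a list field matches if any element does
    operand, op, rhs = cond
    lhs = field_value(asset, operand)
    values = lhs if isinstance(lhs, list) else [lhs]
    if op == "=":
        return any(v == rhs for v in values)
    if op == "ilike":
        return any(ilike(v, rhs) for v in values)
    if op == "in":
        return any(v in rhs for v in values)
    if op == "inSubnet":
        return in_subnet(lhs, rhs)
    if op == "inRange":
        return in_range(lhs, rhs)
    return NUMERIC[op](lhs, rhs)


def evaluate(asset, node):
    """node: a condition tuple or a group {"op": AND|OR|NOT, "items": [...]}; NOT = none match."""
    if isinstance(node, tuple):
        return evaluate_condition(asset, node)
    results = [evaluate(asset, item) for item in node["items"]]
    if node["op"] == "AND":
        return all(results)
    if node["op"] == "OR":
        return any(results)
    if node["op"] == "NOT":
        return not any(results)
    raise ValueError(f"unknown group operator {node['op']!r}")


def match_assets(node, assets=ASSETS):
    """Return the FQDNs of the assets the filter would link to the category."""
    return [a["fqdn"] for a in assets if evaluate(a, node)]


# The combined condition from the operand table: at least one CVE, CVSS 6.5 or higher.
HIGH_SEVERITY = {"op": "AND",
                 "items": [("CVE count", ">=", 1), ("CVSS", ">=", 6.5)]}

if __name__ == "__main__":
    print(match_assets(HIGH_SEVERITY), match_assets(("OS", "ilike", "windows%")))
```

Note that with CVSS resolved per asset as the highest score, the combined condition selects assets that have at least one CVE and whose worst CVE scores 6.5 or above; it does not count how many CVEs reach that score. The inRange check refuses bounds from different private blocks, mirroring the table's "Both addresses must be in the same range" rule, so a mistyped range fails loudly instead of silently matching nothing.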
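The relative-period formulas from the Using time values subsection (the now parameter, the +, - and / operations, and the units y, M, w, d, h, m, s) can be resolved with the following added example, which is not KUMA code. It resolves a formula against a fixed constructed UTC instant, renders the result in a browser time zone at a chosen offset to show the UTC+3 effect the subsection describes for Today and Yesterday, and also accepts an exact date in the English YYYY-MM-DD HH:mm:ss.SSS format as the starting point (substituting .000 when milliseconds are omitted) so that an exact date and a relative period can be combined. Assumptions made here: "/" rounds down to the start of the unit, as the now/w example in the text describes; weeks start on Monday; and a combined value is written as the exact date followed directly by the formula.

```python
"""Resolver for KUMA-style relative-period formulas such as now-1d/d-3h.
Added example, not KUMA code; '/' rounds down to the unit start, weeks start
on Monday and 'exact date + formula' is the assumed combined syntax."""

import calendar
import re
from datetime import datetime, timedelta, timezone

# Constructed categorization start time: Wednesday 2024-05-15 10:30 UTC.
NOW = datetime(2024, 5, 15, 10, 30, 0, tzinfo=timezone.utc)
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
# A value starts with "now" or an exact date (English localization format,
# milliseconds optional) followed by +N<unit>, -N<unit> or /<unit> tokens.
HEAD = re.compile(r"(now|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)")
TOKEN = re.compile(r"([+-])(\d+)([yMwdhms])|/([yMwdhms])")


def shift(t, n, unit):
    """Add n units: y and M move by calendar, the other units by fixed seconds."""
    if unit in ("y", "M"):
        months = t.year * 12 + (t.month - 1) + (n * 12 if unit == "y" else n)
        year, month0 = divmod(months, 12)
        day = min(t.day, calendar.monthrange(year, month0 + 1)[1])
        return t.replace(year=year, month=month0 + 1, day=day)
    return t + timedelta(seconds=n * UNIT_SECONDS[unit])


def floor_to(t, unit):
    """'/' rounds down to the start of the unit, as now/w does in the text."""
    fields = {"s": {"microsecond": 0}, "m": {"second": 0, "microsecond": 0},
              "h": {"minute": 0, "second": 0, "microsecond": 0},
              "d": {"hour": 0, "minute": 0, "second": 0, "microsecond": 0}}
    if unit in fields:
        return t.replace(**fields[unit])
    day = floor_to(t, "d")
    if unit == "w":
        return day - timedelta(days=day.weekday())  # Monday start (assumption)
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # unit "y"


def resolve(formula, now=NOW):
    """Resolve a date/time value to a UTC datetime."""
    m = HEAD.match(formula)
    if not m:
        raise ValueError(f"value must start with 'now' or an exact date: {formula!r}")
    head = m.group(1)
    if head == "now":
        t = now
    else:
        if "." not in head:  # milliseconds omitted: 000 is substituted
            head += ".000"
        t = datetime.strptime(head, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    pos = m.end()
    while pos < len(formula):
        tok = TOKEN.match(formula, pos)
        if not tok:
            raise ValueError(f"unexpected text at position {pos}: {formula[pos:]!r}")
        if tok.group(4):
            t = floor_to(t, tok.group(4))
        else:
            sign = 1 if tok.group(1) == "+" else -1
            t = shift(t, sign * int(tok.group(2)), tok.group(3))
        pos = tok.end()
    return t


def resolve_iso(formula, now=NOW, offset_hours=0):
    """Resolve and render the value in a browser time zone offset_hours from UTC."""
    local = resolve(formula, now).astimezone(timezone(timedelta(hours=offset_hours)))
    return local.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]


def updated_in_window(timestamp, lower, upper, now=NOW):
    """True if an asset's UTC timestamp lies between two resolved bounds, e.g.
    'information updated during the day before categorization started'."""
    t = resolve(timestamp, now)
    return resolve(lower, now) <= t <= resolve(upper, now)


if __name__ == "__main__":
    # With a UTC+3 browser, "Today" via now/d starts at 03:00 local time;
    # now/d-3h moves the start back to local midnight.
    for f in ("now/d", "now/d-3h", "now-1d/d-3h", "now/w", "now-2d"):
        print(f, "->", resolve_iso(f, offset_hours=3))
```

Resolving now/d for a UTC+3 browser yields 03:00:00.000 local time, which is the shift the subsection warns about; now/d-3h and now-1d/d-3h land on local midnight of today and yesterday respectively. Because the resolver accepts an exact date as its head, the same function also parses stored asset timestamps, so updated_in_window can check whether an asset's information was updated between now-2d and now-1d without restating the bounds.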

[Topic 217710]

Configuring the table of assets

In KUMA, you can configure the contents and order of columns displayed in the assets table. These settings are stored locally on your machine.

To configure the settings for displaying the assets table:

  1. Open the Assets section in the KUMA Console.
  2. Click the gear icon in the upper-right corner of the assets table.
  3. In the drop-down list, select the check boxes next to the parameters that you want to view in the table:
    • FQDN
    • IP address
    • Asset source
    • Owner
    • MAC address
    • Created by
    • Updated
    • Tenant
    • CII category
    • Archived
    • Status
    • Score ML

    When you select a check box, the assets table is updated and a new column is added. When a check box is cleared, the column disappears. The table can be sorted based on multiple columns.

  4. If you need to change the order of columns, click the left mouse button on the column name and drag it to the desired location in the table.

The assets table display settings are configured.

[Topic 217772]

Searching assets

KUMA has two asset search modes. You can switch between the search modes using the buttons in the upper left part of the window:

  • Simple search – search by the following asset settings: Name, FQDN, IP address, MAC address, and Owner.
  • Advanced search – search for assets using filters by conditions and condition groups.

You can select the check boxes next to the found assets to export their data to a CSV file.

Simple search

To find an asset using simple search:

  1. In the Assets section of the KUMA Console, click the simple search button.

    The Search field is displayed at the top of the window.

  2. Enter your search query in the Search field and press ENTER or click the magnifying glass icon.

The table displays the assets with the Name, FQDN, IP address, MAC address, and Owner settings matching the search criteria.

Advanced search

To find an asset using advanced search:

  1. In the Assets section of the KUMA Console, click the advanced search button.

    The asset filtering settings are displayed in the upper part of the window.

  2. Specify the asset filtering settings and click the Search button.

    For details on asset filtering settings, see the table below.

The table displays the assets that meet the search criteria.

An advanced asset search is performed using the filtering conditions that can be specified in the upper part of the window:

  • You can use the Add condition button to add a string containing fields for identifying the condition.
  • You can use the Add group button to add a group of filters. Group operators can be switched between AND, OR, and NOT.
  • Conditions and condition groups can be dragged with the mouse.
  • Conditions, groups, and filters can be deleted by using the cross button.
  • You can collapse the filtering options by clicking the Collapse button. In this case, the resulting search expression is displayed. Clicking it displays the search criteria in full again.
  • The filtering options can be reset by clicking the Clear button.
  • The condition operators and available values of the right operand depend on the selected left operand:

    Left operand

    Available operators

    Right operand

    Build number

    =, ilike

    An arbitrary value.

    OS

    =, ilike

    An arbitrary value.

    IP address

    inSubnet, inRange

    An arbitrary value or a range of values.

    The filtering condition for the inSubnet operator is met if the IP address in the left operand is included in the subnet that is specified in the right operand. For example, the subnet for the IP address 10.80.16.206 should be specified in the right operand using slash notation as follows: 10.80.16.206/25.

    FQDN

    =, ilike

    An arbitrary value.

    CVE

    =, in

    An arbitrary value.

    CVSS

    >, >=, =, <=, <

    A number from 0 to 10 (possible severity levels of the asset's CVE vulnerability).

    Not applicable to vulnerabilities from Open Single Management Platform.

    CVE count

    >, >=, =, <=, <

    Number. The number of unique vulnerabilities with the CVE attribute for the asset. Vulnerabilities without CVEs do not count towards this figure.

    For searching by the number of CVEs of a certain severity level, you can use a combined condition. For example:

    CVE count >= 1

    CVSS >= 6.5

    Software

    =, ilike

    An arbitrary value.

    Software version

    =, ilike, in

    An arbitrary value. Version (build) number of the software installed on the asset.

    Asset source

    in

    • Open Single Management Platform.
    • KICS/KATA.
    • Created manually.

    CII

    in

    • Information resource is not a CII object.
    • CII object without a significance category.
    • CII object of the third category of significance.
    • CII object of the second category of significance.
    • CII object of the first category of significance.

    RAM (bytes)

    =, >, >=, <, <=

    Number.

    Number of disks

    =, >, >=, <, <=

    Number.

    Number of network cards

    =, >, >=, <, <=

    Number.

    Disk free bytes

    =, >, >=, <, <=

    Number.

    KSC group

    =, ilike

    An arbitrary value. Name of the Open Single Management Platform administration group in which the asset is placed.

    Anti-virus databases last updated

    >=, <=

    Date and time. The value is stored as UTC and is converted in the KUMA interface to the time zone set in the browser. You can select an exact date in the calendar, select a period relative to the present time in the Relative period list, or enter a value manually (an exact date and time, a relative period, or a combination of both). For details, see the Using time values subsection below.

    Last update of the information

    >=, <=

    Date and time. The value is stored as UTC and is converted in the KUMA interface to the time zone set in the browser. You can select an exact date in the calendar, select a period relative to the present time in the Relative period list, or enter a value manually (an exact date and time, a relative period, or a combination of both). For details, see the Using time values subsection below.

    Protection last updated

    >=, <=

    Date and time. The value is stored as UTC and is converted in the KUMA interface to the time zone set in the browser. You can select an exact date in the calendar, select a period relative to the present time in the Relative period list, or enter a value manually (an exact date and time, a relative period, or a combination of both). For details, see the Using time values subsection below.

    System last started

    >=, <=

    Date and time. The value is stored as UTC and is converted in the KUMA interface to the time zone set in the browser. You can select an exact date in the calendar, select a period relative to the present time in the Relative period list, or enter a value manually (an exact date and time, a relative period, or a combination of both). For details, see the Using time values subsection below.

    KSC extended status

    in

    • Host with Network Agent installed is online, but Network Agent is inactive.
    • Anti-virus application is installed, but real-time protection is not running.
    • Anti-virus application is installed but not running.
    • Number of viruses detected is too high.
    • Anti-virus application is installed but the real-time protection status differs from the one set by the security administrator.
    • Anti-virus application is not installed.
    • Full scan for viruses performed too long ago.
    • Anti-virus bases were updated too long ago.
    • Network Agent has been inactive too long.
    • Old license.
    • Number of uncured objects is too high.
    • Reboot is required.
    • One or more incompatible applications are installed on the host.
    • Host has one or more vulnerabilities.
    • Last search for operating system updates was performed too long ago on the host.
    • The host does not have the proper encryption status.
    • Mobile device settings do not meet the requirements of the security policy.
    • There are unhandled incidents.
    • Host status was suggested by the managed product (HSDP).
    • Host is out of disk space, either synchronization errors occur, or disk space is running out.

    Real-time protection status

    =

    • Suspended.
    • Starting.
    • Running (if anti-virus application does not support categories of state Running).
    • Running with maximum protection.
    • Running for maximum speed.
    • Running with recommended settings.
    • Running with custom settings.
    • Error.

    Encryption status

    =

    • Encryption rules are not configured on the host.
    • Encryption is in progress.
    • Encryption was canceled by the user.
    • Encryption error occurred.
    • All host encryption rules are met.
    • Encryption is in progress, the host must be restarted.
    • Encrypted files without specified encryption rules are detected on the host.

    Spam protection status

    =

    • Unknown.
    • Stopped.
    • Suspended.
    • Starting.
    • Running.
    • Error.
    • Not installed.
    • No license.

    Anti-virus protection status of mail servers

    =

    • Unknown.
    • Stopped.
    • Suspended.
    • Starting.
    • Running.
    • Error.
    • Not installed.
    • No license.

    Data Leakage Prevention status

    =

    • Unknown.
    • Stopped.
    • Suspended.
    • Starting.
    • Running.
    • Error.
    • Not installed.
    • No license.

    KSC extended status ID

    =

    • OK.
    • Critical.
    • Warning.

    Endpoint Sensor status

    =

    • Unknown.
    • Stopped.
    • Suspended.
    • Starting.
    • Running.
    • Error.
    • Not installed.
    • No license.

    Last visible

    >=, <=

    Date and time. The value is stored as UTC and is converted in the KUMA interface to the time zone set in the browser. You can select an exact date in the calendar, select a period relative to the present time in the Relative period list, or enter a value manually (an exact date and time, a relative period, or a combination of both). For details, see the Using time values subsection below.

    Score ML

    =, >, >=, <, <=

    Number. Asset score assigned by AI services.

    Status

    =, in

    Asset status assigned by AI services:

    • Low.
    • Medium.
    • High.
    • Critical.

    Custom asset field

    =, ilike

    An arbitrary value. Search custom fields of assets.
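
The operators above, applied to a few constructed asset records in Python. This is an added example and not KUMA's own code: the asset record layout, the ilike wildcards (SQL LIKE semantics, case-insensitive), the reading of a NOT group as "none of its conditions match", and the reading of a CVSS condition as "at least one of the asset's CVE vulnerabilities satisfies the comparison" are assumptions, and the CVE identifiers in the sample data are placeholders. The CVSS assumption is the one to verify against your own instance before you build alerting on the combined CVE count / CVSS condition: under that reading, CVE count >= 3 together with CVSS >= 6.5 also matches an asset with three CVEs of which only one scores 6.5 or higher. The inSubnet check follows the page's 10.80.16.206/25 example, where the right operand is a host address with a prefix length rather than a network address.

```python
"""Added example (not KUMA code): evaluate advanced asset search conditions.

A condition is a (left operand, operator, right operand) tuple; a group is
{"op": "AND" | "OR" | "NOT", "items": [...]} and groups can be nested.
Asset records and CVE identifiers below are constructed placeholders.
"""
import ipaddress
import re

_CMP = {
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
}


def _ilike(pattern, text):
    # SQL LIKE wildcards, case-insensitive: % = any run of characters, _ = one character (assumption)
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, text or "", re.IGNORECASE) is not None


def _cves(asset):
    # Only vulnerabilities that carry a CVE attribute count, as the page states.
    return [v for v in asset.get("vulns", []) if v.get("id")]


def eval_condition(cond, asset):
    left, op, right = cond
    if left == "IP address":
        ips = [ipaddress.ip_address(i) for i in asset.get("ip", [])]
        if op == "inSubnet":
            # strict=False accepts host bits, e.g. 10.80.16.206/25 -> 10.80.16.128/25
            net = ipaddress.ip_network(right, strict=False)
            return any(ip in net for ip in ips)
        if op == "inRange":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in right.split("-"))
            return any(lo <= ip <= hi for ip in ips)
    if left == "CVE count":
        return _CMP[op](len({v["id"] for v in _cves(asset)}), right)
    if left == "CVSS":
        # Assumption: true if any CVE vulnerability of the asset satisfies the comparison.
        return any(_CMP[op](v["cvss"], right) for v in _cves(asset))
    if left == "CVE":
        ids = {v["id"] for v in _cves(asset)}
        return right in ids if op == "=" else bool(ids & set(right))
    value = asset.get(left)
    if op == "=":
        return value == right
    if op == "ilike":
        return _ilike(right, value)
    if op == "in":
        return value in right
    if op in _CMP and value is not None:
        return _CMP[op](value, right)
    raise ValueError(f"unsupported condition: {cond!r}")


def eval_node(node, asset):
    if isinstance(node, dict):
        results = [eval_node(item, asset) for item in node["items"]]
        if node["op"] == "AND":
            return all(results)
        if node["op"] == "OR":
            return any(results)
        return not any(results)  # NOT group: none of its items may match (assumption)
    return eval_condition(node, asset)


def search(assets, query):
    """Return the names of the assets matching a condition or condition group."""
    return [a["name"] for a in assets if eval_node(query, a)]


# Constructed sample inventory; the CVE IDs are placeholders, not real identifiers.
ASSETS = [
    {"name": "srv-01", "ip": ["10.80.16.130"], "OS": "Ubuntu 22.04", "FQDN": "srv-01.corp.example",
     "RAM (bytes)": 16 * 2**30,
     "vulns": [{"id": "CVE-0000-0001", "cvss": 7.5}, {"id": None, "cvss": 4.0}]},
    {"name": "wks-07", "ip": ["10.80.16.10"], "OS": "Windows 11", "FQDN": "wks-07.corp.example",
     "RAM (bytes)": 8 * 2**30, "vulns": []},
    {"name": "plc-03", "ip": ["192.168.50.4"], "OS": "", "FQDN": None,
     "RAM (bytes)": 2**28, "vulns": [{"id": "CVE-0000-0002", "cvss": 5.0}]},
]

if __name__ == "__main__":
    print(search(ASSETS, ("IP address", "inSubnet", "10.80.16.206/25")))
    print(search(ASSETS, {"op": "AND", "items": [("CVE count", ">=", 1), ("CVSS", ">=", 6.5)]}))
    print(search(ASSETS, {"op": "NOT", "items": [("OS", "ilike", "%windows%")]}))
```

search() returns asset names so the result is easy to check; eval_node() is the reusable part, for example to dry-run a filter against an exported asset CSV before turning it into an active category condition.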

Using time values

Some conditions, for example, Anti-virus databases last updated or System last started, use date and time as the operand value. For these conditions, you can use an exact date and time or a relative period.

To specify a date and time value:

  1. Select an operand, an operator and click the date field.
  2. Do one of the following:
    • Select the exact date in the calendar.

      By default, the current time is automatically added to the selected date, with millisecond precision. Changing the date in the calendar does not change the specified time. The date and time are displayed in the time zone of the browser. If necessary, you can edit the date and time in the field.

    • In the Relative period list, select a relative period.

      The period is calculated relative to the start time of the current search and takes into account asset information that is up-to-date at that moment. For example, for the condition Anti-virus databases last updated, you can select 1 hour and the >= operator to find those assets for which the anti-virus databases have not been updated for more than 1 hour.

    • In the date and time field, enter a value manually.

      You can enter an exact date and time in the DD.MM.YYYY HH:mm:ss.SSS format for the Russian localization and YYYY-MM-DD HH:mm:ss.SSS for the English localization or a relative period as a formula. You can also combine these methods if necessary.

      If you do not specify milliseconds when entering the exact date, 000 is substituted automatically.

      In the relative period formulas, you can use the now parameter for the current date and time and the interval parameterization language: + and - to add or subtract an interval, / to round down to the start of a time unit (for example, now/d is the beginning of the current day), as well as the time units y (year), M (month), w (week), d (day), h (hour), m (minute), and s (second).

      For example, for the Last update of the information condition, you can specify the value now-2d with the <= operator together with the value now-1d with the >= operator to find assets whose information was updated during the day before the search was started; alternatively, you can specify the value now/w with the <= operator to find assets whose information was updated between the beginning of the first day of the current week (00:00:00.000 UTC) and now.

      KUMA stores time values in UTC, but in the user interface time is converted to the time zone of your browser. This matters for the relative periods Today, Yesterday, This week, and This month, whose boundaries are calculated in UTC. For example, if the time zone of your browser is UTC+3 and you select Today as the period, the condition covers assets from 03:00:00.000 local time until now, not from 00:00:00.000 until now.

      If you want the relative period to follow the time zone of your browser, add the corresponding offset manually in the date and time field by adding or subtracting the correct number of hours. For example, if the time zone of your browser is UTC+3 and you want the condition to cover the Yesterday period, change the value to now-1d/d-3h. For the Today period, change the value to now/d-3h.
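
The formula language above, as an added Python example (not KUMA's code). It resolves a relative-period formula such as now-1d/d-3h, or an exact date followed by a relative part, to a UTC instant, and builds the offset-corrected formula the page recommends for the Today, Yesterday, This week and This month periods. Assumptions: / rounds down to the start of the unit, which is what the page's now/w and now/d-3h examples show; weeks start on Monday; exact dates use the English-localization format; the function and parameter names are mine. The block only resolves the value; the page's examples read the comparison with the value on the left (now-1h with >= finds assets not updated for more than an hour), so apply the operator accordingly.

```python
"""Added example (not KUMA code): evaluate relative-period formulas such as
now-1d/d-3h to a UTC instant, and build the browser-offset-corrected formula
the page says you must enter by hand for Today / Yesterday / This week / This month.

Assumptions: '/' rounds down to the start of the unit (matches the page's
now/w and now/d-3h examples), weeks start on Monday, and exact dates use the
English-localization format YYYY-MM-DD HH:mm:ss.SSS.
"""
import calendar
import re
from datetime import datetime, timedelta, timezone

_BASE = re.compile(r"now|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?")
_STEP = re.compile(r"([+-])(\d+)([yMwdhms])|(/)([yMwdhms])")


def _shift(t, n, unit):
    """Move t by n units; y and M are calendar-aware, the rest are fixed spans."""
    if unit in ("y", "M"):
        months = t.year * 12 + (t.month - 1) + (n * 12 if unit == "y" else n)
        year, month0 = divmod(months, 12)
        day = min(t.day, calendar.monthrange(year, month0 + 1)[1])  # clamp 31 -> 30/28
        return t.replace(year=year, month=month0 + 1, day=day)
    span = {"w": timedelta(weeks=n), "d": timedelta(days=n), "h": timedelta(hours=n),
            "m": timedelta(minutes=n), "s": timedelta(seconds=n)}[unit]
    return t + span


def _floor(t, unit):
    """Round down to the start of the unit (the page's '/' operator)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":
        return day - timedelta(days=day.weekday())  # back to Monday (assumption)
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # "y"


def evaluate(formula, now):
    """Resolve a formula to a timezone-aware UTC datetime; `now` is the search start."""
    m = _BASE.match(formula)
    if not m:
        raise ValueError(f"formula must start with 'now' or a date: {formula!r}")
    if m.group() == "now":
        t = now.astimezone(timezone.utc)
    else:
        fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in m.group() else "%Y-%m-%d %H:%M:%S"
        t = datetime.strptime(m.group(), fmt).replace(tzinfo=timezone.utc)
    pos = m.end()
    while pos < len(formula):
        step = _STEP.match(formula, pos)
        if not step:
            raise ValueError(f"unexpected text at offset {pos}: {formula[pos:]!r}")
        if step.group(1):
            sign = 1 if step.group(1) == "+" else -1
            t = _shift(t, sign * int(step.group(2)), step.group(3))
        else:
            t = _floor(t, step.group(5))
        pos = step.end()
    return t


def local_period(name, browser_offset_hours):
    """Formula for a relative period as seen in the browser's time zone.

    now/d is midnight UTC; a browser at UTC+3 shows that as 03:00, so the
    page's rule is to subtract the offset: now/d-3h. West of UTC, add it.
    """
    base = {"Today": "now/d", "Yesterday": "now-1d/d",
            "This week": "now/w", "This month": "now/M"}[name]
    if browser_offset_hours == 0:
        return base
    sign = "-" if browser_offset_hours > 0 else "+"
    return f"{base}{sign}{abs(browser_offset_hours)}h"


if __name__ == "__main__":
    start = datetime.now(timezone.utc)
    for f in ("now-1d", "now/w", "now-1d/d-3h", local_period("Today", 3)):
        print(f, "->", evaluate(f, start).isoformat())
```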

Exporting asset data

You can export data about the assets displayed in the assets table as a CSV file.

To export asset data:

  1. Configure the assets table.

    Only the data specified in the table is written to the file. The display order of the asset table columns is preserved in the exported file.

  2. Find the desired assets and select the check boxes next to them.

    You can select all the assets in the table at a time by selecting the check box in the left part of the assets table header.

  3. Click the Export CSV button.

The asset data is written to the assets_<export date>_<export time>.csv file. The file is downloaded according to your browser settings.

Viewing asset details

To view information about an asset, open the asset information window in one of the following ways:

  • In the KUMA Console, select Assets → select a category with the relevant assets → select an asset.
  • In the KUMA Console, select Alerts → click the link with the relevant alert → select the asset in the Related endpoints section.
  • In the KUMA Console, select Events → search and filter events → select the relevant event → click the link in one of the following fields: SourceAssetID, DestinationAssetID, or DeviceAssetID.

The following information may be displayed in the asset details window:

  • Name—asset name.

    Assets imported into KUMA retain the names that were assigned to them at the source. You can change these names in the KUMA Console.

  • Tenant—the name of the tenant that owns the asset.
  • Asset source—source of information about the asset. There may be several sources. For instance, information can be added in the KUMA Console or by using the API, or it can be imported from Open Single Management Platform, KICS/KATA, and MaxPatrol reports.

    When using multiple sources to add information about the same asset to KUMA, you should take into account the rules for merging asset data.

  • Created—date and time when the asset was added to KUMA.
  • Updated—date and time when the asset information was most recently modified.
  • Owner—owner of the asset, if provided.
  • IP address—IP address of the asset (if any).

    If there are several assets with identical IP addresses in KUMA, the asset that was added the latest is returned in all cases when assets are searched by IP address. If assets with identical IP addresses can coexist in your organization's network, plan accordingly and use additional attributes to identify the assets. For example, this may become important during correlation.

  • FQDN—Fully Qualified Domain Name of the asset, if provided.
  • MAC address—MAC address of the asset (if any).
  • Operating system—operating system of the asset.
  • Related alerts – alerts associated with the asset (if any).

    To view the list of alerts related to an asset, click the Find in Alerts link. This opens the Alerts tab with the search expression set to filter all alerts that reference the corresponding asset ID.

  • Software info and Hardware info—if the asset software and hardware parameters are provided, they are displayed in this section.
  • Asset vulnerability information:
    • Open Single Management Platform vulnerabilities—vulnerabilities of the asset, if provided. This information is available for the assets imported from Open Single Management Platform.

      You can learn more about the vulnerability by clicking the Learn more icon, which opens the Kaspersky Threats portal. You can also update the vulnerabilities list by clicking the Update link and requesting updated information from Open Single Management Platform.

    • KICS/KATA vulnerabilities—vulnerabilities of the asset, if any. This information is available for the assets imported from KICS/KATA.
  • Asset source information:
    • Last visible—time when information about the asset was last received from Open Single Management Platform. This information is available for the assets imported from Open Single Management Platform.
    • Host ID—ID of the Open Single Management Platform Network Agent from which the asset information was received. This information is available for the assets imported from Open Single Management Platform. This ID is used to determine the uniqueness of the asset in Open Single Management Platform.
    • KICS/KATA server IP address and KICS/KATA connector ID—data on the KICS/KATA instance from which the asset was imported.
  • Custom fields—data written to the asset custom fields.
  • Additional information about the protection settings of an asset with Kaspersky Endpoint Security for Windows or Kaspersky Endpoint Security for Linux installed:
    • KSC extended status ID – asset status. It can have the following values:
      • OK
      • Critical
      • Warning
    • KSC extended status – information about the asset status. For example, "The anti-virus databases were updated too long ago".
    • Real-time protection status – status of Kaspersky applications installed on the asset. For example: "Running (if the anti-virus application does not support the Running status categories)".
    • Encryption status – information about asset encryption. For example: "Encryption rules are not configured on the host".
    • Spam protection status – status of anti-spam protection. For example, "Running".
    • Anti-virus protection status of mail servers – status of the anti-virus protection of mail servers. For example, "Running".
    • Data Leakage Prevention status – status of data leak protection. For example, "Running".
    • Endpoint Sensor status – status of the Endpoint Sensor component. For example, "Running".
    • Anti-virus databases last updated – the version of the anti-virus databases installed on the asset.
    • Protection last updated – the time when the anti-virus databases were last updated.
    • System last started – the time when the system was last started.

    This information is displayed if the asset was imported from Open Single Management Platform.

  • Categories—categories associated with the asset (if any).
  • CII category—information about whether an asset is a critical information infrastructure (CII) object.

By clicking the Move to KSC group button, you can move the asset that you are viewing between Open Single Management Platform administration groups. You can also click the Start task drop-down list to run tasks available on the asset:

  • By clicking the KSC response button, you can start an Open Single Management Platform task on the asset.
  • By clicking the KEDR response button, you can run a Kaspersky Endpoint Detection and Response task on the asset.
  • By clicking the Refresh KSC asset button, you can run a task to refresh information about the asset from Open Single Management Platform.

The tasks are available when integrated with Open Single Management Platform and when integrated with Kaspersky Endpoint Detection and Response.

Adding assets

You can add asset information to KUMA in the following ways:

  • Manually.

    You can add an asset using the KUMA Console or the API. In this case, you must manually specify the following information: address, FQDN, name and version of the operating system, hardware information. Information about the vulnerabilities of assets cannot be added through the web interface. You can provide information about vulnerabilities if you add assets using the API.

  • Import assets.

    You can import assets from Open Single Management Platform, KICS/KATA, and MaxPatrol reports.

When adding assets, assets that already exist in KUMA can be merged with the assets being added.

Asset merging algorithm:

  1. Checking the uniqueness of assets imported from Open Single Management Platform or KICS/KATA.
    • The uniqueness of an asset imported from Open Single Management Platform is determined by the Host ID parameter, which contains the identifier of the Open Single Management Platform Network Agent. If the IDs of two assets differ, they are considered to be separate assets and are not merged.
    • The uniqueness of an asset imported from KICS/KATA is determined by the combination of the IP address, KICS/KATA server IP address, and KICS/KATA connector ID parameters. If any of these parameters differ between two assets, they are considered to be separate assets and are not merged.

    If the compared assets match, the algorithm is performed further.

  2. Comparing the values in the IP, MAC, and FQDN fields.

    If at least two of these fields match, the assets are merged, provided that the remaining field is blank.

    Possible matches:

    • The FQDN and IP address of the assets match. The MAC field is blank.

      The check is performed against the entire array of IP address values: if at least one IP address is present in both arrays and the FQDNs are identical, the values are considered to match.

    • The FQDN and MAC address of the assets match. The IP field is blank.

      The check is performed against the entire array of MAC address values: if at least one MAC address is present in both arrays and the FQDNs are identical, the values are considered to match.

    • The IP address and MAC address of the assets match. The FQDN field is blank.

      The check is performed against the entire arrays of IP and MAC address values. If at least one value in each array is fully matched, the values are considered to match.

  3. Comparing the values of the IP, MAC, and FQDN fields one at a time, provided that the other two fields are blank for one or both assets.

    Assets are merged if the values in the field match. For example, if the FQDN and IP address are specified for a KUMA asset, but only the IP address, with the same value, is specified for an imported asset, the IP address fields match and the assets are merged.

    For each field, verification is performed separately and ends on the first match.

You can see examples of asset field comparison here.

Information about assets can be generated from various sources. If the added asset and the KUMA asset contain data received from the same source, this data is overwritten. For example, an Open Single Management Platform asset receives a fully qualified domain name, software information, and host ID when imported into KUMA. When an asset with the same fully qualified domain name is imported from Open Single Management Platform again, all of this data is overwritten (if it has been defined for the added asset). All fields in which the data can be refreshed are listed in the Updatable data table.

Updatable data

Field name

Update procedure

Name

Selected according to the following priority:

  • Manually defined.
  • Received from Open Single Management Platform.
  • Received by KICS/KATA.

Owner

The first value from the sources is selected according to the following priority:

  • Received from Open Single Management Platform.
  • Manually defined.

IP address

The data is merged. If the array of addresses contains identical addresses, the copy of the duplicate address is deleted.

FQDN

The first value from the sources is selected according to the following priority:

  • Received from Open Single Management Platform.
  • Received by KICS/KATA.
  • Manually defined.

MAC address

The data is merged. If the array of addresses contains identical addresses, one of the duplicate addresses is deleted.

Operating system

The first value from the sources is selected according to the following priority:

  • Received from Open Single Management Platform.
  • Received by KICS/KATA.
  • Manually defined.

Vulnerabilities

KUMA asset data is supplemented with information from the added assets. In the asset details, data is grouped by the name of the source.

Vulnerabilities are eliminated for each source separately.

Software info

Data from KICS/KATA is always recorded (if available).

For other sources, the first value is selected according to the following priority:

  • Received from Open Single Management Platform.
  • Manually defined.

Hardware info

The first value from the sources is selected according to the following priority:

  • Received from Open Single Management Platform.
  • Defined via the API.

The updated data is displayed in the asset details. You can view asset details in the KUMA Console.

This data may be overwritten when new assets are added. If the data used to generate asset information is not updated from sources for more than 30 days, the asset is deleted. The next time you add an asset from the same sources, a new asset is created.
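
The merging algorithm and the Updatable data priorities above, modelled as an added Python example (not KUMA's code). Assumptions: a blank field is an empty list or None; in step 2 the remaining field has to be blank on both assets; FQDNs are compared case-insensitively; the source labels "manual", "KSC" (Open Single Management Platform) and "KICS" (KICS/KATA) and all function names are mine; the sample assets are constructed. The case worth keeping in mind is the third one in the checks below: an incoming asset whose FQDN matches but whose IP address is filled in and different is not merged and is created as a separate asset, so disagreement between inventories shows up as duplicates rather than as overwrites.

```python
"""Added example (not KUMA code): a model of the asset merging decision and
of the field priorities from the Updatable data table.

Assumptions: a blank field is None or an empty list; in step 2 the third field
must be blank on both assets; FQDNs compare case-insensitively; sources are
labelled "manual", "KSC" (Open Single Management Platform) and "KICS"
(KICS/KATA). Sample assets are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Asset:
    source: str
    name: Optional[str] = None
    fqdn: Optional[str] = None
    ip: List[str] = field(default_factory=list)
    mac: List[str] = field(default_factory=list)
    os: Optional[str] = None
    host_id: Optional[str] = None         # Open Single Management Platform Network Agent ID
    kics_server: Optional[str] = None     # KICS/KATA server IP address
    kics_connector: Optional[str] = None  # KICS/KATA connector ID


FIELDS = ("ip", "mac", "fqdn")


def _blank(asset, f):
    return not getattr(asset, f)


def _match(a, b, f):
    """Array fields match on at least one shared value; FQDN on full equality."""
    if _blank(a, f) or _blank(b, f):
        return False
    if f == "fqdn":
        return a.fqdn.lower() == b.fqdn.lower()
    return bool(set(getattr(a, f)) & set(getattr(b, f)))


def _kics_key(asset):
    return (tuple(sorted(asset.ip)), asset.kics_server, asset.kics_connector)


def should_merge(existing, incoming):
    """Apply steps 1 to 3 of the merging algorithm to a pair of assets."""
    # Step 1: identity gate for assets that both come from the same integration.
    if existing.source == incoming.source == "KSC" and existing.host_id != incoming.host_id:
        return False
    if existing.source == incoming.source == "KICS" and _kics_key(existing) != _kics_key(incoming):
        return False
    matched = {f for f in FIELDS if _match(existing, incoming, f)}
    # Step 2: at least two fields match and the remaining field is blank.
    rest = set(FIELDS) - matched
    if len(matched) >= 2 and all(_blank(existing, f) and _blank(incoming, f) for f in rest):
        return True
    # Step 3: one field matches and each other field is blank on at least one side.
    for f in matched:
        if all(_blank(existing, o) or _blank(incoming, o) for o in set(FIELDS) - {f}):
            return True
    return False


# First non-empty value wins, in the order given by the Updatable data table.
PRIORITY = {
    "name": ("manual", "KSC", "KICS"),
    "fqdn": ("KSC", "KICS", "manual"),
    "os": ("KSC", "KICS", "manual"),
}


def merge(existing, incoming):
    """Combine two assets that should_merge() accepted."""
    # Same source on both sides: the incoming record overwrites, as the page states.
    by_source = {existing.source: existing, incoming.source: incoming}
    out = Asset(source=existing.source, host_id=incoming.host_id or existing.host_id)
    for f, order in PRIORITY.items():
        for src in order:
            value = getattr(by_source[src], f) if src in by_source else None
            if value:
                setattr(out, f, value)
                break
    # Address arrays are merged and de-duplicated, keeping first-seen order.
    out.ip = list(dict.fromkeys(existing.ip + incoming.ip))
    out.mac = list(dict.fromkeys(existing.mac + incoming.mac))
    return out


if __name__ == "__main__":
    kuma = Asset(source="manual", name="srv-01", fqdn="srv-01.corp.example", ip=["10.0.0.5"])
    ksc = Asset(source="KSC", name="SRV-01", fqdn="srv-01.corp.example",
                ip=["10.0.0.5", "10.0.1.5"], host_id="agent-1")
    print(should_merge(kuma, ksc), merge(kuma, ksc))
```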

If the KUMA Console is used to edit asset information that was received from Open Single Management Platform or KICS/KATA, you can edit the following asset information:

  • Name.
  • Category.

If asset information was added manually, you can edit the following asset data when editing these assets in the KUMA Console:

  • Name.
  • Name of the tenant that owns the asset.
  • IP address.
  • Fully qualified domain name.
  • MAC address.
  • Owner.
  • Category.
  • Operating system.
  • Hardware info.

Asset data cannot be edited via the REST API. When importing from the REST API, the data is updated according to the rules for merging asset details provided above.

In this section

Adding asset information in the KUMA Console

Importing asset information and asset vulnerability information from Open Single Management Platform

Importing asset information from MaxPatrol

Importing asset information from KICS for Networks

Examples of asset field comparison during import

Settings of the kuma-ptvm-config.yaml configuration file

Adding asset information in the KUMA Console

To add an asset in the KUMA Console:

  1. In the Assets section of the KUMA Console, click the Add asset button.

    The Add asset details area opens in the right part of the window.

  2. Enter the asset parameters:
    • Asset name (required).
    • Tenant (required).
    • IP address and/or FQDN (required). You can specify multiple FQDNs separated by commas.
    • MAC address.
    • Owner.
  3. If required, assign one or multiple categories to the asset:
    1. Click the parent-category button.

      Select categories window opens.

    2. Select the check boxes next to the categories that should be assigned to the asset. You can use the plus and minus icons to expand or collapse the lists of categories.
    3. Click Save.

    The selected categories appear in the Categories fields.

  4. If required, add information about the operating system installed on the asset in the Software section.
  5. If required, add information about asset hardware in the Hardware info section.
  6. Click Add.

The asset is created and displayed in the assets table in the category assigned to it or in the Uncategorized assets category.

Importing asset information and asset vulnerability information from Open Single Management Platform

All assets that are protected by Open Single Management Platform are registered in it. You can import into KUMA the information about assets or vulnerabilities of assets that Open Single Management Platform protects. To do so, you need to configure integration between the applications in advance.

In Open Single Management Platform integration settings, you can configure the frequency of automatic import of information about assets, and, if necessary, import assets manually. Importing assets manually does not affect the time of the next scheduled import. From the Open Single Management Platform database, KUMA imports information about devices with installed Open Single Management Platform Network Agent that has connected to Open Single Management Platform, that is, has a non-empty 'Connection time' field in the SQL database.

KUMA imports the following device information received from Open Single Management Platform Network Agents:

  • Basic information about the asset: name, address, time of connection to Open Single Management Platform, hardware information, protection status, anti-virus database versions
  • Information about asset attributes: vulnerabilities; software, including the operating system; owners of the asset

By default, basic asset information is imported every hour, and information about asset attributes is imported every 12 hours. Attribute information is imported only for existing assets, not for new or deleted assets.

If Open Single Management Platform encounters errors while running the import tasks, KUMA displays such errors. If basic asset information is not available in KUMA during the import of asset attribute information (for example, if the assets were deleted during the import), the task completes without errors, but the attribute information for these assets is not loaded.

KUMA provides the following ways of importing information about assets or asset vulnerabilities from KSC:

  • Importing asset information and asset vulnerability information for assets of all KSC Servers.

    To import information about assets or asset vulnerabilities of all Open Single Management Platform Servers:

    1. In the KUMA Console, go to the Assets section.
    2. Import asset information and asset vulnerability information for assets in one of the following ways:
      • If you want to import information about the basic parameters of assets (protection status, versions of anti-virus databases, hardware), click the Import KSC assets button.
      • If you want to import information about other parameters of assets (vulnerabilities, software, owners), click the Import KSC assets attributes.
    3. In the displayed window, select the tenant for which you want to perform the import. By default, All tenants is selected, which means the import is performed for all tenants.
    4. Click OK.

    Information about the assets or asset vulnerabilities of Open Single Management Platform servers is imported into KUMA.

  • Importing asset information and asset vulnerability information for assets of an individual KSC Server.

    To import information about assets or asset vulnerabilities of an individual Open Single Management Platform Server:

    1. In the KUMA Console, go to the Settings → Open Single Management Platform section.

      The Open Single Management Platform integration by tenant window opens.

    2. Select the tenant for which you want to perform the import.

      The Open Single Management Platform integration window opens.

    3. In the Connections table, click the connection to the selected Open Single Management Platform Server.

      This opens the connection settings window.

    4. If the Open Single Management Platform Server has secondary servers or groups, and you do not want to import information about their assets or vulnerabilities:
      1. Click the Load hierarchy button.
      2. Clear the check boxes next to the secondary Servers or groups for which you do not want to perform the import. By default, the check boxes are selected.
      3. If you want to import asset information or asset vulnerability information from new groups, select the Import assets from new groups check box. This check box is cleared by default.
      4. Click the Save button.
    5. Import asset information and asset vulnerability information for assets in one of the following ways:
      • If you want to import information about the basic parameters of assets (protection status, versions of anti-virus databases, hardware), click the Import KSC assets button.
      • If you want to import information about other parameters of assets (vulnerabilities, software, owners), click the Import KSC assets attributes.

    Information about the assets or asset vulnerabilities of the selected Open Single Management Platform Server is imported into KUMA.

Importing asset information from MaxPatrol

You can import asset information from the MaxPatrol system into KUMA.

You can use the following import arrangements:

Imported assets are displayed in the KUMA Console in the Assets section. If necessary, you can edit the settings of assets.

Importing data from MaxPatrol reports

Importing asset information from a report is supported for MaxPatrol 8.

To import asset information from a MaxPatrol report:

  1. In MaxPatrol, generate a network asset scan report in XML file format and copy the report file to the KUMA Core server. For more details about scan tasks and output file formats, refer to the MaxPatrol documentation.

    Data cannot be imported from reports in SIEM integration file format. The XML file format must be selected.

  2. Create a file with the token for accessing the KUMA REST API. For convenience, it is recommended to place it into the MaxPatrol report folder. The file must not contain anything except the token. Restrict access to the file to the account that runs the tool (for example, with chmod 600), because anyone who can read it can call the API as that user.

    Requirements imposed on accounts for which the API token is generated:

    • General administrator, Tenant administrator, Tier 2 analyst, or Tier 1 analyst role.
    • Access to the tenant into which the assets will be imported.
    • Permissions for using API requests GET /users/whoami and POST /api/v1/assets/import have been configured.

      To import assets from MaxPatrol, it is recommended to create a separate user with the minimum necessary set of rights to use API requests.

  3. Copy the maxpatrol-tool to the server hosting the KUMA Core and make the tool's file executable by running the following command:

    chmod +x <path to the maxpatrol-tool file on the server hosting the KUMA Core>

  4. Run the maxpatrol-tool:

    ./maxpatrol-tool --kuma-rest <KUMA REST API server address and port> --token <path and name of API token file> --tenant <name of tenant where assets will reside> <path and name of MaxPatrol report file> --cert <path to the KUMA Core certificate file>

    You can download the Core certificate in the KUMA Console.

    Example: ./maxpatrol-tool --kuma-rest example.kuma.com:7223 --token token.txt --tenant Main example.xml --cert /tmp/ca.cert

    You can use additional flags and commands for import operations. For example, the --verbose (-v) flag displays a full report on the received assets. A detailed description of the available flags and commands is provided in the table titled Flags and commands of maxpatrol-tool. You can also use the --help command to view information on the available flags and commands.

The asset information will be imported from the MaxPatrol report to KUMA. The console displays information on the number of new and updated assets.

Example:

inserted 2 assets;
updated 1 asset;
errors occurred: []

The tool works as follows when importing assets:

  • KUMA overwrites the data of assets imported through the API, and deletes information about their resolved vulnerabilities.
  • KUMA skips assets with invalid data. Error information is displayed when using the --verbose flag.
  • If there are assets with identical IP addresses and fully qualified domain names (FQDN) in the same MaxPatrol report, these assets are merged. The information about their vulnerabilities and software is also merged into one asset.

    When uploading assets from MaxPatrol, assets that have equivalent IP addresses and fully qualified domain names (FQDN) that were previously imported from Open Single Management Platform are overwritten.

    To avoid this problem, you must configure range-based asset filtering by running the following command:

    --ignore <IP address ranges> or -i <IP address ranges>

    Assets that satisfy the filtering criteria are not uploaded. For a description of this command, please refer to the table titled Flags and commands of maxpatrol-tool.

Flags and commands of maxpatrol-tool

Flags and commands

Description

--kuma-rest <KUMA REST API server port and address>, -a <KUMA REST API server port and address>

Address (with the port) of KUMA Core server where assets will be imported. For example, example.kuma.com:7223.

Port 7223 is used for API requests by default. You can change the port if necessary.

--token <path and name of API token file>, -t <path and name of API token file>

Path and name of the file containing the token used to access the REST API. This file must contain only the token.

The account for which you are generating an API token must have the General administrator, Tenant administrator, Tier 2 administrator, or Tier 1 administrator role.

--tenant <tenant name>, -T <tenant name>

Name of the KUMA tenant in which the assets from the MaxPatrol report will be imported.

--dns <IP address ranges> or -d <IP address ranges>

This command uses DNS to enrich IP addresses with FQDNs from the specified ranges if the FQDNs for these addresses were not already specified.

Example: --dns 0.0.0.0-9.255.255.255,11.0.0.0-255.255.255.255,10.0.0.2

--dns-server <DNS server IP address>, -s <DNS server IP address>

Address of the DNS server that the tool must contact to receive FQDN information.

Example: --dns-server 8.8.8.8

--ignore <IP address ranges> or -i <IP address ranges>

Address ranges of assets that should be skipped during import.

Example: --ignore 8.8.0.0-8.8.255.255, 10.10.0.1

--verbose, -v

Output of the complete report on received assets and any errors that occurred during the import process.

--help, -h

help

Get reference information on the tool or a command.

Examples:

./maxpatrol-tool help

./maxpatrol-tool <command> --help

version

Get information about the version of the maxpatrol-tool.

completion

Creation of an autocompletion script for the specified shell.

--cert <path to file with the KUMA Core certificate>

Path to the KUMA Core certificate. By default, the certificate is located in the folder with the application installed: /opt/kaspersky/kuma/core/certificates/ca.cert.

Examples:

  • ./maxpatrol-tool --kuma-rest example.kuma.com:7223 --token token.txt --tenant Main example.xml --cert /example-directory/ca.cert – import assets to KUMA from the MaxPatrol report example.xml.
  • ./maxpatrol-tool help – get reference information on the tool.

Possible errors

Error message

Description

must provide path to xml file to import assets

The path to the MaxPatrol report file was not specified.

incorrect IP address format

Invalid IP address format. This error may arise when incorrect IP ranges are indicated.

no tenants match specified name

No suitable tenants were found for the specified tenant name using the REST API.

unexpected number of tenants (%v) match specified name. Tenants are: %v

KUMA returned more than one tenant for the specified tenant name.

could not parse file due to error: %w

Error reading the XML file containing the MaxPatrol report.

error decoding token: %w

Error reading the API token file.

error when importing files to KUMA: %w

Error transferring asset information to KUMA.

skipped asset with no FQDN and IP address

One of the assets in the report did not have an FQDN or IP address. Information about this asset was not sent to KUMA.

skipped asset with invalid FQDN: %v

One of the assets in the report had an incorrect FQDN. Information about this asset was not sent to KUMA.

skipped asset with invalid IP address: %v

One of the assets in the report had an incorrect IP address. Information about this asset was not sent to KUMA.

KUMA response: %v

An error occurred with the specified report when importing asset information.

unexpected status code %v

An unexpected HTTP code was received when importing asset information from KUMA.


Importing asset information from MaxPatrol VM

The KUMA distribution kit includes the kuma-ptvm utility, which consists of an executable file and a configuration file. The utility is supported on Windows and Linux operating systems. The utility allows you to connect to the MaxPatrol VM API to get data about devices and their attributes, including vulnerabilities, and also lets you edit asset data and import data using the KUMA API. Importing data is supported for MaxPatrol VM 2.6.

Configuring the import of asset information from MaxPatrol VM to KUMA proceeds in stages:

  1. Preparing KUMA and MaxPatrol VM.

    You must create user accounts and a KUMA token for API operations.

  2. Creating a configuration file with data export and import settings.
  3. Importing asset data into KUMA using the kuma-ptvm utility:
    1. The data is exported from MaxPatrol VM and saved in the directory of the utility. Information for each tenant is saved to a separate file in JSON format.

      If necessary, you can edit the received files.

    2. Information from files is imported into KUMA.

When re-importing existing assets, assets that already exist in KUMA are overwritten. In this way, fixed vulnerabilities are removed.

Known limitations

If the same IP address is specified for two assets with different FQDNs, KUMA imports such assets as two different assets; the assets are not combined.

If an asset has two software entries with the same values in the name, version, and vendor fields, KUMA imports them as a single software entry, even though the installation paths on the asset differ.

If the FQDN of an asset contains a space or underscore ("_"), data for such assets is not imported into KUMA, and the log indicates that the assets were skipped during import.

If an error occurs during import, error details are logged and the import stops.

Preparatory actions

  1. Create a separate user account in KUMA and in MaxPatrol VM with the minimum necessary set of permissions to use API requests.
  2. Create user accounts for which you will later generate an API token.

    Requirements imposed on accounts for which the API token is generated:

    • General administrator, Tenant administrator, Tier 2 analyst, or Tier 1 analyst role.
    • Access to the tenant into which the assets will be imported.
    • In the user account, under API access rights, the check box is selected for POST /api/v1/assets/import.
  3. Generate a token for access to the KUMA REST API.

Creating the configuration file

To create the configuration file:

  1. Go to the KUMA installer folder by executing the following command:

    cd kuma-ansible-installer

  2. Copy the kuma-ptvm-config-template.yaml template to create a configuration file named kuma-ptvm-config.yaml:

    cp kuma-ptvm-config-template.yaml kuma-ptvm-config.yaml

  3. Edit the settings in the kuma-ptvm-config.yaml configuration file.
  4. Save the changes to the file.

The configuration file will be created. Go to the Importing asset data step.

Importing asset data

To import asset information:

  1. If you want to import asset information from MaxPatrol VM into KUMA without intermediate verification of the exported data, run the kuma-ptvm utility with the following options:

    kuma-ptvm --config <path to the kuma-ptvm-config.yaml file> --download --upload

  2. If you want to check the correctness of data exported from MaxPatrol VM before importing it into KUMA:
    1. Run the kuma-ptvm utility with the following options:

      kuma-ptvm --config <path to the kuma-ptvm-config.yaml file> --download

      For each tenant specified in the configuration file, a separate file is created with a name of the form <KUMA tenant ID>.JSON. Also, during export, a 'tenants' file is created, containing a list of JSON files to be uploaded to KUMA. All files are saved in the utility's directory.

    2. Review the exported asset files and if necessary, make the following edits:
      • Assign assets to their corresponding tenants.
      • Manually transfer asset data from the 'default' tenant file to the files of the relevant tenants.
      • In the 'tenants' file, edit the list of tenants whose assets you want to import into KUMA.
    3. Import asset information into KUMA:

      kuma-ptvm --config <path to the kuma-ptvm-config.yaml file> --upload

    To view information about the available commands of the utility, run the --help command.

The asset information is imported from MaxPatrol VM to KUMA. The console displays information on the number of new and updated assets.

Possible errors

When running the kuma-ptvm utility, the "tls: failed to verify certificate: x509: certificate is valid for localhost" error may be returned.

Solution:

  • Issue a certificate in accordance with the MaxPatrol documentation. We recommend resolving the error in this way.
  • Disable certificate validation.

    To disable certificate validation, add the following line to the configuration file in the 'MaxPatrol settings' section:

    ignore_server_cert: true

As a result, the utility is started without errors.


Settings of the kuma-ptvm-config.yaml configuration file

The table lists the settings that you can specify in the kuma-ptvm-config.yaml file.

Description of settings in the kuma-ptvm-config.yaml configuration file

Setting

Description

Values

log_level

An optional setting in the 'General settings' group.

Logging level.

Available values:

  • trace
  • info
  • warning
  • error

Default setting: info.

period

An optional setting in the 'General settings' group.

Data for assets that have changed during the specified period is exported from MaxPatrol.

No limitations apply.

Default setting: 30d.

strict_import

Optional setting in the 'General settings' group.

When exporting assets from MaxPatrol, check if the required fields for KUMA are filled. Do not export unverified assets from MaxPatrol.

Available values:

  • true to check for the presence of fields that are required for KUMA.
  • false to skip the check for the presence of fields that are required for KUMA.

Default setting: false.

We recommend specifying true when exporting assets from MaxPatrol, this lets you detect and fix possible errors in JSON files before you import assets into KUMA.

endpoint

Required setting in the 'KUMA settings' group.

URL of the KUMA API server. For example, kuma-example.com:7223

-

token

Required setting in the 'KUMA settings' group.

KUMA API token.

-

ignore_server_cert

Optional setting in the 'KUMA settings' group.

Validation of the KUMA certificate.

Available values:

  • true to disable KUMA certificate validation.
  • false to enable KUMA certificate validation.

This setting is not included in the configuration file template. You can manually add this setting with a true value, which will prevent the kuma-ptvm utility from validating the certificate at startup.

endpoint

Required setting in the 'MaxPatrol VM' group.

URL of the MaxPatrol API server.

-

user

Required setting in the 'MaxPatrol VM' group.

MaxPatrol API user name.

-

password

Required setting in the 'MaxPatrol VM' group.

MaxPatrol API user password.

-

secret

Required setting in the 'MaxPatrol VM settings' group.

MaxPatrol API secret.

-

ignore_server_cert

Optional setting in the 'MaxPatrol VM settings' group.

Validation of the MaxPatrol certificate.

Available values:

  • true to disable the validation of the MaxPatrol certificate.
  • false to enable MaxPatrol certificate validation.

This setting is not included in the configuration file template. You can manually add this setting with a true value if the "tls: failed to verify certificate: x509: certificate is valid for localhost" error occurs. In that case, the kuma-ptvm utility does not validate the certificate when it is started.

We recommend issuing a certificate in accordance with the MaxPatrol documentation as the preferred way of resolving the error.

only_exploitable

Optional setting in the 'Vulnerability filter' group.

Export from MaxPatrol only assets with vulnerabilities for which exploits are known.

Available values:

  • true to export only assets with vulnerabilities for which exploits are known.
  • false to export all assets.

Default setting: false.

min_severity

Optional setting in the 'Vulnerability filter' group.

Import only vulnerabilities of the specified level or higher.

Available values:

  • low
  • medium
  • high
  • critical

Default value: low.

id

Required setting in the 'Tenant map' group.

Tenant ID in KUMA.

Assets are assigned to tenants in the order in which tenants are specified in the configuration file: the higher a tenant is in the list, the higher its priority. This means you can specify overlapping subnets.

-

fqdn

Optional setting in the 'Tenant map' group.

Regular expression for searching the FQDN of an asset.

-

networks

Optional setting in the 'Tenant map' group.

One or more subnets.

-

default_tenant

Optional setting.

The default KUMA tenant for data about assets that could not be allocated to tenants specified in the 'Tenants' group of settings.

-
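The 'Tenant map' rules above (first matching tenant in the list wins, so overlapping subnets are allowed; fqdn is a regular expression; unmatched assets go to default_tenant) can be checked against a constructed tenant map before running --download. This is an added Python example, not code from the kuma-ptvm utility; the tenant IDs, networks and assets are constructed placeholders, and the skip rule for FQDNs containing a space or underscore follows the known limitation listed for the utility.

```python
"""Tenant assignment for exported assets, following the documented 'Tenant map' rules.

Added example (not part of kuma-ptvm): the list order of tenants is their priority,
so an asset in two overlapping subnets is assigned to the tenant listed first.
"""
import ipaddress
import re

# Constructed tenant map mirroring the kuma-ptvm-config.yaml keys id, fqdn, networks.
# The IDs are placeholders, not real KUMA tenant IDs.
TENANT_MAP = [
    {"id": "TENANT_ID_DMZ_PLACEHOLDER", "networks": ["10.0.10.0/24"]},
    {
        "id": "TENANT_ID_HQ_PLACEHOLDER",
        "fqdn": r"\.hq\.example\.test$",
        "networks": ["10.0.0.0/16"],  # overlaps the DMZ subnet; DMZ wins because it is listed first
    },
]
DEFAULT_TENANT = "TENANT_ID_DEFAULT_PLACEHOLDER"


def _compile_rule(rule):
    """Turn one tenant map entry into (tenant id, compiled fqdn regex or None, networks)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in rule.get("networks", [])]
    pattern = re.compile(rule["fqdn"]) if rule.get("fqdn") else None
    return rule["id"], pattern, nets


def rule_matches(pattern, nets, asset):
    """A rule matches when one of the asset's IP addresses falls into a listed
    subnet, or when the fqdn regular expression matches the asset FQDN."""
    for ip in asset.get("ips", []):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            return True
    fqdn = asset.get("fqdn")
    return bool(pattern and fqdn and pattern.search(fqdn))


def assign_tenant(asset, tenant_map=TENANT_MAP, default_tenant=DEFAULT_TENANT):
    """Return the ID of the first matching tenant (list order is priority),
    or default_tenant when no rule matches."""
    for rule in tenant_map:
        tenant_id, pattern, nets = _compile_rule(rule)
        if rule_matches(pattern, nets, asset):
            return tenant_id
    return default_tenant


def importable_fqdn(fqdn):
    """Known limitation: assets whose FQDN contains a space or an underscore
    are skipped during import. An asset without an FQDN passes this check."""
    return fqdn is None or not any(ch in fqdn for ch in " _")


def group_by_tenant(assets, tenant_map=TENANT_MAP, default_tenant=DEFAULT_TENANT):
    """Group assets the way the utility writes one <tenant ID>.JSON file per tenant.
    Assets that would be skipped are collected under the key 'skipped'."""
    groups = {}
    for asset in assets:
        if importable_fqdn(asset.get("fqdn")):
            key = assign_tenant(asset, tenant_map, default_tenant)
        else:
            key = "skipped"
        groups.setdefault(key, []).append(asset)
    return groups


# Constructed sample export: the shapes are illustrative, not MaxPatrol VM's JSON.
SAMPLE_ASSETS = [
    {"fqdn": "fw1.dmz.example.test", "ips": ["10.0.10.5"]},      # in both subnets -> DMZ (first)
    {"fqdn": "srv2.hq.example.test", "ips": ["10.0.20.5"]},      # only in 10.0.0.0/16 -> HQ
    {"fqdn": "srv3.hq.example.test", "ips": []},                 # no IP, fqdn regex -> HQ
    {"fqdn": "printer.other.test", "ips": ["192.168.1.20"]},     # nothing matches -> default
    {"fqdn": "bad_host.hq.example.test", "ips": ["10.0.30.7"]},  # underscore -> skipped
]

if __name__ == "__main__":
    for tenant, members in group_by_tenant(SAMPLE_ASSETS).items():
        print(tenant, [a["fqdn"] for a in members])
```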


Importing asset information from KICS for Networks

After configuring KICS for Networks integration, tasks to obtain data about KICS for Networks assets are created automatically. This occurs:

  • Immediately after creating a new integration.
  • Immediately after changing the settings of an existing integration.
  • On a regular schedule, every 12 hours by default. The schedule can be changed.

Account data update tasks can be created manually.

To start a task to update KICS/KATA asset information for a tenant:

  1. In the KUMA Console, open the Settings → KICS/KATA section.
  2. Select the relevant tenant.

    This opens the KICS/KATA server integration window.

  3. Click the Import assets button.

A task to receive account data from the selected tenant is added to the Task manager section of the KUMA Console.


Examples of asset field comparison during import

Each imported asset is compared to the matching KUMA asset.

Checking for two-field value match in the IP, MAC, and FQDN fields

Compared assets     Compared fields
                    FQDN                  IP                    MAC
KUMA asset          Filled in             Filled in             Empty
Imported asset 1    Filled in, matching   Filled in, matching   Filled in
Imported asset 2    Filled in, matching   Filled in, matching   Empty
Imported asset 3    Filled in, matching   Empty                 Filled in
Imported asset 4    Empty                 Filled in, matching   Filled in
Imported asset 5    Filled in, matching   Empty                 Empty
Imported asset 6    Empty                 Empty                 Filled in

Comparison results:

  • Imported asset 1 and KUMA asset: the FQDN and IP fields are filled in and match, no conflict in the MAC fields between the two assets. The assets are merged.
  • Imported asset 2 and KUMA asset: the FQDN and IP fields are filled in and match. The assets are merged.
  • Imported asset 3 and KUMA asset: the FQDN and MAC fields are filled in and match, no conflict in the IP fields between the two assets. The assets are merged.
  • Imported asset 4 and KUMA asset: the IP fields are filled in and match, no conflict in the FQDN and MAC fields between the two assets. The assets are merged.
  • Imported asset 5 and KUMA asset: the FQDN fields are filled in and match, no conflict in the IP and MAC fields between the two assets. The assets are merged.
  • Imported asset 6 and KUMA asset: no matching fields. The assets are not merged.

Checking for single-field value match in the IP, MAC, and FQDN fields

Compared assets     Compared fields
                    FQDN                  IP                    MAC
KUMA asset          Empty                 Filled in             Empty
Imported asset 1    Filled in             Filled in, matching   Filled in
Imported asset 2    Filled in             Filled in, matching   Empty
Imported asset 3    Filled in             Empty                 Filled in
Imported asset 4    Empty                 Empty                 Filled in

Comparison results:

  • Imported asset 1 and KUMA asset: the IP fields are filled in and match, no conflict in the FQDN and MAC fields between the two assets. The assets are merged.
  • Imported asset 2 and KUMA asset: the IP fields are filled in and match, no conflict in the FQDN and MAC fields between the two assets. The assets are merged.
  • Imported asset 3 and KUMA asset: no matching fields. The assets are not merged.
  • Imported asset 4 and KUMA asset: no matching fields. The assets are not merged.
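The two comparison tables above follow one rule: assets are merged when at least one of the FQDN, IP and MAC fields is filled in on both sides with the same value, and no field is filled in on both sides with different values (the "no conflict" condition). The following added Python example, which is not KUMA's own matching code, encodes that rule and reproduces the table outcomes on constructed assets; the case-folding of FQDNs and MAC addresses before comparison is an assumption of this example.

```python
"""Asset field comparison on FQDN, IP and MAC, reproducing the tables above.

Added example, not KUMA code. Rule: merge when >=1 field is filled in on both
sides and equal, and no field is filled in on both sides with different values.
"""
from dataclasses import dataclass
from typing import Optional

FIELDS = ("fqdn", "ip", "mac")


@dataclass(frozen=True)
class Asset:
    fqdn: Optional[str] = None
    ip: Optional[str] = None
    mac: Optional[str] = None


def _norm(field, value):
    """Treat None and '' as empty. Case-folding FQDN/MAC is this example's assumption."""
    if value is None or value.strip() == "":
        return None
    value = value.strip()
    if field == "fqdn":
        return value.rstrip(".").lower()
    if field == "mac":
        return value.replace("-", ":").lower()
    return value


def compare(kuma: Asset, imported: Asset):
    """Return (matching_fields, conflicting_fields) over FQDN, IP and MAC.
    A field that is empty on either side neither matches nor conflicts."""
    matching, conflicting = [], []
    for field in FIELDS:
        a = _norm(field, getattr(kuma, field))
        b = _norm(field, getattr(imported, field))
        if a is None or b is None:
            continue
        (matching if a == b else conflicting).append(field)
    return matching, conflicting


def should_merge(kuma: Asset, imported: Asset) -> bool:
    """Merge only with at least one matching field and no conflicting field."""
    matching, conflicting = compare(kuma, imported)
    return bool(matching) and not conflicting


def run_two_field_table():
    """Reproduce the two-field table: KUMA asset has FQDN and IP, MAC empty.
    Returns {imported asset number: merged?}."""
    kuma = Asset(fqdn="host1.example.test", ip="10.0.0.10")  # constructed values
    mac = "aa:bb:cc:dd:ee:01"
    imported = {
        1: Asset(fqdn="host1.example.test", ip="10.0.0.10", mac=mac),
        2: Asset(fqdn="host1.example.test", ip="10.0.0.10"),
        3: Asset(fqdn="host1.example.test", mac=mac),
        4: Asset(ip="10.0.0.10", mac=mac),
        5: Asset(fqdn="host1.example.test"),
        6: Asset(mac=mac),
    }
    return {n: should_merge(kuma, a) for n, a in imported.items()}


def run_single_field_table():
    """Reproduce the single-field table: KUMA asset has only an IP address."""
    kuma = Asset(ip="10.0.0.10")
    mac = "aa:bb:cc:dd:ee:01"
    imported = {
        1: Asset(fqdn="host1.example.test", ip="10.0.0.10", mac=mac),
        2: Asset(fqdn="host1.example.test", ip="10.0.0.10"),
        3: Asset(fqdn="host1.example.test", mac=mac),
        4: Asset(mac=mac),
    }
    return {n: should_merge(kuma, a) for n, a in imported.items()}


if __name__ == "__main__":
    print("two-field table:", run_two_field_table())
    print("single-field table:", run_single_field_table())
```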

Settings of the kuma-ptvm-config.yaml configuration file

The table lists the settings that you can specify in the kuma-ptvm-config.yaml file.

Setting

Description

Values

log_level

An optional setting in the 'General settings' group.

Logging level.

Available values:

  • trace
  • info
  • warning
  • error

Default setting: info.

period

An optional setting in the 'General settings' group.

Data for assets that have changed during the specified period is exported from MaxPatrol.

No limitations apply.

Default setting: 30d.

strict_import

Optional setting in the 'General settings' group.

When exporting assets from MaxPatrol, check if the required fields for KUMA are filled. Do not export unverified assets from MaxPatrol.

Available values:

  • true to check for the presence of fields that are required for KUMA.
  • false to skip the check for the presence of fields that are required for KUMA.

Default setting: false.

We recommend specifying true when exporting assets from MaxPatrol, this lets you detect and fix possible errors in JSON files before you import assets into XDR.

endpoint

Required setting in the 'KUMA settings' group.

URL of the XDR API server. For example, api.<XDR FQDN>/xdr/

-

token

Required setting in the 'KUMA settings' group.

XDR API token.

-

ignore_server_cert

Optional setting in the 'KUMA settings' group.

Validation of the XDR certificate.

Available values:

  • true to disable certificate validation.
  • false to enable certificate validation.

This setting is not included in the configuration file template. You can manually add this setting with a true value, which will prevent the kuma-ptvm utility from validating the certificate at startup.

endpoint

Required setting in the 'MaxPatrol VM' group.

URL of the MaxPatrol API server.

-

user

Required setting in the 'MaxPatrol VM' group.

MaxPatrol API user name.

-

password

Required setting in the 'MaxPatrol VM' group.

MaxPatrol API user password.

-

secret

Required setting in the 'MaxPatrol VM settings' group.

MaxPatrol API secret.

-

ignore_server_cert

Optional setting in the 'MaxPatrol VM settings' group.

Validation of the MaxPatrol certificate.

Available values:

  • true to disable the validation of the MaxPatrol certificate.
  • false to enable MaxPatrol certificate validation.

This setting is not included in the configuration file template. You can manually add this setting with a true value if the "tls: failed to verify certificate: x509: certificate is valid for localhost" error occurs. In that case, the kuma-ptvm utility does not validate the certificate when it is started.

We recommend issuing a certificate in accordance with the MaxPatrol documentation as the preferred way of resolving the error.

only_exploitable

Optional setting in the 'Vulnerability filter' group.

Export from MaxPatrol only assets with vulnerabilities for which exploits are known.

Available values:

  • true to export only assets with vulnerabilities for which exploits are known.
  • false to export all assets.

Default setting: false.

min_severity

Optional setting in the 'Vulnerability filter' group.

Import only vulnerabilities of the specified level or higher.

Available values:

  • low
  • medium
  • high
  • critical

Default value: low.

id

Required setting in the 'Tenant map' group.

Tenant ID in XDR.

Assets are assigned to tenants in the order in which tenants are specified in the configuration file: the higher a tenant is in the list, the higher its priority. This means you can specify overlapping subnets.

-

fqdn

Optional setting in the 'Tenant map' group.

Regular expression for searching the FQDN of an asset.

-

networks

Optional setting in the 'Tenant map' group.

One or more subnets.

-

default_tenant

Optional setting.

The default XDR tenant for data about assets that could not be allocated to tenants specified in the 'Tenants' group of settings.

-


Assigning a category to an asset

To assign a category to one asset:

  1. In the KUMA Console, go to the Assets section.
  2. Select the category with the relevant assets.

    The assets table is displayed.

  3. Select an asset.
  4. In the opened window, click the Edit button.
  5. In the Categories field, click the parent-category button.
  6. Select a category.

    If you want to move an asset to the Uncategorized assets section, you must delete the existing categories for the asset by clicking the cross button.

  7. Click the Save button.

The category will be assigned.

To assign a category to multiple assets:

  1. In the KUMA Console, go to the Assets section.
  2. Select the category with the relevant assets.

    The assets table is displayed.

  3. Select the check boxes next to the assets for which you want to change the category.
  4. Click the Link to category button.
  5. In the opened window, select a category.
  6. Click the Save button.

The category will be assigned.

Do not assign the Categorized assets category to assets.

Linking a group of assets to a category

To link a group of assets to a category:

  1. In the Assets section of the KUMA Console, select the check box in the heading of the table of assets.
  2. Select all assets visible on the page or all assets that match the selection condition.

    The Link to category button becomes active and opens the available categories.

  3. Click the Link to category button and select one or more categories to link to.
  4. Click OK.

    Assets are linked to the selected categories or folder.

Unlinking a group of assets from a category

To unlink a group of assets from a category:

  1. Select one category (tenant) in the navigation pane.

    The list of assets in that category is displayed.

    The Clean category button is added to the folder properties.

  2. In the context menu of the category, select Clean category.

    A dialog box is displayed with a confirmation prompt and the number of assets that will be unlinked.

    This option lets you unlink all assets in the selected category, not only those that are visible on the page. Assets in child categories are not unlinked.

  3. In the dialog box, click OK.

    All selected assets are unlinked from the selected category.


Editing the parameters of assets

In KUMA, you can edit asset parameters. All the parameters of manually added assets can be edited. For assets imported from Open Single Management Platform, you can only change the name of the asset and its category.

To change the parameters of an asset:

  1. In the Assets section of the KUMA Console, click the asset that you want to edit.

    The Asset details area opens in the right part of the window.

  2. Click the Edit button.

    The Edit asset window opens.

  3. Make the changes you need in the available fields:
    • Asset name (required). This is the only field available for editing if the asset was imported from Open Single Management Platform or KICS/KATA.
    • IP address and/or FQDN (required). You can specify multiple FQDNs separated by commas.
    • MAC address
    • Owner
    • Software info:
      • OS name
      • OS build
    • Hardware info:

      Hardware parameters

      You can add information about asset hardware to the Hardware info section:

      Available fields for describing the asset CPU:

      • CPU name
      • CPU frequency
      • CPU core count

      You can add CPUs to the asset by using the Add CPU link.

      Available fields for describing the asset disk:

      • Disk free bytes
      • Disk volume

      You can add disks to the asset by using the Add disk link.

      Available fields for describing the asset RAM:

      • RAM frequency
      • RAM total bytes

      Available fields for describing the asset network card:

      • Network card name
      • Network card manufacture
      • Network card driver version

      You can add network cards to the asset by using the Add network card link.

    • Custom fields.
    • CII category.
  4. Assign or change the category of the asset:
    1. Click the parent-category button.

      The Select categories window opens.

    2. Select the check boxes next to the categories that should be assigned to the asset.
    3. Click Save.

    The selected categories appear in the Categories fields.

    You can also select the asset and then drag and drop it into the relevant category. This category will be added to the list of asset categories.

    Do not assign the Categorized assets category to assets.

  5. Click the Save button.

Asset parameters have been changed.


Archiving assets

In KUMA, the archival functionality is available for the following types of assets:

  • For assets imported from KSC and KICS.

    If, at the time of import, KUMA did not receive information about the asset, the asset is automatically archived and is stored in the database for the time specified in the Archived assets retention period setting. The default setting is 0 days, which means that archived assets are stored indefinitely. An archived asset becomes active again if KUMA receives information about the asset from the source before the retention period for archived assets expires.

  • Combined assets

    When importing, KUMA performs a check for uniqueness among assets imported from KSC and KICS, and among manually added assets. If the fields of an imported asset and a manually added asset match, the assets are combined into a single asset, which is considered imported and can become archived.

Assets added manually in the console or using the API are not archived.

An asset becomes archived under the following conditions:

  • KUMA did not receive information about the asset from Open Single Management Platform or KICS/KATA.
  • Disabled integration with Open Single Management Platform.

    If you disable integration with Open Single Management Platform, the asset is considered active for 30 days. After 30 days, the asset is automatically archived and is stored in the database for the time specified in the Archived assets retention period.

An asset is not updated in the following cases:

  • Information about the Open Single Management Platform asset has not been updated for more than the retention period of archived assets.
  • Information about the asset does not exist in Open Single Management Platform or KICS/KATA.
  • Connection with the Open Single Management Platform server has not been established for more than 30 days.

Archived assets that participate in dynamic categorization remain archived. An archived asset can have its CII category assigned or changed. If such an asset ends up in an alert or incident, the CII category of the alert or incident also changes, which may affect the visibility of the alert or incident for users with restricted CII access.

To configure the archived assets retention period:

  1. In the KUMA Console, select the Settings → Assets section.

    This opens the Assets window.

  2. Enter the new value in the Archived assets retention period field.

    The default setting is 0 days. This means that archived assets are stored indefinitely.

  3. Click Save.

The retention period for archived assets is configured.

Information about the archived asset remains available for viewing in the alert and incident card.

To view an archived asset card:

  1. In the KUMA Console, select the Alerts or Incidents section.

    A list of alerts or incidents is displayed.

  2. Open the alert or incident card linked to the archived asset.

    You can view the information in the archived asset card.


Deleting assets

If you no longer need to receive information from an asset or information about the asset has not been updated for a long time, you can have KUMA delete the asset. Deletion can be performed by the General administrator, Tenant administrator, Tier 2 analysts, and Tier 1 analysts. If an asset was deleted, but KUMA once again begins receiving information about that asset from Open Single Management Platform, KUMA recreates the asset with a new ID.

In KUMA, you can delete assets in the following ways:

  • Automatically.

    KUMA automatically deletes only archived assets. KUMA deletes an archived asset if the information about the asset has not been updated for longer than the retention period of archived assets.

  • Manually.

To delete an asset manually:

  1. In KUMA Console, in the Assets section, click the asset that you want to delete.

    This opens the Asset information window in the right-hand part of the web interface.

  2. Click the Delete button.

    A confirmation window opens.

  3. Click OK.

The asset is deleted and no longer appears in the alert or incident card.


Bulk deletion of assets

In the KUMA Console, you can select multiple assets using a filter and delete all selected assets.

To delete assets, you must have rights to delete assets.

Bulk deletion of assets

To delete all selected assets:

  1. In the Assets section of the KUMA Console, select the category that contains the relevant assets.

    A table of assets is displayed.

  2. Select the check box in the heading of the table of assets.

    You can delete all assets or all assets currently displayed on the page.

  3. Click Select all in page or Select all.

    The Delete button becomes active.

  4. Click the Delete button.

    This opens a window prompting you to confirm deletion and telling you that deleted assets will not be available in alerts, incidents, and widgets.

    In the lower part of the page, the number of assets selected for deletion is displayed.

  5. Click OK.

    If you clicked Select all, you must enter the displayed generated string into the text box in the window to confirm deletion.

All selected assets are deleted.

Deleting asset folders

To delete a folder, you can either unlink all assets from the folder (which unlinks the assets but does not delete them) and then delete the folder itself, or delete all assets and then delete the folder.


Updating third-party applications and fixing vulnerabilities on Open Single Management Platform assets

You can update third-party applications (including Microsoft applications) that are installed on Open Single Management Platform assets, and fix vulnerabilities in these applications.

First you need to create the Install required updates and fix vulnerabilities task on the selected Open Single Management Platform Administration Server with the following settings:

  • Application—Open Single Management Platform.
  • Task type—Install required updates and fix vulnerabilities.
  • Devices to which the task will be assigned—you need to assign the task to the root administration group.
  • Rules for installing updates:
    • Install approved updates only.
    • Fix vulnerabilities with a severity level equal to or higher than (optional setting).

      If this setting is enabled, updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

  • Scheduled start—the task run schedule.

For details on how to create a task, please refer to the Open Single Management Platform Help Guide.

The Install required updates and fix vulnerabilities task is available with a Vulnerability and Patch Management license.

Next, you need to install updates for third-party applications and fix vulnerabilities on assets in KUMA.

To install updates and fix vulnerabilities in third-party applications on an asset in KUMA:

  1. Open the asset details window in one of the following ways:
    • In the KUMA Console, select Assets → select a category with the relevant assets → select an asset.
    • In the KUMA Console, select Alerts → click the link with the relevant alert → select the asset in the Related endpoints section.
    • In the KUMA Console, select Events → search and filter events → select the relevant event → click the link in one of the following fields: SourceAssetID, DestinationAssetID, or DeviceAssetID.
  2. In the asset details window, expand the list of Open Single Management Platform vulnerabilities.
  3. Select the check boxes next to the applications that you want to update.
  4. Click the Upload updates link.
  5. In the opened window, select the check box next to the ID of the vulnerability that you want to fix.
  6. If No is displayed in the EULA accepted column for the selected ID, click the Approve updates button.
  7. Click the link in the EULA URL column and carefully read the text of the End User License Agreement.
  8. If you agree to it, click the Accept selected EULAs button in the KUMA Console.

    The ID of the vulnerability for which the EULA was accepted shows Yes in the EULA accepted successfully column.

  9. Repeat steps 5–8 for each required vulnerability ID.
  10. Click OK.

Updates will be uploaded and installed on the assets managed by the Administration Server where the task was started, and on the assets of all secondary Administration Servers.

The terms of the End User License Agreement for updates and vulnerability patches must be accepted on each secondary Administration Server separately.

Updates are installed on assets where the vulnerability was detected.

You can update the list of vulnerabilities for an asset in the asset details window by clicking the Update link.

[Topic 235047]

Moving assets to a selected administration group

You can move assets to a selected administration group of Open Single Management Platform. In this case, the group policies and tasks will be applied to the assets. For more details on Open Single Management Platform tasks and policies, please refer to the Open Single Management Platform Help Guide.

Administration groups are added to KUMA when the hierarchy is loaded during import of assets from Open Single Management Platform. First, you need to configure KUMA integration with Open Single Management Platform.

To move an asset to a selected administration group:

  1. Open the asset details window in one of the following ways:
    • In the KUMA Console, select Assets → select a category with the relevant assets → select an asset.
    • In the KUMA Console, select Alerts → click the link with the relevant alert → select the asset in the Related endpoints section.
  2. In the asset details window, click the Move to KSC group button.
  3. Select the group in the opened window.

    The selected group must be owned by the same tenant as the asset.

  4. Click the Save button.

The selected asset will be moved.

To move multiple assets to a selected administration group:

  1. In the KUMA Console, select the Assets section.
  2. Select the category with the relevant assets.
  3. Select the check boxes next to the assets that you want to move to the group.
  4. Click the Move to KSC group button.

    The button is active if all selected assets belong to the same Administration Server.

  5. Select the group in the opened window.
  6. Click the Save button.

The selected assets will be moved.

You can see the specific group of an asset in the asset details.

Open Single Management Platform assets information is updated in KUMA when information about assets is imported from Open Single Management Platform. This means that a situation may arise when assets have been moved between administration groups in Open Single Management Platform, but this information is not yet displayed in KUMA. When an attempt is made to move such an asset to an administration group in which it is already located, KUMA returns the Failed to move assets to another KSC group error.

[Topic 235060]

Asset audit

KUMA can be configured to generate asset audit events under the following conditions:

  • Asset was added to KUMA. The application monitors manual asset creation, as well as creation during import via the REST API and during import from Open Single Management Platform or KICS/KATA.
  • Asset parameters have been changed. A change in the value of the following asset fields is monitored:
    • Name
    • IP address
    • MAC address
    • FQDN
    • Operating system

    Fields may be changed when an asset is updated during import.

  • Asset was deleted from KUMA. The program monitors manual deletion of assets, as well as automatic deletion of assets imported from Open Single Management Platform and KICS/KATA, whose data stopped coming.
  • Vulnerability info was added to the asset. The program monitors the appearance of new vulnerability data for assets. Information about vulnerabilities can be added to an asset, for example, when importing assets from Open Single Management Platform or KICS/KATA.
  • Asset vulnerability was resolved. The program monitors the removal of vulnerability information from an asset. A vulnerability is considered to be resolved if data about this vulnerability is no longer received from any sources from which information about its occurrence was previously obtained.
  • Asset was added to a category. The program monitors the assignment of an asset category to an asset.
  • Asset was removed from a category. The program monitors the deletion of an asset from an asset category.

By default, if asset audit is enabled, under the conditions described above, KUMA creates not only audit events (Type = 4), but also base events (Type = 1).

Asset audit events can be sent to storage or to correlators, for example.

In this section

Configuring an asset audit

Storing and searching asset audit events

Enabling and disabling an asset audit

[Topic 233934]

Configuring an asset audit

To configure an asset audit:

  1. In the KUMA Console, open Settings → Asset audit.
  2. Perform one of the following actions with the tenant for which you want to configure asset audit:
    • Add the tenant by using the Add tenant button if this is the first time you are configuring asset audit for the relevant tenant.

      In the opened Asset audit window, select a name for the new tenant.

    • Select an existing tenant in the table if asset audit has already been configured for the relevant tenant.

      In the opened Asset audit window, the tenant name is already defined and cannot be edited.

    • Clone the settings of an existing tenant to create a copy of the conditions configuration for the tenant for which you are configuring asset audit for the first time. To do so, select the check box next to the tenant whose configuration you need to copy and click Clone. In the opened Asset audit window, select the name of the tenant to use the copied configuration.
  3. For each condition for generating asset audit events, select the destination to where the created events will be sent:
    1. In the group of settings for the relevant type of asset audit events, use the Add destination drop-down list to select the type of destination to which you want to send the created events:
      • Select Storage if you want events to be sent to storage.
      • Select Correlator if you want events to be sent to the correlator.
      • Select Other if you want to select a different destination.

        This type of resource includes correlator and storage services that were created in previous versions of the program.

      In the Add destination window that opens you must define the settings for event forwarding.

    2. Use the Destination drop-down list to select an existing destination or select Create if you want to create a new destination.

      If you are creating a new destination, fill in the settings as indicated in the destination description.

    3. Click Save.

    A destination has been added to the condition for generating asset audit events. Multiple destinations can be added for each condition.

  4. Click Save.

The asset audit has been configured. Asset audit events will be generated only for those conditions for which at least one destination has been added.

[Topic 233948]

Storing and searching asset audit events

Asset audit events are considered to be base events and do not replace audit events. Asset audit events can be searched based on the following parameters:

  Event field            Value
  DeviceVendor           Kaspersky
  DeviceProduct          KUMA
  DeviceEventCategory    Audit assets
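The following is an added example, not KUMA code, showing how the three field values above select asset audit events out of a mixed event stream, and why a correlation or reporting job should additionally filter on the Type field: with base-event generation left at its default, every audit condition appears twice (Type = 1 and Type = 4). The event records are constructed for illustration and their Name values mirror the audit conditions listed earlier; the SQL string is the equivalent filter in the KUMA Console event search.

```python
"""Filter KUMA asset audit events out of a mixed event stream.

Added example, not KUMA code. Events are modelled as dicts keyed by KUMA
event field names; the sample records are constructed for illustration.
"""
from collections import Counter

# Field values KUMA writes into asset audit events.
ASSET_AUDIT_MATCH = {
    "DeviceVendor": "Kaspersky",
    "DeviceProduct": "KUMA",
    "DeviceEventCategory": "Audit assets",
}
TYPE_BASE = 1   # base event
TYPE_AUDIT = 4  # audit event

# Equivalent filter in the KUMA Console event search (SQL syntax).
KUMA_SEARCH_QUERY = (
    "SELECT * FROM `events` "
    "WHERE DeviceVendor = 'Kaspersky' AND DeviceProduct = 'KUMA' "
    "AND DeviceEventCategory = 'Audit assets' "
    "ORDER BY Timestamp DESC LIMIT 250"
)


def is_asset_audit_event(event: dict) -> bool:
    """True if the event carries all three asset audit field values."""
    return all(event.get(k) == v for k, v in ASSET_AUDIT_MATCH.items())


def asset_audit_events(events, event_type=None):
    """Yield asset audit events; optionally restrict to one Type value."""
    for e in events:
        if not is_asset_audit_event(e):
            continue
        if event_type is not None and e.get("Type") != event_type:
            continue
        yield e


def count_by_name(events, event_type=TYPE_AUDIT) -> Counter:
    """Count audit conditions by event Name for a single Type.

    With base events enabled (the default) every condition is emitted as
    both a Type 1 and a Type 4 event, so counting both Types doubles every
    figure.
    """
    return Counter(e.get("Name") for e in asset_audit_events(events, event_type))


# Constructed sample stream: two audit conditions, each emitted as a base
# and an audit event, plus one unrelated normalized event.
SAMPLE_EVENTS = [
    {"Type": 1, "DeviceVendor": "Kaspersky", "DeviceProduct": "KUMA",
     "DeviceEventCategory": "Audit assets", "Name": "Asset was added to KUMA",
     "DeviceAssetID": "a1"},
    {"Type": 4, "DeviceVendor": "Kaspersky", "DeviceProduct": "KUMA",
     "DeviceEventCategory": "Audit assets", "Name": "Asset was added to KUMA",
     "DeviceAssetID": "a1"},
    {"Type": 1, "DeviceVendor": "Kaspersky", "DeviceProduct": "KUMA",
     "DeviceEventCategory": "Audit assets",
     "Name": "Asset vulnerability was resolved", "DeviceAssetID": "a2"},
    {"Type": 4, "DeviceVendor": "Kaspersky", "DeviceProduct": "KUMA",
     "DeviceEventCategory": "Audit assets",
     "Name": "Asset vulnerability was resolved", "DeviceAssetID": "a2"},
    {"Type": 1, "DeviceVendor": "Microsoft", "DeviceProduct": "Windows",
     "DeviceEventCategory": "Logon", "Name": "4624", "DeviceAssetID": "a1"},
]

if __name__ == "__main__":
    print(count_by_name(SAMPLE_EVENTS))            # one per condition
    print(count_by_name(SAMPLE_EVENTS, None))      # doubled: both Types
```

If a rule must fire on each change exactly once, match on Type = 4 (or disable base events for the condition, as described under Enabling and disabling an asset audit) rather than on the three category fields alone.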

[Topic 233950]

Enabling and disabling an asset audit

You can enable or disable asset audit for an individual tenant.

To enable or disable an asset audit for a tenant:

  1. In the KUMA Console, open Settings → Asset audit and select the tenant for which you want to enable or disable an asset audit.

    The Asset audit window opens.

  2. Select or clear the Disabled check box in the upper part of the window.
  3. Click Save.

By default, when asset audit is enabled in KUMA, each audit condition that occurs creates two events at once: a base event (Type = 1) and an audit event (Type = 4).

You can disable the generation of base events while keeping the audit events.

To enable or disable the creation of base events for an individual condition:

  1. In the KUMA Console, open Settings → Asset audit and select the tenant for which you want to enable or disable a condition for generating asset audit events.

    The Asset audit window opens.

  2. Select or clear the Disabled check box next to the relevant conditions.
  3. Click Save.

For conditions with the Disabled check box selected, only audit events are created, and base events are not created.

[Topic 233949]

Custom asset fields

In addition to the existing fields of the asset data model, you can create custom asset fields. Data from the custom asset fields is displayed when you view information about the asset. Custom fields can be filled in with data either manually or using the API.

You can create or edit the custom fields in the KUMA Console in the Settings → Assets section, in the Custom fields table. The table has the following columns:

  • Name – the name of the custom field that is displayed when you view information about the asset.
  • Default value – the value that is written to the custom field when an asset is added to KUMA.
  • Mask – a regular expression to which the value in the custom field must match.

To create a custom asset field:

  1. In the KUMA Console, in the Settings → Assets section, click the Add field button.

    An empty row is added to the Custom fields table. You can add multiple rows with the custom field settings at once.

  2. Fill in the columns with the settings of the custom field:
    • Name (required) – 1 to 128 Unicode characters.
    • Default value – 1 to 1,024 Unicode characters.
    • Mask – 1 to 1,024 Unicode characters.
  3. Click Save.

A custom field is added to the asset data model.

To delete or edit a custom asset field:

  1. In the KUMA Console, open Settings → Assets.
  2. Make the necessary changes in the Custom fields table:
    • To delete a custom field, click the cross icon next to the row with the settings of the required field. Deleting a field also deletes the data written in this field for all assets.
    • You can change the values of the field settings. Changing the default value does not affect the data written in the asset fields before.
    • To change the display order of the fields, drag the rows with the mouse by the drag handle icon.
  3. Click Save.

The changes are made.
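As an added example (not KUMA code), the model below reproduces the custom-field rules stated in this section: the default value is written only when an asset is added, a value must match the field's mask, changing the default does not rewrite values already stored, and deleting a field drops its data from every asset. The class and method names are this example's own; the mask is applied as a whole-value regular expression match, which is an assumption, since the page does not state how KUMA anchors the mask.

```python
"""Model of KUMA custom asset field semantics (default value, mask, deletion).

Added example, not KUMA code. Class and method names are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class CustomField:
    name: str                       # 1 to 128 characters (required)
    default: Optional[str] = None   # 1 to 1,024 characters, if set
    mask: Optional[str] = None      # regular expression, 1 to 1,024 characters

    def __post_init__(self) -> None:
        if not 1 <= len(self.name) <= 128:
            raise ValueError("Name must be 1 to 128 characters")
        for label, v in (("Default value", self.default), ("Mask", self.mask)):
            if v is not None and not 1 <= len(v) <= 1024:
                raise ValueError(f"{label} must be 1 to 1,024 characters")
        if self.mask is not None:
            re.compile(self.mask)  # reject an invalid regular expression early
        if self.default is not None and not self.matches(self.default):
            raise ValueError("Default value does not match Mask")

    def matches(self, value: str) -> bool:
        # Whole-value match (assumption): a mask like [0-9]+ is not satisfied
        # by "12abc", which re.search would accept.
        return self.mask is None or re.fullmatch(self.mask, value) is not None


class AssetInventory:
    def __init__(self) -> None:
        self.fields: Dict[str, CustomField] = {}
        self.assets: Dict[str, Dict[str, str]] = {}  # asset id -> custom values

    def add_field(self, f: CustomField) -> None:
        self.fields[f.name] = f

    def add_asset(self, asset_id: str) -> None:
        # Default values are written to the asset only at creation time.
        self.assets[asset_id] = {
            n: f.default for n, f in self.fields.items() if f.default is not None
        }

    def set_value(self, asset_id: str, name: str, value: str) -> None:
        f = self.fields[name]
        if not f.matches(value):
            raise ValueError(f"{value!r} does not match mask {f.mask!r} for {name}")
        self.assets[asset_id][name] = value

    def change_default(self, name: str, new_default: str) -> None:
        # Only future assets see the new default; stored values are untouched.
        old = self.fields[name]
        self.fields[name] = CustomField(name, new_default, old.mask)

    def delete_field(self, name: str) -> None:
        # Deleting a field also deletes its data for all assets.
        del self.fields[name]
        for values in self.assets.values():
            values.pop(name, None)


def demo() -> Dict[str, Dict[str, str]]:
    """Walk through the four rules and return the resulting asset data."""
    inv = AssetInventory()
    inv.add_field(CustomField("Owner", default="unassigned"))
    inv.add_field(CustomField("Rack", mask=r"R[0-9]{2}-U[0-9]{2}"))
    inv.add_asset("srv-01")                   # Owner = unassigned, no Rack
    inv.set_value("srv-01", "Rack", "R01-U12")  # passes the mask
    inv.change_default("Owner", "infra-team")  # srv-01 keeps "unassigned"
    inv.add_asset("srv-02")                   # Owner = infra-team
    inv.delete_field("Rack")                  # Rack removed from srv-01
    return inv.assets


if __name__ == "__main__":
    print(demo())
```

When filling custom fields through the API, validate against the mask on the client side as well: a rejected write tells you the mask is anchored differently than you assumed before it silently skews inventory data.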

Page top
[Topic 242222]

Critical information infrastructure assets

In KUMA, you can tag assets related to the critical information infrastructure (CII) of the Russian Federation. This allows you to restrict the ability of KUMA users to handle alerts and incidents that are associated with assets related to CII objects.

You can assign the CII category to assets if the license with the GosSOPKA module is active in KUMA.

General administrators and users with the Access to CII facilities check box selected in their profiles can assign the CII category to an asset. If neither condition is met, the following restrictions apply to the user:

  • The CII category group of settings is not displayed in the Asset details and Edit asset windows. You cannot view or change the CII category of an asset.
  • Alerts and incidents associated with the assets of the CII category are not available for viewing. You cannot perform any actions on such alerts and incidents; they are not displayed in the table of alerts and incidents.
  • The CII column is not displayed in the Alerts and Incidents tables.
  • Searching for and closing such alerts via the REST API is not available.

The CII category of an asset is displayed in the Asset details window in the CII category group of settings.

To change the CII category of an asset:

  1. In the KUMA Console, in the Assets section, select the required asset.

    The Asset details window opens.

  2. Click the Edit button and select one of the available values in the drop-down list:
    • Information resource is not a CII object – default value, indicating that the asset does not have a CII category. The users with the Access to CII facilities check box cleared in their profiles can work with such assets and the alerts and incidents related to these assets.
    • CII object without a significance category.
    • CII object of the third category of significance.
    • CII object of the second category of significance.
    • CII object of the first category of significance.
  3. Click Save.
[Topic 242693]