Contents
Importing asset information from MaxPatrol
You can import asset information from the MaxPatrol system into KUMA.
You can use the following import arrangements:
- Importing from reports about scan results of network devices of the MaxPatrol 8 system.
The import is performed through the API by using the maxpatrol-tool. The tool is located in the /opt/kaspersky/kuma/utils directory.
- Importing data from MaxPatrol VM 1.1.
Data is imported via the API by using the kuma_pvtm utility. The archive containing the tool is located in the /opt/kaspersky/kuma/utils directory.
Imported assets are displayed in the KUMA Console in the Assets section. If necessary, you can edit the settings of assets.
Page topImporting data from MaxPatrol reports
Importing asset information form a report is supported for MaxPatrol 8.
To import asset information from a MaxPatrol report:
- In MaxPatrol, generate a network asset scan report in XML file format and copy the report file to the KUMA Core server. For more details about scan tasks and output file formats, refer to the MaxPatrol documentation.
Data cannot be imported from reports in SIEM integration file format. The XML file format must be selected.
- Create a file with the token for accessing the KUMA REST API. For convenience, it is recommended to place it into the MaxPatrol report folder. The file must not contain anything except the token.
Requirements imposed on accounts for which the API token is generated:
- General administrator, Tenant administrator, Tier 2 analyst, or Tier 1 analyst role.
- Access to the tenant into which the assets will be imported.
- Permissions for using API requests GET /users/whoami and POST /api/v1/assets/import have been configured.
To import assets from MaxPatrol, it is recommended to create a separate user with the minimum necessary set of rights to use API requests.
- Copy the maxpatrol-tool to the server hosting the KUMA Core and make the tool's file executable by running the following command:
chmod +x <path to the maxpatrol-tool file on the server hosting the KUMA Core> - Run the maxpatrol-tool:
./maxpatrol-tool --kuma-rest <KUMA REST API server address and port> --token <path and name of API token file> --tenant <name of tenant where assets will reside> <path and name of MaxPatrol report file> --cert <path to the KUMA Core certificate file>You can download the Core certificate in the KUMA Console.
Example:
./maxpatrol-tool --kuma-rest example.kuma.com:7223 --token token.txt --tenant Main example.xml --cert /tmp/ca.certYou can use additional flags and commands for import operations. For example, the command
--verbose, -vwill display a full report on the received assets. A detailed description of the available flags and commands is provided in the table titled Flags and commands of maxpatrol-tool. You can also use the--helpcommand to view information on the available flags and commands.
The asset information will be imported from the MaxPatrol report to KUMA. The console displays information on the number of new and updated assets.
Example: inserted 2 assets; updated 1 asset; errors occurred: [] |
The tool works as follows when importing assets:
- KUMA overwrites the data of assets imported through the API, and deletes information about their resolved vulnerabilities.
- KUMA skips assets with invalid data. Error information is displayed when using the
--verboseflag. - If there are assets with identical IP addresses and fully qualified domain names (FQDN) in the same MaxPatrol report, these assets are merged. The information about their vulnerabilities and software is also merged into one asset.
When uploading assets from MaxPatrol, assets that have equivalent IP addresses and fully qualified domain names (FQDN) that were previously imported from Open Single Management Platform are overwritten.
To avoid this problem, you must configure range-based asset filtering by running the following command:
--ignore <IP address ranges> or -i <IP address ranges>Assets that satisfy the filtering criteria are not uploaded. For a description of this command, please refer to the table titled Flags and commands of maxpatrol-tool.
Flags and commands of maxpatrol-tool
Flags and commands |
Description |
|---|---|
|
Address (with the port) of KUMA Core server where assets will be imported. For example, Port 7223 is used for API requests by default. You can change the port if necessary. |
|
Path and name of the file containing the token used to access the REST API. This file must contain only the token. The account for which you are generating an API token must have the General administrator, Tenant administrator, Tier 2 administrator, or Tier 1 administrator role. |
|
Name of the KUMA tenant in which the assets from the MaxPatrol report will be imported. |
|
This command uses DNS to enrich IP addresses with FQDNs from the specified ranges if the FQDNs for these addresses were not already specified. Example: |
|
Address of the DNS server that the tool must contact to receive FQDN information. Example: |
|
Address ranges of assets that should be skipped during import. Example: |
|
Output of the complete report on received assets and any errors that occurred during the import process. |
|
Get reference information on the tool or a command. Examples:
|
|
Get information about the version of the maxpatrol-tool. |
|
Creation of an autocompletion script for the specified shell. |
|
Path to the KUMA Core certificate. By default, the certificate is located in the folder with the application installed: /opt/kaspersky/kuma/core/certificates/ca.cert. |
Examples:
./maxpatrol-tool --kuma-rest example.kuma.com:7223 --token token.txt --tenant Main example.xml --cert /example-directory/ca.cert– import assets to KUMA from MaxPatrol report example.xml../maxpatrol-tool help—get reference information on the tool.
Possible errors
Error message |
Description |
|---|---|
must provide path to xml file to import assets |
The path to the MaxPatrol report file was not specified. |
incorrect IP address format |
Invalid IP address format. This error may arise when incorrect IP ranges are indicated. |
no tenants match specified name |
No suitable tenants were found for the specified tenant name using the REST API. |
unexpected number of tenants (%v) match specified name. Tenants are: %v |
KUMA returned more than one tenant for the specified tenant name. |
could not parse file due to error: %w |
Error reading the XML file containing the MaxPatrol report. |
error decoding token: %w |
Error reading the API token file. |
error when importing files to KUMA: %w |
Error transferring asset information to KUMA. |
skipped asset with no FQDN and IP address |
One of the assets in the report did not have an FQDN or IP address. Information about this asset was not sent to KUMA. |
skipped asset with invalid FQDN: %v |
One of the assets in the report had an incorrect FQDN. Information about this asset was not sent to KUMA. |
skipped asset with invalid IP address: %v |
One of the assets in the report had an incorrect IP address. Information about this asset was not sent to KUMA. |
KUMA response: %v |
An error occurred with the specified report when importing asset information. |
unexpected status code %v |
An unexpected HTTP code was received when importing asset information from KUMA. |
Importing asset information from MaxPatrol VM
The KUMA distribution kit includes the kuma-ptvm utility, which consists of an executable file and a configuration file. The utility is supported on Windows and Linux operating systems. The utility allows you to connect to the MaxPatrol VM API to get data about devices and their attributes, including vulnerabilities, and also lets you edit asset data and import data using the KUMA API. Importing data is supported for MaxPatrol VM 2.6.
Configuring the import of asset information from MaxPatrol VM to KUMA proceeds in stages:
- Preparing KUMA and MaxPatrol VM.
You must create user accounts and a KUMA token for API operations.
- Creating a configuration file with data export and import settings.
- Importing asset data into KUMA using the kuma-ptvm utility:
- The data is exported from MaxPatrol VM and saved in the directory of the utility. Information for each tenant is saved to a separate file in JSON format.
If necessary, you can edit the received files.
- Information from files is imported into KUMA.
- The data is exported from MaxPatrol VM and saved in the directory of the utility. Information for each tenant is saved to a separate file in JSON format.
When re-importing existing assets, assets that already exist in KUMA are overwritten. In this way, fixed vulnerabilities are removed.
Known limitations
If the same IP address is specified for two assets with different FQDNs, KUMA imports such assets as two different assets; the assets are not combined.
If an asset has two softwares with the same data in the name, version, vendor fields, KUMA imports this data as one software, despite the different software installation paths in the asset.
If the FQDN of an asset contains a space or underscore ("_"), data for such assets is not imported into KUMA, and the log indicates that the assets were skipped during import.
If an error occurs during import, error details are logged and the import stops.
Preparatory actions
- Create a separate user account in KUMA and in MaxPatrol VM with the minimum necessary set of permissions to use API requests.
- Create user accounts for which you will lager generate an API token.
Requirements imposed on accounts for which the API token is generated:
- General administrator, Tenant administrator, Tier 2 analyst, or Tier 1 analyst role.
- Access to the tenant into which the assets will be imported.
- In the user account, under API access rights, the check box is selected for POST/api/v1/assets/import.
- Generate a token for access to the KUMA REST API.
Creating the configuration file
To create the configuration file:
- Go to the KUMA installer folder by executing the following command:
cd kuma-ansible-installer - Copy the kuma-ptvm-config-template.yaml template to create a configuration file named kuma-ptvm-config.yaml:
cp kuma-ptvm-config-template.yaml kuma-ptvm-config.yaml - Edit the settings in the kuma-ptvm-config.yaml configuration file.
- Save the changes to the file.
The configuration file will be created. Go to the Importing asset data step.
Importing asset data
To import asset information:
- If you want to import asset information from MaxPatrol VM into KUMA without intermediate verification of the exported data, run the kuma-ptvm utility with the following options:
kuma-ptvm --config <path to the kuma-ptvm-config.yaml file> --download --upload - If you want to check the correctness of data exported from MaxPatrol VM before importing it into KUMA:
- Run the kuma-ptvm utility with the following options:
kuma-ptvm --config <path to the kuma-ptvm-config.yaml file> --downloadFor each tenant specified in the configuration file, a separate file is created with a name of the form <KUMA tenant ID>.JSON. Also, during export, a 'tenants' file is created, containing a list of JSON files to be uploaded to KUMA. All files are saved in the utility's directory.
- Review the exported asset files and if necessary, make the following edits:
- Assign assets to their corresponding tenants.
- Manually transfer asset data from the 'default' tenant file to the files of the relevant tenants.
- In the 'tenants' file, edit the list of tenants whose assets you want to import into KUMA.
- Import asset information into KUMA:
kuma-ptvm --config <path to the kuma-ptvm-config.yaml file> --upload
To view information about the available commands of the utility, run the --help command.
- Run the kuma-ptvm utility with the following options:
The asset information is imported from MaxPatrol VM to KUMA. The console displays information on the number of new and updated assets.
Possible errors
When running the kuma-ptvm utility, the "tls: failed to verify certificate: x509: certificate is valid for localhost" error may be returned.
Solution.
- Issue a certificate in accordance with the MaxPatrol documentation. We recommend resolving the error in this way.
- Disable certificate validation.
To disable certificate validation, add the following line to the configuration file in the 'MaxPatrol settings' section:
ignore_server_cert: true
As a result, the utility is started without errors.
Page topThe table lists the settings that you can specify in the kuma-ptvm-config.yaml file.
Description of settings in the kuma-ptvm-config.yaml configuration file
Setting |
Description |
Values |
|---|---|---|
|
An optional setting in the 'General settings' group. Logging level. |
Available values:
Default setting: |
|
An optional setting in the 'General settings' group. Data for assets that have changed during the specified period is exported from MaxPatrol. |
No limitations apply. Default setting: 30d. |
|
Optional setting in the 'General settings' group. When exporting assets from MaxPatrol, check if the required fields for KUMA are filled. Do not export unverified assets from MaxPatrol. |
Available values:
Default setting: We recommend specifying |
|
Required setting in the 'KUMA settings' group. URL of the KUMA API server. For example, kuma-example.com:7223 |
- |
|
Required setting in the 'KUMA settings' group. KUMA API token. |
- |
|
Optional setting in the 'KUMA settings' group. Validation of the KUMA certificate. |
Available values:
This setting is not included in the configuration file template. You can manually add this setting with a true value, which will prevent the kuma-ptvm utility from validating the certificate at startup. |
|
Required setting in the 'MaxPatrol VM' group. URL of the MaxPatrol API server. |
- |
|
Required setting in the 'MaxPatrol VM' group. MaxPatrol API user name. |
- |
|
Required setting in the 'MaxPatrol VM' group. MaxPatrol API user password. |
- |
|
Required setting in the 'MaxPatrol VM settings' group. MaxPatrol API secret. |
- |
|
Optional setting in the 'MaxPatrol VM settings' group. Validation of the MaxPatrol certificate. |
Available values:
This setting is not included in the configuration file template. You can manually add this setting with a true value if the "tls: failed to verify certificate: x509: certificate is valid for localhost" error occurs. In that case, the kuma-ptvm utility does not validate the certificate when it is started. We recommend issuing a certificate in accordance with the MaxPatrol documentation as the preferred way of resolving the error. |
|
Optional setting in the 'Vulnerability filter' group. Export from MaxPatrol only assets with vulnerabilities for which exploits are known. |
Available values:
Default setting: |
|
Optional setting in the 'Vulnerability filter' group. Import only vulnerabilities of the specified level or higher. |
Available values:
Default value: |
|
Required setting in the 'Tenant map' group. Tenant ID in KUMA. Assets are assigned to tenants in the order in which tenants are specified in the configuration file: the higher a tenant is in the list, the higher its priority. This means you can specify overlapping subnets. |
- |
|
Optional setting in the 'Tenant map' group. Regular expression for searching the FQDN of an asset. |
- |
|
Optional setting in the 'Tenant map' group. One or more subnets. |
- |
|
Optional setting. The default KUMA tenant for data about assets that could not be allocated to tenants specified in the 'Tenants' group of settings. |
- |