Kaspersky Next XDR Expert
1.2

Contents

Adding assets

You can add asset information to KUMA in the following ways:

  • Manually.

    You can add an asset using the KUMA Console or the API. In this case, you must manually specify the following information: address, FQDN, name and version of the operating system, hardware information. Information about the vulnerabilities of assets cannot be added through the web interface. You can provide information about vulnerabilities if you add assets using the API.

  • Import assets.

    You can import assets from Open Single Management Platform, KICS/KATA, and MaxPatrol reports.

  • Import assets.

When adding assets, assets that already exist in KUMA can be merged with the assets being added.

Asset merging algorithm:

  1. Checking the uniqueness of assets in Open Single Management Platform or KICS/KATA assets.
    • The uniqueness of an asset imported from Open Single Management Platform is determined by the Host ID parameter, which contains the Open Single Management Platform Network Agent Network Agent identifier. If two assets' IDs differ, they are considered to be separate assets and are not merged.
    • The uniqueness of an asset imported from KICS/KATA is determined by the combination of the IP address, KICS/KATA server IP address, and KICS/KATA connector ID parameters. If any of the parameters of two assets differ they are considered to be separate assets and are not merged.

    If the compared assets match, the algorithm is performed further.

  2. Make sure that the values in the IP, MAC, and FQDN fields match.

    If at least two of the specified fields match, the assets are combined, provided that the other fields are blank.

    Possible matches:

    • The FQDN and IP address of the assets match. The MAC field is blank.

      The check is performed against the entire array of IP address values. If the IP address of an asset is included in the FQDN, the values are considered to match.

    • The FQDN and MAC address of the assets match. The IP field is blank.

      The check is performed against the entire array of MAC address values. If at least one value of the array fully matches the FQDN, the values are considered to match.

    • The IP address and MAC address of the assets match. The FQDN field is blank.

      The check is performed against the entire array of IP- and MAC address values. If at least one value in the arrays is fully matched, the values are considered to match.

  3. Make sure that the values of at least one of the IP, MAC, or FQDN fields match, provided that the other two fields are not filled in for one or both assets.

    Assets are merged if the values in the field match. For example, if the FQDN and IP address are specified for a KUMA asset, but only the IP address with the same value is specified for an imported asset, the fields match. In this case, the assets are merged.

    For each field, verification is performed separately and ends on the first match.

You can see examples of asset field comparison here.

Information about assets can be generated from various sources. If the added asset and the KUMA asset contain data received from the same source, this data is overwritten. For example, a Open Single Management Platform asset receives a fully qualified domain name, software information, and host ID when imported into KUMA. When importing an asset from Open Single Management Platform with an equivalent fully qualified domain name, all this data will be overwritten (if it has been defined for the added asset). All fields in which the data can be refreshed are listed in the Updatable data table.

Updatable data

Field name

Update procedure

Name

Selected according to the following priority:

  • Manually defined.
  • Received from Open Single Management Platform.
  • Received by KICS/KATA.

Owner

The first value from the sources is selected according to the following priority:

  • Received from Open Single Management Platform.
  • Manually defined.

IP address

The data is merged. If the array of addresses contains identical addresses, the copy of the duplicate address is deleted.

FQDN

The first value from the sources is selected according to the following priority:

  • Received from Open Single Management Platform.
  • Received by KICS/KATA.
  • Manually defined.

MAC address

The data is merged. If the array of addresses contains identical addresses, one of the duplicate addresses is deleted.

Operating system

The first value from the sources is selected according to the following priority:

  • Received from Open Single Management Platform.
  • Received by KICS/KATA.
  • Manually defined.

Vulnerabilities

KUMA asset data is supplemented with information from the added assets. In the asset details, data is grouped by the name of the source.

Vulnerabilities are eliminated for each source separately.

Software info

Data from KICS/KATA is always recorded (if available).

For other sources, the first value is selected according to the following priority:

  • Received from Open Single Management Platform.
  • Manually defined.

Hardware info

The first value from the sources is selected according to the following priority:

  • Received from Open Single Management Platform.
  • Defined via the API.

The updated data is displayed in the asset details. You can view asset details in the KUMA Console.

This data may be overwritten when new assets are added. If the data used to generate asset information is not updated from sources for more than 30 days, the asset is deleted. The next time you add an asset from the same sources, a new asset is created.

If the KUMA Console is used to edit asset information that was received from Open Single Management Platform or KICS/KATA, you can edit the following asset information:

  • Name.
  • Category.

If asset information was added manually, you can edit the following asset data when editing these assets in the KUMA Console:

  • Name.
  • Name of the tenant that owns the asset.
  • IP address.
  • Fully qualified domain name.
  • MAC address.
  • Owner.
  • Category.
  • Operating system.
  • Hardware info.

Asset data cannot be edited via the REST API. When importing from the REST API, the data is updated according to the rules for merging asset details provided above.

In this section

Adding asset information in the KUMA Console

Importing asset information and asset vulnerability information from Open Single Management Platform

Importing asset information from MaxPatrol

Importing asset information from KICS for Networks

Examples of asset field comparison during import

Settings of the kuma-ptvm-config.yaml configuration file
Page top
[Topic 233855]

Adding asset information in the KUMA Console

To add an asset in the KUMA Console:

  1. In the Assets section of the KUMA Console, click the Add asset button.

    The Add asset details area opens in the right part of the window.

  2. Enter the asset parameters:
    • Asset name (required).
    • Tenant (required).
    • IP address and/or FQDN (required). You can specify multiple FQDNs separated by commas.
    • MAC address.
    • Owner.
  3. If required, assign one or multiple categories to the asset:
    1. Click the parent-category button.

      Select categories window opens.

    2. Select the check boxes next to the categories that should be assigned to the asset. You can use the plus and minus icons to expand or collapse the lists of categories.
    3. Click Save.

    The selected categories appear in the Categories fields.

  4. If required, add information about the operating system installed on the asset in the Software section.
  5. If required, add information about asset hardware in the Hardware info section.
  6. Click Add.

The asset is created and displayed in the assets table in the category assigned to it or in the Uncategorized assets category.

Page top
[Topic 217798]

Importing asset information and asset vulnerability information from Open Single Management Platform

Expand all | Collapse all

All assets that are protected by Open Single Management Platform are registered in it. You can import into KUMA the information about assets or vulnerabilities of assets that Open Single Management Platform protects. To do so, you need to configure integration between the applications in advance.

In Open Single Management Platform integration settings, you can configure the frequency of automatic import of information about assets, and, if necessary, import assets manually. Importing assets manually does not affect the time of the next scheduled import. From the Open Single Management Platform database, KUMA imports information about devices with installed Open Single Management Platform Network Agent that has connected to Open Single Management Platform, that is, has a non-empty 'Connection time' field in the SQL database.

KUMA imports the following device information received from Open Single Management Platform Network Agents:

  • Basic information about the asset: name, address, time of connection to Open Single Management Platform, hardware information, protection status, anti-virus database versions
  • Information about asset attributes: vulnerabilities; software, including the operating system; owners of the asset

By default, basic asset information is imported every hour, and information about asset attributes is imported every 12 hours. Attribute information is imported only for existing assets, not for new or deleted assets.

If Open Single Management Platform encounters errors while running the import tasks, KUMA displays such errors. If basic asset information is not available in KUMA during the import of asset attribute information (for example, if the assets were deleted during the import), the task completes without errors, but the attribute information for these assets is not loaded.

KUMA provides the following ways of importing information about assets or asset vulnerabilities from KSC:

  • Importing asset information and asset vulnerability information for assets of all KSC Servers.

    To import information about assets or asset vulnerabilities of all Open Single Management Platform Servers:

    1. In the KUMA Console, go to the Assets section.
    2. Import asset information and asset vulnerability information for assets in one of the following ways:
      • If you want to import information about the basic parameters of assets (protection status, versions of anti-virus databases, hardware), click the Import KSC assets button.
      • If you want to import information about other parameters of assets (vulnerabilities, software, owners), click the Import KSC assets attributes.
    3. In the displayed window, select the tenant for which you want to perform the import. By default, All tenants is selected, which means the import is performed for all tenants.
    4. Click OK.

    Information about the assets or asset vulnerabilities of Open Single Management Platform servers is imported into KUMA.

  • Importing asset information and asset vulnerability information for assets of an individual KSC Server.

    To import information about assets or asset vulnerabilities of an individual Open Single Management Platform Server:

    1. In the KUMA Console, go to the Settings → Open Single Management Platform section.

      The Open Single Management Platform integration by tenant window opens.

    2. Select the tenant for which you want to perform the import.

      The Open Single Management Platform integration window opens.

    3. In the Connections table, click the connection to the selected Open Single Management Platform Server.

      This opens the connection settings window.

    4. If the Open Single Management Platform Server has secondary servers or groups, and you do not want to import information about their assets or vulnerabilities:
      1. Click the Load hierarchy button.
      2. Clear the check boxes next to the secondary Servers or groups for which you do not want to perform the import. By default, the check boxes are selected.
      3. If you want to import asset information or asset vulnerability information from new groups, select the Import assets from new groups check box. This check box is cleared by default.
      4. Click the Save button.
    5. Import asset information and asset vulnerability information for assets in one of the following ways:
      • If you want to import information about the basic parameters of assets (protection status, versions of anti-virus databases, hardware), click the Import KSC assets button.
      • If you want to import information about other parameters of assets (vulnerabilities, software, owners), click the Import KSC assets attributes.

    Information about the assets or asset vulnerabilities of the selected Open Single Management Platform Server is imported into KUMA.

Page top
[Topic 217893]

Importing asset information from MaxPatrol

You can import asset information from the MaxPatrol system into KUMA.

You can use the following import arrangements:

Imported assets are displayed in the KUMA Console in the Assets section. If necessary, you can edit the settings of assets.

Page top
[Topic 228184]

Importing data from MaxPatrol reports

Importing asset information form a report is supported for MaxPatrol 8.

To import asset information from a MaxPatrol report:

  1. In MaxPatrol, generate a network asset scan report in XML file format and copy the report file to the KUMA Core server. For more details about scan tasks and output file formats, refer to the MaxPatrol documentation.

    Data cannot be imported from reports in SIEM integration file format. The XML file format must be selected.

  2. Create a file with the token for accessing the KUMA REST API. For convenience, it is recommended to place it into the MaxPatrol report folder. The file must not contain anything except the token.

    Requirements imposed on accounts for which the API token is generated:

    • General administrator, Tenant administrator, Tier 2 analyst, or Tier 1 analyst role.
    • Access to the tenant into which the assets will be imported.
    • Permissions for using API requests GET /users/whoami and POST /api/v1/assets/import have been configured.

      To import assets from MaxPatrol, it is recommended to create a separate user with the minimum necessary set of rights to use API requests.

  3. Copy the maxpatrol-tool to the server hosting the KUMA Core and make the tool's file executable by running the following command:

    chmod +x <path to the maxpatrol-tool file on the server hosting the KUMA Core>

  4. Run the maxpatrol-tool:

    ./maxpatrol-tool --kuma-rest <KUMA REST API server address and port> --token <path and name of API token file> --tenant <name of tenant where assets will reside> <path and name of MaxPatrol report file> --cert <path to the KUMA Core certificate file>

    You can download the Core certificate in the KUMA Console.

    Example: ./maxpatrol-tool --kuma-rest example.kuma.com:7223 --token token.txt --tenant Main example.xml --cert /tmp/ca.cert

    You can use additional flags and commands for import operations. For example, the command --verbose, -v will display a full report on the received assets. A detailed description of the available flags and commands is provided in the table titled Flags and commands of maxpatrol-tool. You can also use the --help command to view information on the available flags and commands.

The asset information will be imported from the MaxPatrol report to KUMA. The console displays information on the number of new and updated assets.

Example:

inserted 2 assets;

updated 1 asset;

errors occurred: []

The tool works as follows when importing assets:

  • KUMA overwrites the data of assets imported through the API, and deletes information about their resolved vulnerabilities.
  • KUMA skips assets with invalid data. Error information is displayed when using the --verbose flag.
  • If there are assets with identical IP addresses and fully qualified domain names (FQDN) in the same MaxPatrol report, these assets are merged. The information about their vulnerabilities and software is also merged into one asset.

    When uploading assets from MaxPatrol, assets that have equivalent IP addresses and fully qualified domain names (FQDN) that were previously imported from Open Single Management Platform are overwritten.

    To avoid this problem, you must configure range-based asset filtering by running the following command:

    --ignore <IP address ranges> or -i <IP address ranges>

    Assets that satisfy the filtering criteria are not uploaded. For a description of this command, please refer to the table titled Flags and commands of maxpatrol-tool.

Flags and commands of maxpatrol-tool

Flags and commands

Description

--kuma-rest <KUMA REST API server port and address>, -a <KUMA REST API server port and address>

Address (with the port) of KUMA Core server where assets will be imported. For example, example.kuma.com:7223.

Port 7223 is used for API requests by default. You can change the port if necessary.

--token <path and name of API token file>, -t <path and name of API token file>

Path and name of the file containing the token used to access the REST API. This file must contain only the token.

The account for which you are generating an API token must have the General administrator, Tenant administrator, Tier 2 administrator, or Tier 1 administrator role.

--tenant <tenant name>, -T <tenant name>

Name of the KUMA tenant in which the assets from the MaxPatrol report will be imported.

--dns <IP address ranges> or -d <IP address ranges>

This command uses DNS to enrich IP addresses with FQDNs from the specified ranges if the FQDNs for these addresses were not already specified.

Example: --dns 0.0.0.0-9.255.255.255,11.0.0.0-255.255.255,10.0.0.2

--dns-server <DNS server IP address>, -s <DNS server IP address>

Address of the DNS server that the tool must contact to receive FQDN information.

Example: --dns-server 8.8.8.8

--ignore <IP address ranges> or -i <IP address ranges>

Address ranges of assets that should be skipped during import.

Example: --ignore 8.8.0.0-8.8.255.255, 10.10.0.1

--verbose, -v

Output of the complete report on received assets and any errors that occurred during the import process.

--help, -h

help

Get reference information on the tool or a command.

Examples:

./maxpatrol-tool help

./maxpatrol-tool <command> --help

version

Get information about the version of the maxpatrol-tool.

completion

Creation of an autocompletion script for the specified shell.

--cert <path to file with the KUMA Core certificate>

Path to the KUMA Core certificate. By default, the certificate is located in the folder with the application installed: /opt/kaspersky/kuma/core/certificates/ca.cert.

Examples:

  • ./maxpatrol-tool --kuma-rest example.kuma.com:7223 --token token.txt --tenant Main example.xml --cert /example-directory/ca.cert – import assets to KUMA from MaxPatrol report example.xml.
  • ./maxpatrol-tool help—get reference information on the tool.

Possible errors

Error message

Description

must provide path to xml file to import assets

The path to the MaxPatrol report file was not specified.

incorrect IP address format

Invalid IP address format. This error may arise when incorrect IP ranges are indicated.

no tenants match specified name

No suitable tenants were found for the specified tenant name using the REST API.

unexpected number of tenants (%v) match specified name. Tenants are: %v

KUMA returned more than one tenant for the specified tenant name.

could not parse file due to error: %w

Error reading the XML file containing the MaxPatrol report.

error decoding token: %w

Error reading the API token file.

error when importing files to KUMA: %w

Error transferring asset information to KUMA.

skipped asset with no FQDN and IP address

One of the assets in the report did not have an FQDN or IP address. Information about this asset was not sent to KUMA.

skipped asset with invalid FQDN: %v

One of the assets in the report had an incorrect FQDN. Information about this asset was not sent to KUMA.

skipped asset with invalid IP address: %v

One of the assets in the report had an incorrect IP address. Information about this asset was not sent to KUMA.

KUMA response: %v

An error occurred with the specified report when importing asset information.

unexpected status code %v

An unexpected HTTP code was received when importing asset information from KUMA.

Page top
[Topic 265426]

Importing asset information from MaxPatrol VM

The KUMA distribution kit includes the kuma-ptvm utility, which consists of an executable file and a configuration file. The utility is supported on Windows and Linux operating systems. The utility allows you to connect to the MaxPatrol VM API to get data about devices and their attributes, including vulnerabilities, and also lets you edit asset data and import data using the KUMA API. Importing data is supported for MaxPatrol VM 2.6.

Configuring the import of asset information from MaxPatrol VM to KUMA proceeds in stages:

  1. Preparing KUMA and MaxPatrol VM.

    You must create user accounts and a KUMA token for API operations.

  2. Creating a configuration file with data export and import settings.
  3. Importing asset data into KUMA using the kuma-ptvm utility:
    1. The data is exported from MaxPatrol VM and saved in the directory of the utility. Information for each tenant is saved to a separate file in JSON format.

      If necessary, you can edit the received files.

    2. Information from files is imported into KUMA.

When re-importing existing assets, assets that already exist in KUMA are overwritten. In this way, fixed vulnerabilities are removed.

Known limitations

If the same IP address is specified for two assets with different FQDNs, KUMA imports such assets as two different assets; the assets are not combined.

If an asset has two softwares with the same data in the name, version, vendor fields, KUMA imports this data as one software, despite the different software installation paths in the asset.

If the FQDN of an asset contains a space or underscore ("_"), data for such assets is not imported into KUMA, and the log indicates that the assets were skipped during import.

If an error occurs during import, error details are logged and the import stops.

Preparatory actions

  1. Create a separate user account in KUMA and in MaxPatrol VM with the minimum necessary set of permissions to use API requests.
  2. Create user accounts for which you will lager generate an API token.

    Requirements imposed on accounts for which the API token is generated:

    • General administrator, Tenant administrator, Tier 2 analyst, or Tier 1 analyst role.
    • Access to the tenant into which the assets will be imported.
    • In the user account, under API access rights, the check box is selected for POST/api/v1/assets/import.
  3. Generate a token for access to the KUMA REST API.

Creating the configuration file

To create the configuration file:

  1. Go to the KUMA installer folder by executing the following command:

    cd kuma-ansible-installer

  2. Copy the kuma-ptvm-config-template.yaml template to create a configuration file named kuma-ptvm-config.yaml:

    cp kuma-ptvm-config-template.yaml kuma-ptvm-config.yaml

  3. Edit the settings in the kuma-ptvm-config.yaml configuration file.
  4. Save the changes to the file.

The configuration file will be created. Go to the Importing asset data step.

Importing asset data

To import asset information:

  1. If you want to import asset information from MaxPatrol VM into KUMA without intermediate verification of the exported data, run the kuma-ptvm utility with the following options:

    kuma-ptvm --config <path to the kuma-ptvm-config.yaml file> --download --upload

  2. If you want to check the correctness of data exported from MaxPatrol VM before importing it into KUMA:
    1. Run the kuma-ptvm utility with the following options:

      kuma-ptvm --config <path to the kuma-ptvm-config.yaml file> --download

      For each tenant specified in the configuration file, a separate file is created with a name of the form <KUMA tenant ID>.JSON. Also, during export, a 'tenants' file is created, containing a list of JSON files to be uploaded to KUMA. All files are saved in the utility's directory.

    2. Review the exported asset files and if necessary, make the following edits:
      • Assign assets to their corresponding tenants.
      • Manually transfer asset data from the 'default' tenant file to the files of the relevant tenants.
      • In the 'tenants' file, edit the list of tenants whose assets you want to import into KUMA.
    3. Import asset information into KUMA:

      kuma-ptvm --config <path to the kuma-ptvm-config.yaml file> --upload

    To view information about the available commands of the utility, run the --help command.

The asset information is imported from MaxPatrol VM to KUMA. The console displays information on the number of new and updated assets.

Possible errors

When running the kuma-ptvm utility, the "tls: failed to verify certificate: x509: certificate is valid for localhost" error may be returned.

Solution.

  • Issue a certificate in accordance with the MaxPatrol documentation. We recommend resolving the error in this way.
  • Disable certificate validation.

    To disable certificate validation, add the following line to the configuration file in the 'MaxPatrol settings' section:

    ignore_server_cert: true

As a result, the utility is started without errors.

Page top
[Topic 265427]

Settings of the kuma-ptvm-config.yaml configuration file

The table lists the settings that you can specify in the kuma-ptvm-config.yaml file.

Description of settings in the kuma-ptvm-config.yaml configuration file

Setting

Description

Values

log_level

An optional setting in the 'General settings' group.

Logging level.

Available values:

  • trace
  • info
  • warning
  • error

Default setting: info.

period

An optional setting in the 'General settings' group.

Data for assets that have changed during the specified period is exported from MaxPatrol.

No limitations apply.

Default setting: 30d.

strict_import

Optional setting in the 'General settings' group.

When exporting assets from MaxPatrol, check if the required fields for KUMA are filled. Do not export unverified assets from MaxPatrol.

Available values:

  • true to check for the presence of fields that are required for KUMA.
  • false to skip the check for the presence of fields that are required for KUMA.

Default setting: false.

We recommend specifying true when exporting assets from MaxPatrol, this lets you detect and fix possible errors in JSON files before you import assets into KUMA.

endpoint

Required setting in the 'KUMA settings' group.

URL of the KUMA API server. For example, kuma-example.com:7223

-

token

Required setting in the 'KUMA settings' group.

KUMA API token.

-

ignore_server_cert

Optional setting in the 'KUMA settings' group.

Validation of the KUMA certificate.

Available values:

  • true to disable KUMA certificate validation.
  • false to enable KUMA certificate validation.

This setting is not included in the configuration file template. You can manually add this setting with a true value, which will prevent the kuma-ptvm utility from validating the certificate at startup.

endpoint

Required setting in the 'MaxPatrol VM' group.

URL of the MaxPatrol API server.

-

user

Required setting in the 'MaxPatrol VM' group.

MaxPatrol API user name.

-

password

Required setting in the 'MaxPatrol VM' group.

MaxPatrol API user password.

-

secret

Required setting in the 'MaxPatrol VM settings' group.

MaxPatrol API secret.

-

ignore_server_cert

Optional setting in the 'MaxPatrol VM settings' group.

Validation of the MaxPatrol certificate.

Available values:

  • true to disable the validation of the MaxPatrol certificate.
  • true to enable MaxPatrol certificate validation.

This setting is not included in the configuration file template. You can manually add this setting with a true value if the "tls: failed to verify certificate: x509: certificate is valid for localhost" error occurs. In that case, the kuma-ptvm utility does not validate the certificate when it is started.

We recommend issuing a certificate in accordance with the MaxPatrol documentation as the preferred way of resolving the error.

only_exploitable

Optional setting in the 'Vulnerability filter' group.

Export from MaxPatrol only assets with vulnerabilities for which exploits are known.

Available values:

  • true to export only assets with vulnerabilities for which exploits are known.
  • false to export all assets.

Default setting: false.

min_severity

Optional setting in the 'Vulnerability filter' group.

Import only vulnerabilities of the specified level or higher.

Available values:

  • low
  • medium
  • high
  • critical

Default value: low.

id

Required setting in the 'Tenant map' group.

Tenant ID in KUMA.

Assets are assigned to tenants in the order in which tenants are specified in the configuration file: the higher a tenant is in the list, the higher its priority. This means you can specify overlapping subnets.

-

fqdn

Optional setting in the 'Tenant map' group.

Regular expression for searching the FQDN of an asset.

-

networks

Optional setting in the 'Tenant map' group.

One or more subnets.

-

default_tenant

Optional setting.

The default KUMA tenant for data about assets that could not be allocated to tenants specified in the 'Tenants' group of settings.

-

Page top
[Topic 267952]

Importing asset information from KICS for Networks

After configuring KICS for Networks integration, tasks to obtain data about KICS for Networks assets are created automatically. This occurs:

  • Immediately after creating a new integration.
  • Immediately after changing the settings of an existing integration.
  • According to a regular schedule every several hours. Every 12 hours by default. The schedule can be changed.

Account data update tasks can be created manually.

To start a task to update KICS/KATA asset information for a tenant:

  1. In the KUMA Console, open the Settings → KICS/KATA section.
  2. Select the relevant tenant.

    This opens the KICS/KATA server integration window.

  3. Click the Import assets button.

A task to receive account data from the selected tenant is added to the Task manager section of the KUMA Console.

Page top
[Topic 233671]

Examples of asset field comparison during import

Each imported asset is compared to the matching KUMA asset.

Checking for two-field value match in the IP, MAC, and FQDN fields

Compared assets

Compared fields

FQDN

IP

MAC

KUMA asset

Filled in

Filled in

Empty

Imported asset 1

Filled in, matching

Filled in, matching

Filled in

Imported asset 2

Filled in, matching

Filled in, matching

Empty

Imported asset 3

Filled in, matching

Empty

Filled in

Imported asset 4

Empty

Filled in, matching

Filled in

Imported asset 5

Filled in, matching

Empty

Empty

Imported asset 6

Empty

Empty

Filled in

Comparison results:

  • Imported asset 1 and KUMA asset: the FQDN and IP fields are filled in and match, no conflict in the MAC fields between the two assets. The assets are merged.
  • Imported asset 2 and KUMA asset: the FQDN and IP fields are filled in and match. The assets are merged.
  • Imported asset 3 and KUMA asset: the FQDN and MAC fields are filled in and match, no conflict in the IP fields between the two assets. The assets are merged.
  • Imported asset 4 and KUMA asset: the IP fields are filled in and match, no conflict in the FQDN and MAC fields between the two assets. The assets are merged.
  • Imported asset 5 and KUMA asset: the FQDN fields are filled in and match, no conflict in the IP and MAC fields between the two assets. The assets are merged.
  • Imported asset 6 and KUMA asset: no matching fields. The assets are not merged.

Checking for single-field value match in the IP, MAC, and FQDN fields

Compared assets

Compared fields

FQDN

IP

MAC

KUMA asset

Empty

Filled in

Empty

Imported asset 1

Filled in

Filled in, matching

Yes

Imported asset 2

Filled in

Filled in, matching

Empty

Imported asset 3

Filled in

Empty

Filled in

Imported asset 4

Empty

Empty

Filled in

Comparison results:

  • Imported asset 1 and KUMA asset: the IP fields are filled in and match, no conflict in the FQDN and MAC fields between the two assets. The assets are merged.
  • Imported asset 2 and KUMA asset: the IP fields are filled in and match, no conflict in the FQDN and MAC fields between the two assets. The assets are merged.
  • Imported asset 3 and KUMA asset: no matching fields. The assets are not merged.
  • Imported asset 4 and KUMA asset: no matching fields. The assets are not merged.
Page top
[Topic 243031]

Settings of the kuma-ptvm-config.yaml configuration file

The table lists the settings that you can specify in the kuma-ptvm-config.yaml file.

Setting

Description

Values

log_level

An optional setting in the 'General settings' group.

Logging level.

Available values:

  • trace
  • info
  • warning
  • error

Default setting: info.

period

An optional setting in the 'General settings' group.

Data for assets that have changed during the specified period is exported from MaxPatrol.

No limitations apply.

Default setting: 30d.

strict_import

Optional setting in the 'General settings' group.

When exporting assets from MaxPatrol, check if the required fields for KUMA are filled. Do not export unverified assets from MaxPatrol.

Available values:

  • true to check for the presence of fields that are required for KUMA.
  • false to skip the check for the presence of fields that are required for KUMA.

Default setting: false.

We recommend specifying true when exporting assets from MaxPatrol, this lets you detect and fix possible errors in JSON files before you import assets into XDR.

endpoint

Required setting in the 'KUMA settings' group.

URL of the XDR API server. For example, api.<XDR FQDN>/xdr/

-

token

Required setting in the 'KUMA settings' group.

XDR API token.

-

ignore_server_cert

Optional setting in the 'KUMA settings' group.

Validation of the XDR certificate.

Available values:

true to disable certificate validation.

false to enable certificate validation.

This setting is not included in the configuration file template. You can manually add this setting with a true value, which will prevent the kuma-ptvm utility from validating the certificate at startup.

endpoint

Required setting in the 'MaxPatrol VM' group.

URL of the MaxPatrol API server.

-

user

Required setting in the 'MaxPatrol VM' group.

MaxPatrol API user name.

-

password

Required setting in the 'MaxPatrol VM' group.

MaxPatrol API user password.

-

secret

Required setting in the 'MaxPatrol VM settings' group.

MaxPatrol API secret.

-

ignore_server_cert

Optional setting in the 'MaxPatrol VM settings' group.

Validation of the MaxPatrol certificate.

Available values:

  • true to disable the validation of the MaxPatrol certificate.
  • false to enable MaxPatrol certificate validation.

This setting is not included in the configuration file template. You can manually add this setting with a true value if the "tls: failed to verify certificate: x509: certificate is valid for localhost" error occurs. In that case, the kuma-ptvm utility does not validate the certificate when it is started.

We recommend issuing a certificate in accordance with the MaxPatrol documentation as the preferred way of resolving the error.

only_exploitable

Optional setting in the 'Vulnerability filter' group.

Export from MaxPatrol only assets with vulnerabilities for which exploits are known.

Available values:

true to export only assets with vulnerabilities for which exploits are known.

false to export all assets.

Default setting: false.

min_severity

Optional setting in the 'Vulnerability filter' group.

Import only vulnerabilities of the specified level or higher.

Available values:

  • low
  • medium
  • high
  • critical

Default value: low.

id

Required setting in the 'Tenant map' group.

Tenant ID in XDR.

Assets are assigned to tenants in the order in which tenants are specified in the configuration file: the higher a tenant is in the list, the higher its priority. This means you can specify overlapping subnets.

-

fqdn

Optional setting in the 'Tenant map' group.

Regular expression for searching the FQDN of an asset.

-

networks

Optional setting in the 'Tenant map' group.

One or more subnets.

-

default_tenant

Optional setting.

The default XDR tenant for data about assets that could not be allocated to tenants specified in the 'Tenants' group of settings.

-

Page top
[Topic 292435]