Threat hunting
The Threat hunting page contains tools that help you analyze events to search for threats and vulnerabilities that have not been detected automatically. To create an alert from a set of events, select the events, and then click the Create alert button.
You can open the Threat hunting page in any of the following ways:
- In the main menu, go to Monitoring & reporting → Threat hunting.
- In the Alert or Incident details, invoke the context menu for an attribute, and then select Search in Threat Hunting.
- In the Incident details, click the View on graph button. In the investigation graph that opens, click the Threat hunting button.
The Threat hunting page displays events. You can filter events:
- By editing the SQL query
- By changing the time range
- By selecting the tenants to which the events belong
Working with events
The Threat hunting section contains tools that help you search for threats and vulnerabilities by analyzing events.
Granular access to events
In KUMA, users with different rights can have granular access to events. Access to events is controlled at the level of storage spaces.
You can assign spaces to users in the Spaces permissions section. After upgrading to the latest version, the 'All spaces' space set is assigned to all existing users, that is, access to all spaces is unrestricted. An event contains a tenant ID and a space ID, therefore the user needs rights to the corresponding tenant and space to have access to the event.
Keep in mind the following special considerations involved in displaying storages:
- If a storage is not listed in the Active services section, the storage and its spaces are not displayed in the list of spaces of the set.
- If the storage service was stopped using the systemctl stop kuma-<storage ID> command, the storage and its spaces are not displayed in the list of spaces of the set.
- If the storage was started and then deleted using the uninstall command, the storage and its spaces remain in the list of spaces of the set.
In the list of events, you can add the SpaceID field to the table, which will display the name of the space. The space of audit events is displayed as KUMA Audit. KUMA Default is the space inside each storage, where all events go if the storage does not have configured spaces or if the event does not match the conditions of the existing spaces.
When you export the list of events to a TSV file, the space ID and name are displayed for spaces.
To differentiate access:
- Configure the space sets.
You can create, edit, or delete space sets. These actions result in audit events.
- Configure the access rights of the space set: you can grant or revoke access rights of selected users.
Use cases
Migrating to the latest KUMA version with differentiated access to events
Restricting access to spaces for all users
Allowing some users to view all events
Permitting some users to view events from a finite set of spaces
Supplementing an explicitly specified space set for a user
Viewing the events table
The events table provides you with an overview of all events received by KUMA Core from the data sources. The table displays the list of events filtered according to the executed SQL query.
To view the events table:
- In the main menu, go to Monitoring & reporting → Threat hunting.
- If necessary, apply the tenant filter. By default, the tenant filter is disabled and the events table displays the events related to all of the tenants to which you have the Read access right. To apply the tenant filter:
- Click the link next to the Tenant filter setting.
The tenant filter opens.
- Select the check boxes next to the required tenants.
The events table displays only the events related to the selected tenants.
The events table is displayed. For details about the table columns, refer to the normalized event data model.
Searching and filtering events
To search and filter events, modify an SQL query in the search field, and then click the Run Query button. You can enter the SQL query manually or generate it by using the query builder.
Data aggregation and grouping are supported in SQL queries.
You can add filter conditions to an already generated SQL query in the window for viewing statistics, the events table, and the event details area.
To change the filtering settings in the Statistics window:
- Follow the steps to open the events table.
- Open the Statistics details area by using one of the following methods:
- In the top right corner of the events table, open the drop-down list and select Statistics.
- In the events table, click any value, and then select Statistics in the context menu that opens.
The Statistics details area appears in the right part of the web interface window.
- Open the drop-down list of the relevant parameter and hover your mouse cursor over the necessary value.
- Change the filter settings by doing one of the following:
- To include only events with the selected value, click the include button next to the value.
- To exclude all events with the selected value, click the exclude button next to the value.
To change the filtering settings in the events table:
- Follow the steps to open the events table.
- Click an event parameter value in the events table.
- In the opened menu, select one of the following options:
- To show only events with the selected value, select Filter by this value.
- To exclude all events with the selected value from the table, select Exclude from filter.
To change the filter settings in the event details area:
- Follow the steps to open the events table.
- Click a relevant event to invoke the event details panel.
- Change the filter settings by doing one of the following:
- To include only events with the selected value, click the include button next to the value.
- To exclude all events with the selected value, click the exclude button next to the value.
As a result, the filter settings and the events table are updated, and the new search query is displayed in the upper part of the screen.
When you switch to the query builder, the parameters of a query entered manually in the search field are not transferred to the builder, so you will need to create your query again. The query created in the builder does not overwrite the query that was entered into the search string until you click the Apply button in the builder window.
To save the current filter, click the icon next to the search query, and then select Save current filter.
Manually creating SQL queries
You can use the search string to manually create SQL queries of any complexity to filter events.
Executing an SQL query affects the displayed table columns.
If the SQL query contains SELECT *, columns explicitly named in the query are added to the table if they were not already displayed. Omitting such a column from subsequent queries does not hide it.
If the SQL query does not contain *, the table displays only the columns for the specified fields that conform to the normalized event data model. Columns are displayed even if there is no data for them.
To manually generate an SQL query:
- Follow the steps to open the events table.
- Enter your SQL query into the input field.
- Click the Apply query button.
The table displays events that satisfy the criteria of your query. If necessary, you can filter events by period.
To display non-printable characters in the SQL query field, press either of the following key combinations:
- Ctrl+*/Command+*
- Ctrl+Shift+8/Command+Shift+8
If you enable the display of non-printable characters in the XDR component, other components (such as KUMA) do not automatically display non-printable characters until you reload the components' browser tabs.
Supported functions and operators
SELECT
Event fields that should be returned.
For SELECT fields, the program supports the following functions and operators:
Aggregation functions: count, avg, max, min, sum.
Arithmetic and comparison operators: +, -, *, /, <, >, =, !=, >=, <=.
You can combine these functions and operators.
If you are using aggregation functions in a query, you cannot customize the events table display, sort events in ascending or descending order, or receive statistics.
FROM
Data source.
WHERE
Conditions for filtering events.
- AND, OR, NOT, =, !=, >, >=, <, <=
- IN
- BETWEEN
- LIKE
- ILIKE
- inSubnet
- match (the re2 syntax of regular expressions is used in queries; special characters must be escaped with \)
GROUP BY
Event fields or aliases to be used for grouping the returned data.
If you are using data grouping in a query, you cannot customize the events table display, sort events in ascending or descending order, receive statistics, or perform a retrospective scan.
ORDER BY
Columns used as the basis for sorting the returned data.
Possible values:
- DESC — descending order.
- ASC — ascending order.
OFFSET
Skip the indicated number of rows before returning the query results.
LIMIT
Number of rows displayed in the table.
The default value is 250.
When switching to the query builder, the query parameters that were manually entered into the search string are not transferred to the builder, so you will need to create your query again. Also, the query created in the builder does not overwrite the query that was entered into the search string until you click the Apply button in the builder window.
Aliases must not contain spaces.
Example queries
- SELECT * FROM `events` WHERE Type IN ('Base', 'Audit') ORDER BY Timestamp DESC LIMIT 250
All events of the Base and Audit types, sorted by the Timestamp column in descending order. At most 250 rows are displayed in the table.
- SELECT * FROM `events` WHERE BytesIn BETWEEN 1000 AND 2000 ORDER BY Timestamp ASC LIMIT 250
All events whose BytesIn field (received traffic) is in the range from 1,000 to 2,000 bytes, sorted by the Timestamp column in ascending order. At most 250 rows are displayed in the table.
- SELECT * FROM `events` WHERE Message LIKE '%ssh:%' ORDER BY Timestamp DESC LIMIT 250
All events whose Message field contains the substring ssh:, sorted by the Timestamp column in descending order. LIKE is case-sensitive, so the pattern must match the case of the logged text; use ILIKE for a case-insensitive match. At most 250 rows are displayed in the table.
- SELECT * FROM `events` WHERE inSubnet(DeviceAddress, '00.0.0.0/00') ORDER BY Timestamp DESC LIMIT 250
All events from hosts whose DeviceAddress is in the 00.0.0.0/00 subnet, sorted by the Timestamp column in descending order. At most 250 rows are displayed in the table.
- SELECT * FROM `events` WHERE match(Message, 'ssh.*') ORDER BY Timestamp DESC LIMIT 250
All events whose Message field matches the regular expression ssh.*, sorted by the Timestamp column in descending order. At most 250 rows are displayed in the table.
- SELECT max(BytesOut) / 1024 FROM `events`
The largest BytesOut value (in KB) among the events of the selected time period.
- SELECT count(ID) AS "Count", SourcePort AS "Port" FROM `events` GROUP BY SourcePort ORDER BY Port ASC LIMIT 250
The number of events per source port. Events are grouped by SourcePort and sorted by the Port alias in ascending order. At most 250 rows are displayed in the table. In the events table, the count(ID) column is displayed as Count and the SourcePort column as Port.
- SELECT * FROM `events` WHERE match(Message, 'ssh:\'connection.*') ORDER BY Timestamp DESC LIMIT 250
To use a special character literally in a query, escape it by placing a backslash (\) in front of it; here the single quote inside the string literal is escaped. All events whose Message field matches the regular expression ssh:'connection.*, sorted by the Timestamp column in descending order. At most 250 rows are displayed in the table.
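The two queries below are an added example written for this page; they are not part of the KUMA documentation and do not come from the product. They chain the operators listed above into one hunting pass: first rank external sources by how many SSH-related events they caused against the internal network, then page through the raw events of one of those sources. The field names SourceAddress, DestinationAddress, DestinationPort and Name are assumed to exist in the normalized event data model (they follow the same CEF-style naming as the page's own BytesIn, DeviceAddress and SourcePort); 10.0.0.0/8 and 203.0.113.45 are constructed example addresses, and the LIMIT ... OFFSET placement follows ClickHouse syntax. The -- comments are explanatory only; drop them when pasting a query into the search field.

```sql
-- Added example, not from the KUMA documentation or product.
-- Assumed fields: SourceAddress, DestinationAddress, DestinationPort, Name.
-- 10.0.0.0/8 stands in for the internal address range (constructed example).

-- Step 1: rank external sources of SSH-related traffic into the internal range.
-- Aliases contain no spaces and are reused in ORDER BY, as in the page's
-- GROUP BY example. Because the query groups data, the result cannot be
-- re-sorted in the UI or sent to Statistics or Retroscan, so the ranking
-- is done in the query itself.
SELECT
    SourceAddress AS "Source",
    count(ID) AS "Events",
    sum(BytesIn) / 1024 AS "KBIn",
    max(Timestamp) AS "LastSeen"
FROM `events`
WHERE Type = 'Base'
  AND DestinationPort = 22
  AND inSubnet(DestinationAddress, '10.0.0.0/8')
  AND NOT inSubnet(SourceAddress, '10.0.0.0/8')
  AND (Message ILIKE '%ssh%' OR match(Name, '(?i)ssh'))
GROUP BY SourceAddress
ORDER BY Events DESC
LIMIT 50

-- Step 2: page through the raw events of one source found in step 1.
-- 203.0.113.45 is a constructed example address (RFC 5737 TEST-NET-3).
-- Naming the fields instead of * limits the table to exactly these columns.
-- ILIKE is used because LIKE is case-sensitive.
-- LIMIT 250 OFFSET 250 returns rows 251-500, i.e. the second page.
SELECT Timestamp, SourceAddress, DestinationAddress, DestinationPort, Name, Message
FROM `events`
WHERE SourceAddress = '203.0.113.45'
  AND DestinationPort = 22
  AND Message ILIKE '%accepted%'
ORDER BY Timestamp DESC
LIMIT 250 OFFSET 250
```

Step 1 uses GROUP BY, so, as noted above, its result cannot be sorted from the table, passed to Statistics, or used for a retrospective scan. Step 2 returns plain rows for a single source, which can be opened in the Event details panel, filtered further from there, or fed to Retroscan.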
Generating an SQL query using a builder
You can use the query builder to generate an SQL query for filtering events.
Executing an SQL query affects the displayed table columns.
If the SQL query contains SELECT *, columns explicitly named in the query are added to the table if they were not already displayed. Omitting such a column from subsequent queries does not hide it.
If the SQL query does not contain *, the table displays only the columns for the specified fields that conform to the normalized event data model. Columns are displayed even if there is no data for them.
To generate an SQL query using the builder:
- Follow the steps to open the events table.
- Click the query builder button.
Generate a search query by providing data in the following parameter blocks:
- SELECT
Event fields that should be returned. The * value is selected by default, which means that all available event fields must be returned. To adjust the displayed fields, select the desired fields in the drop-down list. Note that Select * increases the duration of the request execution, but eliminates the need to specify the fields in the request.
When selecting an event field, you can use the field on the right of the drop-down list to specify an alias for the column of displayed data, and you can use the right-most drop-down list to select the operation to perform on the data: count, max, min, avg, sum.
- FROM
Data source. Select the events value.
- WHERE
Conditions for filtering events.
To add conditions and groups, click the Add condition and Add group buttons. The AND operator value is selected by default in a group of conditions. Click the operator value to change it. Available values: AND, OR, NOT.
To change the structure of conditions and condition groups, drag and drop expressions by using the drag handle icon.
To add filter conditions:
- In the drop-down list on the left, select the event field that you want to use for filtering.
- Select the necessary operator from the middle drop-down list. The available operators depend on the type of value of the selected event field.
- Enter the value of the condition. Depending on the selected type of field, you may have to manually enter the value, select it from the drop-down list, or select it on the calendar.
To delete filter conditions, click the X button. To delete group conditions, click the Delete group button.
- GROUP BY
Event fields or aliases to be used for grouping the returned data.
If you are using data grouping in a query, you cannot customize the events table display, sort events in ascending or descending order, receive statistics, or perform a retrospective scan.
- ORDER BY
Columns used as the basis for sorting the returned data. In the drop-down list on the right, you can select the necessary order: DESC — descending, ASC — ascending.
- LIMIT
Number of rows displayed in the table.
The default value is 250.
If you are filtering events by a user-defined period and the number of rows in the search results exceeds the defined value, you can click the Show next records button to display additional rows in the table. This button is not displayed when filtering events by the standard period.
- Click the Apply button.
The current SQL query will be overwritten. The generated SQL query is displayed in the search field.
To reset the builder settings, click the Default query button.
To close the builder without overwriting the existing query, click the close button.
- Click the Apply query button to display the data in the table.
The table will display the search results based on the generated SQL query.
When switching to another section of the web interface, the query generated in the builder is not preserved. If you return to the Threat hunting section from another section, the builder displays the default query.
Viewing event details
To open the event details panel, select an event in the events table in the Threat hunting section or in an alert details page.
The Event details panel appears in the right part of the web interface window and contains a list of the event parameters with values. In this area you can:
- Include the selected field in the search or exclude it from the search by clicking the include or exclude button next to a parameter's value.
- Find similar events and add or delete a prevention rule by clicking the FileHash and DeviceCustomString values.
- When integrated with Kaspersky CyberTrace and Kaspersky Threat Intelligence Portal, you can add to Internal TI of CyberTrace and show info from Threat Lookup by clicking the FileHash and DeviceCustomString values.
- View the settings of the service that registered the event by clicking the Service value.
In the Event details panel, the values of the following settings show the name of the described object instead of its ID. If you change the filter settings from the Event details panel, the object's ID, not its name, is added to the SQL query:
- TenantID
- ServiceID
- DeviceAssetID
- SourceAssetID
- DestinationAssetID
- SourceAccountID
- DestinationAccountID
Saving and selecting events filter configuration
You can save the current filter configuration, including the time-based filter, query builder, and the events table settings, for future use. Saved filter configurations are available to you and other users that have corresponding access rights.
To save the current settings of the filter, query, and period
- Follow the steps to open the events table.
- Click the icon next to the search query, and then select Save current filter.
- In the New filter window that opens, enter the name of the filter configuration in the Name field. The name must contain 128 Unicode characters or less.
- In the Tenant drop-down list, select the tenant for which to save the created filter.
- Click Save.
The filter configuration is now saved.
To select a previously saved filter configuration
- Follow the steps to open the events table.
- Click the icon next to the search query, and then select the desired filter.
To save the current settings of the filter, query, and the events table settings
- Follow the steps to open the events table.
- Click the gear icon in the panel above the events table.
- Click Save current preset.
- In the New preset window that opens, enter the name of the preset in the Name field. The name must contain 128 Unicode characters or less.
- In the Tenant drop-down list, select the tenant for which to save the created preset.
- Click Save.
The preset configuration is now saved.
To select a previously saved preset
- Follow the steps to open the events table.
- Click the gear icon in the panel above the events table. Select the Presets tab.
- Select the desired preset.
To delete a previously saved filter configuration for all users
- Follow the steps to open the events table.
- Click the icon next to the search query.
- Click the delete icon next to the configuration that you need to delete.
- Click OK.
Filtering events by time range
You can specify the period to display events from.
To filter events by time range:
- Follow the steps to open the events table.
- Open the second drop-down list in the upper part of the window.
- Specify the time range. You can select predefined ranges relative to the current date and time or specify a custom range by using the Range start and Range end fields or by selecting dates in the calendar.
- Click the Apply button.
Exporting events
You can export information about events to a TSV file. The selection of events that will be exported to a TSV file depends on the filter settings. The information is exported from the columns that are displayed in the events table. The columns in the exported file are populated with the available data even if they were not displayed in the events table in the Threat hunting section due to the specifics of the SQL query.
To export information about events:
- Follow the steps to open the events table.
- In the top right corner of the events table, open the drop-down list and select Export TSV.
The new export TSV file task is created in the KUMA Task Manager section.
- Log in to the KUMA Console and find the task you created in the Task Manager section.
- Click the task type name and select Upload from the drop-down list.
The TSV file is downloaded and saved according to your web browser's settings. By default, the file name is event-export-<date>_<time>.tsv.
Retrospective scan
You can use retrospective scan to refine the correlation rule resources or analyze historical data.
You can also choose to create alerts based on a retrospective scan.
To use retrospective scan:
- In the main menu, go to Monitoring & reporting → Threat hunting.
- In the top right corner of the events table, open the drop-down list, and then select Retroscan.
The Retroscan panel opens.
- In the Correlator drop-down list, select the Correlator to feed selected events to.
- In the Correlation rules drop-down list, select the Correlation rules that must be used when processing events.
- To execute responses during event processing, turn on the Execute responses toggle switch.
- To generate alerts during event processing, turn on the Create alerts toggle switch.
- Click the Create task button.
The retrospective scan task is created in the KUMA Task Manager section.
Getting events table statistics
You can get statistics for the current events selection displayed in the events table. The selected events depend on the filter settings.
To obtain statistics:
- Follow the steps to open the events table.
- Do one of the following:
- In the upper-right corner of the events table, select Statistics from the drop-down list.
- In the events table, click any value and select Statistics from the context menu that opens.
The Statistics details area appears with the list of parameters from the current event selection. The number next to each parameter indicates the number of events with that parameter in the selection. If a parameter is expanded, the five most frequently occurring values are displayed. Type a parameter name in the Search field to filter the displayed data.
The Statistics window allows you to modify the events filter.
When using SQL queries with data grouping and aggregation for filtering events, statistics are not available.