AI services

This section provides information about the AI services that KUMA works with.

AI score and asset status

The AI score and asset status service can be installed if your license covers the AI module.

The AI service helps with precisely assessing the severity of correlation events generated as a result of correlation rules triggering.

The AI service gets correlation events with a non-empty Affected assets field from the available storage clusters, constructs the expected sequence of events, and trains the AI model. Based on the chain of triggered correlation rules, the AI service calculates whether such a sequence of events is typical for this infrastructure. Non-typical patterns increase the score of the asset.

The AI service calculates the AI score and the Status, which are displayed in the asset card. If you remove the license, the AI score and Status fields are hidden from the asset card. If you add the license again, the values of the AI score and Status fields are shown again.

The score is a number that quantifies how non-typical the activity on the asset is, and whether it is worth paying attention to. Possible values of the Status field: Low, Medium, High, Critical. The score is a number in the range from 0 to 1.

There are four ranges that correspond to statuses:

Low: 0 ≤ score < 0.25

Medium: 0.25 ≤ score < 0.5

High: 0.5 ≤ score < 0.75

Critical: 0.75 ≤ score ≤ 1

You can apply a filter by the AI score and Status fields when searching for assets. You can also set up proactive categorization of assets by the AI score and Status fields, which moves the asset to the category corresponding to the risk level as soon as the AI service assigns a score to the asset.

You can create a structure of multiple categories and automatically populate these with assets in accordance with the calculated risk values.

In the Settings → Asset audit section, you can configure audit events to be generated when an asset is added to a category. Audit events can be taken into account in correlation rules, and you can monitor them on the dashboard and in reports.

To monitor asset category changes on the dashboard, create an Events widget with a query similar to the following:

SELECT count(ID) AS `metric`, formatDateTime(toTimeZone(fromUnixTimestamp64Milli(Timestamp), 'Europe/Moscow'), '%d.%m.%Y %H:%m:%S') AS `value` FROM `events`

where DeviceVendor = 'Kaspersky' and DeviceProduct = 'KUMA' and

DeviceEventCategory = 'Audit assets' and DeviceAction= 'asset added to category'

and DeviceCustomString1 = 'Main/Categorized assets/ML/score>0.5'

GROUP BY Timestamp ORDER BY value LIMIT 250

To monitor the distribution of assets by status on the dashboard, create an Assets by severity widget. The Assets by severity widget is available if the license includes the AI module. The pie chart indicates the numbers of assets grouped by status.

Every time the AI service is restarted, the AI service trains the model from scratch and reassesses the score of the assets mentioned in events of the current day.

The directory specified in the configuration file stores events that the AI service got from KUMA storage clusters for the specified number of days. For example, if the configuration file specifies 12 days, the AI service gets events for the past 12 days. The oldest events are deleted from the directory. The trained model is stored in the same directory.

The model is retrained at midnight UTC. The asset score is reassessed once an hour for all assets that were mentioned in events of the current day (UTC).

Service logs are stored in /var/log/syslog.

Installing and removing the AI score and asset status service

Installing the AI score and asset status service

To install the service:

1. Unpack the mlservice-installer-0.1.54.XX.tgz archive that is included in the distribution kit.

   The mlservice-installer-0.1.54.XX.tgz archive contains scripts for installing and removing the service, as well as the config.yaml configuration file.

2. In the config.yaml configuration file, in the kuma_address setting, specify the FQDN of the host on which KUMA Core is installed and the port on which the KUMA Core is to listen for AI service connections.

   In a high availability configuration, you must specify port 7226. You can keep default values for the rest of the settings. After installation, the service starts with the settings specified in the config.yaml file.

3. If you want to install the service on a remote host, specify the address of the remote host in the inventory.yaml file and make sure you have network access. By default, the service is installed on the local host as specified in inventory.yaml.
4. Get the Core certificate in the KUMA Console: in the Administrator menu, click REST API CA certificate. The certificate is downloaded to your default download directory.
5. Save the KUMA Core certificate file in the roles/mlservice/files directory under the installer directory.
6. Change to the directory with the service files and from that directory, run the following command:

   ./install <path to inventory.yaml>

7. If you accept the terms and conditions of the EULA, press Y. If you do not accept the terms and conditions of the EULA, you cannot proceed with the installation of the service. You can find the file with the text of the EULA in the mlservice-installer/eula directory.
8. The installer generates the necessary certificate and key during the installation process and places these in the directories specified in the config.yaml configuration file. You must upload the certificate to KUMA.

   In the KUMA Console, in the Settings → AI service section, in the AI score and asset status window, fill in the following fields:

   1. In the URL field, specify the FQDN of the host on which the KUMA Core is installed and port on which the KUMA Core is to listen for the AI service. For example, <FQDN of the host on which KUMA Core is installed>:7226 The port number must match the port number specified in the configuration file. Make sure the port is not being used by other applications.

      For a KUMA installation in high availability configuration, the URL field is not displayed in the interface, the port value is taken from the KUMA_APPRAISER_AI_API_PORT environment variable and the port is opened for all IP addresses of the KUMA Core host.

   2. In the Certificate drop-down list, select Create new to open the Create secret window; in that window, specify Certificate as the secret type and upload the certificate from the directory specified in the config.yaml configuration file.
   3. Move the Disabled toggle switch to the inactive position. By default, the toggle switch is on.
   4. Click Save.

   Immediately after installation, the service will make attempts to connect to KUMA for 15 minutes with 1-minute intervals. If no certificate is added in the KUMA Console, the connection will fail and the service will stop. In this case, you can add a certificate and restart the AI service; the service will make new attempts to connect.

   After saving the settings, get the log of the Core server and make sure it does not contain the "<port number>: bind: address already in use" error

The AI service is installed.

Removing the AI score and asset status service

To remove the AI service, change to the directory with the AI service files, and from that directory, run the following:

./uninstall <path to inventory.yaml>

Settings of the AI score and asset status service

Available AI service settings

Analyze using KIRA

In KUMA, you can use Kaspersky Investigation and Response Assistant (KIRA) to analyze the command that triggered the correlation rule. The command is written to the event field if normalization is configured to write the command to the event field. You can view the command in the event card or the correlation event card and click Analyze using KIRA in the upper part of the event card to send a request to KIRA. KIRA performs deobfuscation and displays the cached result of the previous request for the command if such a request was performed earlier. This helps investigate alerts and incidents. The analysis results are kept in cache for 14 days and are available for repeated viewing. Each time a request is sent, an audit event is generated.

This functionality is available in the RU region if the following conditions are satisfied:

• An active license covering the AI module is available.

  If the license has expired, the analysis results remain available through tasks during the lifetime of the cache, that is, for 14 days from the moment the result is cached.

• A certificate was uploaded when configuring the KIRA integration. You can get the certificate file in PFX format, packed in the <customer name>.ZIP archive, and the password for the certificate from Technical Support.
• The user has one of the following roles with corresponding access rights: General administrator, Administrator, Tier 2 analyst, Tier 1 analyst, and Junior analyst. Only a user with the General administrator role can configure the integration.

Configuring integration with KIRA

To configure integration with KIRA:

1. Get a license with the AI module and activate in KUMA.
2. In the KUMA Console, go to the Settings → AI services section and in the AI services window, go to the KIRA tab.
3. On the KIRA tab, in the Certificate drop-down list, click Select file and upload the certificate file in PFX format, packed into the <customer name>.ZIP archive.
4. In the Certificate password field, enter the password.
5. If necessary, in the Proxy server drop-down list, select a previously created resource or create a new resource.
6. Click Save.

   After clicking Save, you are prompted to accept the terms of use of the service. If you do not accept the terms of use, you cannot proceed to save settings and use the functionality.

   After saving the settings, the available number of tokens is displayed. The allowance is reset every day.

   If you want to disable this functionality, turn on the Disable toggle switch.

Integration is configured, you can proceed to the analysis. Analysis is available for all events: new and previously received.

Analyzing using KIRA

After configuring the integration, you can analyze commands using KIRA.

To perform an analysis:

1. Go to the card of the event or correlation event and on the toolbar in the event card, in the Analyze using KIRA drop-down list, select the field whose value you want to analyze.

   This opens the Analyze using KIRA window.

2. This opens the Analyze using KIRA window, displaying the command to be analyzed. You can do the following:
   • If the command is obfuscated, it is de-obfuscated automatically without spending tokens. If you want to analyze the command in obfuscated form, in the Actions drop-down list, select Revert to original string. If necessary, you can de-obfuscate the string again.
   • If you want to know in advance how many tokens will be spent on analysis, in the Actions drop-down list, select Calculate size in tokens. Number of tokens for analysis = number of tokens to send a request + number of tokens to produce a response.
   • To analyze the command, click the Analyze button.

     If you have enough tokens, the analysis and the Request to KIRA task are started.

     Processing the request may take 30 seconds or longer.

     Tokens are expended even if the request returns an error saying that the requested topic is in the deny list; the information about remaining tokens is also updated.

The command is analyzed.

The result of the analysis is available in the same Analyze using KIRA window: the output, a brief summary, and a detailed analysis. You can also view the result in a separate window by clicking View result in the pop-up notification. This opens a separate KIRA result window, from which you can also click the link to Go to event. After the analysis is completed, the Result is displayed on the KIRA analysis tab in the event card and is available for viewing by all users with access to the Analyze using KIRA functionality.

You can also view the result of the analysis in the Task manager section in the properties of the Request to KIRA task. You can click the name of the task to select one of the following commands in the context menu:

• View result shows the results of the task from the cache to any user with access to KIRA tasks; no tokens are expended.
• Restart performed the analysis disregarding the data of the previous analysis stored in the cache; the analysis expends tokens.

Possible errors of the Analyze using KIRA task

Possible errors