Configuring integration in R-Vision SOAR

Support

Support for business applications

Kaspersky Unified Monitoring and Analysis Platform

Administrator's guide

Integration with other solutions

Integration with R-Vision Security Orchestration, Automation and Response

Configuring integration in R-Vision SOAR

April 8, 2024

ID 224437

Get as PDF

This section describes KUMA integration with R-Vision SOAR from the R-Vision SOAR side.

Integration in R-Vision SOAR is configured in the Settings section of the R-Vision SOAR web interface. For details on configuring R-Vision SOAR, please refer to the documentation on this application.

Configuring integration with KUMA consists of the following steps:

Configuring R-Vision SOAR user role
1. Assign the Incident manager system role to the R-Vision SOAR user utilized for integration. The role is assigned when a user is selected in the R-Vision SOAR web interface in the Settings → General → System users section. The role is added in the System Roles block of settings.
  R-Vision SOAR version 4.0 user with the Incident Manager role
  
  R-Vision SOAR version 5.0 user with the Incident Manager role
2. Make sure that the API token of the R-Vision SOAR user utilized for integration is indicated in the secret in the KUMA web interface. The token is displayed in the R-Vision SOAR web interface under Settings → General → API.
  API token in R-Vision SOAR version 4.0
  
  API token in R-Vision SOAR version 5.0
Configuring R-Vision SOAR incident fields and KUMA alert fields
1. Add the ALERT_ID and ALERT_URL incident fields.
2. Configure the category of R-Vision SOAR incidents created based on KUMA alerts. You can do this in the R-Vision SOAR web interface, in the Settings → Incident management → Incident categories section. Add a new incident category or edit an existing incident category by indicating the previously created Alert ID and Alert URL incident fields in the Category fields settings block. The Alert ID field can be hidden.
  Incident categories with data from KUMA alerts in R-Vision SOAR version 4.0
  
  Incident categories with data from KUMA alerts in R-Vision SOAR version 5.0
3. Block editing of previously created Alert ID and Alert URL incident fields. In the R-Vision SOAR web interface, under Settings → Incident management → Presentation, select the category of R-Vision SOAR incidents that will be created based on KUMA alerts and put a lock icon next to the Alert ID and Alert URL incident fields.
  The Alert URL field is not editable in R-Vision SOAR version 4.0
  
  The Alert URL field is not editable in R-Vision SOAR version 5.0
Creating R-Vision SOAR collector and connector
1. Create an R-Vision SOAR collector to interact with KUMA.
2. Create and configure an R-Vision SOAR connector to send API requests to close KUMA alerts.
Creating a rule to close a KUMA alert
Create a rule for sending KUMA alert closing request when R-Vision SOAR incident is closed.

Integration with KUMA is now configured in R-Vision SOAR. If integration is also configured in KUMA, when alerts appear in KUMA, information about those alerts is sent to R-Vision SOAR to create an incident. The Details on alert section in the KUMA web interface displays a link to R-Vision SOAR.

In this section

Adding the ALERT_ID and ALERT_URL incident fields

Creating a collector in R-Vision SOAR

Creating connector in R-Vision SOAR

Creating rule for closing KUMA alert when R-Vision SOAR incident is closed

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.