Configuring integration in R-Vision SOAR
This section describes KUMA integration with R-Vision SOAR from the R-Vision SOAR side.
Integration in R-Vision SOAR is configured in the Settings section of the R-Vision SOAR web interface. For details on configuring R-Vision SOAR, please refer to the documentation on this application.
Configuring integration with KUMA consists of the following steps:
- Configuring R-Vision SOAR user role
- Assign the Incident manager system role to the R-Vision SOAR user utilized for integration. The role is assigned when a user is selected in the R-Vision SOAR web interface in the Settings → General → System users section. The role is added in the System Roles block of settings.
R-Vision SOAR version 4.0 user with the Incident Manager role
R-Vision SOAR version 5.0 user with the Incident Manager role
- Make sure that the API token of the R-Vision SOAR user utilized for integration is indicated in the secret in the KUMA web interface. The token is displayed in the R-Vision SOAR web interface under Settings → General → API.
- Configuring R-Vision SOAR incident fields and KUMA alert fields
- Add the ALERT_ID and ALERT_URL incident fields.
- Configure the category of R-Vision SOAR incidents created based on KUMA alerts. You can do this in the R-Vision SOAR web interface, in the Settings → Incident management → Incident categories section. Add a new incident category or edit an existing incident category by indicating the previously created Alert ID and Alert URL incident fields in the Category fields settings block. The Alert ID field can be hidden.
Incident categories with data from KUMA alerts in R-Vision SOAR version 4.0
Incident categories with data from KUMA alerts in R-Vision SOAR version 5.0
- Block editing of previously created Alert ID and Alert URL incident fields. In the R-Vision SOAR web interface, under Settings → Incident management → Presentation, select the category of R-Vision SOAR incidents that will be created based on KUMA alerts and put a lock icon next to the Alert ID and Alert URL incident fields.
The Alert URL field is not editable in R-Vision SOAR version 4.0
The Alert URL field is not editable in R-Vision SOAR version 5.0
- Creating R-Vision SOAR collector and connector
- Creating a rule to close a KUMA alert
Create a rule for sending a KUMA alert closing request when an R-Vision SOAR incident is closed.
Integration with KUMA is now configured in R-Vision SOAR. If integration is also configured in KUMA, when alerts appear in KUMA, information about those alerts is sent to R-Vision SOAR to create an incident. The Details on alert section in the KUMA web interface displays a link to R-Vision SOAR.