Configuring integration in KUMA
This section describes integration of KUMA with R-Vision SOAR from the KUMA side.
Integration in KUMA is configured in the web interface under Settings → IRP / SOAR.
To configure integration with R-Vision SOAR:
- In the KUMA web interface, open Resources → Secrets.
The list of available secrets will be displayed.
- Click the Add secret button to create a new secret. This resource is used to store the token for R-Vision SOAR API requests.
The secret window is displayed.
- Enter information about the secret:
  - In the Name field, enter a name for the added secret. The name must contain 1 to 128 Unicode characters.
  - In the Tenant drop-down list, select the tenant that will own the created resource.
  - In the Type drop-down list, select token.
  - In the Token field, enter your R-Vision SOAR API token.
    You can obtain the token in the R-Vision SOAR web interface under Settings → General → API.
  - If necessary, in the Description field, add up to 4,000 Unicode characters describing the secret.
- Click Save.
The R-Vision SOAR API token is now saved and can be used in other KUMA resources.
- In the KUMA web interface, go to Settings → IRP / SOAR.
The window containing R-Vision SOAR integration settings opens.
- Make the necessary changes to the following parameters:
  - Disabled—select this check box if you want to disable R-Vision SOAR integration with KUMA.
  - In the Secret drop-down list, select the previously created secret.
    You can create a new secret by clicking the button with the plus sign. The created secret will be saved in the Resources → Secrets section.
  - URL (required)—URL of the R-Vision SOAR server host.
  - Field name where KUMA alert IDs must be placed (required)—name of the R-Vision SOAR field where the ID of the KUMA alert must be written.
  - Field name where KUMA alert URLs must be placed (required)—name of the R-Vision SOAR field where the link for accessing the KUMA alert should be written.
  - Category (required)—category of the R-Vision SOAR incident that is created after a KUMA alert is received.
  - KUMA event fields that must be sent to IRP / SOAR (required)—drop-down list for selecting the KUMA event fields that should be sent to R-Vision SOAR.
  - Severity group of settings (required)—used to map KUMA severity values to R-Vision SOAR severity values.
- Click Save.
Integration with R-Vision SOAR is now configured in KUMA. If integration is also configured in R-Vision SOAR, when alerts appear in KUMA, information about those alerts will be sent to R-Vision SOAR to create an incident. The Details on alert section in the KUMA web interface displays a link to R-Vision SOAR.
If you are working with multiple tenants and want to integrate with R-Vision SOAR, the names of tenants must match the abbreviated names of companies in R-Vision SOAR.