Response rules for a custom script
You can create a script containing commands to be executed on the KUMA server when selected events are detected and configure response rules to automatically run this script. In this case, the program will run the script when it receives events that match the response rules.
The script file is stored on the server where the correlator service using the response resource is installed: /opt/kaspersky/kuma/correlator/<Correlator ID>/scripts. The kuma user of this server must have permission to run the script.
When creating and editing response rules for a custom script, you need to define values for the following parameters.
Response rule settings
Setting | Description |
---|---|
Name | Required setting. Unique name of the resource. Must contain 1 to 128 Unicode characters. |
Tenant | Required setting. The name of the tenant that owns the resource. |
Type | Required setting. Response rule type, script. |
Timeout | The number of seconds allotted for the script to finish. If this amount of time is exceeded, the script is terminated. |
Script name | Required setting. Name of the script file. If the response resource is attached to the correlator service but there is no script file in the /opt/kaspersky/kuma/correlator/<Correlator ID>/scripts folder, the correlator will not work. |
Script arguments | Arguments or event field values that must be passed to the script. If the script includes actions taken on files, you should specify the absolute path to these files. Parameters can be written with quotation marks ("). Event field names are passed in the Example: |
Handlers | The number of handlers that the service can run simultaneously to process response rules in parallel. By default, the number of handlers is the same as the number of virtual processors on the server where the service is installed. |
Description | Description of the resource. You can add up to 4,000 Unicode characters. |
Filter | Used to define the conditions for the events to be processed using the response rule. You can select an existing filter from the drop-down list or create a new filter. |
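
Event field values passed through Script arguments originate in ingested logs, so a response script should validate them before acting on them. The script below is an added example, not Kaspersky code; its purpose (recording a source IPv4 address), the list path, and the single-argument layout are assumptions.

```shell
#!/bin/sh
# Added example, not Kaspersky code. Assumption: the response rule passes one
# event field value (a source IPv4 address) as the first script argument.
set -u

# Absolute path, as advised for files the script touches. Hypothetical
# location; the directory must exist and be writable by the kuma user.
LIST_FILE="${LIST_FILE:-/var/lib/example-response/addresses.txt}"

# Succeeds only for a dotted-quad IPv4 address with octets 0..255 and no
# leading zeros. Event field values come from logs: treat them as untrusted.
is_ipv4() {
    case "${1-}" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Appends the address once. Returns 2 for invalid input, 1 on file errors.
# Several handlers may run copies in parallel; at worst a line is duplicated.
record_address() {
    is_ipv4 "${1-}" || return 2
    touch -- "$LIST_FILE" || return 1
    # -x whole line, -F fixed string: the value is never used as a pattern.
    grep -qxF -- "$1" "$LIST_FILE" || printf '%s\n' "$1" >> "$LIST_FILE"
}

# Runs only when arguments are given, so the functions can be tested alone.
if [ "$#" -gt 0 ]; then
    rc=0
    record_address "$1" || rc=$?
    [ "$rc" -eq 0 ] || echo "response script: rejected or failed (rc=$rc)" >&2
    exit "$rc"
fi
```

Keep the work in such a script short, because the rule's Timeout setting terminates a script that runs past the allotted time.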