Kaspersky Unified Monitoring and Analysis Platform (KUMA)
Kaspersky Endpoint Security for Windows supports the Kaspersky Unified Monitoring and Analysis Platform solution. Kaspersky Unified Monitoring and Analysis Platform (KUMA) is a security information and event management (SIEM) solution for the IT infrastructure of organizations. KUMA allows detecting, analyzing, and mitigating security threats before they can cause harm.
Kaspersky Endpoint Security is installed on individual computers in the corporate IT infrastructure and continuously monitors processes, open network connections, and files being modified. Information about events on the computer (telemetry) is sent to the Kaspersky Unified Monitoring and Analysis Platform (KUMA) server. In its console, KUMA displays events as a list without markup, similar to the Windows event log. To access all KUMA functionality, you need to purchase a license and deploy the solution in accordance with the KUMA Administrator's Guide.
Integration with KUMA
To use KUMA, the following conditions must be met:
Kaspersky Security Center version 14.2 or higher. In earlier versions of Kaspersky Security Center, it is impossible to activate the KUMA integration functionality.
The application is activated and the functionality is covered by the license.
The KUMA integration component is enabled.
Setting up KUMA integration involves the following steps:
You must restart your computer to finish upgrading the application with the new component.
KUMA activation
You need a separate license to integrate Kaspersky Endpoint Security with KUMA (Kaspersky Endpoint Security for Windows KUMA Integration Add-on).
The functionality becomes available after adding the separate KUMA key. As a result, there will be another active key on the computer for Kaspersky Endpoint Security integration with KUMA.
To connect a computer running Kaspersky Endpoint Security to the KUMA solution:
1. In the Kaspersky Endpoint Security policy, add the KUMA server addresses and specify the network settings of the connection.
2. In the KUMA console, add a collector with connectors of the tcp or udp type and specify the basic network settings of the connection. For details about managing collectors, please refer to the Kaspersky Unified Monitoring and Analysis Platform Help.
You can establish a trusted connection between Kaspersky Endpoint Security and KUMA servers. To configure a trusted connection, you must use a TLS certificate. You can get a TLS certificate on the KUMA Core server (see the settings for the tcp type connector in the Kaspersky Unified Monitoring and Analysis Platform Help). Then you must add the TLS certificate to Kaspersky Endpoint Security (see instructions below).
To make the connection more secure, you can additionally enable the verification of the computer in KUMA (two-way authentication). To enable this verification, you must turn on two-way authentication in KUMA and Kaspersky Endpoint Security settings. To use two-way authentication, you will also need a crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You must generate a certificate with the private key in the PKCS#12 container format in an external certification authority. Then you must add the PFX archive in the KUMA console and in Kaspersky Endpoint Security (see the settings for the tcp type connector in the Kaspersky Unified Monitoring and Analysis Platform Help).
How to configure KUMA integration in the Administration Console (MMC):
1. Open the Kaspersky Security Center Administration Console.
2. In the console tree, select Policies.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select KUMA Integration.
5. Select the KUMA Integration check box.
6. Select the protocol for connecting to KUMA servers: TCP or UDP.
7. Add KUMA servers. To do this, specify the server address (IPv4 or IPv6) and the port used to connect to the server.
   Kaspersky Endpoint Security connects to the first KUMA server in the list. If the connection fails, it connects to the second KUMA server in the list, and so on.
8. For TCP, you can configure a trusted connection. To do so, click the Settings for connecting to KUMA servers button and configure the server connection:
   - Timeout. Maximum time to wait for a response from the KUMA server. When the timeout expires, Kaspersky Endpoint Security tries to connect to a different KUMA server.
   - Server TLS certificate. TLS certificate for establishing a trusted connection with the KUMA server.
     To establish a trusted connection, in the KUMA console, in the tcp connector settings, you must select the With verification TLS mode (see the settings for the tcp type connector in the Kaspersky Unified Monitoring and Analysis Platform Help).
   - Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and KUMA. To use two-way authentication, in the KUMA console, in the tcp connector settings, you must select the Custom PFX TLS mode (see the settings for the tcp type connector in the Kaspersky Unified Monitoring and Analysis Platform Help). Then you must get a crypto-container and set a password to protect it. A crypto-container is a PFX archive with a certificate and a private key. After configuring the KUMA settings, you also need to enable two-way authentication in the Kaspersky Endpoint Security settings and load the password-protected crypto-container.
     The crypto-container must be password-protected. A crypto-container with a blank password cannot be added.
9. Click OK.
10. If necessary, configure the Maximum events transmission delay (sec) setting in the Data transmission settings block. When the specified time runs out, Kaspersky Endpoint Security tries to connect to the same server again or connects to the next server in the list if there are multiple servers. The default value is 30 seconds.
How to configure KUMA integration in the Web Console:
1. In the main window of the Web Console, select Devices → Policies & profiles.
2. Click the name of the Kaspersky Endpoint Security policy.
   The policy properties window opens.
3. Select the Application settings tab.
4. Go to the KUMA Integration section.
5. Turn on the Enable KUMA Integration toggle.
6. Select the protocol for connecting to KUMA servers: TCP or UDP.
7. Add KUMA servers. To do this, specify the server address (IPv4 or IPv6) and the port used to connect to the server.
   Kaspersky Endpoint Security connects to the first KUMA server in the list. If the connection fails, it connects to the second KUMA server in the list, and so on.
8. For TCP, you can configure a trusted connection. To do so, click the Settings for connecting to KUMA servers button and configure the server connection:
   - Timeout. Maximum time to wait for a response from the KUMA server. When the timeout expires, Kaspersky Endpoint Security tries to connect to a different KUMA server.
   - Server TLS certificate. TLS certificate for establishing a trusted connection with the KUMA server.
     To establish a trusted connection, in the KUMA console, in the tcp connector settings, you must select the With verification TLS mode (see the settings for the tcp type connector in the Kaspersky Unified Monitoring and Analysis Platform Help).
   - Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and KUMA. To use two-way authentication, in the KUMA console, in the tcp connector settings, you must select the Custom PFX TLS mode (see the settings for the tcp type connector in the Kaspersky Unified Monitoring and Analysis Platform Help). Then you must get a crypto-container and set a password to protect it. A crypto-container is a PFX archive with a certificate and a private key. After configuring the KUMA settings, you also need to enable two-way authentication in the Kaspersky Endpoint Security settings and load the password-protected crypto-container.
     The crypto-container must be password-protected. A crypto-container with a blank password cannot be added.
9. Click OK.
10. If necessary, configure the Maximum events transmission delay (sec) setting in the Data transmission settings block. When the specified time runs out, Kaspersky Endpoint Security tries to connect to the same server again or connects to the next server in the list if there are multiple servers. The default value is 30 seconds.
11. Save your changes.
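As an added example (not from the Kaspersky documentation or tooling), the following script builds a PFX crypto-container of the kind the two-way authentication setting above requires and checks, before it is loaded into the policy, that the password is not blank and that the archive holds both the certificate and the private key. It assumes the openssl command-line tool is available; the self-signed certificate is a constructed stand-in for the one issued by your external certification authority.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky documentation.
# Assumes the openssl CLI is available. The self-signed certificate below is a
# constructed stand-in for the certificate issued by an external CA.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test key and certificate (replace with the CA-issued files).
make_test_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=kes-endpoint-test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Package the certificate and private key into a PKCS#12 (PFX) archive
# protected by the given password. $1 = output path, $2 = password.
make_pfx() {
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$1" -passout "pass:$2" >/dev/null 2>&1
}

# Succeeds only when the archive opens with a non-blank password and holds
# both a private key and a certificate, which is what the policy settings
# expect from a crypto-container. $1 = PFX path, $2 = password.
check_pfx() {
  [ -n "$2" ] || return 1
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY' || return 1
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE' || return 1
}

make_test_pair
make_pfx "$WORK/container.pfx" 'Example-Passw0rd'   # constructed password

if check_pfx "$WORK/container.pfx" 'Example-Passw0rd'; then
  echo "container.pfx: password-protected, key and certificate present"
fi
if ! check_pfx "$WORK/container.pfx" ''; then
  echo "blank password: rejected, as the policy would reject it"
fi
```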
You can verify that the receipt of Windows events is configured correctly in the KUMA console (for details see Kaspersky Unified Monitoring and Analysis Platform Help). Check the operating status of the component by viewing the Application components status report in the Kaspersky Security Center console. You can also view the operating status of a component in reports in the local interface of Kaspersky Endpoint Security. The KUMA Integration component will be added to the list of Kaspersky Endpoint Security components.