Kaspersky Unified Monitoring and Analysis Platform
Incident creation
To create an incident:
- Open the KUMA web interface and select the Incidents section.
- Click Create incident.
  The window for creating an incident will open.
- Fill in the mandatory parameters of the incident:
  - In the Name field, enter the name of the incident. The name must contain from 1 to 128 Unicode characters.
  - In the Tenant drop-down list, select the tenant that owns the created incident.
- If necessary, provide other parameters for the incident:
  - In the Priority drop-down list, select the severity of the incident. Available options: Low, Medium, High, Critical.
  - In the First event time and Last event time fields, specify the time range in which events related to the incident were received.
  - In the Category and Type drop-down lists, select the category and type of the incident. The available incident types depend on the selected category.
  - Add the incident Description. The description can contain no more than 256 Unicode characters.
  - In the Available tenants drop-down list, select the tenants whose alerts can be linked to the incident automatically.
  - In the Related alerts section, add alerts related to the incident.
    To link an alert to an incident:
    - In the Related alerts section of the incident window, click Link.
      A window with a list of alerts not linked to incidents will open.
    - Select the required alerts.
      Alerts can be searched by user and asset using PCRE regular expressions.
    - Click Link.
    The alerts are now linked to the incident and displayed in the Related alerts section.
    To unlink alerts from an incident:
    - Select the required alerts in the Related alerts section and click Unlink.
    - Click Save.
    The alerts are now unlinked from the incident. An alert can also be unlinked from the incident in the alert window by using the Unlink button.
  - In the Related endpoints section, add assets related to the incident.
    To link an asset to an incident:
    - In the Related endpoints section of the incident window, click Link.
      A window containing a list of assets will open.
    - Select the required assets.
      You can use the Search field to look for assets.
    - Click Link.
    The assets are now linked to the incident and displayed in the Related endpoints section.
    To unlink assets from an incident:
    - Select the required assets in the Related endpoints section and click Unlink.
    - Click Save.
    The assets are now unlinked from the incident.
  - In the Related Users section, add users related to the incident.
    To link a user to an incident:
    - In the Related Users section of the incident window, click Link.
      The user list window will open.
    - Select the required users.
      You can use the Search field to look for users.
    - Click Link.
    The users are now linked to the incident and displayed in the Related Users section.
    To unlink users from an incident:
    - Select the required users in the Related Users section and click Unlink.
    - Click Save.
    The users are now unlinked from the incident.
  - Add a Comment to the incident.
- Click Save.
The incident has been created.