This is an optional step of the Installation Wizard. On the Event enrichment tab of the Installation Wizard, you can specify which data from which sources should be added to events processed by the collector. You can enrich events with data received using LDAP or via enrichment rules.
LDAP enrichment
To enable enrichment using LDAP:
Click Add enrichment with LDAP data.
This opens the settings block for LDAP enrichment.
In the LDAP accounts mapping settings block, use the New domain button to specify the domain of the user accounts. You can specify multiple domains.
In the LDAP enrichment mapping table, define the rules for mapping KUMA requests to LDAP responses:
In the KUMA field column, indicate the KUMA event field whose value is sent to LDAP as the lookup key.
In the LDAP attribute to receive column, indicate the LDAP attribute whose value should be requested.
In the KUMA event field to write to column, indicate the KUMA event field that receives the value obtained from LDAP.
You can use the New line button to add a row to the table and the delete button to remove one. You can use the Apply default mapping button to fill the mapping table with standard values.
Enrichment rules for data received from LDAP are now added to the set of resources for the collector.
Enrichment rules
There can be more than one enrichment rule. You can add rules by clicking the Add enrichment button and remove them by clicking the delete button. You can use existing enrichment rule resources or create rules directly in the Installation Wizard.
To add an existing enrichment rule to a set of resources:
Click Add enrichment.
This opens the enrichment rule settings block.
In the Enrichment rule drop-down list, select the relevant resource.
The enrichment rule is added to the set of resources for the collector.
To create a new enrichment rule in a set of resources:
Click Add enrichment.
This opens the enrichment rule settings block.
In the Enrichment rule drop-down list, select Create.
In the Source kind drop-down list, select the source of data for enrichment and define the settings that apply to it:
constant—this type of enrichment is used when a constant needs to be added to an event field.
When this type is selected, specify the value to add to the event field in the Constant field. The value must not be longer than 255 Unicode characters. If you leave this field blank, the existing value of the event field is cleared.
dictionary—this type of enrichment is used when you need to add a value from a dictionary.
When this type is selected, in the Dictionary name drop-down list select the dictionary that will provide the values. In the Key fields settings block, use the Add field button to select the event fields whose values are used to look up the dictionary entry.
event—this type of enrichment is used when you need to write the value of another event field to the current event field.
When this type is selected, in the Source field drop-down list select the event field whose value is copied to the target field.
In the Conversion settings block, you can create rules for modifying the original data before it is written to the KUMA event field. The conversion type is selected from the drop-down list. You can use the Add conversion and Delete buttons to add or delete a conversion. Conversions are applied in the order in which they are listed, and the output of each conversion is the input of the next, so the order matters.
Available conversions:
lower—is used to make all characters of the value lowercase
upper—is used to make all characters of the value uppercase
regexp—is used to apply an RE2 regular expression to the value. When this conversion type is selected, a field appears in which you enter the regular expression.
substring—is used to extract the characters in the position range specified in the Start and End fields. These fields appear when this conversion type is selected.
replace—is used to replace the specified character sequence with another character sequence. When this type of conversion is selected, new fields appear:
Replace chars—in this field, specify the character sequence that should be replaced.
With chars—in this field, specify the character sequence that should be used instead of the replaced characters.
trim—is used to remove the characters specified in the Chars field from the leading and trailing positions of the value. The field appears when this type of conversion is selected.
append—is used to add the characters specified in the Constant field to the end of the event field value. The field appears when this type of conversion is selected.
prepend—is used to add the characters specified in the Constant field to the start of the event field value. The field appears when this type of conversion is selected.
replace with regexp—is used to replace the matches of an RE2 regular expression with a character sequence. When this type of conversion is selected, new fields appear:
Expression—in this field, specify the regular expression whose matches should be replaced.
With chars—in this field, specify the character sequence that should be used instead of the matched characters.
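As an added example, not code from this page or from KUMA itself, the following Go program models the conversion chain described above: each row of the Conversion settings block becomes a Conversion value, and Apply runs them in order on a field value. Go's regexp package implements RE2, as the regexp conversions do. The struct layout, the regexp semantics (the first capture group is kept, otherwise the whole match), and the substring positions (0-based, end exclusive) are assumptions made for the example; the sample value is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Conversion mirrors one row of the Conversion settings block: the conversion
// type plus the fields the wizard shows for that type (Start/End, Chars, ...).
type Conversion struct {
	Type     string // lower, upper, regexp, substring, replace, trim, append, prepend, replaceWithRegexp
	Expr     string // regexp, replaceWithRegexp: the RE2 expression
	Start    int    // substring: start position (assumed 0-based, inclusive)
	End      int    // substring: end position (assumed exclusive)
	Replace  string // replace: Replace chars
	With     string // replace, replaceWithRegexp: With chars
	Chars    string // trim: Chars
	Constant string // append, prepend: Constant
}

// Apply runs the conversions in the order given; each consumes the previous
// result, which is why the order of the rows matters.
func Apply(value string, convs []Conversion) (string, error) {
	for _, c := range convs {
		switch c.Type {
		case "lower":
			value = strings.ToLower(value)
		case "upper":
			value = strings.ToUpper(value)
		case "regexp":
			// Go's regexp package implements RE2. Assumed semantics: the first
			// capture group is kept, else the whole match, else an empty string.
			re, err := regexp.Compile(c.Expr)
			if err != nil {
				return "", err
			}
			m := re.FindStringSubmatch(value)
			switch {
			case m == nil:
				value = ""
			case len(m) > 1:
				value = m[1]
			default:
				value = m[0]
			}
		case "substring":
			r := []rune(value) // positions count Unicode characters, not bytes
			start, end := c.Start, c.End
			if end > len(r) {
				end = len(r)
			}
			if start < 0 || start >= end {
				value = ""
			} else {
				value = string(r[start:end])
			}
		case "replace":
			value = strings.ReplaceAll(value, c.Replace, c.With)
		case "trim":
			value = strings.Trim(value, c.Chars) // any of Chars, from both ends
		case "append":
			value += c.Constant
		case "prepend":
			value = c.Constant + value
		case "replaceWithRegexp":
			re, err := regexp.Compile(c.Expr)
			if err != nil {
				return "", err
			}
			value = re.ReplaceAllString(value, c.With)
		default:
			return "", fmt.Errorf("unknown conversion type %q", c.Type)
		}
	}
	return value, nil
}

// UserConversions turns a padded DOMAIN\User@realm value into a prefixed,
// lowercase user name: trim padding, extract with a regexp, lower, prepend.
func UserConversions() []Conversion {
	return []Conversion{
		{Type: "trim", Chars: " "},
		{Type: "regexp", Expr: `\\([^@]+)`},
		{Type: "lower"},
		{Type: "prepend", Constant: "user:"},
	}
}

func main() {
	raw := "  CORP\\Alice.Smith@corp.example  " // constructed sample value
	out, err := Apply(raw, UserConversions())
	fmt.Printf("%q -> %q (err=%v)\n", raw, out, err)
	// The same two conversions in different order give different results.
	a, _ := Apply("alice.smith", []Conversion{{Type: "append", Constant: ".local"}, {Type: "upper"}})
	b, _ := Apply("alice.smith", []Conversion{{Type: "upper"}, {Type: "append", Constant: ".local"}})
	fmt.Println(a, b)
}
```

The second half of main is the practical caveat: append followed by upper gives ALICE.SMITH.LOCAL, while upper followed by append gives ALICE.SMITH.local, so a rule that normalises case must be placed after any conversion that adds text.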
template—this type of enrichment is used when you need to write a value obtained by processing a Go template into the event field.
When this type is selected, a Go template must be specified in the Template field.
Event field names are passed in the {{.EventField}} format, where EventField is the name of the event field whose value is passed to the template.
Example: Attack on {{.DestinationAddress}} from {{.SourceAddress}}
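As an added example rather than code from the page or from the product, the program below renders templates of this kind with Go's text/template package, which is where the {{.EventField}} syntax comes from. The Event struct, its field names and the sample event are constructed for the example. It also shows two things the one-line example above does not: Go template conditionals and printf can derive a value from several fields, and in text/template a reference to a field the event type does not have fails at execution rather than silently producing an empty string.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Event carries the subset of KUMA event fields referenced by the templates
// below (constructed for the example). {{.EventField}} resolves against it.
type Event struct {
	Name               string
	SourceAddress      string
	SourcePort         int
	DestinationAddress string
	DestinationPort    int
	BytesIn            int64
}

// Render executes the text of a Template field against one event and returns
// the string that would be written to the target field. A reference to a field
// the event type does not have is an execution error, not an empty string.
func Render(tmpl string, ev Event) (string, error) {
	t, err := template.New("enrich").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, ev); err != nil {
		return "", fmt.Errorf("execute: %w", err)
	}
	return buf.String(), nil
}

// SampleEvent is a constructed event, not data from the page.
func SampleEvent() Event {
	return Event{
		Name:               "SMB session setup",
		SourceAddress:      "192.0.2.10",
		SourcePort:         51234,
		DestinationAddress: "10.0.0.5",
		DestinationPort:    445,
		BytesIn:            4_200_000,
	}
}

// Templates used below. The first is the page's own example; the others use
// Go template conditionals and printf to derive a value from several fields.
const (
	AttackTemplate = "Attack on {{.DestinationAddress}} from {{.SourceAddress}}"
	FlowTemplate   = "{{if gt .BytesIn 1000000}}large{{else}}small{{end}} transfer " +
		"{{.SourceAddress}}:{{.SourcePort}} -> {{.DestinationAddress}}:{{.DestinationPort}}"
	TupleTemplate = `{{printf "%s|%d|%s|%d" .SourceAddress .SourcePort .DestinationAddress .DestinationPort}}`
)

func main() {
	ev := SampleEvent()
	for _, tmpl := range []string{AttackTemplate, FlowTemplate, TupleTemplate, "{{.NoSuchField}}"} {
		out, err := Render(tmpl, ev)
		fmt.Printf("%-40s => %q err=%v\n", tmpl, out, err)
	}
}
```

The last template in main deliberately names a field that does not exist, so its error is visible next to the three successful renders; a typo in a field name in the Template field is the kind of mistake worth checking for before the collector goes live.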
dns—this type of enrichment is used to send requests to a private network DNS server to convert IP addresses into domain names or vice versa.
Available settings:
URL—in this field, you can specify the URL of a DNS server to which you want to send requests. You can use the Add URL button to specify multiple URLs.
RPS—maximum number of requests sent to the server per second. The default value is 1000.
Workers—maximum number of requests per one point in time. The default value is 1.
Max tasks—maximum number of simultaneously fulfilled requests. By default, this value is equal to the number of vCPUs of the KUMA Core server.
Cache TTL—the lifetime of the values stored in the cache. The default value is 60.
Cache disabled—you can use this drop-down list to enable or disable caching. Caching is enabled by default.
cybertrace—this type of enrichment is used to add information from CyberTrace data streams to event fields.
Available settings:
URL (required)—in this field, you can specify the URL of a CyberTrace server to which you want to send requests.
Number of connections—maximum number of connections to the CyberTrace server that can be simultaneously established by KUMA. By default, this value is equal to the number of vCPUs of the KUMA Core server.
RPS—maximum number of requests sent to the server per second. The default value is 1000.
Timeout—amount of time to wait for a response from the CyberTrace server, in seconds. The default value is 30.
Mapping (required)—this settings block contains the mapping table for mapping KUMA event fields to CyberTrace indicator types. The KUMA fields column shows the names of KUMA event fields, and the CyberTrace indicator column shows the types of CyberTrace indicators.
Available types of CyberTrace indicators:
ip
url
hash
In the mapping table, you must provide at least one row. You can use the New line button to add a row and the delete button to remove one.
In the Target field drop-down list, select the KUMA event field to which you want to write the data.
Use the Debug drop-down list to indicate whether or not to enable logging of service operations. Logging is disabled by default.
In the Filter section, you can specify conditions to identify events that will be processed by the enrichment rule resource. You can select an existing filter resource from the drop-down list, or select Create new to create a new filter.
If you want to keep the filter as a separate resource, set the Save filter toggle switch. This can be useful if you decide to reuse the same filter across different services. The toggle switch is turned off by default.
If you toggle the Save filter switch on, enter a name for the created filter resource in the Name field. The name must contain from 1 to 128 Unicode characters.
In the Conditions settings block, specify the conditions that the events must meet:
The Add condition button is used to add filtering conditions. You can select two values (two operands, left and right) and assign the operation you want to perform with the selected values. The result of the operation is either True or False.
In the operator drop-down list, select the operator that the filter applies to the operands:
<—the left operand is less than the right operand.
<=—the left operand is less than or equal to the right operand.
>—the left operand is greater than the right operand.
>=—the left operand is greater than or equal to the right operand.
inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
contains—the left operand contains one of the values of the right operand.
startsWith—the left operand starts with one of the values of the right operand.
endsWith—the left operand ends with one of the values of the right operand.
match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
inActiveList—this filter has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
You can use the Match case check box to choose whether the values passed to the filter are compared case-sensitively. This check box is cleared by default.
In the Left operand and Right operand drop-down lists, select where the data to be filtered will come from. As a result of the selection, Advanced settings will appear. Use them to determine the exact value that will be passed to the filter. For example, when choosing active list you will need to specify the name of the active list, the entry key and the entry key field.
You can use the If drop-down list to negate the condition: the condition is then met when the operator returns False.
Conditions can be deleted using the delete button.
The Add group button is used to add groups of conditions. The group operator, AND by default, can be switched between AND, OR, and NOT.
A condition group can be deleted using the delete button.
Using the Add filter button, you can add existing filter resources selected in the Select filter drop-down list to the conditions. You can navigate to a nested filter resource using the navigation button.
A nested filter can be deleted using the delete button.
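As an added example, not KUMA's own filter engine, the Go program below evaluates a filter built from the elements described above: conditions with the operators <, <=, >, >=, inSubnet, contains, startsWith, endsWith and match (RE2, via Go's regexp package), the Match case check box, the If drop-down negation, a right operand with several values, and nested AND/OR/NOT groups. The event representation (a map of field names to string values), the reading of NOT as "no member of the group is true", and the sample filter are assumptions made for the example; the operators that need active lists, asset categories, Active Directory groups or CyberTrace data are left out because they need data the example cannot carry.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// Node is a Condition or a Group; an event is modelled as field name -> value.
type Node interface {
	Eval(ev map[string]string) (bool, error)
}

// Condition mirrors one Add condition row: Left is an event field, Right the constant
// value(s) of the right operand, MatchCase the Match case box, Negate the If drop-down.
type Condition struct {
	Left      string
	Op        string // <, <=, >, >=, inSubnet, contains, startsWith, endsWith, match
	Right     []string
	MatchCase bool
	Negate    bool
}

// Group mirrors an Add group block; Logic is AND, OR or NOT (NOT assumed: no member is true).
type Group struct {
	Logic   string
	Members []Node
}

// Eval: true if some right-operand value satisfies the operator, inverted when Negate is set.
func (c Condition) Eval(ev map[string]string) (bool, error) {
	left, hit := ev[c.Left], false
	for i := 0; i < len(c.Right) && !hit; i++ {
		right := c.Right[i]
		ls, rs := left, right // case-folded copies for the string operators
		if !c.MatchCase {
			ls, rs = strings.ToLower(ls), strings.ToLower(rs)
		}
		switch c.Op {
		case "<", "<=", ">", ">=":
			l, err1 := strconv.ParseFloat(left, 64)
			r, err2 := strconv.ParseFloat(right, 64)
			if err1 != nil || err2 != nil {
				return false, fmt.Errorf("%s: non-numeric operand %q / %q", c.Op, left, right)
			}
			hit = (c.Op == "<" && l < r) || (c.Op == "<=" && l <= r) || (c.Op == ">" && l > r) || (c.Op == ">=" && l >= r)
		case "inSubnet":
			_, cidr, err := net.ParseCIDR(right)
			if err != nil {
				return false, err
			}
			ip := net.ParseIP(left)
			hit = ip != nil && cidr.Contains(ip)
		case "contains":
			hit = strings.Contains(ls, rs)
		case "startsWith":
			hit = strings.HasPrefix(ls, rs)
		case "endsWith":
			hit = strings.HasSuffix(ls, rs)
		case "match":
			if !c.MatchCase {
				right = "(?i)" + right
			}
			re, err := regexp.Compile(right) // Go's regexp is RE2, as in KUMA
			if err != nil {
				return false, err
			}
			hit = re.MatchString(left)
		default:
			return false, fmt.Errorf("operator %q is not modelled here", c.Op)
		}
	}
	return hit != c.Negate, nil
}

func (g Group) Eval(ev map[string]string) (bool, error) {
	anyHit, allHit := false, true
	for _, m := range g.Members {
		r, err := m.Eval(ev)
		if err != nil {
			return false, err
		}
		anyHit, allHit = anyHit || r, allHit && r
	}
	res, ok := map[string]bool{"AND": allHit, "OR": anyHit, "NOT": !anyHit}[g.Logic]
	if !ok {
		return false, fmt.Errorf("unknown group logic %q", g.Logic)
	}
	return res, nil
}

// SampleFilter (constructed): internal source, port 445 or above, destination outside
// the internal range (negated inSubnet), and an SMB event name or an admin account.
func SampleFilter() Group {
	return Group{Logic: "AND", Members: []Node{
		Condition{Left: "SourceAddress", Op: "inSubnet", Right: []string{"10.0.0.0/8", "192.168.0.0/16"}},
		Condition{Left: "DestinationPort", Op: ">=", Right: []string{"445"}},
		Condition{Left: "DestinationAddress", Op: "inSubnet", Right: []string{"10.0.0.0/8"}, Negate: true},
		Group{Logic: "OR", Members: []Node{
			Condition{Left: "Name", Op: "startsWith", Right: []string{"smb"}},
			Condition{Left: "DestinationUserName", Op: "match", Right: []string{`^admin(istrator)?$`}},
		}},
	}}
}
```

Two details are worth noticing when building the same filter in the wizard. With Match case cleared, startsWith "smb" also matches an event named "SMB Session Setup", and the match operator behaves as if the expression were prefixed with (?i); with Match case set, "SMB" no longer starts with "smb". A numeric operator applied to a field that is not numeric is reported as an error here rather than silently evaluating to False, so a filter on DestinationPort should only be attached to events whose normalizer actually fills that field.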
The new enrichment rule is added to the set of resources for the collector.
Proceed to the next step of the Installation Wizard.