Multitenancy support is added for managed security service providers (MSSP) and enterprises. This allows multi-divisional organizations and service providers to detect and prioritize threats for multiple branches from a single unified environment, and to close access to other branch offices' data by creating tenants based on event sources. By assigning roles to users in each tenant, the KUMA general administrator can precisely configure which information individual users are allowed to see, create or edit.
KUMA includes a package of standard correlation rules developed by Kaspersky specialists. All rules are aligned with the MITRE ATT&CK matrix and can be used as a basis for the development of custom rules for threat monitoring. Please be aware that correlation rules must be tested and adjusted to work correctly in specific environments.
Incident management capabilities have been significantly expanded. These KUMA capabilities help investigate security incidents, determine their root causes, and coordinate joint work among several analysts.
Incident cards are added. Analysts can create incidents either from scratch or from one or several alerts. An incident is created when there is more than just a suspicion of a security incident, i.e. when there is also confirmatory evidence. The incident card provides a single place to collect all of the signs of an incident: suspicious alerts or other data (such as information about affected assets and users).
Flexible grouping of alerts and incidents is added to reduce the load on analysts. It allows you to precisely configure the criteria for automatically consolidating correlation events into alerts, and alerts into incidents.
Event source status monitoring is added to promptly notify administrators about any issues that could interrupt or significantly reduce the flow of data coming from event sources. After configuring the expected minimum number of events in the monitoring policy and assigning this policy to the event source, the users indicated in the policy settings will receive notifications about deviations from the specified settings.
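The monitoring logic described above, modelled as an added Python example rather than KUMA's own code: the policy fields, source names, recipients and sample events are all assumptions constructed for the demonstration. Each monitored source is counted in fixed time windows, and every window whose count falls below the policy minimum produces a notification for the users listed in that policy.

```python
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical monitoring policies (field names are assumptions, not KUMA's schema):
# per event source, the minimum events expected in each window and whom to notify.
POLICIES = {
    "fw-edge": {"min_events": 3, "window_minutes": 10, "notify": ["soc-l1@example.org"]},
    "dc-01": {"min_events": 2, "window_minutes": 10, "notify": ["ad-admins@example.org"]},
}

# Constructed sample event stream: (timestamp, event source). Not real KUMA data.
T = datetime(2024, 1, 1, 8, 0)
EVENTS = [
    (T + timedelta(minutes=m), src)
    for m, src in [(1, "fw-edge"), (2, "dc-01"), (4, "fw-edge"), (7, "fw-edge"),
                   (8, "dc-01"), (11, "dc-01"), (12, "fw-edge"), (15, "dc-01"),
                   (17, "printer"), (21, "fw-edge"), (23, "fw-edge"),
                   (25, "fw-edge"), (28, "fw-edge")]
]


def check_event_sources(events, policies, start, end):
    """Count events per monitored source in fixed windows between start and end
    and return one notification for every window whose count is below the
    policy minimum. A window with no events at all is reported as well, which
    is the case that matters most: a silent source looks like a healthy one
    unless something expects a minimum flow."""
    notifications = []
    for source, policy in policies.items():
        window = timedelta(minutes=policy["window_minutes"])
        counts = Counter(
            # floor each event timestamp to the start of its window
            start + ((ts - start) // window) * window
            for ts, src in events
            if src == source and start <= ts < end
        )
        win_start = start
        while win_start < end:
            seen = counts.get(win_start, 0)
            if seen < policy["min_events"]:
                notifications.append({
                    "source": source,
                    "window_start": win_start,
                    "events_seen": seen,
                    "min_expected": policy["min_events"],
                    "notify": policy["notify"],
                })
            win_start += window
    return notifications


if __name__ == "__main__":
    for n in check_event_sources(EVENTS, POLICIES, T, T + timedelta(minutes=30)):
        print(f"{n['source']}: {n['events_seen']}/{n['min_expected']} events in window "
              f"starting {n['window_start']:%H:%M} -> notify {n['notify']}")
```

Sources without a policy (the constructed "printer" source here) are ignored, as only sources that have a policy assigned are monitored.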
Support for new connectors is implemented to ingest events over the following protocols.
WMI (via RPC) allows receiving Windows events from remote computers using RPC methods. Compared with WEC, which ingests Windows events only from the local computer or from a WEC server where the agent is installed, WMI can be considered an agentless approach.
SNMP versions 1, 2 and 3 allow actively requesting data over the SNMP protocol.
NFS allows obtaining events from files stored in an NFS shared folder.
FTP allows obtaining events from files accessible over the FTP protocol.
Automatic asset categorization (dynamic categorization) is supported. With proactive categorization, KUMA users can define criteria for each category (for example, include assets running Windows that are located in subnet 10.10.0.0/16). At the same time, reactive categorization allows changing asset categories based on correlation. As before, dynamic categories can be taken into account during correlation and alert triage.
An HTTP REST API is added to help manage assets and active lists.
KUMA agent functionality is significantly improved. The agent now supports all connectors supported in KUMA (previously only the WEC connector was supported) and can be used for event routing.
Upgrading from versions 1.0 and 1.1 is supported. Resources (correlation rules, normalizers, etc.) will be preserved during the upgrade. Contact Kaspersky specialists for assistance with transferring accumulated data (events and alerts) during the upgrade.
Installation wizards for connecting event sources and creating correlators are added. They simplify these processes and prevent potential errors. The wizards guide the KUMA user through all necessary steps and interactively help to check the settings.