Kaspersky Unified Monitoring and Analysis Platform
- About Kaspersky Unified Monitoring and Analysis Platform
- Program architecture
- Installing and removing KUMA
- Program licensing
- About the End User License Agreement
- About the license
- About the license certificate
- About the license key
- About the key file
- Adding a license key to the program web interface
- Viewing information about an added license key in the program web interface
- Removing a license key in the program web interface
- Integration with other solutions
- Integration with Kaspersky Security Center
- Integration with Kaspersky CyberTrace
- Integration with Kaspersky Threat Intelligence Portal
- Integration with R-Vision Incident Response Platform
- Integration with Active Directory
- Integration with RuCERT
- KUMA resources
- KUMA services
- Analytics
- Working with tenants
- Working with incidents
- About the incidents table
- Saving and selecting incident filter configuration
- Deleting incident filter configurations
- Viewing detailed incident data
- Incident creation
- Incident processing
- Changing incidents
- Automatic linking of alerts to incidents
- Categories and types of incidents
- Exporting incidents to RuCERT
- Working with alerts
- Working with events
- Retroscan
- Managing assets
- Managing KUMA
- Contacting Technical Support
- REST API
- REST API authorization
- Standard error
- Operations
- View list of active lists on the correlator
- Import entries to an active list
- Searching alerts
- Closing alerts
- Searching assets
- Import assets
- Deleting assets
- Searching events
- Viewing information about the cluster
- Resource search
- Loading resource file
- Viewing the contents of a resource file
- Import of resources
- Export resources
- Downloading the resource file
- Search for services
- Tenant search
- View token bearer information
- Appendices
- Commands for components manual starting and installing
- Normalized event data model
- Correlation event fields
- Audit event fields
- Event fields with general information
- User was successfully logged in or failed to log in
- User login successfully changed
- User role was successfully changed
- Other data of the user was successfully changed
- User successfully logged out
- User password was successfully changed
- User was successfully created
- User access token was successfully changed
- Service was successfully created
- Service was successfully deleted
- Service was successfully reloaded
- Service was successfully restarted
- Service was successfully started
- Service was successfully paired
- Service status was changed
- Storage index was deleted by user
- Storage partition was deleted automatically due to expiration
- Active list was successfully cleared or operation failed
- Active list item was successfully deleted or operation was unsuccessful
- Active list was successfully imported or operation failed
- Active list was exported successfully
- Resource was successfully added
- Resource was successfully deleted
- Resource was successfully updated
- Asset was successfully created
- Asset was deleted successfully
- Asset category was successfully added
- Asset category was deleted successfully
- Settings were successfully updated
- Information about third-party code
- Trademark notices
Working with tenants > Tenant affiliation rules
Tenant affiliation rules
Tenant affiliation rules
Tenant inheritance rules
It is important to track which tenant owns specific objects created in KUMA because this determines who will have access to the objects and whether or not interaction with specific objects can be configured. Tenant identification rules:
- The tenant of an object (such as a service or resource) is determined by the user when the object is created.
After the object is created, the tenant selected for that object cannot be changed. However, resources can be exported then imported into another tenant.
- The tenant of an alert and correlation event is inherited from the correlator that created them.
The tenant name is indicated in the
TenantIdevent field. - If events of different tenants that are processed by the same correlator are not merged, the correlation events created by the correlator inherit the tenant of the event.
- The incident tenant is inherited from the alert.
Examples of multitenant interactions
Multitenancy in KUMA provides the capability to centrally investigate alerts and incidents that occur in different tenants. Below are some examples that illustrate which tenants own certain objects that are created.
When correlating events from different tenants in a common stream, you should not group events by tenant. In other words, the TenantId event field should not be specified in the Identical fields field in correlation rules. Events must be grouped by tenant only if you must not merge events from different tenants.
Services that must be accommodated by the capacities of the main tenant can be deployed only by a user with the general administrator role.
- Correlation of events for one tenant, correlator is allocated for this tenant and deployed at the tenant
Condition:
The collector and correlator are owned by tenant 2 (tenantID=2)
Scenario:
- The collector of tenant 2 receives and forwards events to the correlator of tenant 2.
- When correlation rules are triggered, the correlator creates correlation events with tenantID=2.
- The correlator forwards the correlation events to the storage partition for tenant 2.
- An alert is created and linked to the tenant with tenantID=2.
- The events that triggered the alert are appended to the alert.
An incident is created manually by the user. The incident tenant is determined by the tenant of the user. An alert is linked to an incident either manually or automatically.
- Correlation of events for one tenant, correlator is allocated for this tenant and deployed at the main tenant
Condition:
- The collector is deployed at tenant 2 and is owned by this tenant (tenantID=2).
- The correlator is deployed at the main tenant.
The owner of the correlator is determined by the general administrator depending on who will investigate incidents of tenant 2: employees of the main tenant or employees of tenant 2. The owner of the alert and incident depends on the owner of the correlator.
Scenario 1. The correlator belongs to tenant 2 (tenantID=2):
- The collector of tenant 2 receives and forwards events to the correlator.
- When correlation rules are triggered, the correlator creates correlation events with tenantID=2.
- The correlator forwards the correlation events to the storage partition of tenant 2.
- An alert is created and linked to the tenant with tenantID=2.
- The events that triggered the alert are appended to the alert.
Result 1:
- The created alert and its linked events can be accessed by employees of tenant 2.
Scenario 2. The correlator belongs to the main tenant (tenantID=1):
- The collector of tenant 2 receives and forwards events to the correlator.
- When correlation rules are triggered, the correlator creates correlation events with tenantID=1.
- The correlator forwards the correlation events to the storage partition of the main tenant.
- An alert is created and linked to the tenant with tenantID=1.
- The events that triggered the alert are appended to the alert.
Result 2:
- The alert and its linked events cannot be accessed by employees of tenant 2.
- The alert and its linked events can be accessed by employees of the main tenant.
- Centralized correlation of events received from different tenants
Condition:
- Two collectors are deployed: one at tenant 2 and one at tenant 3. Both collectors forward events to the same correlator.
- The correlator is owned by the main tenant. A correlation rule waits for events from both tenants.
Scenario:
- The collector of tenant 2 receives and forwards events to the correlator of the main tenant.
- The collector of tenant 3 receives and forwards events to the correlator of the main tenant.
- When a correlation rule is triggered, the correlator creates correlation events with tenantID=1.
- The correlator forwards the correlation events to the storage partition of the main tenant.
- An alert is created and linked to the main tenant with tenantID=1.
- The events that triggered the alert are appended to the alert.
Result:
- The alert and its linked events cannot be accessed by employees of tenant 2.
- The alert and its linked events cannot be accessed by employees of tenant 3.
- The alert and its linked events can be accessed by employees of the main tenant.
- The tenant correlates its own events, but the main tenant additionally provides centralized correlation of events.
Condition:
- Two collectors are deployed: one on the main tenant and one on tenant 2.
- Two correlators are deployed:
- Correlator 1 is owned by the main tenant and receives events from the collector of the main tenant and correlator 2.
- Correlator 2 is owned by tenant 2 and receives events from the collector of tenant 2.
Scenario:
- The collector of tenant 2 receives and forwards events to correlator 2.
- When a correlation rule is triggered, the correlator of tenant 2 creates correlation events with tenantID=2.
- Correlator 2 forwards the correlation events to the storage partition of tenant 2.
- Alert 1 is created and linked to the tenant with tenantID=2.
- The events that triggered the alert are appended to the alert.
- Correlation events from the correlator of tenant 2 are forwarded to correlator 1.
- The collector of the main tenant receives and forwards events to correlator 1.
- Correlator 1 processes events of both tenants. When a correlation rule is triggered, correlation events with tenantID=1 are created.
- Correlator 1 forwards the correlation events to the storage partition of the main tenant.
- Alert 2 is created and linked to the tenant with tenantID=1.
- The events that triggered the alert are appended to the alert.
Result:
- Alert 2 and its linked events cannot be accessed by employees of tenant 2.
- Alert 2 and its linked events can be accessed by employees of the main tenant.
- One correlator for two tenants
If you do not want events from different tenants to be merged during correlation, you should specify the
TenantIdevent field in the Identical fields field in correlation rules. In this case, the alert inherits the tenant from the correlator.Condition:
- Two collectors are deployed: one at tenant 2 and one at tenant 3.
- One correlator owned by the main tenant (tenantID=1) is deployed. It receives events from both tenants, but processes them irrespective of each other.
Scenario:
- The collector of tenant 2 receives and forwards events to the correlator.
- The collector of tenant 3 receives and forwards events to the correlator.
- When a correlation rule is triggered, the correlator creates correlation events with tenantID=1.
- The correlator forwards the correlation events to the storage partition of the main tenant.
- An alert is created and linked to the main tenant with tenantID=1.
- The events that triggered the alert are appended to the alert.
Result:
- Alerts that were created based on events from tenant 2 and 3 are not available to employees of tenants 2 and 3.
- Alerts and their linked events can be accessed by employees of the main tenant.
Article ID: 221469, Last review: Sep 2, 2022