Exporting incidents to RuCERT

Incidents created in KUMA can be exported to the National Coordinating Center for Computer Incidents (also known as RuCERT). Prior to exporting incidents, you must configure integration with RuCERT. An incident can be exported only once.

You can export incidents to RuCERT only if your application license includes the GosSOPKA module (GosSOPKA is a Russian government system for the detection, prevention, and mitigation of computer attacks).

To export an incident to RuCERT:

In the Incidents section of the KUMA web interface, select the incident that you want to export using one of the following ways:
- Select the check box next to the relevant incident.
- Open the relevant incident.
Click Export to RuCERT.
This opens the export settings window.

Specify the settings on the Basic tab of the Export to RuCERT window:

Category and Type—specify the type and category of the incident. Only incidents of specific categories and types can be exported to RuCERT.

Categories and types of incidents that can be exported to RuCERT

TLP (required)—assign a Traffic Light Protocol marker to an incident to define the nature of information about the incident. The default value is RED. Available values:
- WHITE—disclosure is not restricted.
- GREEN—disclosure is only for the community.
- AMBER—disclosure is only for organizations.
- RED—disclosure is only for a specific group of people.
Affected system name (required)—specify the name of the information resource where the incident occurred. You can enter up to 500,000 characters in the field.
Affected system category (required)—specify the critical information infrastructure (CII) category of your organization. If your organization does not have a CII category, select Information resource is not a CII object.
Affected system function (required)—specify the scope of activity of your organization. The value specified in RuCERT integration settings is used by default.
Available company business sectors
- Nuclear energy
- Banking and other financial market sectors
- Mining
- Federal/municipal government
- Healthcare
- Metallurgy
- Science
- Defense industry
- Education
- Aerospace industry
- Communication
- Mass media
- Fuel and power
- Transportation
- Chemical industry
- Other
Location (required)—select the location of your organization from the drop-down list.
Affected system has Internet connection—select this check box if the assets related to this incident have an Internet connection. In addition, after completing an export in the GosSOPKA account dashboard, provide technical information about the computer incident, computer attack, or vulnerability in the notification card. By default, this check box is cleared.
Product info (required)—this table becomes available if you selected Notification about a detected vulnerability as the incident category.
You can use the Add new element button to add a string to the table. In the Name column, you must indicate the name of the application (for example, MS Office). Specify the application version in the Version column (for example, 2.4).
Vulnerability ID—if necessary, specify the identifier of the detected vulnerability. For example, CVE-2020-1231.
This field becomes available if you selected Notification about a detected vulnerability as the incident category.
Name and version of vulnerable product—if necessary, specify the name and version of the vulnerable product. For example, Microsoft operating systems and their components.
This field becomes available if you selected Notification about a detected vulnerability as the incident category.

If required, define the settings on the Advanced tab of the Export to RuCERT window.
The available settings on the tab depend on the selected category and type of incident:
- Incident detection tool—specify the name of the product that was used to register the incident. For example, KUMA 1.5.
- Assistance required—select this check box if you need help from GosSOPKA employees.
- Incident end time—specify the date and time when the standard operating mode of the controlled information resource (CII object) was restored after the computer incident, when the computer attack was ended, or when the vulnerability was fixed.
- Availability impact—assess the degree of impact that the incident had on system availability:
  - High
  - Low
  - None
- Integrity impact—assess the degree of impact that the incident had on system integrity:
  - High
  - Low
  - None
- Confidentiality impact—assess the degree of impact that the incident had on data confidentiality:
  - High
  - Low
  - None
- Custom impact—specify other significant impacts from the incident.
- City—indicate the city where your organization is located.
Click Export.
Confirm the export.

Information about the incident is submitted to RuCERT, and the Export to RuCERT incident parameter is changed to Exported successfully. If changes need to be made to the exported incident, you should do this in your GosSOPKA account dashboard.

Page top

Category	Type
Computer incident notification	Involvement of a controlled resource in malicious software infrastructure
	Slowed operation of the resource due to a DDoS attack
	Malware infection
	Network traffic interception
	Use of a controlled resource for phishing
	Compromised user account
	Unauthorized data modification
	Unauthorized disclosure of information
	Publication of illegal information on the resource
	Distribution of spam messages from the controlled resource
	Successful exploitation of a vulnerability
Notification about a computer attack	DDoS attack
	Unsuccessful authorization attempts
	Malware injection attempts
	Attempts to exploit a vulnerability
	Publication of fraudulent information
	Network scanning
	Social engineering
Notification about a detected vulnerability	Vulnerable resource