Kaspersky Unified Monitoring and Analysis Platform
- About Kaspersky Unified Monitoring and Analysis Platform
- Program architecture
- Installing and removing KUMA
- Program licensing
- About the End User License Agreement
- About the license
- About the license certificate
- About the license key
- About the key file
- Adding a license key to the program web interface
- Viewing information about an added license key in the program web interface
- Removing a license key in the program web interface
- Integration with other solutions
- Integration with Kaspersky Security Center
- Integration with Kaspersky CyberTrace
- Integration with Kaspersky Threat Intelligence Portal
- Integration with R-Vision Incident Response Platform
- Integration with Active Directory
- Integration with RuCERT
- KUMA resources
- KUMA services
- Analytics
- Working with tenants
- Working with incidents
- About the incidents table
- Saving and selecting incident filter configuration
- Deleting incident filter configurations
- Viewing detailed incident data
- Incident creation
- Incident processing
- Changing incidents
- Automatic linking of alerts to incidents
- Categories and types of incidents
- Exporting incidents to RuCERT
- Working with alerts
- Working with events
- Retroscan
- Managing assets
- Managing KUMA
- Contacting Technical Support
- REST API
- REST API authorization
- Standard error
- Operations
- View list of active lists on the correlator
- Import entries to an active list
- Searching alerts
- Closing alerts
- Searching assets
- Import assets
- Deleting assets
- Searching events
- Viewing information about the cluster
- Resource search
- Loading resource file
- Viewing the contents of a resource file
- Import of resources
- Export resources
- Downloading the resource file
- Search for services
- Tenant search
- View token bearer information
- Appendices
- Commands for components manual starting and installing
- Normalized event data model
- Correlation event fields
- Audit event fields
- Event fields with general information
- User was successfully logged in or failed to log in
- User login successfully changed
- User role was successfully changed
- Other data of the user was successfully changed
- User successfully logged out
- User password was successfully changed
- User was successfully created
- User access token was successfully changed
- Service was successfully created
- Service was successfully deleted
- Service was successfully reloaded
- Service was successfully restarted
- Service was successfully started
- Service was successfully paired
- Service status was changed
- Storage index was deleted by user
- Storage partition was deleted automatically due to expiration
- Active list was successfully cleared or operation failed
- Active list item was successfully deleted or operation was unsuccessful
- Active list was successfully imported or operation failed
- Active list was exported successfully
- Resource was successfully added
- Resource was successfully deleted
- Resource was successfully updated
- Asset was successfully created
- Asset was deleted successfully
- Asset category was successfully added
- Asset category was deleted successfully
- Settings were successfully updated
- Information about third-party code
- Trademark notices
Importing events from the Kaspersky Security Center database
In KUMA, you can receive events directly from the Kaspersky Security Center SQL database. Events are received by using a collector, which utilizes the provided resources of the connector [Example] KSC SQL and normalizer [Example] KSC from SQL.
To create a collector to receive Kaspersky Security Center events:
Follow the instructions under Creating a collector to select the preconfigured resources in the Installation Wizard:
- At step 2 of the Installation Wizard, select the [Example] KSC SQL connector:
- In the URL field, specify the server connection string in the following format:
sqlserver://user:password@kscdb.example.com:1433/KAVwhere:
user—user account with public and db_datareader rights to the required database.password—user account password.kscdb.example.com:1433—address and port of the database server.KAV—name of the database.
- In the Query field, specify a database query based on the need to receive certain events.
An example of a query to the Kaspersky Security Center SQL database
SELECT ev.event_id AS externalId, ev.severity AS severity, ev.task_display_name AS taskDisplayName,
ev.product_name AS product_name, ev.product_version AS product_version,
ev.event_type As deviceEventClassId, ev.event_type_display_name As event_subcode, ev.descr As msg,
CASE
WHEN ev.rise_time is not NULL THEN DATEADD(hour,DATEDIFF(hour,GETUTCDATE(),GETDATE()),ev.rise_time )
ELSE ev.rise_time
END
AS endTime,
CASE
WHEN ev.registration_time is not NULL
THEN DATEADD(hour,DATEDIFF(hour,GETUTCDATE(),GETDATE()),ev.registration_time )
ELSE ev.registration_time
END
AS kscRegistrationTime,
cast(ev.par7 as varchar(4000)) as sourceUserName,
hs.wstrWinName as dHost,
hs.wstrWinDomain as strNtDom, serv.wstrWinName As kscName,
CAST(hs.nIp / 256 / 256 / 256 % 256 AS VARCHAR) + '.' +
CAST(hs.nIp / 256 / 256 % 256 AS VARCHAR) + '.' +
CAST(hs.nIp / 256 % 256 AS VARCHAR) + '.' +
CAST(hs.nIp % 256 AS VARCHAR) AS sourceAddress,
serv.wstrWinDomain as kscNtDomain,
CAST(serv.nIp / 256 / 256 / 256 % 256 AS VARCHAR) + '.' +
CAST(serv.nIp / 256 / 256 % 256 AS VARCHAR) + '.' +
CAST(serv.nIp / 256 % 256 AS VARCHAR) + '.' +
CAST(serv.nIp % 256 AS VARCHAR) AS kscIP,
CASE
WHEN virus.tmVirusFoundTime is not NULL
THEN DATEADD(hour,DATEDIFF(hour,GETUTCDATE(),GETDATE()),virus.tmVirusFoundTime )
ELSE ev.registration_time
END
AS virusTime,
virus.wstrObject As filePath,
virus.wstrVirusName as virusName,
virus.result_ev as result
FROM KAV.dbo.ev_event as ev
LEFT JOIN KAV.dbo.v_akpub_host as hs ON ev.nHostId = hs.nId
INNER JOIN KAV.dbo.v_akpub_host As serv ON serv.nId = 1
Left Join KAV.dbo.rpt_viract_index as Virus on ev.event_id = virus.nEventVirus
where registration_time >= DATEADD(minute, -191, GetDate())
- In the URL field, specify the server connection string in the following format:
- At step 3 of the Installation Wizard, select the [Example] KSC from SQL normalizer.
- Specify other parameters in accordance with your collector requirements.