Configuring a response rule for integration with KWTS
To configure a response rule:
- Create a response rule:
  - In the KUMA web interface, select the Resources → Response rules section and click Add response rule.
  - In the Create response rule window that opens, enter the name of the rule in the Name field.
  - In the Tenant drop-down list, select the tenant that owns the resource.
  - In the Type drop-down list, select Run script.
  - In the Script name field, enter the name of the script, kwts.py.
  - In the Script arguments field, specify:
    - --host: address of the KWTS server.
    - --username: name of the user account created in KWTS or local administrator.
    - --password: KWTS user account password.
    - --rule_id: ID of the rule created in KWTS.
    - Specify one of the options depending on the type of the object being blocked:
      - --url: specify the field of the KUMA event from which you want to obtain the URL, for example, {{.RequestUrl}}.
      - --ip: specify the field of the KUMA event from which you want to obtain the IP address, for example, {{.DestinationAddress}}.
      - --domain: specify the field of the KUMA event from which you want to obtain the domain name, for example, {{.DestinationHostName}}.
    - --ntlm: specify this option if the KWTS user was created with NTLM authentication.

    Example:

    --host <address> --username <user> --password <pass> --rule_id <id> --url {{.RequestUrl}}
  - In the Conditions section, add conditions corresponding to correlation rules that require blocking in KWTS when triggered.
  - Click Save.
- Add the response rule to the correlator:
  - In the Resources → Correlators section, select the correlator that must respond and in whose directory you placed the script.
  - In the steps tree, select Response rules.
  - Click Add.
  - In the Response rule drop-down list, select the rule added at step 1 of these instructions.
  - In the steps tree, select Setup validation.
  - Click Save and reload services.
  - Click the Save button.
The response rule is linked to the correlator and ready to use.
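
A pre-flight check for the Script arguments string described above, added here as an example; it is not the kwts.py script or Kaspersky code. It assumes the string is checked after the event field has been substituted and that it is split shell-style; check_arguments and all sample values are constructed.

```python
import argparse
import ipaddress
import re
import shlex
from urllib.parse import urlsplit

LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # one DNS label


class _Parser(argparse.ArgumentParser):
    def error(self, message):  # raise instead of printing usage and exiting
        raise ValueError(message)


def _is_url(value):
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def _is_domain(value):
    labels = value.rstrip(".").split(".")
    return len(value) <= 253 and len(labels) > 1 and all(LABEL.fullmatch(l) for l in labels)


CHECKS = {"url": _is_url, "ip": _is_ip, "domain": _is_domain}


def check_arguments(arg_string):
    """Return (kind, value) for the object to block, or raise ValueError."""
    parser = _Parser(prog="kwts.py", allow_abbrev=False, add_help=False)
    for name in ("host", "username", "password", "rule_id"):
        parser.add_argument("--" + name, required=True)
    # Exactly one of --url / --ip / --domain, as the procedure requires.
    target = parser.add_mutually_exclusive_group(required=True)
    for name in CHECKS:
        target.add_argument("--" + name)
    parser.add_argument("--ntlm", action="store_true")
    args = parser.parse_args(shlex.split(arg_string))
    kind = next(k for k in CHECKS if getattr(args, k) is not None)
    value = getattr(args, kind)
    if not CHECKS[kind](value):  # also catches an unsubstituted {{.Field}}
        raise ValueError(f"--{kind} value is not a valid {kind}: {value!r}")
    return kind, value
```

A value that contains whitespace splits into extra tokens and is rejected as an unrecognized argument, so a malformed event field fails the check.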