Step 1. Preliminary steps

Preliminary steps are as follows:

  1. Event monitoring.

    When a collector is created and configured in KUMA, the program writes information security events registered on controlled elements of the organization's IT infrastructure to the event database. You can find and view these events.

  2. Creating a correlator and correlation rules.

    When a sequence of events that satisfy the conditions of a correlation rule is detected, the program generates alerts. If the same correlation rule is triggered for several events, all these events are associated with the same alert. You can use correlation rules from the distribution kit or create them manually.

  3. Configuring email notifications about an alert to one or more email addresses.

    If notification is configured, KUMA sends a notification to the specified email addresses when a new alert is received. The alert link is displayed in the notification.

  4. Adding assets.

    You can only perform response actions for an asset (for example, block a file from running) if the asset is added to KUMA.

    Performing response actions requires integrating KUMA with Kaspersky Security Center and Kaspersky Endpoint Detection and Response.

    Example

    The analyst has carried out the following preliminary steps:

    • Installed the SOC_package correlation rules from the distribution kit and linked them to the correlator.
    • Configured the sending of alert notifications to the analyst's email.
    • Imported assets from Kaspersky Security Center to KUMA.

      According to the incident conditions, after the administrator logged into their account, a malicious file was run, which the attacker had added to Windows autorun. The asset sent Windows security event log events to KUMA. The correlation rules were triggered for these events.

      As a result, the following alerts were written to the KUMA alert database:

    • R223_Collection of information about processes.
    • R050_Windows Event Log was cleared.
    • R295_System manipulations by a non-privileged process.
    • R097_Startup script manipulation.
    • R093_Modification of critical registry hives.

    The alert information contains the names of the correlation rules on the basis of which the alerts were created, and the time of the first and of the last event for which the rules were triggered.

    The analyst received alert notifications by email. The analyst followed the link to the R093_Changes to critical registry hives alert from the notification.
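    The following is an added example (not KUMA's own code and not the SOC_package rule logic) that models the alert behaviour described above: every event matching a correlation rule is attached to that rule's alert, and the alert records the first and last matched event time. The event field names, the sample events and the rule names (EX01, EX02) and their conditions are assumptions made for this illustration.

```python
"""Simplified model of how correlation rules turn events into alerts.

Added example, not KUMA's code: a rule is a named predicate over an event; every
event that matches a rule is attached to that rule's alert, and the alert records
the times of the first and last matched events.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable

# Constructed sample events in a simplified Windows-security-log-like shape.
# Field names and values are assumptions for this example, not KUMA's event schema.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:05", "host": "ws-01", "event_id": 4624, "user": "admin"},
    {"time": "2024-05-01T09:00:40", "host": "ws-01", "event_id": 4657,
     "object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"time": "2024-05-01T09:01:10", "host": "ws-01", "event_id": 4688,
     "process": r"C:\Users\admin\AppData\Local\Temp\updater.exe"},
    {"time": "2024-05-01T09:02:30", "host": "ws-01", "event_id": 4657,
     "object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\updater"},
    {"time": "2024-05-01T09:05:00", "host": "ws-01", "event_id": 1102, "user": "admin"},
]

# Hypothetical rules: names and conditions are assumptions, not SOC_package rules.
RULES: dict[str, Callable[[dict], bool]] = {
    "EX01_Autorun registry key modified":
        lambda e: e["event_id"] == 4657 and "\\CurrentVersion\\Run" in e.get("object", ""),
    "EX02_Security log cleared":
        lambda e: e["event_id"] == 1102,
}


@dataclass
class Alert:
    rule: str
    first_event: datetime
    last_event: datetime
    events: list = field(default_factory=list)


def correlate(events, rules=RULES) -> dict[str, Alert]:
    """Run every rule over the events (in time order) and group hits per rule.

    One alert per triggered rule: the first hit creates it, later hits for the
    same rule are attached to it and extend its last_event time. Events that
    match no rule (here the 4688 process-creation event) produce no alert.
    """
    alerts: dict[str, Alert] = {}
    for event in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(event["time"])
        for name, matches in rules.items():
            if not matches(event):
                continue
            alert = alerts.get(name)
            if alert is None:
                alerts[name] = Alert(rule=name, first_event=ts, last_event=ts, events=[event])
            else:
                alert.last_event = ts
                alert.events.append(event)
    return alerts


def alert_summary(alerts: dict[str, Alert]) -> list[str]:
    """One line per alert: rule name, event count, first and last event time."""
    return [
        f"{a.rule}: {len(a.events)} event(s), "
        f"first {a.first_event.isoformat()}, last {a.last_event.isoformat()}"
        for a in alerts.values()
    ]


if __name__ == "__main__":
    for line in alert_summary(correlate(SAMPLE_EVENTS)):
        print(line)
```

Running the block yields two alerts: the autorun rule fires twice (the Run and RunOnce modifications) and so its alert spans 09:00:40 to 09:02:30, while the log-cleared rule fires once; this is the per-rule grouping and first/last event timing that the alert view in KUMA presents to the analyst.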
