Exporting data to NCIRCC

To export an incident to NCIRCC:

1. In the Incidents section of the KUMA web interface, open the incident you want to export.
2. Click the Export to NCIRCC button in the lower part of the window.
3. If you have not specified the category and type of incident, specify this information in the window that opens and click the Export to NCIRCC button.

   This opens the export settings window.

4. Specify the settings on the Basic tab of the Export to NCIRCC window:
5. On the Basic settings tab, fill in the required fields:

   Company name, Asset owner, Incident category, Incident type, Description, value of the TLP protocol, Incident creation date, Status, Affected system name, Affected system category, Affected system function, Location.

   • Nuclear energy
   • Banking and other financial market sectors
   • Mining
   • Federal/municipal government
   • Healthcare
   • Metallurgy
   • Science
   • Defense industry
   • Education
   • Aerospace industry
   • Communication
   • Mass media
   • Fuel and power
   • Transportation
   • Chemical industry
   • Other
   • WHITE—disclosure is not restricted.
   • GREEN—disclosure is only for the community.
   • AMBER—disclosure is only for organizations.
   • RED—disclosure is only for a specific group of people.
   • If you want to provide information about a personal data leak, select the Information about PD leakage check box, which enables the Information about PD leakage tab. This check box is cleared by default.

     The Operator name, INN, and Operator address fields are populated automatically with the values specified when setting up the NCIRCC integration. However, the field values can be edited when preparing the data export to NCIRCC.

     Personal data leak fields are available for the Notification about a computer incident category for the following notification types:

     • Malware infection
     • Compromised user account
     • Unauthorized disclosure of information
     • Successful exploitation of a vulnerability
     • Event is not related to a computer attack
   • Product info (required)—this table becomes available if you selected Notification about a detected vulnerability as the incident category.

     You can use the Add new element button to add a string to the table. In the Name column, you must indicate the name of the application (for example, MS Office). Specify the application version in the Version column (for example, 2.4).

   • Vulnerability ID—if necessary, specify the identifier of the detected vulnerability. For example, CVE-2020-1231.

     This field becomes available if you selected Notification about a detected vulnerability as the incident category.

   • Product category—if necessary, specify the name and version of the vulnerable product. For example, Microsoft operating systems and their components.

     This field becomes available if you selected Notification about a detected vulnerability as the incident category.

6. If required, define the settings on the Advanced tab of the Export to NCIRCC window.

   The available settings on the tab depend on the selected category and type of incident:

   • Detection tool—specify the name of the product that was used to register the incident. For example, KUMA 1.5.
   • Assistance required—select this check box if you need help from GosSOPKA employees.
   • Incident end time—specify the date and time when the critical information infrastructure (CII object) was restored to normal operation after a computer incident, computer attack was ended, or a vulnerability was fixed.
   • Availability impact—assess the degree of impact that the incident had on system availability:
     • High
     • Low
     • None
   • Integrity impact—assess the degree of impact that the incident had on system integrity:
     • High
     • Low
     • None
   • Confidentiality impact—assess the degree of impact that the incident had on data confidentiality:
     • High
     • Low
     • None
   • Custom impact—specify other significant impacts from the incident.
   • City—indicate the city where your organization is located.
7. If assets are attached to the incident, you can specify their settings on the Technical details tab.

   This tab is active only if you select the Affected system has Internet connection check box.

   If you need to edit or supplement the information previously specified on the Technical details tab, you should do this in your GosSOPKA account, even if NCIRCC experts requested additional information from you, and you can edit the exported incident.

   The categories of the listed assets must match the category of the affected CII in your system.

8. Click Export.
9. Confirm the export.

Information about the incident is submitted to NCIRCC, and the Export to NCIRCC incident setting is changed to Exported. At NCIRCC, the incident received from you is assigned a registration number and status. This information is displayed in the incident window in the NCIRCC integration section.

It is possible to change the data in the exported incident only if the NCIRCC experts requested additional information from you. If no additional information was requested, but you need to update the exported incident, you should do it in your GosSOPKA dashboard.

After the incident is successfully exported, the Compare KUMA incident to NCIRCC data button is displayed at the bottom of the screen. When you click this button, a window opens, where the differences in the incident data between KUMA and NCIRCC are highlighted.

Page top