Kaspersky Unified Monitoring and Analysis Platform 4.0.1 introduces the following features and improvements:
Now you can use variables to filter widget data on the dashboard. Widgets of the Event type create charts based on SQL queries to the ClickHouse cluster. You can specify the SQL query in the properties of the widget. Variables allow you to modify this SQL query by substituting the data that you see in the widget on the dashboard into the query. The widget filters the data based on the new values of the variables and refreshes the chart. You do not need to manually change the SQL query in the properties of the widget.
Starting with KUMA 4.0.1, it is possible to receive OSINT data if integration with Kaspersky Threat Intelligence Portal is configured. After you configure the integration and accept the End User License Agreement, events, alerts, and correlation events are automatically enriched with OSINT data.
The new normalizer parsing method lets you reuse a previously created normalizer as the primary or extra normalizer for processing events.
In the Resources → Active services section, in the table of partitions, you can filter partitions by tenants and spaces by clicking the header of a column and selecting filters.
[OOTB][AD] Account created and deleted within a short period of time → [OOTB][DEMO][AD] Account created and deleted within a short period of time
[OOTB][AD] An account failed to log on from different hosts → [OOTB][DEMO][AD] An account failed to log on from different hosts
[OOTB][AD] Membership of sensitive group was modified → [OOTB][DEMO][AD] Membership of sensitive group was modified
[OOTB][AD] Multiple accounts failed to log on from the same host → [OOTB][DEMO][AD] Multiple accounts failed to log on from the same host
[OOTB][AD] Successful authentication with the same account on multiple hosts → [OOTB][DEMO][AD] Successful authentication with the same account on multiple hosts
[OOTB][AD] The account added and deleted from the group in a short period of time → [OOTB][DEMO][AD] The account added and deleted from the group in a short period of time
[OOTB][Net] Possible port scan → [OOTB][DEMO][Net] Possible port scan
Correlation rules are displayed with the [DEMO] designation only for users of KUMA 4.0.1 installed from scratch.
Kaspersky Unified Monitoring and Analysis Platform 4.0 introduces the following features and improvements:
You can install KUMA as a distributed installation with multiple KUMA Core services in a Raft cluster. Write operations are performed by the leader and broadcast to all servers in the cluster. Read operations are performed by each service from its local SQLite database. Thus, in addition to high availability, creating multiple KUMA Core services also takes care of horizontal scaling.
The common Metrics service is now used instead of the Grafana and VictoriaMetrics services. By default, the service is installed on a server from the kuma_core group specified in the inventory file. The data is stored in the /opt/kaspersky/kuma/metrics/<KUMA Core service ID>/data directory.
The general application installation requirements have been updated. Python versions from 3.6 to 3.12 are now supported, but you cannot combine hosts with Python version up to 3.6 inclusive and hosts with Python version 3.10 and later in one instance.
New settings comprise the security policy for logging in to KUMA web interface. A configured security policy helps reduce the risk of unauthorized access to KUMA by a cybercriminal. For example, you can manage the settings to make it impossible to log in to the KUMA web interface by brute-forcing a password.
The list of data processed by KUMA has been updated. Now, to provide its main functionality, KUMA can receive, store and process data from GosSOPKA and from NCIRCC messages, as well as information about valid licenses in KUMA.
A new mechanism for merging license keys has been added. If multiple license groups (active-reserve license key pairs) are added to one KUMA instance, the active license keys of all license groups are automatically merged. This creates a merged license. In a merged license, the Available EPS values of all active license keys are added together. The resulting EPS value is specified in the merged license and becomes available to all tenants.
New systems added to the list of supported event sources: Alcatel AOS-W, Alcatel Network Switch, Avanpost PKI, Cyberprotect Cyber Backup, Dell Network Switch, Eset Protect, Fortinet FortiAnalyzer, Kaspersky DFI, Kaspersky NDR, Kaspersky Secure Mail Gateway (KSMG) version 2.1.1, Microsoft → Windows → DNS-Server → Audit, Netwrix Endpoint Protector, Proftpd, SecurityCode Continent 3.9, Solar webProxy, SolarWinds SFTP & SCP Server file, Sophos Central, Staffcop Enterprise, VK WorkSpace Mail, Vsftpd, Konfident - Dallas Lock Unified Management Center, Microsoft → Windows → Group Policy → Operational, Bastion Synonyx, Angie web server, Cisco FWSM, Webmonitorx, Veeam Software Veeam Backup & Replication, Cisco NGIPS.
By processing events, KUMA lets you detect unknown assets in the infrastructure that are not included in the list of added KUMA assets. The asset must have an IP address or host name. An unknown asset being detected can be normal or it may indicate an information security incident.
Added a connector of the dfi type that is used to get data from Kaspersky Digital Footprint Intelligence via API.
A new mechanism allows detecting DLL Hijacking attacks. DLL Hijacking is an attack technique that involves delivering vulnerable legitimate software along with a malicious dynamic link library (DLL) to the target system. To detect such attacks, KUMA uses the AI module. The AI module analyzes the launch and runtime parameters of applications and identifies suspicious launches of legitimate software with malicious libraries.
Additional normalizers now work differently. Previously, if an event was successfully processed by the main normalizer but did not satisfy the conditions of the additional normalizers, the data sent to the additional normalizer was lost. Now KUMA generates an error in the collector log and writes the event to the Raw field if the event fails to be processed not only by the main normalizer, but also by an additional normalizer. This lets you track down the error and fix the normalizer.
Importing a file with a list of servers for WMI agents. If you have many servers, you can import a .TSV file with a list of event sources for WMI agents so that you do not have to manually fill in the Server, Domain, and Log type settings for the WMI agent on each server. In such a file, you can prepare a list of servers to which the WMI agent will connect and a list of logs that you want to receive from the specified servers. After importing and filling in all the fields of the remote hosts, a check is performed when you save settings. If any errors are found in the fields, the settings are not saved, and the errors are highlighted. You can manually update the fields as necessary and save the settings.
Now you can view all filled fields in an event card using the View all event fields button. To get query results quickly, we recommend running queries with a certain set of fields instead of SELECT *. Previously, only fields specified in the query were available in the event card. Now the event card has the View all event fields button. When you click this button, all non-empty fields of the event become available for viewing. This does not change the original query or rebuild the table of events.
The Events widget used in reports and dashboards, now has the ability to use extended event schema fields of the array type. If you add an SA.<field name> in the Settings → Other → Extended event schema fields section of KUMA and configure the field mapping in the normalizer, you can use ClickHouse's arrayJoin and groupArray functions to work with arrays, and you can also create charts. For example, you can make a chart of the most used URLs based on received and normalized events.
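The chart of most-used URLs mentioned above, as an added example of a widget query rather than a query from the KUMA documentation. It assumes an extended event schema array field named SA.RequestURLs (hypothetical name) that the normalizer fills with the URLs seen in each event, and that the widget expects the result columns to be aliased as `value` and `metric` (assumption).

```sql
-- Added example, not part of the KUMA documentation.
-- Assumes an array field SA.RequestURLs (hypothetical) mapped in the normalizer.
-- arrayJoin() expands each event into one row per URL so the URLs can be counted.
SELECT
    arrayJoin(`SA.RequestURLs`) AS `value`,
    count() AS `metric`
FROM `events`
WHERE notEmpty(`SA.RequestURLs`)
GROUP BY `value`
ORDER BY `metric` DESC
LIMIT 10;

-- The reverse direction: groupArray() collects the URLs requested from each
-- source address into a single array, which is useful for a table widget.
SELECT
    SourceAddress AS `value`,
    groupArray(url) AS urls,
    count() AS `metric`
FROM `events`
ARRAY JOIN `SA.RequestURLs` AS url
GROUP BY SourceAddress
ORDER BY `metric` DESC
LIMIT 10;
```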
When creating a widget with a Table, Bar chart, or Date Histogram chart type, you can configure gradient fill for chart bars. Also, when creating a widget of the Date Histogram type with a Line chart timeline view, you can display multiple graphs on the same widget. This allows comparing data for different correlation rules, users, or hosts.
New options for customizing the display of the structure of normalization rules. You can duplicate normalizers, rearrange extra normalizers, and customize the display of the normalization structure.
Active asset categorization follows a new logic. If an asset no longer satisfies the specified condition, such an asset is unlinked from the category, regardless of whether the assets were added automatically or manually.
The lookup function in SQL queries now uses the like operator instead of the match and imatch operators. Previously used queries cannot be migrated.
In the KUMA integration settings, you can now specify the version of Kaspersky CyberTrace using the Major version of CyberTrace setting. If you select Major version of CyberTrace >= 5.1 in a KUMA enrichment rule, KUMA uses the new API type of CyberTrace 5.1, and CyberTrace can display statistics and retrospective analysis data for KUMA enrichment requests made over HTTP. When enriching events and adding indicators, the General tenant is indicated in the request.
When Kaspersky CyberTrace integration is configured, you can run a retrospective indicator scan. This allows automatically receiving alerts for events that did not initially match any indicators but were detected after the CyberTrace feeds were updated.
Optimized active list management. Previously, you could manage active list data at Resources → Active services → Correlator → Go to active lists. The old path remains available, but you can also manage active list data at Resources → Resources configuration → Active lists. The default set of columns is displayed in the table of the active list without the need for additional actions to display the information. If necessary, you can customize all columns of the active list table. You can also add multiple comma-separated key values in JSON format in the table of active lists.
KUMA web interface updates improve efficiency and usability. This helps streamline task table management, structures dashboards and report templates, and facilitates integration with other applications.
Managing dashboards and reports is optimized and you can also do it in the Resources → List section. Now you can export and import dashboards and report templates. Export and import can be performed into any tenant available to the user. A dashboard or report template exported or imported into the Shared tenant is considered universal.
The Speedometer chart offers new ways to graphically represent data on dashboards. You can also display up and down trends as well as average values in charts.