The file that can be downloaded by clicking the link describes the correlation rules included in the distribution kit of Kaspersky Unified Monitoring and Analysis Platform version 4.0: the scenarios covered by the rules, the conditions of their use, and the event sources they require.
The correlation rules described in this document are contained in the KUMA distribution in the Network_package, PCIDSS_package, and UEBA_package files and are protected with the passwords Network_package1234, PCIDSS_package1234, and UEBA_package1234. Only one of the following versions of the SOC rule set can be used at a time: [OOTB] SOC Content - RU, [OOTB] SOC Content - ENG, [OOTB] SOC Content - RU for KUMA 4.0 or [OOTB] SOC Content - ENG for KUMA 4.0, [OOTB] KSC Package - RU or [OOTB] KSC Package - ENG, [OOTB] KSMG Package - RU or [OOTB] KSMG Package - ENG, [OOTB] Network Package - RU or [OOTB] Network Package - ENG, [OOTB] PCIDSS Package - RU or [OOTB] PCIDSS Package - ENG, [OOTB] XDR package - RU or [OOTB] XDR package - ENG, [OOTB] UEBA package - RU or [OOTB] UEBA package - ENG.
You can import correlation rules into KUMA. See the Importing resources section of the Help: https://support.kaspersky.com/KUMA/4.0/en-US/242787.htm.
You can add imported correlation rules to correlators that your organization uses. See the Help section Step 3. Correlation: https://support.kaspersky.com/KUMA/4.0/en-US/221168.htm.
Download the description of KSC Package correlation rules
Download the description of KSMG Package correlation rules
Download the description of Network Package correlation rules
Download the description of PCIDSS Package correlation rules
Download the description of SOC Content correlation rules
Download the description of UEBA Package correlation rules
Download the description of XDR Package correlation rules
Description of correlation rule packages
The distribution kit of Kaspersky Unified Monitoring and Analysis Platform 4.0 includes the correlation rule packages listed in the table below.
Correlation rule packages

| Package name | Description |
|---|---|
| [OOTB] SOC Content - RU | Correlation rule package for KUMA version 2.1 or later with Russian localization. This package is no longer supported. |
| [OOTB] SOC Content - ENG | Correlation rule package for KUMA version 2.1 or later with English localization. This package is no longer supported. |
| [OOTB] SOC Content - RU for KUMA 3.2 | Correlation rule package for KUMA version 3.2 or later with Russian localization. The rules contain information about MITRE ATT&CK matrix coverage. |
| [OOTB] SOC Content - ENG for KUMA 3.2 | Correlation rule package for KUMA version 3.2 or later with English localization. The rules contain information about MITRE ATT&CK matrix coverage. |
| [OOTB] KSC Package - RU | Package of correlation rules for monitoring Kaspersky Security Center events. The package is available for KUMA version 3.2 or later with Russian localization. Allows detecting potentially dangerous actions in the system based on internal audit events. For the correlation rules to work properly, make sure your audit settings provide a sufficient level of detail in event logs. The package works on events collected via the Kaspersky Security Center database. The rules contain information about MITRE ATT&CK matrix coverage. |
| [OOTB] KSC Package - ENG | Package of correlation rules for monitoring Kaspersky Security Center events. The package is available for KUMA version 3.2 or later with English localization. Allows detecting potentially dangerous actions in the system based on internal audit events. For the correlation rules to work properly, make sure your audit settings provide a sufficient level of detail in event logs. The package works on events collected via the Kaspersky Security Center database. The rules contain information about MITRE ATT&CK matrix coverage. |
| [OOTB] KSMG Package - RU | Package of correlation rules for monitoring Kaspersky Secure Mail Gateway events. The package is available for KUMA version 3.2 or later with Russian localization. Allows detecting potentially dangerous actions in the mail traffic protection system based on internal audit events. For the rules to work properly, make sure your audit settings provide a sufficient level of detail in event logs. The audit settings of Kaspersky Secure Mail Gateway are located in the Settings → Logs and events → Events section. In the Audit events section, select Audit log level → Log audit events and modified parameters. Notes: The rules contain information about MITRE ATT&CK matrix coverage. |
| [OOTB] KSMG Package - ENG | Package of correlation rules for monitoring Kaspersky Secure Mail Gateway events. The package is available for KUMA version 3.2 or later with English localization. Allows detecting potentially dangerous actions in the mail traffic protection system based on internal audit events. For the rules to work properly, make sure your audit settings provide a sufficient level of detail in event logs. The audit settings of Kaspersky Secure Mail Gateway are located in the Settings → Logs and events → Events section. In the Audit events section, select Audit log level → Log audit events and modified parameters. Notes: The rules contain information about MITRE ATT&CK matrix coverage. |
| [OOTB] Network Package - RU | Package of correlation rules aimed at detecting network activity anomalies, for KUMA version 3.2 and later with Russian localization. The rules contain information about MITRE ATT&CK matrix coverage. |
| [OOTB] Network Package - ENG | Package of correlation rules aimed at detecting network activity anomalies, for KUMA version 3.2 and later with English localization. The rules contain information about MITRE ATT&CK matrix coverage. |
| [OOTB] PCIDSS Package - RU | Package of correlation rules aimed at compliance with the PCI DSS standard. The package is available for KUMA version 3.2 or later with Russian localization. The rules contain information about MITRE ATT&CK matrix coverage. |
| [OOTB] PCIDSS Package - ENG | Package of correlation rules aimed at compliance with the PCI DSS standard. The package is available for KUMA version 3.2 or later with English localization. The rules contain information about MITRE ATT&CK matrix coverage. |
| [OOTB] XDR package - RU | This package contains a set of resources for detecting advanced attacks in the infrastructure. The package is available for KUMA version 3.2 or later with Russian localization. It can help detect phishing (which is, according to Kaspersky MDR, the most popular vector of initial access), as well as virus infection, defense evasion, payload delivery and attempts to bypass protective equipment, delivery and launch, persistence, reconnaissance, lateral movement, and various methods of communication with a command and control server. The rules can be applied to events from Kaspersky software (EDR, KSC, KSMG) as well as events from Windows operating systems. The rules contain information about MITRE ATT&CK matrix coverage. |
| [OOTB] XDR package - ENG | This package contains a set of resources for detecting advanced attacks in the infrastructure. The package is available for KUMA version 3.2 or later with English localization. It can help detect phishing (which is, according to Kaspersky MDR, the most popular vector of initial access), as well as virus infection, defense evasion, payload delivery and attempts to bypass protective equipment, delivery and launch, persistence, reconnaissance, lateral movement, and various methods of communication with a command and control server. The rules can be applied to events from Kaspersky software (EDR, KSC, KSMG) as well as events from Windows operating systems. The rules contain information about MITRE ATT&CK matrix coverage. |
| [OOTB] UEBA package - RU | Beta version of the correlation rule package. This package aims to detect abnormal behavior of an account or workstation on a corporate network. The package is available for KUMA version 3.2 or later with Russian localization. It builds adaptive models of normal behavior from accumulated historical data (the data collection period can be configured, one month being the default). These models are used to calculate statistical indicators that minimize false positives and effectively identify potentially dangerous deviations. Sources of data: Windows OS, NetFlow, Cisco, Solar Proxy events. Notes: The rules contain information about MITRE ATT&CK matrix coverage. |
| [OOTB] UEBA package - ENG | Beta version of the correlation rule package. This package aims to detect abnormal behavior of an account or workstation on a corporate network. The package is available for KUMA version 3.2 or later with English localization. It builds adaptive models of normal behavior from accumulated historical data (the data collection period can be configured, one month being the default). These models are used to calculate statistical indicators that minimize false positives and effectively identify potentially dangerous deviations. Sources of data: Windows OS, NetFlow, Cisco, Solar Proxy events. Notes: The rules contain information about MITRE ATT&CK matrix coverage. |
Automatic rule suppression
The SOC_package correlation rule package can automatically suppress the triggering of a rule whose triggering frequency exceeds the configured thresholds.
The automatic suppression option works as follows: if a rule is triggered more than 100 times in 1 minute, and this behavior occurs at least 5 times in the span of 10 minutes, the rule is added to the stop list.
The logic is defined by the resources (rules, active lists, and dictionaries) located in the "SOC_package/System/Rule disabling by condition" directory.
You can customize settings and thresholds in accordance with your requirements.
To enable the automatic suppression option, set the enable setting to 1 in the "SOC_package/Integration/Rule disabling configuration" dictionary.
To disable the automatic suppression option, set the enable setting to 0 in the "SOC_package/Integration/Rule disabling configuration" dictionary.
By default, automatic suppression is enabled and the enable setting is set to 1.
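The following model of the suppression thresholds described above is an added example, not KUMA's own correlation rules, active lists, or dictionaries. The numbers (more than 100 triggers per minute, at least 5 such minutes within 10 minutes) come from this page; the RuleSuppressor class, the trigger feed, and the sample firing rates are assumptions made for illustration.

```python
# Added example modelling the SOC_package automatic suppression thresholds;
# not KUMA's own resources. Class, trigger feed and sample rates are assumptions.
from collections import defaultdict, deque

BURST_THRESHOLD = 100   # a minute with MORE than this many triggers is a burst
BURSTS_TO_SUPPRESS = 5  # bursts needed ...
BURST_SPAN_MIN = 10     # ... within this many minutes
ENABLE = 1              # mirrors the "enable" key of the configuration dictionary


class RuleSuppressor:
    def __init__(self, enable=ENABLE):
        self.enable = enable
        self.stop_list = set()
        self._counts = defaultdict(dict)    # rule -> {minute bucket: trigger count}
        self._bursts = defaultdict(deque)   # rule -> minute buckets that were bursts

    def on_trigger(self, rule, ts):
        """Record one triggering of `rule` at epoch second `ts`; True if suppressed."""
        if rule in self.stop_list:
            return True
        if not self.enable:
            return False
        minute = ts // 60
        counts = self._counts[rule]
        counts[minute] = counts.get(minute, 0) + 1
        if counts[minute] == BURST_THRESHOLD + 1:  # crossed "more than 100" this minute
            bursts = self._bursts[rule]
            bursts.append(minute)
            # keep only bursts inside the trailing 10-minute span
            while bursts and minute - bursts[0] >= BURST_SPAN_MIN:
                bursts.popleft()
            if len(bursts) >= BURSTS_TO_SUPPRESS:
                self.stop_list.add(rule)
                return True
        return False


def simulate(suppressor, rule, per_minute, minutes, start=0):
    """Feed `per_minute` evenly spaced triggers per minute for `minutes` minutes
    from epoch second `start` (constructed input). Returns the timestamp at
    which the rule was stop-listed, or None."""
    for m in range(minutes):
        for i in range(per_minute):
            ts = start + m * 60 + (i * 60) // per_minute
            if suppressor.on_trigger(rule, ts):
                return ts
    return None
```

A rule firing 150 times per minute is stop-listed on its fifth noisy minute, while one firing exactly 100 times per minute never crosses the "more than 100" threshold; setting enable to 0 turns the mechanism off entirely.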
Audit events
Correlation rules from the "[OOTB] SOC Content" resource set use the audit events that are listed in the table below.
Audit events

| Event source | Audit events |
|---|---|
| CheckPoint | Anti Malware, Threat Emulation |
| Cisco ASA, FTD, PIX | 106021, 320001, 322001, 322002, 322003, 405001, 405002 |
| CyberTrace | alert |
| DNS | query |
| KATA | TAA has tripped on events database |
| KSC | GNRL_EV_ATTACK_DETECTED, GNRL_EV_SUSPICIOUS_OBJECT_FOUND, GNRL_EV_VIRUS_FOUND, GNRL_EV_WEB_URL_BLOCKED, KLSRV_HOST_STATUS_CRITICAL, KLSRV_HOST_STATUS_OK, KLSRV_HOST_STATUS_WARNING |
| KSMG | LMS_EV_SCAN_LOGIC_AV_STATUS, LMS_EV_SCAN_LOGIC_KT_STATUS, LMS_EV_SCAN_LOGIC_CF_STATUS, LMS_EV_SCAN_LOGIC_AP_STATUS |
| KUMA | Correlation rule |
| Windows Event Log Powershell | 4103, 4104 |
| Windows Event Log Security | 1102, 4624, 4625, 4656, 4657, 4662, 4663, 4672, 4688, 4697, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4768, 4769, 4771, 5136, 5140, 5145 |
| Windows Event Log System | 7036, 7045 |
| Windows Event Log Defender | 1006, 1015, 1116, 1117, 5001, 5010, 5012, 5101 |
| Netflow, FW | Traffic log |
| Palo Alto | virus |
| auditd | ADD_USER, DEL_USER, PATH, SYSCALL, USER_AUTH, USER_LOGIN, execve |