Managing assets
Assets represent the computers of the organization. You can add assets to KUMA; in that case, KUMA automatically adds asset IDs when enriching events, and when you analyze events, you can get additional information about computers in the organization.
You can add assets to KUMA in the following ways:
- Import assets:
  - From the MaxPatrol report.
  - On a schedule from Kaspersky Security Center and KICS for Networks.
    By default, assets are imported every 12 hours; this frequency can be configured. On-demand import of assets is also possible; an on-demand import does not affect the scheduled import time. From the Kaspersky Security Center database, KUMA imports information about devices that have Kaspersky Security Center Network Agent installed and connected to Kaspersky Security Center, that is, devices with a non-empty 'Connection time' field in the SQL database. KUMA imports the following information about the computer: name, address, time of connection to Kaspersky Security Center, information about hardware and software, including the operating system, as well as vulnerabilities, that is, information received from Kaspersky Security Center Network Agents.
- Create assets manually through the web interface or via the API.
  You can add assets manually. In this case, you must manually specify the following information: address, FQDN, name and version of the operating system, hardware information. Information about the vulnerabilities of assets cannot be added through the web interface. You can provide information about vulnerabilities if you add assets using the API.
You can manage KUMA assets: view information about assets, search for assets, add, edit or delete assets, and export asset data to a CSV file.
Asset categories
You can categorize the assets and then use the categories in filter conditions or correlation rules. For example, you can create alerts of a higher severity level for assets from a higher-severity category. By default, all assets fall into the Uncategorized assets category. A device can be added to multiple categories.
By default, KUMA assigns the following severity levels to asset categories: Low, Medium, High, Critical. You can create custom categories, and categories can be nested.
Categories can be populated in the following ways:
- Manually
- Active: dynamically, when the asset meets the specified conditions. For example, the moment the asset is upgraded to a specified OS version or placed in a specified subnet, the asset is moved to the specified category.
- In the Repeat categorization every drop-down list, specify how often assets will be linked to a category. You can select values ranging from once per hour to once per 24 hours.
You can forcibly start categorization by selecting Start categorization in the category context menu.
- In the Conditions settings block, specify the filter for matching assets to attach to an asset category.
You can add conditions by clicking the Add condition buttons. Groups of conditions can be added by using the Add group buttons. Group operators can be switched between AND, OR, and NOT values.
Categorization filter operands and operators
| Operand | Operators | Comment |
|---|---|---|
| Build number | =, ilike | |
| OS | =, ilike | The ilike operator makes the search case-insensitive. |
| IP address | inSubnet, inRange | The IP address is indicated in CIDR notation (for example: 192.168.0.0/24). When the inRange operator is selected, you can indicate only addresses from private ranges of IP addresses (for example: 10.0.0.0–10.255.255.255). Both addresses must be in the same range. |
| FQDN | =, ilike | The ilike operator makes the search case-insensitive. |
| CVE | =, in | The in operator lets you specify an array of CVE (Common Vulnerabilities and Exposures) IDs. |
| CVSS | >, >=, =, <=, < | Severity level of CVE vulnerabilities on the asset. The CVSS parameter takes values from 0 to 10. Not applicable to vulnerabilities from Open Single Management Platform. |
| CVE count | >, >=, =, <=, < | The number of unique vulnerabilities with the CVE attribute for the asset. Vulnerabilities without CVEs do not count towards this figure. For categorization by the number of CVEs of a certain severity level, you can use a combined condition. For example: CVE count >= 1 AND CVSS >= 6.5 |
| Software | =, ilike | Categorization by software installed on the asset. The ilike operator makes the search case-insensitive. |
| Software version | =, ilike, in | Categorization by version (build) number of the software installed on the asset. The ilike operator makes the search case-insensitive. |
| CII | in | More than one value can be selected. |
| KSC group | =, ilike | Categorization by the name of the Open Single Management Platform administration group in which the asset is placed. |
| Anti-virus databases last updated | >=, <= | For categorization, the time is specified as UTC time and then converted in the KUMA interface to the local time zone set in the browser. You can specify the date and time for this operand in one of the following ways: select the exact date in the calendar; select a period relative to the present time in the Relative period list; enter a value manually (an exact date and time or a relative period, or a combination of both). For details, see the Using time values subsection below. A relative period for repeated categorization takes into account asset information that is current at the time when categorization is started. |
| Last update of the information | >=, <= | For categorization, the time is specified as UTC time and then converted in the KUMA interface to the local time zone set in the browser. You can specify the date and time for this operand in one of the following ways: select the exact date in the calendar; select a period relative to the present time in the Relative period list; enter a value manually (an exact date and time or a relative period, or a combination of both). For details, see the Using time values subsection below. A relative period for repeated categorization takes into account asset information that is up-to-date at the time when categorization is started. |
| Protection last updated | >=, <= | For categorization, the time is specified as UTC time and then converted in the KUMA interface to the local time zone set in the browser. You can specify the date and time for this operand in one of the following ways: select the exact date in the calendar; select a period relative to the present time in the Relative period list; enter a value manually (an exact date and time or a relative period, or a combination of both). For details, see the Using time values subsection below. A relative period for repeated categorization takes into account asset information that is up-to-date at the time when categorization is started. |
| System last started | >=, <= | For categorization, the time is specified as UTC time and then converted in the KUMA interface to the local time zone set in the browser. You can specify the date and time for this operand in one of the following ways: select the exact date in the calendar; select a period relative to the present time in the Relative period list; enter a value manually (an exact date and time or a relative period, or a combination of both). For details, see the Using time values subsection below. A relative period for repeated categorization takes into account asset information that is up-to-date at the time when categorization is started. |
| KSC extended status | in | Extended status of the device. More than one value can be selected. |
| Real-time protection status | = | Status of Kaspersky applications installed on the managed device. |
| Encryption status | = | |
| Spam protection status | = | |
| Anti-virus protection status of mail servers | = | |
| Data Leakage Prevention status | = | |
| KSC extended status ID | = | |
| Endpoint Sensor status | = | |
| Last visible | >=, <= | For categorization, the time is specified as UTC time and then converted in the KUMA interface to the local time zone set in the browser. You can specify the date and time for this operand in one of the following ways: select the exact date in the calendar; select a period relative to the present time in the Relative period list; enter a value manually (an exact date and time or a relative period, or a combination of both). For details, see the Using time values subsection below. A relative period for repeated categorization takes into account asset information that is up-to-date at the time when categorization is started. |
| Score ML | >, >=, =, <=, < | Categorization by asset score assigned by AI services. |
| Status | =, in | Categorization by predefined asset statuses assigned by AI services. |
| Custom asset field | =, ilike | Categorization by values of custom asset fields. |
Using time values
Some conditions, for example, Anti-virus databases last updated or System last started, use date and time as the operand value. For these conditions, you can use an exact date and time or a relative period.
To specify a date and time value:
- Select an operand, an operator and click the date field.
- Do one of the following:
- Select the exact date in the calendar.
By default, the current time is automatically added to the selected date, with millisecond precision. Changing the date in the calendar does not change the specified time. The date and time are displayed in the time zone of the browser. If necessary, you can edit the date and time in the field.
- In the Relative period list, select a relative period.
The period is calculated relative to the start time of the current categorization and takes into account asset information that is up-to-date at that moment. For example, for the condition Anti-virus databases last updated, you can select 1 hour and the >= operator to periodically link to the category those assets for which the anti-virus databases have not been updated for more than 1 hour before the start of categorization.
- In the date and time field, enter a value manually.
You can enter an exact date and time in the DD.MM.YYYY HH:mm:ss.SSS format for the Russian localization and YYYY-MM-DD HH:mm:ss.SSS for the English localization or a relative period as a formula. You can also combine these methods if necessary.
If you do not specify milliseconds when entering the exact date, 000 is substituted automatically.
In the relative period formulas, you can use the now parameter for the current date and time and the interval parameterization language: +, -, / (rounding to the nearest), as well as time units: y (year), M (month), w (week), d (day), h (hour), m (minute), s (second).
For example, for the Information last updated condition, you can specify the value now-2d with the >= operator and the value now-1d with the >= operator to regularly link assets to the category if those assets had information updated during the day before the categorization was started; alternatively, you can specify the value now/w with the <= operator to regularly link assets to the category if those assets had information updated between the beginning of the first day of the current week (00:00:00.000 UTC) and now.
KUMA stores time values in UTC, but in the user interface time is converted to the time zone of your browser. This is relevant to the relative periods: Today, Yesterday, This week, and This month. For example, if the time zone in your browser is UTC+3, and you select Today as the period, the category will cover assets from 03:00:00.000 until now, not from 00:00:00.000 until now.
If you want to take your time zone into account when selecting a relative period, such as Today, Yesterday, This week, or This month, you need to manually add a time offset in the date and time field by adding or subtracting the correct number of hours. For example, if your browser's time zone is UTC+3 and you want the categorization to cover the Yesterday period, you need to change the value to now-1d/d-3h. If you want the categorization to cover the Today period, change the value to now/d-3h.
- Use the Test conditions button to make sure that the specified filter is correct. When you click the button, you should see the Assets for given conditions window containing a list of assets that satisfy the search conditions.
- Reactive—When a correlation rule is triggered, the asset is moved to the specified group.
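To check what a relative period formula from the Using time values subsection resolves to before saving a condition, the following added example (not KUMA code) evaluates the formulas quoted above against a fixed reference time. It assumes that `/unit` truncates to the start of that unit in UTC, as in the now/w example, that weeks start on Monday, and that y and M use calendar arithmetic; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed semantics (not taken from KUMA code): "/unit" truncates to the start
# of that unit in UTC, weeks start on Monday, y and M use calendar arithmetic.
SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
TOKEN = re.compile(r"([+-])(\d+)([yMwdhms])|/([yMwdhms])")
ZERO = {"hour": 0, "minute": 0, "second": 0, "microsecond": 0}
FLOOR = {"y": {"month": 1, "day": 1, **ZERO}, "M": {"day": 1, **ZERO},
         "w": ZERO, "d": ZERO, "h": {"minute": 0, "second": 0, "microsecond": 0},
         "m": {"second": 0, "microsecond": 0}, "s": {"microsecond": 0}}

def shift_months(t, months):
    """Add calendar months, clamping the day (31 Mar - 1M -> 28/29 Feb)."""
    year, month0 = divmod(t.year * 12 + t.month - 1 + months, 12)
    nxt = datetime(year + (month0 == 11), (month0 + 1) % 12 + 1, 1)
    last_day = (nxt - timedelta(days=1)).day
    return t.replace(year=year, month=month0 + 1, day=min(t.day, last_day))

def resolve(expr, now):
    """Resolve a relative-period formula such as 'now-1d/d-3h' to a UTC datetime."""
    if not expr.startswith("now"):
        raise ValueError("formula must start with 'now'")
    t, pos = now.astimezone(timezone.utc), 3
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"unexpected text at offset {pos} in {expr!r}")
        sign, count, unit, floor_unit = m.groups()
        if floor_unit:
            if floor_unit == "w":
                t -= timedelta(days=t.weekday())  # back to Monday (assumption)
            t = t.replace(**FLOOR[floor_unit])
        elif unit in "yM":
            t = shift_months(t, int(sign + count) * (12 if unit == "y" else 1))
        else:
            t += timedelta(seconds=int(sign + count) * SECONDS[unit])
        pos = m.end()
    return t

if __name__ == "__main__":
    # Constructed reference time: Wednesday 2024-05-15 10:30:00 UTC (13:30 in UTC+3).
    now = datetime(2024, 5, 15, 10, 30, tzinfo=timezone.utc)
    for formula in ("now-2d", "now-1d", "now/w", "now/d-3h", "now-1d/d-3h"):
        print(f"{formula:12} -> {resolve(formula, now).isoformat()}")
```

With the constructed reference time, now/d-3h resolves to 21:00 UTC on the previous day, which is local midnight for a browser in UTC+3.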
In KUMA, assets are categorized by tenant and by category. Assets are arranged in a tree structure, where the tenants are located at the root, and the asset categories branch from them. You can view the tree of tenants and categories in the Assets → All assets section of the KUMA Console. When a tree node is selected, the assets assigned to it are displayed in the right part of the window. Assets from the subcategories of the selected category are displayed if you specify that you want to display assets recursively. You can select the check boxes next to the tenants whose assets you want to view.
To open the context menu of a category, hover the mouse cursor over the category and click the ellipsis icon that is displayed to the right of the category name. The following actions are available in the context menu:
Category context menu items
| Action | Description |
|---|---|
| Show assets | Display assets of the selected category in the right part of the window. |
| Show assets recursively | View assets from subcategories of the selected category. If you want to exit recursive viewing mode, select another category to view. |
| Show info | View information about the selected category in the Category information details area displayed in the right part of the web interface window. |
| Start categorization | Start automatic binding of assets to the selected category. This option is available for categories that have active categorization. |
| Add subcategory | Add a subcategory to the selected category. |
| Edit category | Edit the selected category. |
| Delete category | Delete the selected category. You can only delete categories that have no assets or subcategories. Otherwise the Delete category option is inactive. |
| Pin as tab | Display the selected category on a separate tab. You can undo this action by selecting Unpin as tab in the context menu of the relevant category. |