Interaction with RuCERT

In KUMA, you can interact with the National Computer Incident Response & Coordination Center (hereinafter RuCERT) in the following ways:

Data in KUMA and RuCERT is synchronized every 5-10 minutes.

Conditions for RuCERT interaction

To interact with RuCERT, the following conditions must be met:

RuCERT interaction workflow

In KUMA, the process of sending incidents to RuCERT to be processed consists of the following stages:

  1. Creating an incident and checking it for compliance with RuCERT requirements

    You can create an incident or get it from a child KUMA node. Before sending data to RuCERT, make sure that the incident category meets RuCERT requirements.

  2. Exporting the incident to RuCERT

    If the incident is successfully exported to RuCERT, its Export to RuCERT setting is set to Exported. In the lower part of the incident window, a chat with RuCERT experts becomes available.

    At RuCERT, the incident received from you is assigned a registration number and status. This information is displayed in the incident window in the RuCERT integration section and in automatic chat messages.

    If all the necessary data is provided to RuCERT, the incident is assigned the Under examination status. The settings of an incident with this status can be edited, but the updated information cannot be sent from KUMA to RuCERT. You can view the difference between the incident data in KUMA and in RuCERT.

  3. Supplementing incident data

    If RuCERT experts do not have enough information to process an incident, they can assign it the More information required status. In KUMA, this status is displayed in the incident window in the RuCERT integration section. Users are notified about the status change.

    You can attach a file to incidents with this status.

    When the data is supplemented, the incident is re-exported to RuCERT with the earlier information updated. Incidents in child nodes cannot be modified from the parent KUMA node; this must be done by employees of the child KUMA nodes.

    If the incident is successfully supplemented with data, it is assigned the Under examination status.

  4. Completing incident processing

    After the RuCERT experts process the incident, the RuCERT status is changed to Decision made. In KUMA, this status is displayed in the incident window in the RuCERT integration section.

    Upon receiving this status, the incident is automatically closed in KUMA. Interaction with RuCERT on this incident by means of KUMA becomes impossible.

In this section

Special consideration for successful export from the KUMA hierarchical structure to RuCERT

Exporting data to RuCERT

Supplementing incident data on request

Sending files to RuCERT

Sending incidents involving personal information leaks to RuCERT

Communication with RuCERT experts

Supported categories and types of RuCERT incidents

Notifications about the incident status change in RuCERT
