Kaspersky Unified Monitoring and Analysis Platform

Interaction with NCIRCC

April 8, 2024

ID 221855

In KUMA, you can interact with the National Computer Incident Response & Coordination Center (hereinafter NCIRCC) in the following ways:

Data in KUMA and NCIRCC is synchronized every 5-10 minutes.

Conditions for NCIRCC interaction

To interact with NCIRCC, the following conditions must be met:

NCIRCC interaction workflow

In KUMA, the process of sending incidents to NCIRCC to be processed consists of the following stages:

  1. Creating an incident and checking it for compliance with NCIRCC requirements

    You can create an incident or get it from a child KUMA node. Before sending data to NCIRCC, make sure that the incident category meets NCIRCC requirements.

  2. Exporting the incident to NCIRCC

    If the incident is successfully exported to NCIRCC, its Export to NCIRCC setting is set to Exported. In the lower part of the incident window, a chat with NCIRCC experts becomes available.

    At NCIRCC, the incident received from you is assigned a registration number and status. This information is displayed in the incident window in the NCIRCC integration section and in automatic chat messages.

    If all the necessary data is provided to NCIRCC, the incident is assigned the Under examination status. The settings of an incident with this status can be edited, but the updated information cannot be sent from KUMA to NCIRCC. You can view the difference between the incident data in KUMA and in NCIRCC.

  3. Supplementing incident data

    If NCIRCC experts do not have enough information to process an incident, they can assign it the More information required status. In KUMA, this status is displayed in the incident window in the NCIRCC integration section. Users are notified about the status change.

    You can attach a file to incidents with this status.

    When the data is supplemented, the incident is re-exported to NCIRCC with the earlier information updated. Incidents in child nodes cannot be modified from the parent KUMA node; they must be modified by employees of the child KUMA nodes.

    If the incident is successfully supplemented with data, it is assigned the Under examination status.

  4. Completing incident processing

    After the NCIRCC experts process the incident, the NCIRCC status is changed to Decision made. In KUMA, this status is displayed in the incident window in the NCIRCC integration section.

    Upon receiving this status, the incident is automatically closed in KUMA. After that, interaction with NCIRCC on this incident through KUMA is no longer possible.

In this section

Special consideration for successful export from the KUMA hierarchical structure to NCIRCC

Exporting data to NCIRCC

Supplementing incident data on request

Sending files to NCIRCC

Sending incidents involving personal information leaks to NCIRCC

Communication with NCIRCC experts

Supported categories and types of NCIRCC incidents

Notifications about the incident status change in NCIRCC
