Initializing integration

To configure KUMA integration with Kaspersky Managed Detection and Response:

  1. Prepare the files on the server by following these steps:
    1. Copy the kuma_mdr_integration.tar.gz archive to the KUMA server (for a distributed installation, to the Core server).
    2. Extract the archive to the /opt directory using the following command:

      sudo tar -xf kuma_mdr_integration.tar.gz -C /opt

  2. Set up the configuration file by following these steps:
    1. Go to the /opt/mdr/conf directory and open the config.yml file for editing.
    2. In the General settings section, specify the following settings:
      • Actual path to the directories (by default, /opt/mdr/*)
      • client_id (client ID)
    3. In the Modules settings → kuma section, specify the following settings:
      • api_url is the address of the KUMA API.
      • username is the name of the user with access to the API that you added earlier.
      • password is the password of the added user.
      • tenantId is the ID of the tenant into which incidents will be imported.
    4. In the Modules settings → logging section, specify the current path to the directory where the script writes its log (by default, /opt/mdr/log).
  3. Add an MDR authorization token by following these steps:
    1. In the /opt/mdr/conf directory, open the .refresh_token file for editing and paste the MDR API access token that you generated earlier into this file.
    2. Make sure that the file does not end with a newline character (\n), because a trailing newline can cause an authentication error. To check and fix this, you can run the following commands:

      # Check for a newline character
      wc -l /opt/mdr/conf/.refresh_token
      # If the output is "1 .refresh_token", delete the character
      perl -p -i -e 'chomp if eof' /opt/mdr/conf/.refresh_token
      # Check again
      wc -l /opt/mdr/conf/.refresh_token
      # The expected output is "0 .refresh_token"

  4. Specify when to start collecting incidents:
    1. Go to the /opt/mdr/conf directory and open the .last_check file for editing.
    2. In this file, specify the timestamp (in milliseconds, 13 digits) from which you want to import incidents.

      To check whether the configuration is correct, we recommend specifying a time before the last incident occurred (for example, 1672520400000).

  5. Update the MDR certificate. In the /opt/mdr/conf/ directory, replace the mdr.pem file with a file containing the up-to-date certificate that you created earlier.
  6. Run the main.py integration script using the python3 ./main.py command:
    • If you see messages about missing required packages when you start the script for the first time, install these packages.
    • If no error messages are displayed after running the script (except for warnings about an invalid certificate), the integration is configured correctly.

    You can find the script log in the /opt/mdr/log/app.log file.

  7. Check the import of incidents.

    Make sure that incidents created in the MDR Console, starting from the time that you specified in the .last_check file, have been imported into KUMA.

  8. Run the script in the background by following these steps:
    1. Stop the currently running script (if running).
    2. Run the main.py script again in the background with the following command:

      nohup python3 /opt/mdr/main.py &

  9. Configure the script to run automatically after a server restart:

    sudo crontab -e

    @reboot sleep 300 && python3 /opt/mdr/main.py &

    The 5-minute delay (sleep 300) gives the kuma-core service time to start before the integration script runs.

Integration of KUMA with Kaspersky Managed Detection and Response is now configured. From now on, incidents from the MDR Console will be automatically imported into KUMA for processing and analysis.
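The following shell script is an added example, not part of KUMA or the integration package: it re-runs the file checks from steps 3 and 4 (no trailing newline in .refresh_token, a 13-digit millisecond timestamp in .last_check, mdr.pem present) against a configuration directory before main.py is started. The function names and the optional directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not KUMA's or the integration script's own code).
# Pre-flight checks for the /opt/mdr/conf files edited in this procedure.
# Usage: check_mdr_conf [conf_dir]   (conf_dir defaults to /opt/mdr/conf)

# .refresh_token must be non-empty and contain no newline character.
# Like the page's own check, wc -l counts newlines; the count must be 0.
token_ok() {
    f="$1/.refresh_token"
    [ -s "$f" ] || { echo "FAIL: $f is missing or empty"; return 1; }
    if [ "$(wc -l < "$f" | tr -d ' ')" -ne 0 ]; then
        echo "FAIL: $f contains a newline; run strip_trailing_newline on it"
        return 1
    fi
    return 0
}

# Remove trailing newline(s) from a file. Command substitution drops every
# trailing newline, so this is a POSIX alternative to the perl one-liner.
strip_trailing_newline() {
    tok=$(cat "$1")
    printf '%s' "$tok" > "$1"
}

# .last_check must hold a 13-digit timestamp in milliseconds (e.g. 1672520400000).
# Surrounding whitespace is ignored here; the page does not say whether the
# integration script tolerates it, so that leniency is an assumption.
last_check_ok() {
    f="$1/.last_check"
    ts=$(tr -d '[:space:]' < "$f" 2>/dev/null)
    if printf '%s' "$ts" | grep -Eq '^[0-9]{13}$'; then
        return 0
    fi
    echo "FAIL: $f must hold a 13-digit millisecond timestamp, got '$ts'"
    return 1
}

# Run every check and report all failures instead of stopping at the first.
check_mdr_conf() {
    dir="${1:-/opt/mdr/conf}"
    rc=0
    token_ok "$dir" || rc=1
    last_check_ok "$dir" || rc=1
    [ -s "$dir/mdr.pem" ] || { echo "FAIL: $dir/mdr.pem is missing or empty"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir passes the pre-flight checks"
    return "$rc"
}
```

Run `check_mdr_conf` after step 5 and before step 6; a non-zero exit status means one of the listed files still needs attention.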
