What's new

• The capability to automatically and manually update the repository is implemented in order to receive packages with new correlation rules and connectors for log sources.
• The cold storage of events is implemented.
• To reduce the number of simultaneous insert queries to ClickHouse tables, in version 2.1.3 or later, you can configure buffering of insert queries for the Storage resource.
• In version 2.1.3 or later, KUMA uses a new driver for connecting to oracle.
• New connectors are added: SNMP traps, 1C log, 1C xml.
• Version 2.1.3 introduces numbering of tags for the xml normalizer.
• Integration with Kaspersky Automated Security Awareness Platform is implemented.
• A new response type is added: Active Directory response rule.
• The list of formats for generating reports is expanded. The following formats are now available: HTML, PDF, CSV, split CSV, Excel.
• RuCERT integration is expanded.
• The capability is added to create common (universal) dashboard layouts for all tenants and fill them with data on the tenants available to the current user. Thus, the number of layouts used in the system can be significantly reduced, and there is no need to create separate standard layouts for each tenant.
• The integration with Active Directory Federation Services is added for logging in without a user name and password (Single Sign On (SSO) scenario).
• The support of the FreeIPA domain is added for logging in the system.
• Added the capability to receive custom attributes of Active Directory accounts from LDAP and enrich events with the custom attributes of AD accounts.

  Before configuring event enrichment using custom attributes, make sure that custom attributes are configured in AD.

  To enrich events with accounts using custom attributes:

  1. Add Custom AD Account Attributes in the LDAP connection settings.

     Standard imported attributes from AD cannot be added as custom attributes. For example, if you want to add the standard accountExpires

     attribute

     as a custom attribute, KUMA will return an error when saving the connection settings.

     The following account attributes can be requested from Active Directory:

     • accountExpires
     • badPasswordTime
     • cn
     • co
     • company
     • department
     • description
     • displayName
     • distinguishedName
     • division
     • employeeID
     • givenName
     • l
     • lastLogon
     • lastLogonTimestamp
     • Mail
     • mailNickname
     • managedObjects
     • manager
     • memberOf (this attribute can be used for search during correlation)
     • mobile
     • name
     • objectCategory
     • objectGUID (this attribute always requested from Active Directory even if a user doesn't specify it)
     • objectSID
     • physicalDeliveryOfficeName
     • pwdLastSet
     • sAMAccountName
     • sAMAccountType
     • sn
     • streetAddress
     • telephoneNumber
     • title
     • userAccountControl
     • UserPrincipalName
     • whenChanged
     • whenCreated

     After you add custom attributes in the LDAP connection settings, the LDAP attribute to receive drop-down list in the collector automatically includes the new attributes. Custom attributes are identified by a question mark next to the attribute name. If you added the same attribute for multiple domains, the attribute is listed only once in the drop-down list. You can view the domains by moving your cursor over the question mark. Domain names are displayed as links. If you click a link, the domain is automatically added to LDAP accounts mapping if it was not previously added.

     If you deleted a custom attribute in the LDAP connection settings, manually delete the row containing the attribute from the mapping table in the collector. Account attribute information in KUMA is updated each time you import accounts.  

  2. Import accounts.
  3. In the collector, in the LDAP mapping table, define the rules for mapping KUMA fields to LDAP attributes.
  4. Restart the collector.

     After the collector is restarted, KUMA begins enriching events with accounts.

      

• The capabilities for working with assets are expanded: it is now possible to add custom fields to assets, to search for assets by the field names, and to export search results to a file.
• In the event search section, event field presets are added allowing you to quickly configure the lookup table columns according to the analyzed logs.
• System fault tolerance is improved.
• The information about assets now displays additional information about protecting the hosts running KES for Windows and KES for Linux. The information is available if you've imported the asset from KSC.
• For KATA/EDR triggering events, a link is added that allows you to go to the corresponding alert card in the KATA/EDR management console.
• The capability is implemented to use the hex, base64, and base64url conversions to process binary values in logs at the event receiving stage.
• Correlation capabilities have been expanded:
  • The list of variable functions is expanded. There are now opportunities to transform keys or define conditions.
  • Ability to manage rule application sequence in the correlator is added.
• Alert segmentation rules are added.
• Normalizers for the event sources are added.
• A new first line analyst role is added. Users with this role are able to create their own content in the system but cannot edit the resources created by other users.
• System logging and the ability to export application component logs to files are improved.