Kaspersky Unified Monitoring and Analysis Platform

Importing and configuring a connector

June 18, 2024

ID 232293

Adding a connector to SOAR

Integration of SOAR and KUMA is performed using the Kaspersky KUMA connector. Contact your SOAR vendor to learn more about the methods and conditions for obtaining a Kaspersky KUMA connector.

To import the Kaspersky KUMA connector to SOAR:

  1. In SOAR, open the Settings → Connectors → Connectors section.

    A list of connectors added to SOAR is displayed.

  2. At the top of the screen, click the import button and select the ZIP archive containing the Kaspersky KUMA connector.

The connector is imported into SOAR and is ready to be configured.

Configuring a connector for a connection to KUMA

To use a connector, you need to configure its connection to KUMA.

To configure a connection to KUMA in SOAR using the Kaspersky KUMA connector:

  1. In SOAR, open the Settings → Connectors → Connectors section.

    A list of connectors added to your SOAR is displayed.

  2. Select the Kaspersky KUMA connector.

    The general settings of the connector will be displayed.

  3. Under Connector settings, click the Edit button.

    The connector configuration will be displayed.

  4. In the URL field, specify the address and port of KUMA. For example, kuma.example.com:7223.
  5. In the Token field, specify the API token of the KUMA user account that SOAR will use for its requests.

The connection to KUMA is configured in the SOAR connector.

(Screenshot: Security Vision IRP connector settings)

Configuring commands for interaction with KUMA in the SOAR connector

You can use SOAR to receive information about KUMA alerts (referred to as incidents in SOAR terminology) and send requests to close these alerts. To perform these actions, you need to configure the appropriate commands in the SOAR connector.

The instructions below describe how to add commands to receive and close alerts. However, if you need to implement more complex logic of interaction between SOAR and KUMA, you can similarly create your own commands containing other API requests.

To configure a command to receive alert information from KUMA:

  1. In SOAR, open the Settings → Connectors → Connectors section.

    A list of connectors added to SOAR is displayed.

  2. Select the Kaspersky KUMA connector.

    The general settings of the connector will be displayed.

  3. Click the +Command button.

    The command creation window opens.

  4. Specify the command settings for receiving alerts:
    • In the Name field, enter the command name: Receive incidents.
    • In the Request type drop-down list, select GET.
    • In the Called method field, enter the API request to search for alerts:

      api/v1/alerts/?withEvents&status=new

    • Under Request headers, in the Name field, enter authorization. In the Value field, enter Bearer <token>, where <token> is the API token of a KUMA user.
    • In the Content type drop-down list, select application/json.
  5. Save the command and close the window.

The connector command is configured. When this command is executed, the SOAR connector queries KUMA for information about all alerts with the New status and all events related to those alerts. The received data is sent to the SOAR processor, which uses it to create SOAR incidents. If new data appears in an alert that has been already imported into SOAR, incident information is updated in SOAR.

To configure a command to close KUMA alerts:

  1. In SOAR, open the Settings → Connectors → Connectors section.

    A list of connectors added to SOAR is displayed.

  2. Select the Kaspersky KUMA connector.

    The general settings of the connector will be displayed.

  3. Click the +Command button.

    The command creation window will be displayed.

  4. Specify the command settings for closing alerts:
    • In the Name field, enter the command name: Close incident.
    • In the Request type drop-down list, select POST.
    • In the Called method field, enter API request to close an alert:

      api/v1/alerts/close

    • In the Request field, enter the contents of the sent API request:

      {"id":"<Alert ID>","reason":"responded"}

      You can create multiple commands for different reasons to close alerts, such as responded, incorrect data, and incorrect correlation rule.

    • Under Request headers, in the Name field, enter authorization. In the Value field, enter Bearer <token>, where <token> is the API token of a KUMA user.
    • In the Content type drop-down list, select application/json.
  5. Save the command and close the window.

The connector command is configured. When this command is executed, the incident is closed in SOAR and the corresponding alert is closed in KUMA.
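The two SOAR commands above are plain HTTP requests to the KUMA API, so they can be reproduced and tested outside SOAR. The script below is an added example and is not code from the Kaspersky documentation or from the SOAR vendor: it builds the same GET request for new alerts with their events and the same POST request to close an alert, then runs the receive-then-close cycle. The base URL, token, the field names in the sample KUMA response (id, name, status, events) and the fake transport are assumptions made for illustration; the API paths, the Bearer header and the close-reason values are the ones given on this page.

```python
import json
import urllib.request
from typing import Callable

# Placeholders: the KUMA Core address from this page's example and a KUMA user's
# API token (assumed values; replace with your own).
KUMA_URL = "https://kuma.example.com:7223"
KUMA_TOKEN = "<token>"

# Close reasons accepted by api/v1/alerts/close, as listed on this page.
CLOSE_REASONS = ("responded", "incorrect data", "incorrect correlation rule")


def is_valid_close_reason(reason: str) -> bool:
    """Reject typos before they reach KUMA as a rejected request."""
    return reason in CLOSE_REASONS


def build_receive_request(base_url: str, token: str) -> urllib.request.Request:
    """Same request as the SOAR 'Receive incidents' command:
    every alert with status New, together with its related events."""
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/alerts/?withEvents&status=new",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="GET",
    )


def build_close_request(base_url: str, token: str,
                        alert_id: str, reason: str) -> urllib.request.Request:
    """Same request as the SOAR 'Close incident' command."""
    if not alert_id:
        raise ValueError("alert id must not be empty")
    if not is_valid_close_reason(reason):
        raise ValueError(f"unsupported close reason: {reason!r}")
    body = json.dumps({"id": alert_id, "reason": reason}).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/alerts/close",
        data=body,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def send(request: urllib.request.Request) -> tuple[int, bytes]:
    """Real transport. urllib verifies the KUMA TLS certificate by default;
    keep that rather than disabling verification for a self-signed Core cert,
    since the request carries a bearer token."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return resp.status, resp.read()


def summarize_alerts(raw: bytes) -> list[dict]:
    """Reduce a KUMA alert list to id, name and event count
    (field names are an assumption for this example)."""
    return [{"id": a["id"], "name": a.get("name", ""),
             "events": len(a.get("events") or [])}
            for a in json.loads(raw)]


def close_new_alerts(base_url: str, token: str, reason: str,
                     transport: Callable = send) -> list[str]:
    """Receive-then-close cycle: fetch all New alerts, close each with the
    given reason, return the ids KUMA acknowledged."""
    status, raw = transport(build_receive_request(base_url, token))
    if status != 200:
        raise RuntimeError(f"alert search failed with HTTP {status}")
    closed = []
    for alert in summarize_alerts(raw):
        code, _ = transport(build_close_request(base_url, token, alert["id"], reason))
        if code == 200:
            closed.append(alert["id"])
    return closed


# Constructed sample response standing in for KUMA, so the example runs offline.
SAMPLE_ALERTS = json.dumps([
    {"id": "alert-1", "name": "Suspicious PowerShell", "status": "new",
     "events": [{"id": "ev-1"}, {"id": "ev-2"}]},
    {"id": "alert-2", "name": "Brute force", "status": "new", "events": []},
]).encode()


def fake_transport(request: urllib.request.Request) -> tuple[int, bytes]:
    """Offline stand-in for KUMA: answers the alert search with SAMPLE_ALERTS
    and accepts only well-formed close requests."""
    if request.get_method() == "GET":
        return 200, SAMPLE_ALERTS
    body = json.loads(request.data)
    ok = bool(body.get("id")) and is_valid_close_reason(body.get("reason", ""))
    return (200, b"") if ok else (400, b"")


if __name__ == "__main__":
    # Swap fake_transport for send to run against a real KUMA Core.
    print(close_new_alerts(KUMA_URL, KUMA_TOKEN, "responded", fake_transport))
```

Running the script offline closes both sample alerts; pointing it at a real Core (transport=send) performs the same cycle SOAR does, which is useful for checking the token and the API port before creating the connector commands.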

Creating commands in SOAR

After the SOAR connector is configured, KUMA alerts are sent to the platform as SOAR incidents. Then you need to configure incident handling in SOAR based on the security policies of your organization.
