Kaspersky Next XDR Expert

Correlation rules

July 8, 2024

ID 270428

The file available from the download link at the end of this topic describes the correlation rules that are included in the distribution kit. It provides the scenarios covered by the rules, the conditions of their use, and the event sources they require.

The correlation rules described in this document are contained in the SOC_package file in the OSMP distribution kit; the password for the file is SOC_package1. Only one version of the SOC rule set can be used at a time: either Russian or English.

You can add imported correlation rules to correlators that your organization uses. Refer to the following topic for details: Step 3. Correlation.

To import the correlation rule package into KUMA:

  1. In KUMA Console, go to Settings → Repository update, and then set the Update source parameter to Kaspersky update servers.

    You can also configure the repository update.

  2. Click Run update to save the update settings and manually start the Repository update task.
  3. Go to Task manager to ensure that the Repository update task is completed.
  4. Go to Resources, and then click Import resources.
  5. In the Resource import window, select the tenant to assign the imported resources to.
  6. In the Import source drop-down list, select Repository, select the SOC Content package, and then click Import.

The resources from the SOC Content package are imported to KUMA. For more information about importing, refer to Importing resources.

Download the description of correlation rules contained in the SOC_package.xlsx file.
