Support

Support for business applications

Kaspersky XDR Expert

Managing Kaspersky Unified Monitoring and Analysis Platform

Administrator's guide

Managing assets

Adding assets

Importing asset information from MaxPatrol

Kaspersky Next XDR Expert
Online Help
FAQ Forum Contact support Recovery tools

Importing asset information from MaxPatrol

May 15, 2024

ID 264885

Get as PDF

You can import asset information from MaxPatrol network device scan reports into KUMA. The import is performed through the API using the maxpatrol-tool on the server where the KUMA Core is installed. Imported assets are displayed in the KUMA console in the Assets section. If necessary, you can edit the settings of assets.

The tool is included in the KUMA distribution kit and is located in the installer archive in the /kuma-ansible-installer/roles/kuma/files directory.

Imports from MaxPatrol 8 are supported.

To import asset information from a MaxPatrol report:

  1. In MaxPatrol, generate a network asset scan report in XML file format and copy the report file to the KUMA Core server. For more details about scan tasks and output file formats, refer to the MaxPatrol documentation.

    Data cannot be imported from reports in SIEM integration file format. The XML file format must be selected.

  2. Create a file with the token for accessing the KUMA REST API. For convenience, it is recommended to place it into the MaxPatrol report folder. The file must not contain anything except the token.

    Requirements imposed on accounts for which the API token is generated:

    • Administrator or Analyst role.
    • Access to the tenant into which the assets will be imported.
    • Permissions for using API requests GET /users/whoami and POST /api/v1/assets/import are configured.

      To import assets from MaxPatrol, we recommend creating a separate user with the minimum necessary set of rights to use API requests.

  3. Copy the maxpatrol-tool to the server hosting the KUMA Core and make the tool's file executable by running the following command:

    chmod +x <path to the maxpatrol-tool file on the server hosting the KUMA Core>

  4. Run the maxpatrol-tool:

    ./maxpatrol-tool --kuma-rest <KUMA REST API server address and port> --token <path and name of API token file> --tenant <name of tenant where assets will reside> <path and name of MaxPatrol report file> --cert <path to the KUMA Core certificate file>

    Example: ./maxpatrol-tool --kuma-rest example.kuma.com:7223 --token token.txt --tenant Main example.xml --cert /opt/kaspersky/kuma/core/certificates/ca.cert

You can use additional flags and commands for import operations. For example, the command --verbose, -v will display a full report on the received assets. A detailed description of the available flags and commands is provided in the table titled Flags and commands of maxpatrol-tool. You can also use the --help command to view information on the available flags and commands.

The asset information will be imported from the MaxPatrol report to KUMA. The console displays information on the number of new and updated assets.

Example:

inserted 2 assets;

updated 1 asset;

errors occurred: []

The utility works as follows when importing assets:

  • KUMA overwrites the data of assets imported through the API, and deletes information about their resolved vulnerabilities.
  • KUMA skips assets with invalid data. Error information is displayed when using the --verbose flag.
  • If there are assets with identical IP addresses and fully qualified domain names (FQDN) in the same MaxPatrol report, these assets are merged. The information about their vulnerabilities and software is also merged into one asset.

    When uploading assets from MaxPatrol, assets that have equivalent IP addresses and fully qualified domain names (FQDN) that were previously imported from Kaspersky Security Center are overwritten.

    To avoid this problem, you must configure range-based asset filtering by running the following command:

    --ignore <IP address ranges> or -i <IP address ranges>

    Assets that satisfy the filtering criteria are not uploaded. For a description of this command, please refer to the table titled Flags and commands of maxpatrol-tool.

Flags and commands of maxpatrol-tool

Flags and commands

Description

--kuma-rest <KUMA REST API server port and address>, -a <KUMA REST API server port and address>

Address (with the port) of KUMA Core server where assets will be imported. For example, example.kuma.com:7223.

Port 7223 is used for API requests by default. You can change the port if necessary.

--token <path and name of API token file>, -t <path and name of API token file>

Path and name of the file containing the token used to access the REST API. This file must contain only the token.

The Administrator or Analyst role must be assigned to the user account for which the API token is being generated.

--tenant <tenant name>, -T <tenant name>

Name of the KUMA tenant into which you want to import assets from the MaxPatrol report.

--dns <IP address ranges> or -d <IP address ranges>

This command uses DNS to enrich IP addresses with FQDNs from the specified ranges if the FQDNs for these addresses were not already specified.

Example: --dns 0.0.0.0-9.255.255.255,11.0.0.0-255.255.255,10.0.0.2

--dns-server <DNS server IP address>, -s <DNS server IP address>

Address of the DNS server that the tool must contact to receive FQDN information.

Example: --dns-server 8.8.8.8

--ignore <IP address ranges> or -i <IP address ranges>

Address ranges of assets that should be skipped during import.

Example: --ignore 8.8.0.0-8.8.255.255, 10.10.0.1

--verbose, -v

Output of the complete report on received assets and any errors that occurred during the import process.

--help, -h

help

Get reference information on the tool or a command.

Examples:

./maxpatrol-tool help

./maxpatrol-tool <command> --help

version

Get information about the version of the maxpatrol-tool.

completion

Creation of an autocompletion script for the specified shell.

--cert <path to file with the KUMA Core certificate>

Path to the KUMA Core certificate. By default, the certificate is located in the folder with the application installed: /opt/kaspersky/kuma/core/certificates/ca.cert.

Examples:

  • ./maxpatrol-tool --kuma-rest example.kuma.com:7223 --token token.txt --tenant Main example.xml --cert /example-directory/ca.cert – import assets to KUMA from MaxPatrol report example.xml.
  • ./maxpatrol-tool help—get reference information on the tool.

Possible errors

Error message

Description

must provide path to xml file to import assets

The path to the MaxPatrol report file was not specified.

incorrect IP address format

Invalid IP address format. This error may arise when incorrect IP ranges are indicated.

no tenants match specified name

No suitable tenants were found for the specified tenant name using the REST API.

unexpected number of tenants (%v) match specified name. Tenants are: %v

KUMA returned more than one tenant for the specified tenant name.

could not parse file due to error: %w

Error reading the XML file containing the MaxPatrol report.

error decoding token: %w

Error reading the API token file.

error when importing files to KUMA: %w

Error transferring asset information to KUMA.

skipped asset with no FQDN and IP address

One of the assets in the report did not have an FQDN or IP address. Information about this asset was not sent to KUMA.

skipped asset with invalid FQDN: %v

One of the assets in the report had an incorrect FQDN. Information about this asset was not sent to KUMA.

skipped asset with invalid IP address: %v

One of the assets in the report had an incorrect IP address. Information about this asset was not sent to KUMA.

KUMA response: %v

An error occurred with the specified report when importing asset information.

unexpected status code %v

An unexpected HTTP code was received when importing asset information from KUMA.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.