Kaspersky Unified Monitoring and Analysis Platform

About Kaspersky Unified Monitoring and Analysis Platform

Kaspersky Unified Monitoring and Analysis Platform (hereinafter KUMA or "program") is an integrated software solution that includes the following set of functions:

  • Receiving, processing, and storing information security events
  • Analysis and correlation of incoming data
  • Search within the obtained events
  • Creation of notifications upon detecting symptoms of information security threats.

The program is built on a microservice architecture. This means that you can create and configure the relevant microservices (hereinafter also "services"), thereby making it possible to use KUMA both as a log management system and as a full-fledged SIEM system. In addition, flexible routing of data streams allows you to use third-party services for additional event processing.

What's new

  • Multitenancy support is added for managed security service providers (MSSP) and enterprises. This allows multi-divisional organizations and service providers to detect and prioritize threats for multiple branches from a single unified environment, and to restrict access to other branch offices' data by creating tenants based on event sources. By assigning roles to users in each tenant, the KUMA general administrator can precisely configure which information individual users are allowed to see, create, or edit.
  • KUMA user authentication using Microsoft Active Directory is supported. Roles for Active Directory users can be configured for each tenant separately.
  • KUMA includes a package of standard correlation rules developed by Kaspersky specialists. All rules are aligned with the MITRE ATT&CK matrix and can be used as a basis for the development of custom rules for threat monitoring. Please be aware that correlation rules must be tested and adjusted to work correctly in specific environments.
  • Incident management capabilities have been significantly expanded. These KUMA capabilities help investigate security incidents, determine their root causes, and coordinate joint work among several analysts.
  • Event source status monitoring is added to promptly notify administrators about any issues that could interrupt or significantly reduce the flow of data coming from event sources. After configuring the expected minimum number of events in the monitoring policy and assigning this policy to the event source, the users indicated in the policy settings will receive notifications about deviations from the specified settings.
  • Support for new connectors is implemented to ingest events over the following protocols:
    • WMI (via RPC) allows receiving Windows Events from remote computers using RPC methods. Compared with WEC, which can ingest Windows Events only from the local computer or from a WEC server where an agent is installed, WMI can be described as an "agentless" approach.
    • SNMP versions 1, 2 and 3 allow actively requesting data over the SNMP protocol.
    • NFS allows obtaining events from files stored in an NFS shared folder.
    • FTP allows obtaining events from files accessible over the FTP protocol.
  • Automatic asset categorization (dynamic categorization) is supported. With proactive categorization, KUMA users can define criteria for each category (for example, include assets running Windows that are located in subnet 10.10.0.0/16). At the same time, reactive categorization allows changing asset categories based on correlation. As before, dynamic categories can be taken into account during correlation and alert triage.
  • KUMA Core data full backup is supported to improve KUMA resiliency.
  • An HTTP REST API is added to help manage assets and active lists.
  • KUMA agent functionality is significantly improved. The agent now supports all connectors supported in KUMA (previously only the WEC connector was supported) and can be used for event routing.
  • Upgrading from versions 1.0 and 1.1 is supported. Resources (correlation rules, normalizers, etc.) are preserved during the upgrade. Contact Kaspersky specialists for assistance with transferring accumulated data (events and alerts) during the upgrade.
  • Installation wizards for connecting event sources and creating correlators are added. They simplify these processes and prevent potential errors. The wizards guide the KUMA user through all necessary steps and interactively help to check the settings.

Distribution kit

The distribution kit includes the following files:

  • kuma-ansible-installer-<build number>.tar.gz to install KUMA components;
  • files containing information about the version (release notes) in Russian and English.

Distribution kit of the KUMA version certified by the state authorities of the Russian Federation

The distribution kit of KUMA version certified by the state authorities of the Russian Federation includes two discs with the following files:

  • Disk 1:
    • kuma-ansible-installer-<build number>-certified.tar.gz to install KUMA components;
  • Disk 2 (secondary):
    • kuma-ansible-installer-<build number>-env.tar.gz is an archive with the following components:
      • clickhouse.tar.gz for installing DBMS ClickHouse on the KUMA storage servers.
      • mongodb.tar.gz for installing DBMS MongoDB, used for storing configurations and settings for services and tenants.
      • ansible\ folder for automation of KUMA deployment and configuration.

Hardware and software requirements

Recommended hardware requirements

The hardware described below ensures an event-processing capacity of 40,000 events per second. The actual figure depends on the type of parsed events and the efficiency of the parser. Also consider that a higher number of cores is more efficient than a lower number of cores with a higher CPU frequency.

  • Servers to install collectors:
    • CPU: Intel or AMD with at least 4 cores (8 threads) and support for the SSE 4.2 instruction set or 8 vCPU (virtual processors).
    • RAM: 16 GB
    • Disk: 500 GB of available disk space mounted on /opt
  • Servers to install correlators:
    • CPU: Intel or AMD with at least 4 cores (8 threads) and support for the SSE 4.2 instruction set or 8 vCPU (virtual processors).
    • RAM: 16 GB
    • Disk: 500 GB of available disk space mounted on /opt
  • Servers to install the Core:
    • CPU: Intel or AMD with at least 2 cores (4 threads) and support for the SSE 4.2 instruction set or 4 vCPU (virtual processors).
    • RAM: 12 GB
    • Disk: 500 GB of available disk space mounted on /opt
  • Servers to install storages:
    • CPU: Intel or AMD with at least 12 cores (24 threads) and support for the SSE 4.2 instruction set or 24 vCPU (virtual processors). Support for SSE 4.2 instructions is required.
    • RAM: 48 GB
    • Disk: 500 GB of available disk space mounted on /opt

    Using SSDs significantly improves cluster node indexing and search efficiency.

    Locally mounted HDDs/SSDs are more efficient than external JBODs. RAID 0 is recommended for faster performance, while RAID 10 is recommended for redundancy.

    To increase reliability, it is not recommended to deploy all cluster nodes on a single JBOD or single physical server (if virtual servers are used).

    To increase efficiency, we recommend keeping all servers in a single data center.

  • Machines to install Windows agents:
    • Processor: single-core, 1.4 GHz or higher.
    • RAM: 512 MB.
    • Disk: 1 GB.
    • OS:
      • Microsoft Windows 2012.
      • Microsoft Windows Server 2012 R2.
      • Microsoft Windows Server 2016.
      • Microsoft Windows Server 2019.
      • Microsoft Windows 10 (20H1, 20H2, 21H1).
  • Machines to install Linux agents:
    • Processor: single-core, 1.4 GHz or higher.
    • RAM: 512 MB.
    • Disk: 1 GB.
    • OS:
      • Ubuntu 20.04 LTS, 21.04.
      • Oracle Linux 8.4.
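The following pre-installation check is an added example script, not part of the KUMA distribution kit or installer. It compares a Linux host against the recommended minimums listed above for the collector, correlator, Core and storage roles (logical CPUs are compared against the thread counts on this page, e.g. 8 threads for a collector); it assumes a standard Linux /proc layout and does not cover the Windows agent requirements.

```shell
#!/bin/sh
# Pre-installation sanity check of a Linux host against the recommended
# KUMA hardware minimums on this page. Constructed example, not KUMA code.

# Minimum logical CPUs (threads), RAM in GB and free space on /opt in GB
# per server role, taken from the requirements above.
kuma_role_minimums() {
  case "$1" in
    collector|correlator) echo "8 16 500" ;;
    core)                 echo "4 12 500" ;;
    storage)              echo "24 48 500" ;;
    *) return 1 ;;
  esac
}

# Pure check (no system access): role threads sse42(0/1) ram_gb opt_free_gb.
# Prints each failed requirement; returns 0 only when all of them pass.
kuma_check_values() {
  role=$1; threads=$2; sse42=$3; ram_gb=$4; opt_gb=$5
  mins=$(kuma_role_minimums "$role") || { echo "unknown role: $role"; return 2; }
  set -- $mins
  min_threads=$1; min_ram=$2; min_disk=$3
  rc=0
  [ "$threads" -ge "$min_threads" ] || { echo "FAIL threads: $threads < $min_threads"; rc=1; }
  [ "$sse42" -eq 1 ]               || { echo "FAIL cpu: SSE 4.2 not supported"; rc=1; }
  [ "$ram_gb" -ge "$min_ram" ]     || { echo "FAIL ram: ${ram_gb} GB < ${min_ram} GB"; rc=1; }
  [ "$opt_gb" -ge "$min_disk" ]    || { echo "FAIL /opt: ${opt_gb} GB free < ${min_disk} GB"; rc=1; }
  return $rc
}

# Gather the live values from this host and run the check for one role,
# e.g. `kuma_check_host storage`.
kuma_check_host() {
  threads=$(nproc)
  grep -q -w sse4_2 /proc/cpuinfo && sse42=1 || sse42=0
  ram_gb=$(( $(awk '/^MemTotal:/ {print $2}' /proc/meminfo) / 1024 / 1024 ))
  opt_gb=$(( $(df -Pk /opt | awk 'NR==2 {print $4}') / 1024 / 1024 ))
  kuma_check_values "$1" "$threads" "$sse42" "$ram_gb" "$opt_gb"
}
```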

Software requirements

Each server used to install KUMA services must have the Oracle Linux 8.4 operating system installed.

Network requirements

The network interface bandwidth must be at least 100 Mbps.

For KUMA to be able to process more than 20,000 events per second, ensure a data transfer speed of at least 10 Gbps between ClickHouse nodes.

Additional requirements

For computers used for the KUMA web interface, Google Chrome browser version 93 or later, or Mozilla Firefox browser version 92 or later must be installed.
