Working with alerts
In the Alerts section of the KUMA web interface, you can view and process the alerts registered by the program. Alerts can be filtered. When you click the alert name, a window with its details opens.
The displayed date and time format depends on your machine's locale. In the English version, the first day of the week is Sunday.
Alert overflow
Each alert and its related events cannot exceed the size of 16 MB. When this limit is reached:
- New events can no longer be linked to the alert.
- The alert has an Overflowed tag displayed in the Detected column. The same tag is displayed in the Details on alert section of the alert details window.
Overflowed alerts should be processed as soon as possible.
Filtering alerts
In KUMA, you can perform alert selection by using the filtering and sorting tools in the Alerts section.
Filter configurations can be saved. Existing filter configurations can be deleted.
Configuring the alerts table
The main part of the Alerts section shows a table containing information about registered alerts. You can click column titles to open drop-down lists with tools for filtering alerts and configuring the alerts table:
- Priority—shows the importance of a possible security threat: Critical, High, Medium, or Low.
- Name—alert name.
If the Overflowed tag is displayed next to the alert name, it means the alert size has reached or is about to reach the limit and should be processed as soon as possible.
- Status—current status of an alert:
- New—a new alert that hasn't been processed yet.
- Assigned—the alert has been processed and assigned to a security officer for investigation or response.
- Closed—the alert was closed. Either it was a false alert, or the security threat was eliminated.
- Escalated—an incident was generated based on this alert.
- Assigned to—the name of the security officer the alert was assigned to for investigation or response.
- Incident—name of the incident to which this alert is linked.
- First seen—the date and time when the first correlation event of the event sequence was created, triggering creation of the alert.
- Last seen—the date and time when the last correlation event of the event sequence was created, triggering creation of the alert.
- Tenant—the name of the tenant that owns the alert.
You can search alerts' related endpoints and/or users using the Search for hosts and users using PCRE regex field.
Saving and selecting alert filter configurations
In KUMA, you can save changes to the alert table settings as filters. Filter configurations are saved on the KUMA Core server and are available to all KUMA users of the tenant for which they were created.
To save the current filter settings:
- In the Alerts section of KUMA, open the Filters drop-down list.
- Select Save current filter.
A field will appear for entering the name of the new filter and selecting the tenant that will own it.
- Enter a name for the filter configuration. The name must be unique for alert filters, incident filters, and event filters.
- In the Tenant drop-down list, select the tenant that will own the filter and click Save.
The filter configuration is now saved.
To select a previously saved filter configuration:
- In the Alerts section of KUMA, open the Filters drop-down list.
- Select the configuration you want.
The filter configuration is now active.
You can select the default filter by putting an asterisk to the left of the required filter configuration name in the Filters drop-down list.
To reset the current filter settings:
Open the Filters drop-down list and select Clear filters.
Deleting alert filter configurations
To delete a previously saved filter configuration:
- In the Alerts section of KUMA, open the Filters drop-down list.
- Click the button next to the configuration you want to delete.
- Click OK.
The filter configuration is now deleted for all KUMA users.
Alert window
In this window you can take a closer look at a specific alert and all the data related to it.
To see alert details, in the Alerts section of the KUMA web interface, click the alert whose information you want to view.
The alert window opens with the alert name displayed in the top left corner of the window.
The upper part of the alert details window contains a toolbar and shows the alert priority and the name of the user to whom the alert is assigned. Here you can process the alert: change its priority, assign it to a user, close it, or create an incident based on it.
The Details on alert section of the alert window contains the following data:
- Correlation rule priority—the priority of the correlation rule that triggered the creation of this alert.
- Max asset category priority—the highest priority of an asset category assigned to assets related to this alert. If multiple assets are related to the alert, the largest value is displayed.
- Linked to incident—if the alert is linked to an incident, its name and status are displayed here.
- First seen—the date and time when the first correlation event of the event sequence was created, triggering creation of the alert.
- Last seen—the date and time when the last correlation event of the event sequence was created, triggering creation of the alert.
- Alert ID—the unique identifier of an alert in KUMA.
- Tenant—the name of the tenant that owns the alert.
- Correlation rule—the name of the correlation rule that triggered the creation of this alert. The rule name is represented as a link that can be used to open the settings of this correlation rule.
- Overflowed—this tag means that the alert size has reached or will soon reach the limit and should be processed as soon as possible. Events are not added to overflowed alerts, but you can get a selection of the events that would have been related to the alert if there were no alert size limit by clicking the All possible related events link.
The Related events section of the alert window contains the table of events related to the alert. If you click the icon next to the correlation rule, the base events from this correlation rule are displayed. Events can be sorted by priority and time.
When an event is selected, the details area opens in the right part of the web interface window. This area contains information about the selected event. If a correlation event is selected, this area also contains the Detailed view button that opens the correlation event window.
The Find in events links below correlation events and the Find in events button to the right of the section header are used for drilldown analysis.
The Related endpoints section of the alert window contains the table of hosts related to the alert. This information comes from events that are related to the alert. You can search for endpoints by using the Search for IP addresses or FQDN field. Endpoints can be sorted using the Count and the Endpoint columns.
If assets are related to the alert, they are displayed in this section. Clicking the name of the asset opens the Asset details window.
The Related users section of the alert window contains the table of users related to the alert. This information comes from events that are related to the alert. You can search for users using the Search for users field. Users can be sorted by the Count, User, User principal name and Email address columns.
The Change log section of the alert window contains entries about changes made to the alert by users. Changes are automatically logged, but it is also possible to add comments manually. Comments can be sorted by using the Time column.
To add a comment to an alert, in the alert window, enter the comment in the Comment field and click Add.
Processing alerts
You can change the alert priority, assign an alert to a user, close the alert, or create an incident based on the alert.
To process an alert:
- Select required alerts using one of the methods below:
- In the Alerts section of the KUMA web interface, click the alert whose information you want to view.
The Alert window opens with the alert processing toolbar at the very top.
- In the Alerts section of the KUMA web interface, select the check box next to the required alert. It is possible to select more than one alert.
Closed alerts cannot be selected for processing.
The action toolbar appears at the bottom of the window.
- If you want to change the priority of an alert, select the required value in the Priority drop-down list:
- Low
- Medium
- High
- Critical
The priority of the alert changes to the selected value.
- If you want to assign an alert to a user, select the relevant user from the Assign to drop-down list.
You can assign the alert to yourself by selecting Me.
The status of the alert changes to Assigned and the name of the selected user is displayed in the Assign to drop-down list.
- Create an incident based on the alert:
- Click Create incident.
The window for creating an incident will open. The alert name is used as the incident name.
- Update the desired incident parameters and click the Save button.
The incident is created, and the alert status is changed to Escalated. An alert can be unlinked from an incident by selecting it and clicking Unlink.
- If you want to close the alert:
- Click Close alert.
A confirmation window opens.
- Select the reason for closing the alert:
- Responded. This means the appropriate measures were taken to eliminate the security threat.
- Incorrect data. This means the alert was a false positive and the received events do not indicate a security threat.
- Incorrect correlation rule. This means the alert was a false positive and the received events do not indicate a security threat. The correlation rule may need to be updated.
- Click OK.
The status of the alert changes to Closed. Alerts with this status are no longer updated with new correlation events and aren't displayed in the alerts table unless the Closed check box is selected in the Status drop-down list in the alerts table. You cannot change the status of a closed alert or assign it to another user.
Drilldown analysis
Drilldown analysis is used when you need to find out more about the threat an alert is warning you about: whether the threat is real, where it is coming from, which network environment elements are affected by it, and how it should be dealt with. Studying the events related to the correlation events that triggered an alert can help you determine the course of action.
Drilldown mode is enabled in KUMA when you click the Find in events link in the alert window or the correlation event window. When drilldown mode is enabled, the events table is shown with filters automatically set to match the events from the alert or correlation event. The filters also match the time period of the alert duration or the time when the correlation event was registered. You can change these filters to find other events and learn more about the processes related to the threat.
An additional drop-down list becomes available in drilldown mode:
- All events—view all events.
- Related to alert (selected by default)—view only events related to the alert.
When filtering events related to an alert, SQL query complexity is limited.
You can manually link events to alerts. Only events that are not related to the alert can be linked to it.
You can create and save an event filter configuration in drilldown mode. When this filter is used outside of drilldown mode, all events that match the filter criteria are selected, regardless of whether they are related to the alert that was selected for drilldown analysis.
To link a base event to an alert:
- In the Alerts section of the KUMA web interface, click the alert that you want to link to the event.
The Alert window opens.
- In the Related events section click the Find in events button.
The events table opens with active filters matching the data and period of events related to the alert, and columns show the settings used by the correlation rule to create the alert. The Link to alert column is also added to the events table showing the events linked to the alert.
- In the drop-down list, select All events.
- Modify the filters to find the event you want to link to the alert.
- Select the event you want, and click the Link to alert button at the bottom of the event details area.
The event is linked to the alert. You can unlink this event from the alert by clicking Unlink from alert in the event details view.
When an event is linked to or unlinked from an alert, an entry is added to the Change log in the Alert window. You can click the link in this entry and, in the event details area that opens, link or unlink the event using the Link to alert and Unlink from alert buttons.
Alert storage period
Alerts are stored in KUMA for a year by default. This period can be changed by editing the application startup parameters in the /usr/lib/systemd/system/kuma-core.service file on the KUMA Core server.
To change the storage period for alerts:
- Log in to the OS of the server where the KUMA Core is installed as the root user.
- In the /usr/lib/systemd/system/kuma-core.service file, edit the following line, replacing the placeholder with the required number of days:
ExecStart=/opt/kaspersky/kuma/kuma core --alerts.retention <number of days to keep alerts> --external :7220 --internal :7210 --mongo mongodb://localhost:27017
- Restart KUMA by running the following commands in sequence:
systemctl daemon-reload
systemctl restart kuma-core
The storage period for alerts has been changed.
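The following shell function is an added example, not part of the KUMA documentation or product: it rewrites only the value after --alerts.retention in a copy of the unit file, refuses non-numeric input, and keeps a backup. It assumes the ExecStart line has the form shown above and is tried here on a constructed sample file rather than the real /usr/lib/systemd/system/kuma-core.service.

```shell
#!/bin/sh
# Added example (not KUMA's own tooling). Adjusts the --alerts.retention value
# in a kuma-core.service unit file without touching the other ExecStart options.
set -eu

# set_alert_retention FILE DAYS: replace the number after --alerts.retention.
# Returns 1 and leaves FILE untouched if DAYS is not a positive integer or the
# file has no "--alerts.retention <n>" option to replace.
set_alert_retention() {
    file=$1
    days=$2
    case $days in
        ''|*[!0-9]*|0*) echo "days must be a positive integer, got '$days'" >&2; return 1 ;;
    esac
    grep -q -- '--alerts\.retention [0-9][0-9]*' "$file" || {
        echo "no --alerts.retention <days> option found in $file" >&2; return 1; }
    cp -p "$file" "$file.bak"    # keep a backup of the original unit file
    sed "s/--alerts\.retention [0-9][0-9]*/--alerts.retention $days/" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# get_alert_retention FILE: print the currently configured number of days.
get_alert_retention() {
    sed -n 's/.*--alerts\.retention \([0-9][0-9]*\).*/\1/p' "$1"
}

# Constructed sample unit file mirroring the ExecStart line from the documentation
# (default retention of 365 days); used so the function can be tested safely.
demo_dir=$(mktemp -d)
demo_unit="$demo_dir/kuma-core.service"
cat > "$demo_unit" <<'EOF'
[Service]
ExecStart=/opt/kaspersky/kuma/kuma core --alerts.retention 365 --external :7220 --internal :7210 --mongo mongodb://localhost:27017
EOF

set_alert_retention "$demo_unit" 90
echo "alert retention in sample unit is now $(get_alert_retention "$demo_unit") days"
# On the real KUMA Core server (as root) the equivalent would be:
#   set_alert_retention /usr/lib/systemd/system/kuma-core.service 90
#   systemctl daemon-reload && systemctl restart kuma-core
```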
Alert segmentation rules
In KUMA, you can configure segmentation rules for alerts, that is, have separate alerts created for events that meet certain conditions. This is useful when the correlator groups the same type of correlation events into one common alert, but you want separate alerts to be generated from some of these events because they differ from the others in some important way.
Segmentation rules are created separately for each tenant. They are displayed in the Settings → Alerts section of the KUMA web interface in a table with the following columns:
- Tenant—the name of the tenant that owns the segmentation rules.
- Updated—date and time of the last update of the segmentation rules.
- Disabled—this column displays a label if the segmentation rules are turned off.
To create an alert segmentation rule:
- Open the Settings → Alerts section in the KUMA web interface.
- Select the tenant for which you would like to create a segmentation rule:
- If the tenant already has segmentation rules, select it in the table.
- If the tenant does not have segmentation rules, click Add and select the relevant tenant from the Tenant drop-down list.
- In the Segmentation rules settings block, click Add and specify the segmentation rule settings:
- Name (required)—specify the segmentation rule name in this field.
- Correlation rule (required)—in this drop-down list, select the correlation rule whose events you want to highlight in a separate alert.
- Selector (required)—in this settings block, you need to specify a condition under which the segmentation rule will be triggered. The conditions are specified in a way similar to filters.
- Click Save.
The alert segmentation rule is created. Events matching these rules will be combined into a separate alert with the name of the segmentation rule.
To turn off the segmentation rules:
- Open the Settings → Alerts section of the KUMA web interface and select the tenant whose segmentation rules you want to disable.
- Select the Disabled check box.
- Click Save.
The segmentation rules for the alerts of the selected tenant are disabled.