Kaspersky Unified Monitoring and Analysis Platform

Working with events

In the Events section of the KUMA Core web interface, you can inspect events stored in the Storage cluster to investigate security threats or create correlation rules.

This section displays only filtered events. You can update the displayed event selection to display the most recent entries by refreshing the web page or by setting the events table refresh period.

Events can be analyzed retrospectively.

The displayed date and time format depends on your machine's locale. In the English version, the first day of the week is Sunday.

In this Help topic

Filtering events

Viewing event detail areas

Exporting events

Selecting Storage

Getting events table statistics

Configuring the table of events

Refreshing events table

Opening the correlation event window

[Topic 218048]

Filtering events

In KUMA, you can specify what events to display in the events table using the query builder or SQL queries. Both search methods are interchangeable and search conditions can be viewed or created using either of them.

You can also modify filters in the events table using these shortcuts:

  • Changing the filter from the Statistics window

    To change the filter from the Statistics window:

    1. Open Statistics details area:
      • In the MoreButton drop-down list in the top right corner of the events table select Statistics.
      • In the events table click any value and in the opened context menu select Statistics.

      The Statistics details area appears in the right part of the web interface window.

    2. Open the drop-down list of a needed parameter and hover the mouse over the needed value.

      Plus and minus icons appear next to the value.

    3. Change the filter using plus or minus icons:
      • To include into the events selection only events with the selected value, click filter-plus icon.
      • To exclude from the events selection all events with the selected value, click filter-minus icon.

    As a result, the filter and the events table will be updated, and the new filter expression will be displayed in the top right corner of the Events window.

  • Changing the filter from the events table

    To change the filter from the events table,

    In the Events section of the KUMA web interface, click any event parameter value and select one of the following options in the opened menu:

    • To include into the events selection only events with the selected value, click Filter by this value.
    • To exclude events with the selected value from the events selection, click Exclude from filter.

    As a result, the filter and the events table will be updated, and the new filter expression will be displayed in the top right corner of the Events window.

  • Changing the filter from the Event details area

    To change the filter from the event details area:

    1. In the Events section of the KUMA web interface, click the relevant event.

      The Event details area appears in the right part of the window.

    2. Change the filter using plus or minus icons near parameters you need:
      • To include into the events selection only events with the selected value, click filter-plus icon.
      • To exclude from the events selection all events with the selected value, click filter-minus icon.

    As a result, the filter and the events table will be updated, and the new filter expression will be displayed in the top right corner of the Events window.

You can also filter events by time period. Filter configurations can be saved. Existing filter configurations can be deleted.

Query builder and SQL search queries can be used to specify the number of events that are loaded per page. If the specified filter returns more events than can be displayed on one page (according to settings), when you reach the end of the page, the Show more events button appears. The maximum number of events that can be displayed on the page is specified in the LIMIT section of the query builder or in the LIMIT parameter of an SQL query. This functionality can be used only when events are also filtered by the time period.

Filter functions are available for users regardless of their roles.

In this section

Filtering events by period

Filtering events using the constructor

Filtering events using SQL queries

Saving and selecting events filter configuration

Deleting event filter configurations

[Topic 217876]

Filtering events by period

In KUMA, you can specify the time period to display events from.

To filter events by period:

  1. In the Events section of the KUMA web interface, open the drop-down list to the right of the refresh drop-down list at the top of the window.
  2. If you want to filter by a standard period, select one of the following:
    • 5 minutes
    • 15 minutes
    • 1 hour
    • 24 hours
  3. If you want to set the period manually:
    1. In the drop-down list to the right of the refresh drop-down list, select In period.

      A window with a calendar opens.

    2. Set the start and end dates of the period using the calendar.

      The date and time format depends on your operating system's settings. If you want, you can change date values manually following the date and time format of your operating system.

    3. Click Apply Filter.
  4. Click the button with the SearchField icon.

When the period filter is set, only events registered during the specified time interval will be displayed. The period will be displayed at the top of the window.

You can also set a period using the events histogram at the top of the Events section by clicking the grey box with the time frame you need, or by dragging the mouse over the required time period and clicking the Show events button.

[Topic 217877]

Filtering events using the constructor

In KUMA you can filter events using the filter constructor.

To create a filter using the constructor:

  1. In the Events section of the KUMA web interface, click the SearchField field and select the Builder tab.

    The filter constructor window opens.

  2. Generate a search query:
    • In the SELECT section drop-down list, select the event parameter to display in the events table. You can select multiple parameters using the ADD COLUMN button. By default, the * value is selected, which means that all available event parameters are displayed.

      Selecting only the parameters you need keeps unnecessary details out of the events table and speeds up the search.

    • In the FROM section drop-down list select events.
    • In the WHERE section create search conditions:
      1. Select the event parameter you want to use as a filter in the left drop-down list.
      2. Select the required operator in the middle drop-down list. Available operators vary based on the chosen parameter's value type.
      3. Enter the value of the parameter.

        Depending on the selected parameter type, you may have to input the value manually, select it in the drop-down list, or select it on the calendar.

        You can add filter conditions using the Add condition button or delete them using the button with the cross icon.

        You can also add group conditions using the Add group button. By default, group conditions are added with the AND operator, but you can switch the operator between AND, OR, and NOT by clicking the operator name. Group conditions are deleted using the Delete group button.

    • In the ORDER BY section set the displayed events order:
      • In the left drop-down list, select the parameter to sort events by.
      • In the right drop-down list select ascending (ASC) or descending (DESC) sorting order.

      You can add event parameters for sorting by clicking the ADD COLUMN button or delete them using the button with the cross icon.

    • In the LIMIT section field enter the number of events displayed per page. By default, it is set to 250.
  3. Click Search.

After this, only events matching the created filter are displayed in the events table, and the filter expression is displayed in the Search field.

To remove the filter:

  1. In the Events section of KUMA click the field with the filter expression.

    The filter constructor window opens.

  2. Click the New search button.

    Filter parameters will be reset.

  3. Click the Search button.

The filter will no longer be applied to the displayed events.

This action will also delete the time-based filter.

[Topic 217879]

Filtering events using SQL queries

In KUMA you can filter events using SQL syntax queries.

To create a filter using SQL search queries:

  1. In the Events section of KUMA click the SearchField field and select the SQL query tab.

    The field for entering the search query opens.

  2. Generate a search query.
  3. Click Search.

After this, only events matching the created filter are displayed in the events table, and the filter expression is displayed in the Search field.
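The query builder section above lists the parts of a search query in order (SELECT, FROM events, WHERE with nested AND/OR/NOT groups, ORDER BY with ASC/DESC, LIMIT defaulting to 250), and this section asks you to type the same query by hand. The following composer is an added illustration, not KUMA's own code, that renders that query shape from builder-style conditions. The page does not state which SQL dialect KUMA accepts, so standard SQL quoting (single-quoted strings with embedded quotes doubled) and the operator subset are assumptions here; the security point it shows is that parameter names are validated as identifiers and values are quoted as literals, so a value containing a quote ends up inside the literal rather than spliced into the query. The NOT group is rendered as a negated conjunction, which is also an assumption about the builder's semantics.

```python
import re
from dataclasses import dataclass, field
from typing import List, Union

# Added illustration, not KUMA's own code. It renders the query shape the builder
# describes (SELECT ... FROM events WHERE ... ORDER BY ... LIMIT ...). The page does
# not state which SQL dialect KUMA accepts, so standard SQL quoting is assumed here.

ALLOWED_OPERATORS = {"=", "!=", "<", "<=", ">", ">="}  # assumed subset of builder operators
SORT_DIRECTIONS = {"ASC", "DESC"}
GROUP_OPERATORS = {"AND", "OR", "NOT"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


@dataclass
class Condition:
    """One WHERE row of the builder: parameter, operator, value."""
    parameter: str
    operator: str
    value: Union[str, int]


@dataclass
class Group:
    """A builder group: AND/OR join its items; NOT negates the conjunction (assumed)."""
    operator: str = "AND"
    items: List[Union["Condition", "Group"]] = field(default_factory=list)


def is_identifier(name: str) -> bool:
    """Event parameter names are plain identifiers; anything else is rejected."""
    return bool(_IDENT.match(name))


def quote_value(value: Union[str, int]) -> str:
    """Numbers pass through; strings become single-quoted literals with ' doubled."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise TypeError(f"unsupported value type: {type(value).__name__}")
    if isinstance(value, int):
        return str(value)
    return "'" + value.replace("'", "''") + "'"


def render_condition(c: Condition) -> str:
    if not is_identifier(c.parameter):
        raise ValueError(f"invalid parameter name: {c.parameter!r}")
    if c.operator not in ALLOWED_OPERATORS:
        raise ValueError(f"unsupported operator: {c.operator!r}")
    return f"{c.parameter} {c.operator} {quote_value(c.value)}"


def render_group(g: Group) -> str:
    if g.operator not in GROUP_OPERATORS:
        raise ValueError(f"unsupported group operator: {g.operator!r}")
    if not g.items:
        raise ValueError("empty group")
    parts = [render_condition(i) if isinstance(i, Condition) else render_group(i) for i in g.items]
    if g.operator == "NOT":
        return "NOT (" + " AND ".join(parts) + ")"
    return "(" + f" {g.operator} ".join(parts) + ")"


def build_query(select=("*",), where: Group = None, order_by=None, limit: int = 250) -> str:
    """SELECT/FROM/WHERE/ORDER BY/LIMIT in builder order; LIMIT defaults to 250 like the builder."""
    for col in select:
        if col != "*" and not is_identifier(col):
            raise ValueError(f"invalid column: {col!r}")
    query = f"SELECT {', '.join(select)} FROM events"
    if where is not None and where.items:
        query += " WHERE " + render_group(where)
    if order_by is not None:
        col, direction = order_by
        if not is_identifier(col) or direction not in SORT_DIRECTIONS:
            raise ValueError(f"invalid ORDER BY: {order_by!r}")
        query += f" ORDER BY {col} {direction}"
    if not isinstance(limit, int) or limit <= 0:
        raise ValueError("LIMIT must be a positive integer")
    return query + f" LIMIT {limit}"


if __name__ == "__main__":
    # Constructed example: failed logons from Microsoft products for two accounts, newest first.
    where = Group("AND", [
        Condition("DeviceVendor", "=", "Microsoft"),
        Condition("Name", "=", "Logon failed"),
        Group("OR", [
            Condition("DestinationUserName", "=", "admin"),
            Condition("DestinationUserName", "=", "O'Brien"),  # the quote is escaped, not spliced in
        ]),
    ])
    print(build_query(select=("Timestamp", "Name", "DestinationUserName"),
                      where=where, order_by=("Timestamp", "DESC")))
```

Running the block prints a query with the same sections the builder tab shows, which is a convenient way to check that a hand-typed query on the SQL query tab matches what the constructor would have produced.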

To remove the filter:

  1. In the Events section of KUMA click the field with the filter expression.
  2. Click New search.

The filter will no longer be applied to the displayed events.

This action will also delete the time-based filter.

[Topic 217878]

Saving and selecting events filter configuration

In KUMA, you can save a filter configuration so it can be used in the future or by other users. When saving a filter, you save the settings of all the active filters at once: time-based filter, query builder, and the events table settings. Search queries are saved on the KUMA Core server and are available to all KUMA users of the selected tenant.

To save the current filter settings, search query, and time period:

  1. In the Events section of the KUMA web interface, click the SaveButton drop-down list next to the filter attribute and select Save current filter.
  2. In the window that opens, enter the name of the filter configuration in the Name field. The name must contain 128 Unicode characters or less.
  3. In the Tenant drop-down list, select the tenant that will own the created filter.
  4. Click Save.

The filter configuration is now saved.

To select a previously saved filter configuration:

In the Events section of the KUMA web interface, click the SaveButton drop-down list near the filter expression and select the relevant filter.

The selected configuration is now active.

You can click the StarOffIcon icon near the filter configuration name to make it a default filter.

The list of filter configurations can also be opened using Saved searches button in the filter builder window.

[Topic 217984]

Deleting event filter configurations

To delete a previously saved filter configuration:

  1. In the Events section of the KUMA web interface, click the SaveButton drop-down list next to the filter search query and click the delete-icon icon next to the configuration that you need to delete.
  2. Click OK.

The filter configuration is now deleted for all KUMA users.

The list of filter configurations can also be opened using Saved searches button in the filter builder window.

[Topic 217836]

Viewing event detail areas

In KUMA, you can inspect the parameters of any event in your selection, which can help during alert investigation or when working with correlation rules.

To see event parameters,

In the Events section of the KUMA web interface, click the relevant event.

The Event details area appears in the right part of the web interface window and contains a list of the event's parameters with values. In this area you can:

  • Modify the event selection using the filter-plus and filter-minus icons located next to parameter values.
  • Open the service that registered the event using the link in the Service parameter value.
  • Open a window with information about the asset if it is mentioned in the event fields and registered in the program.
  • Link the event to an alert if the program is in analysis drilldown mode.
  • Open the Details on correlation event window if the event you selected is a correlation event.
  • If integration with Kaspersky CyberTrace and/or Kaspersky Threat Intelligence Portal is configured, view and request information about objects in the event fields from these sources.
[Topic 218039]

Exporting events

In KUMA, you can export information about events to a TSV file. The selection of events that will be exported to a TSV file depends on filter settings. The information is exported from the columns that are currently displayed in the events table. The columns in the exported file are populated with the available data even if they were empty in the events table in the KUMA web interface due to the special features of the SQL query.

To export information about events:

  1. In the Events section of the KUMA web interface, open the MoreButton drop-down list and choose Export TSV.

    A new TSV export task is created in the Task manager section.

  2. Find the task you created in the Task manager section.

    When the file is ready to download, the DoneIcon icon will appear in the Status column of the task.

  3. Click the task type name and select Download from the drop-down list.

    The TSV file will be downloaded using your browser's settings. By default, the file name is event-export-<date>_<time>.tsv.

The file is saved based on your web browser's settings.

[Topic 217871]

Selecting Storage

Events that are displayed in the Events section of the KUMA web interface are retrieved from storage (from the ClickHouse cluster). Depending on the demands of your company, you may have more than one Storage. However, you can only receive events from one Storage at a time, so you must specify which one you want to use.

To select the Storage you want to receive events from,

In the Events section of the KUMA web interface, open the cluster drop-down list and select the relevant storage cluster.

Now events from the selected storage are displayed in the events table. The name of the selected storage is displayed in the cluster drop-down list.

The cluster drop-down list displays only the clusters of tenants available to the user, and the cluster of the main tenant.

See also:

Storage

[Topic 217994]

Getting events table statistics

You can get statistics for the current events selection displayed in the events table. The selected events depend on the filter settings.

To get statistics, complete one of the following:

  • In the MoreButton drop-down list in the top right corner of the events table select Statistics.
  • In the events table click any value and in the opened context menu select Statistics.

The Statistics details area appears with the list of parameters from the current event selection. The number next to each parameter indicates the number of events in the selection that have that parameter set. You can also see the top five values with a percent distribution for each parameter in the parameter's drop-down list. Parameters can be searched using the Search field.

The Statistics window allows you to modify the events filter.
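The statistics described above (a per-parameter event count and the top five values with their percentage share) are easy to reproduce offline from a TSV export produced as described in the Exporting events section, for example to keep a record of a selection alongside an investigation. The following block is an added illustration and not KUMA's own code; the rows in it are constructed sample data using the default event table columns, and the exact file name and column set of a real export are taken from this page only as far as it states them.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

# Added illustration, not KUMA's own code: the same per-parameter counts and top-five
# value distribution the Statistics area shows, computed offline from a TSV export.
# The rows below are constructed sample data using the default event table columns.
SAMPLE_ROWS = [
    ["Tenant", "Timestamp", "Name", "DeviceProduct", "DeviceVendor", "DestinationAddress", "DestinationUserName"],
    ["Main", "2024-05-01T08:00:00Z", "Logon failed", "Windows", "Microsoft", "10.0.0.5", "admin"],
    ["Main", "2024-05-01T08:00:05Z", "Logon failed", "Windows", "Microsoft", "10.0.0.5", "admin"],
    ["Main", "2024-05-01T08:00:09Z", "Logon failed", "Windows", "Microsoft", "10.0.0.5", "admin"],
    ["Main", "2024-05-01T08:01:00Z", "Logon success", "Windows", "Microsoft", "10.0.0.7", "jsmith"],
    ["Main", "2024-05-01T08:02:00Z", "Connection allowed", "FortiGate", "Fortinet", "10.0.0.9", ""],
    ["Branch", "2024-05-01T08:03:00Z", "Logon failed", "Windows", "Microsoft", "10.0.1.5", "svc_backup"],
]
SAMPLE_TSV = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"


def load_events(tsv_text: str) -> List[Dict[str, str]]:
    """Parse an export like event-export-<date>_<time>.tsv: header row, tab-separated values."""
    return list(csv.DictReader(io.StringIO(tsv_text), delimiter="\t"))


def field_statistics(events, parameter: str, top: int = 5) -> Tuple[int, List[Tuple[str, int, float]]]:
    """Count events where the parameter is set and return the top values with their share in percent.

    Empty cells are not counted, matching a parameter that is absent from an event.
    Ties are broken by value so the result is stable.
    """
    values = [e[parameter] for e in events if e.get(parameter)]
    total = len(values)
    ranked = sorted(Counter(values).items(), key=lambda kv: (-kv[1], kv[0]))[:top]
    return total, [(v, n, round(100.0 * n / total, 1)) for v, n in ranked]


def all_statistics(events, parameters=None, top: int = 5):
    """Statistics for every column (or only the given ones), keyed by parameter name."""
    if parameters is None:
        parameters = list(events[0].keys()) if events else []
    return {p: field_statistics(events, p, top) for p in parameters}


if __name__ == "__main__":
    events = load_events(SAMPLE_TSV)
    for parameter, (total, ranked) in all_statistics(events).items():
        print(f"{parameter} ({total})")
        for value, count, percent in ranked:
            print(f"    {value}: {count} ({percent}%)")
```

With the sample rows, DestinationUserName is set in five of the six events and admin accounts for 60% of them, which is the kind of skew the top-five distribution makes visible at a glance before you narrow the filter with the plus and minus icons.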

[Topic 217884]

Configuring the table of events

Default column configuration of the events table:

  • Tenant
  • Timestamp
  • Name
  • DeviceProduct
  • DeviceVendor
  • DestinationAddress
  • DestinationUserName

In KUMA, you can customize the displayed set of table columns and their display order. You can also save this configuration.

To configure the fields displayed in the events table:

  1. Click the gear icon in the top right corner of the events table.

    A window for configuring the events table opens.

  2. Select the check boxes next to the parameters you want to view in the table.

    You can choose to display a column for any parameter from the KUMA event data model. You can search for parameters using the Search field. The Timestamp and Name parameters are always displayed in the table. Click the Default button to display only default event parameters in the events table.

    When you select a check box, the events table is updated and a new column is added. When a check box is cleared, the column disappears.

    You can also remove columns from the events table by clicking the column title and selecting Hide column from the drop-down list.

  3. In the table, drag and drop column titles to change the column display order.
  4. If you want to sort the events by a specific column, click its title and in the drop-down list select one of the available options: Ascending or Descending.

The selected columns are displayed in the events table in the Events section in the order you specified.

[Topic 217773]

Refreshing events table

You can update the displayed event selection with the most recent entries by refreshing the web browser page. You can also refresh the events table automatically and set the frequency of updates. Automatic refresh is disabled by default.

To enable automatic refresh:

Select the update frequency in the refresh drop-down list:

  • 5 seconds
  • 15 seconds
  • 30 seconds
  • 1 minute
  • 5 minutes
  • 15 minutes

The events table now refreshes automatically.

To disable automatic refresh:

Select No refresh in the refresh drop-down list.

[Topic 217961]

Opening the correlation event window

You can view the details of a correlation event in the Correlation event details window.

To open the correlation event window:

  1. In the Events section of the KUMA web interface, click a correlation event.

    You can use filters to find correlation events by setting the Type parameter to the value correlated.

    The details area of the selected event will open. If the selected event is a correlation event, the Detailed view button will be displayed at the bottom of the details area.

  2. Click the Detailed view button.

The correlation event window will open. The event name is displayed in the upper left corner of the window.

The Correlation event details section of the correlation event window contains the following data:

  • Correlation event priority—the importance of the correlation event.
  • Correlation rule—the name of the correlation rule that triggered the creation of this correlation event. The rule name is represented as a link that can be used to open the settings of this correlation rule.
  • Correlation rule priority—the importance of the correlation rule that triggered the correlation event.
  • Correlation rule ID—the identifier of the correlation rule that triggered the creation of this correlation event.
  • Tenant—the name of the tenant that owns the correlation event.

The Related events section of the correlation event window contains the table of events related to the correlation event. These are base events that actually triggered the creation of the correlation event. When an event is selected, the details area opens in the right part of the web interface window.

The Find in events link to the right of the section header is used for drilldown analysis.

The Related endpoints section of the correlation event window contains the table of hosts related to the correlation event. This information comes from the base events related to the correlation event. Clicking the name of the asset opens the Asset details window.

The Related users section of the correlation event window contains the table of users related to the correlation event. This information comes from the base events related to the correlation event.

See also:

About alerts

Correlator

Drilldown analysis

[Topic 217946]