Kaspersky Unified Monitoring and Analysis Platform

KUMA services

Services are the main components of KUMA that work with events: receiving, processing, analyzing, and storing them. Each service consists of two parts that work together:

  • One part of the service is created inside the KUMA web interface based on a set of resources for services.
  • The second part of the service is installed in the network infrastructure where the KUMA system is deployed as one of its components. The server part of a service can consist of several instances: for example, services of the same agent or storage can be installed on several computers at once.

    On the server side, KUMA services are located in the /opt/kaspersky/kuma directory.

The two parts of a service are linked to each other by the service ID.

Service types:

  • Collectors are used to receive events and convert them to KUMA format.
  • Correlators are used to analyze events and search for defined patterns.
  • Storages are used to save events.
  • Agents are used to receive events on remote devices and forward them to KUMA collectors.

In the KUMA web interface, services are displayed in the Resources → Active services section in table format. The table of services can be updated using the Refresh button and sorted by columns by clicking on the active headers.

Table columns:

  • Type—type of service: agent, collector, correlator, or storage.
  • Name—name of the service. Clicking on the name of the service opens its settings.
  • Version—service version.
  • Tenant—the name of the tenant that owns the service.
  • FQDN—fully qualified domain name of the service server.
  • IP address—IP address of the server where the service is installed.
  • API Port—Remote Procedure Call port number.
  • Status—service status:
    • Green means that the service is running.
    • Red means that the service is not running.
    • Yellow means that there is no connection with ClickHouse nodes (this status is applied only to storage services). The reason for this is indicated in the service log if logging was enabled.
  • Uptime—the time showing how long the service has been running.

Using the Add service button, you can create new services based on existing resource sets for services. In this section, you can also restart a service or reset (delete) its certificate, copy the service identifier, or delete the service. You can also view storage partitions and correlator active lists here.

Services can be edited by clicking on them under Resources → Active services. This opens a window containing the set of resources that were used to create the service. A service is edited by changing the settings of the resource set. Changes are saved by clicking the Save button and will take effect after the service is restarted.

If, when changing the settings of a collector resource set, you change or delete conversions in a normalizer connected to it, the edits will not be saved, and the normalizer resource itself may be corrupted. If you need to modify conversions in a normalizer that is already part of a service, the changes must be made directly to the resource under Resources → Normalizers in the web interface.

In this Help topic

Services tools

Service resource sets

Creating a collector

Creating a correlator

Creating an agent

Creating a storage


Services tools

This section describes the tools for working with services available in the Resources → Active services section of the KUMA web interface.

In this section

Getting service identifier

Restarting the service

Deleting the service

Partitions window

Correlator active list window

Searching for related events


Getting service identifier

The service identifier is used to bind parts of the service residing within KUMA and installed in the network infrastructure into a single complex. An identifier is assigned to a service when it is created in KUMA, and is then used when installing the service to the server.

To get the identifier of a service:

  1. Log in to the KUMA web interface and open Resources → Active services.
  2. Select the check box next to the service whose ID you want to obtain, and click Copy ID.

The identifier of the service will be copied to the clipboard. It can be used, for example, for installing the service on a server.


Restarting the service

To restart the service:

  1. Log in to the KUMA web interface and open Resources → Active services.
  2. Select the check box next to the service and select the necessary option:
    • Reload—perform a hot update of a running service configuration. For example, you can change the field mapping settings or the destination point settings this way.
    • Restart—stop a service and start it again. This option is used to modify the port number or connector type.

      Restarting KUMA agents:

      • KUMA Windows Agent can be restarted as described above only if it is running on a remote computer. If the service on the remote computer is inactive, you will receive an error when trying to restart from KUMA. In that case you must restart KUMA Windows Agent service on the remote Windows machine. For information on restarting Windows services, refer to the documentation specific to the operating system version of your remote Windows computer.
      • KUMA Agent for Linux stops when this option is used. To start the agent again, you must execute the command that was used to start it.
    • Reset certificate—remove certificates that the service uses for internal communication. For example, this option can be used to renew the Core certificate.

      Special considerations for deleting Windows agent certificates:

      • If the agent has the green status and you select Reset certificate, KUMA deletes the current certificate and creates a new one; the agent continues working with the new certificate.
      • If the agent has the red status and you select Reset certificate, KUMA generates an error that the agent is not running. In the agent installation folder %APPDATA%\kaspersky\kuma\<Agent ID>\certificates, manually delete the internal.cert and internal.key files and start the agent manually. When the agent starts, a new certificate is created automatically.

      Special considerations for deleting Linux agent certificates:

      1. Regardless of the agent status, apply the Reset certificate option in the web interface to delete the certificate in the databases.
      2. In the agent installation folder /opt/kaspersky/agent/<Agent ID>/certificates, manually delete the internal.cert and internal.key files.
      3. Since the Reset certificate option stops the agent, to continue its operation, start the agent manually. When the agent starts, a new certificate is created automatically.

Deleting the service

Before deleting the service, get its ID. It will be required to remove the service from the server.

To delete the service:

  1. Log in to the KUMA web interface and open Resources → Active services.
  2. Select the check box next to the service you want to delete, and click Delete.

    A confirmation window opens.

  3. Click OK.

The service has been deleted from KUMA.

To remove the service from the server:

Delete the file /usr/lib/systemd/system/kuma-<Service type: collector, correlator, or storage>-<ID of the service>.service from the server where the service was installed.


Partitions window

If a storage service has been created and installed, you can view its partitions in the Partitions table.

To open the Partitions table:

  1. Log in to the KUMA web interface and open Resources → Active services.
  2. Select the check box next to the relevant storage and click Go to partitions.

The Partitions table opens.

The table has the following columns:

  • Tenant—the name of the tenant that owns the stored data.
  • Date—the date when the space was created.
  • Space—the name of the space.
  • Size—the size of the space.
  • Events—the number of stored events.
  • Expires—the date when this partition expires.

You can delete partitions.

To delete a partition:

  1. Open the Partitions table (see above).
  2. Open the drop-down list to the left of the required partition.
  3. Select Delete.

    A confirmation window opens.

  4. Click OK.

The partition has been deleted.


Correlator active list window

The Correlator active list table displays the active lists that are used by a specific correlator.

To open the Correlator active list table:

  1. Log in to the KUMA web interface and open Resources → Active services.
  2. Select the check box next to the relevant correlator and click Go to active lists.

The Correlator active list table opens.

The table has the following columns:

  • Name—the name of the correlator list.
  • Records—the number of records the active list contains.
  • Size on disk—the size of the active list.
  • Directory—the path to the active list on the KUMA Core server.

You can view, import, export, or clear active lists.

To view an active list,

open the Correlator active list table (see above) and click the name of the relevant active list.

The table with active list records opens. If you want to view the contents of a record, click on the value of its key (the Key column). If you want to delete the record, click the delete icon. You can also search records using the Search field.

To export active list:

  1. Open the Correlator active list table (see above).
  2. Open the drop-down list to the left of the required active list.
  3. Click Export.

The active list is downloaded in JSON format using your browser's settings. The name of the downloaded file reflects the name of the active list.

To import active list:

  1. Open the Correlator active list table (see above).
  2. Open the drop-down list to the left of the required active list.
  3. Select Import.

    The active list import window opens.

  4. In the File field, select the file you want to import.
  5. In the Format drop-down list select the format of the file:
    • csv
    • tsv
    • internal
  6. Under Key field, enter the name of the column containing the active list record keys.
  7. Select Import.

The data from the file is imported into the active list.


Searching for related events

You can search for events processed by the Correlator or the Collector services.

To search for events related to the Correlator or the Collector service:

  1. Log in to the KUMA web interface and open Resources → Active services.
  2. Select the check box next to the required correlator or collector and click Go to Events.

    A new browser tab opens with the KUMA Events section open.

  3. To find events, click the magnifying glass icon.

A table with events selected by the search expression ServiceID = <ID of the selected service> will be displayed.


Service resource sets

Service resource sets are a type of resource: a KUMA component consisting of a set of settings based on which KUMA services are created and operate. A resource set for a service is a collection of resources.

Any resources added to a set of resources must be owned by the same tenant that owns the created set of resources. An exception is the shared tenant, whose owned resources can be used in the sets of resources of other tenants.

Resource sets for services are displayed in the Resources → <Resource set type for the service> section of the KUMA web interface. Available types:

  • Collectors
  • Correlators
  • Storages
  • Agents

When you select the required type, a table opens with the available sets of resources for services of this type. The resource table contains the following columns:

  • Name—the name of a resource set. Can be used for searching and sorting.
  • Updated—the date and time of the last update of the resource set. Can be used for sorting.
  • Created by—the name of the user who created the resource set.
  • Description—the description of the resource set.


Creating a collector

A collector consists of two parts: one part is created inside the KUMA web interface, and the other part is installed on a server in the network infrastructure intended for receiving events.

Actions in the KUMA web interface

The creation of a collector in the KUMA web interface is carried out by using the Installation Wizard. This Wizard combines the required resources into a set of resources for a collector. Upon completion of the Wizard, the service itself is automatically created based on this set of resources.

To create a collector in the KUMA web interface,

Start the Collector Installation Wizard:

  • In the KUMA web interface, in the Resources section, click the Add event source button.
  • In the KUMA web interface, in the Resources → Collectors section, click the Add collector button.

As a result of completing the steps of the Wizard, a collector service is created in the KUMA web interface.

A resource set for a collector includes the following resources:

These resources can be prepared in advance, or you can create them while the Installation Wizard is running.

Actions on the KUMA Collector Server

To install the collector on the server that you intend to use to receive events, run on that server the command displayed at the last step of the Installation Wizard. During installation, you must specify the identifier automatically assigned to the service in the KUMA web interface, as well as the port used for communication.

Testing the installation

After creating a collector, you are advised to make sure that it is working correctly.

In this section

Starting the Collector Installation Wizard

Installing a collector in a KUMA network infrastructure

Validating collector installation

Ensuring uninterrupted collector operation


Starting the Collector Installation Wizard

A collector consists of two parts: one part is created inside the KUMA web interface, and the other part is installed on the network infrastructure server intended for receiving events. The Installation Wizard creates the first part of the collector.

To start the Collector Installation Wizard:

  • In the KUMA web interface, in the Resources section, click Add event source.
  • In the KUMA web interface, in the Resources → Collectors section, click Add collector.

Follow the instructions of the Wizard.

Aside from the first and last steps of the Wizard, the steps of the Wizard can be performed in any order. You can switch between steps by using the Next and Previous buttons, as well as by clicking the names of the steps in the left side of the window.

After the Wizard completes, a resource set for a collector is created in the KUMA web interface under Resources → Collectors, and a collector service is added under Resources → Active services.

In this section

Step 1. Connect event sources

Step 2. Transportation

Step 3. Event parsing

Step 4. Filtering events

Step 5. Event aggregation

Step 6. Event enrichment

Step 7. Routing

Step 8. Setup validation


Step 1. Connect event sources

This is a required step of the Installation Wizard. At this step, you specify the main settings of the collector: its name and the tenant that will own it.

To specify the basic settings of the collector:

  1. In the Collector name field, enter a unique name for the service you are creating. The name must contain from 1 to 128 Unicode characters.

    When certain types of collectors are created, agents named "agent: <Collector name>, auto created" are also automatically created together with the collectors. If this type of agent was previously created and has not been deleted, it will be impossible to create a collector named <Collector name>. If this is the case, you will have to either specify a different name for the collector or delete the previously created agent.

  2. In the Tenant drop-down list, select the tenant that will own the collector. The tenant selection determines what resources will be available when the collector is created.

    If you return to this window from another subsequent step of the Installation Wizard and select another tenant, you will have to manually edit all the resources that you have added to the service. Only resources from the selected tenant and shared tenant can be added to the service.

  3. If required, specify the number of processes that the service can run concurrently in the Workers field. By default, the number of worker processes is the same as the number of vCPUs on the server where the service is installed.
  4. If necessary, use the Debug drop-down list to enable logging of service operations.
  5. You can optionally add up to 256 Unicode characters describing the service in the Description field.

The main settings of the collector are specified. Proceed to the next step of the Installation Wizard.


Step 2. Transportation

This is a required step of the Installation Wizard. On the Transport tab of the Installation Wizard, select or create a connector resource with the settings indicating from where the collector service should receive events.

To add an existing connector to a resource set,

select the name of the required connector from the Connector drop-down list.

The Transport tab of the Installation Wizard will display the settings of the selected connector. You can open the selected resource for editing in a new browser tab using the edit button.

To create a new connector:

  1. Select Create new from the Connector drop-down list.
  2. In the Type drop-down list, select the connector type and define its settings on the Basic settings and Advanced settings tabs. The available settings depend on the selected type of connector:

    When using the tcp or udp connector type, at the normalization stage the IP addresses of the assets from which the events were received are written to the DeviceAddress event field if it is empty.

    When using a wmi or wec connector, agents will be automatically created for receiving Windows events.

    It is recommended to use the default encoding (UTF-8), and to apply other settings only if corrupted characters appear in the fields of events.

    Making KUMA collectors listen on ports up to 1,000 requires running the service of the relevant collector with root privileges. To do this, after installing the collector, add the line AmbientCapabilities=CAP_NET_BIND_SERVICE to the [Service] section of its systemd unit file.
    The systemd unit file is /lib/systemd/system/kuma-collector-<collector ID>.service.

The connector resource has been added to the resource set of the collector. The created resource is only available in this resource set and is not displayed in the web interface Resources → Connectors section.

Proceed to the next step of the Installation Wizard.
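The privileged-port note above asks you to add AmbientCapabilities=CAP_NET_BIND_SERVICE to the [Service] section of the collector's unit file. The following is an added example (not KUMA's own tooling) that makes that edit idempotently and only inside [Service], so a repeated run never duplicates the directive and a unit without a [Service] section gets one; the sample unit text is constructed, and its ExecStart is a placeholder.

```python
"""Grant CAP_NET_BIND_SERVICE to a collector's systemd unit (added example,
not part of KUMA). The unit text below is constructed for illustration."""
from pathlib import Path

CAP = "CAP_NET_BIND_SERVICE"
CAP_LINE = f"AmbientCapabilities={CAP}"

# Constructed sample unit; the ExecStart value is a placeholder, not KUMA's real command line.
SAMPLE_UNIT = """[Unit]
Description=KUMA collector (constructed sample)
After=network.target

[Service]
Type=simple
ExecStart=/opt/kaspersky/kuma/PLACEHOLDER_COLLECTOR_COMMAND
Restart=always

[Install]
WantedBy=multi-user.target
"""


def _insert_before_trailing_blanks(out: list, line: str) -> None:
    """Insert `line` at the end of `out`, but above any trailing blank lines."""
    i = len(out)
    while i > 0 and out[i - 1].strip() == "":
        i -= 1
    out.insert(i, line)


def add_bind_capability(unit_text: str) -> str:
    """Return unit_text with CAP_NET_BIND_SERVICE granted in [Service].

    Idempotent: an AmbientCapabilities= line that already lists the capability
    is left alone; one that lists other capabilities is extended (systemd
    merges the space-separated list); a missing [Service] section is appended,
    because systemd ignores directives placed outside a section.
    """
    out, section, done = [], None, False
    for line in unit_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if section == "Service" and not done:
                _insert_before_trailing_blanks(out, CAP_LINE)  # leaving [Service]
                done = True
            section = s[1:-1]
        elif section == "Service" and "=" in s and not s.startswith("#"):
            key, value = (p.strip() for p in s.split("=", 1))
            if key == "AmbientCapabilities" and not done:
                caps = value.split()
                if CAP not in caps:
                    caps.append(CAP)
                line = "AmbientCapabilities=" + " ".join(caps)
                done = True
        out.append(line)
    if section == "Service" and not done:
        _insert_before_trailing_blanks(out, CAP_LINE)  # [Service] was the last section
        done = True
    if not done:
        out.extend(["", "[Service]", CAP_LINE])  # no [Service] section at all
    return "\n".join(out) + "\n"


def has_bind_capability(unit_text: str) -> bool:
    """True if some AmbientCapabilities= line inside [Service] lists the capability."""
    section = None
    for line in unit_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1]
        elif section == "Service" and "=" in s:
            key, value = (p.strip() for p in s.split("=", 1))
            if key == "AmbientCapabilities" and CAP in value.split():
                return True
    return False


def patch_unit_file(path: Path) -> bool:
    """Patch a unit file in place; returns True if the file was changed."""
    original = path.read_text()
    patched = add_bind_capability(original)
    if patched != original:
        path.write_text(patched)
        return True
    return False


if __name__ == "__main__":
    print(add_bind_capability(SAMPLE_UNIT))
```

After patching a real unit, run `systemctl daemon-reload` and restart the collector so the new capability set takes effect.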


Step 3. Event parsing

This is a required step of the Installation Wizard. On the Event parsing tab of the Installation Wizard, select or create a normalizer resource whose settings will define the rules for converting raw events into normalized events. You can add more than one normalizer to implement complex processing logic.

When creating a new normalizer in the Installation Wizard, by default it is saved in the set of resources for the collector and cannot be used in other collectors. You can use the Save normalizer check box to create a separate resource.

If, when changing the settings of a collector resource set, you change or delete conversions in a normalizer connected to it, the edits will not be saved, and the normalizer resource itself may be corrupted. If you need to modify conversions in a normalizer that is already part of a service, the changes must be made directly to the resource under Resources → Normalizers in the web interface.

Adding a normalizer

To add an existing normalizer to a resource set:

  1. Click the Add event parsing button.

    The Event parsing window will open with the normalizer settings and an active Normalization scheme tab.

  2. In the Normalizer drop-down list, select the required normalizer.

    The Event parsing window will display the parameters of the selected normalizer. You can open the selected resource for editing in a new browser tab using the edit button.

  3. Click OK.

The normalizer is displayed as a dark circle on the Event parsing tab of the Installation Wizard. Clicking on the circle will open the normalizer options for editing. When you hover over the circle, a plus sign is displayed: click on it to add more normalizers (see below).

To create a new normalizer:

  1. Select Create new from the Normalizer drop-down list.

    The Event parsing window will open with the normalizer settings and an active Normalization scheme tab.

  2. If you want to keep the normalizer as a separate resource, select the Save normalizer check box. This check box is cleared by default.
  3. In the Name field, enter a unique name for the normalizer. The name must contain from 1 to 128 Unicode characters.
  4. In the Parsing method drop-down list, select the type of events to receive. Depending on your choice, you can use the preconfigured rules for matching event fields or set your own rules. When you select some parsing methods, additional parameter fields required for filling in may become available.

    Available parsing methods:

    • json

      This parsing method is used to process JSON data.

      When processing files with hierarchically arranged data, you can access the fields of nested objects by specifying the names of the parameters dividing them by a period. For example, the username parameter from the string "user": {"username": "system: node: example-01"} can be accessed by using the user.username query.

    • cef

      This parsing method is used to process CEF data.

      When choosing this method, you can use the preconfigured rules for converting events to the KUMA format by clicking the Apply default mapping button.

    • regexp

      This parsing method is used to create custom rules for processing JSON data.

      In the Normalization parameter block field, add a regular expression (RE2 syntax) with named capture groups. The name of a group and its value will be interpreted as the field and the value of the raw event, which can be converted into an event field in KUMA format.

      To add event handling rules:

      1. Copy an example of the data you want to process to the Event examples field. This is an optional but recommended step.
      2. In the Normalization parameter block field add a regular expression with named capture groups in RE2 syntax, for example "(?P<name>regexp)".

        You can add multiple regular expressions by using the Add regular expression button. If you need to remove the regular expression, use the cross button.

      3. Click the Copy field names to the mapping table button.

        Capture group names are displayed in the KUMA field column of the Mapping table. Now you can select the corresponding KUMA field in the column next to each capture group. Otherwise, if you named the capture groups in accordance with the CEF format, you can use the automatic CEF mapping by selecting the Use CEF syntax for normalization check box.

      Event handling rules were added.

    • syslog

      This parsing method is used to process data in syslog format.

      When choosing this method, you can use the preconfigured rules for converting events to the KUMA format by clicking the Apply default mapping button.

    • csv

      This parsing method is used to create custom rules for processing CSV data.

      When choosing this method, you must specify the separator of values in the string in the Delimiter field. Any single-byte ASCII character can be used as a delimiter.

    • kv

      This parsing method is used to process data in key-value pair format.

      If you select this method, you must provide values in the following required fields:

      • Pair delimiter—specify a character that will serve as a delimiter for key-value pairs. You can specify any one-character (1 byte) value, provided that the character does not match the value delimiter.
      • Value delimiter—specify a character that will serve as a delimiter between the key and the value. You can specify any one-character (1 byte) value, provided that the character does not match the delimiter of key-value pairs.
    • xml

      This parsing method is used to process XML data.

      When this method is selected, in the XML Attributes parameter block you can specify the key attributes to be extracted from tags. If an XML structure has several attributes with different values in the same tag, you can indicate the necessary value by specifying its key in the Source column of the Mapping table.

      To add key XML attributes,

      click the Add field button, and in the window that appears, specify the path to the required attribute.

      You can add more than one attribute. Attributes can be removed one at a time using the cross icon or all at once using the Reset button.

      If XML key attributes are not specified, then in the course of field mapping the unique path to the XML value will be represented by a sequence of tags.

    • netflow5

      This parsing method is used to process data in the NetFlow v5 format.

      When choosing this method, you can use the preconfigured rules for converting events to the KUMA format by clicking the Apply default mapping button.

      In mapping rules, the protocol type for netflow5 is not indicated in the fields of KUMA events by default. When parsing data in NetFlow format on the Enrichment normalizer tab, you should create a constant data enrichment rule that adds the netflow value to the DeviceProduct target field.

    • netflow9

      This parsing method is used to process data in the NetFlow v9 format.

      When choosing this method, you can use the preconfigured rules for converting events to the KUMA format by clicking the Apply default mapping button.

      In mapping rules, the protocol type for netflow9 is not indicated in the fields of KUMA events by default. When parsing data in NetFlow format on the Enrichment normalizer tab, you should create a constant data enrichment rule that adds the netflow value to the DeviceProduct target field.

    • ipfix

      This parsing method is used to process IPFIX data.

      When choosing this method, you can use the preconfigured rules for converting events to the KUMA format by clicking the Apply default mapping button.

      In mapping rules, the protocol type for ipfix is not indicated in the fields of KUMA events by default. When parsing data in NetFlow format on the Enrichment normalizer tab, you should create a constant data enrichment rule that adds the netflow value to the DeviceProduct target field.

    • sql—this method becomes available only when using a sql type connector.

      This parsing method is used to process SQL data.

  5. In the Keep raw log drop-down list, specify whether the original raw event should be stored in the newly created normalized event. Available values:
    • Never—do not save the raw event. This is the default setting.
    • Only errors—save the raw event in the Raw field of the normalized event if errors occurred when parsing it. This value is convenient to use when debugging a service. In this case, every time an event has a non-empty Raw field, you know there was a problem.
    • Always—always save the raw event in the Raw field of the normalized event.
  6. In the Keep extra fields drop-down list, choose whether you want to store the raw event fields in the normalized event if no mapping rules have been configured for them (see below). The data is stored in the Extra event field. By default, fields are not saved.
  7. Copy an example of the data you want to process to the Event examples field. This is an optional but recommended step.

    Event examples can also be loaded from a TSV, CSV, or TXT file by using the Load from file button.

  8. Configure the mapping of the raw event fields to event fields in KUMA format in the Mapping table:
    1. In the Source column, provide the name of the raw event field that you want to convert into the KUMA event field.

      Clicking the wrench button next to the field names in the Source column opens the Conversion window, in which you can use the Add conversion button to create rules for modifying the original data before they are written to the KUMA event fields.

      Available conversions

      Conversions are changes that can be applied to a value before it gets written to the event field. The conversion type is selected from a drop-down list.

      Available conversions:

      • lower—is used to make all characters of the value lowercase.
      • upper—is used to make all characters of the value uppercase.
      • regexp—is used to convert a value using an RE2 regular expression. When this conversion type is selected, a field appears where the regular expression should be added.
      • substring—is used to extract characters in the position range specified in the Start and End fields. These fields appear when this conversion type is selected.
      • replace—is used to replace a specified character sequence with another character sequence. When this type of conversion is selected, new fields appear:
        • Replace chars—in this field you can specify the character sequence that should be replaced.
        • With chars—in this field you can specify the character sequence that should be used instead of the replaced characters.
      • trim—is used to simultaneously remove the characters specified in the Chars field from the leading and trailing positions of the value. The field appears when this type of conversion is selected. For example, a trim conversion with the Micromon value applied to Microsoft-Windows-Sysmon results in soft-Windows-Sys.
      • append—is used to add the characters specified in the Constant field to the end of the event field value. The field appears when this type of conversion is selected.
      • prepend—is used to prepend the characters specified in the Constant field to the start of the event field value. The field appears when this type of conversion is selected.
      • replace with regexp—is used to replace the results of an RE2 regular expression with a character sequence. When this type of conversion is selected, new fields appear:
        • Expression—in this field you can specify the regular expression whose results should be replaced.
        • With chars—in this field you can specify the character sequence that should be used instead of the replaced characters.
    2. In the KUMA field column, select the required KUMA event field from the drop-down list. You can search for fields by entering their names in the field.
    3. If the name of the KUMA event field selected at the previous step begins with DeviceCustom*, you can add a unique custom label in the Label field if necessary.

    New table rows can be added by using the Add row button. Rows can be deleted individually using the cross button or all at once using the Clear all button.

    If you have loaded data into the Event examples field, the table will have an Examples column containing examples of values carried over from the raw event field to the KUMA event field.

  9. Click OK.

The normalizer is displayed as a dark circle on the Event parsing tab of the Installation Wizard. Clicking on the circle will open the normalizer options for editing. When you hover over the circle, a plus sign is displayed: click on it to add more normalizers (see below).
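To make the normalizer settings above concrete, here is an added example (not KUMA code) that models a regexp normalizer end to end: RE2-style named capture groups become raw event fields, the Conversion window's operations are applied per source field, the Mapping table writes the results to KUMA fields, unmapped fields go to Extra when Keep extra fields is set, and Raw is kept according to the Keep raw log setting. The raw sshd line, the KUMA field names used in the mapping, and the behaviour for several expressions (named groups of every matching expression are merged) are assumptions for illustration.

```python
"""Model of a KUMA regexp normalizer (added example, not KUMA code)."""
import re


def conv_regexp(v, expression):
    """regexp conversion: keep the first match of the expression (assumed semantics)."""
    m = re.search(expression, v)
    return m.group(0) if m else ""


# One function per conversion in the Conversion window. Start/End for
# substring are assumed 0-based with End exclusive.
CONVERSIONS = {
    "lower": lambda v: v.lower(),
    "upper": lambda v: v.upper(),
    "regexp": conv_regexp,
    "substring": lambda v, start, end: v[start:end],
    "replace": lambda v, replace_chars, with_chars: v.replace(replace_chars, with_chars),
    "trim": lambda v, chars: v.strip(chars),  # strips any of `chars` from both ends
    "append": lambda v, constant: v + constant,
    "prepend": lambda v, constant: constant + v,
    "replace with regexp": lambda v, expression, with_chars: re.sub(expression, with_chars, v),
}


def apply_conversions(value, steps):
    """steps: list of (conversion name, settings dict), applied in order."""
    for name, settings in steps:
        value = CONVERSIONS[name](value, **settings)
    return value


class RegexpNormalizer:
    """regexp parsing method + Mapping table + Keep raw log / Keep extra fields."""

    def __init__(self, expressions, mapping, conversions=None,
                 keep_raw_log="Never", keep_extra_fields=False):
        self.expressions = [re.compile(e) for e in expressions]  # (?P<name>...) groups
        self.mapping = mapping                # {raw field: KUMA field}
        self.conversions = conversions or {}  # {raw field: [(name, settings), ...]}
        self.keep_raw_log = keep_raw_log      # "Never" | "Only errors" | "Always"
        self.keep_extra_fields = keep_extra_fields

    def parse(self, raw):
        """Raw event fields: merged named groups of every matching expression
        (assumed semantics for multiple expressions). Empty dict = parsing error."""
        fields = {}
        for rx in self.expressions:
            m = rx.search(raw)
            if m:
                fields.update({k: v for k, v in m.groupdict().items() if v is not None})
        return fields

    def normalize(self, raw):
        fields = self.parse(raw)
        error = not fields
        event = {}
        for source, kuma_field in self.mapping.items():  # Mapping table rows
            if source in fields:
                steps = self.conversions.get(source, [])
                event[kuma_field] = apply_conversions(fields[source], steps)
        extra = {k: v for k, v in fields.items() if k not in self.mapping}
        if self.keep_extra_fields and extra:
            event["Extra"] = extra  # unmapped raw fields, as with Keep extra fields
        if self.keep_raw_log == "Always" or (self.keep_raw_log == "Only errors" and error):
            event["Raw"] = raw      # a non-empty Raw flags a parsing problem when "Only errors"
        return event


# Constructed sample: an sshd line as a collector might receive it over syslog.
SAMPLE_RAW = ("Jan 10 12:00:01 host01 sshd[4242]: "
              "Accepted publickey for ALICE from 10.0.0.5 port 51234 ssh2")

SAMPLE_NORMALIZER = RegexpNormalizer(
    expressions=[
        r"^(?P<ts>\w{3} +\d+ \d+:\d+:\d+) (?P<host>\S+) (?P<process>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$",
        r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)",
    ],
    mapping={  # assumed standard KUMA (CEF-style) field names
        "host": "DeviceHostName", "process": "DeviceProcessName", "msg": "Message",
        "user": "DestinationUserName", "src": "SourceAddress",
    },
    conversions={
        "user": [("lower", {})],                          # ALICE -> alice
        "process": [("prepend", {"constant": "linux/"})],  # sshd -> linux/sshd
    },
    keep_raw_log="Only errors",
    keep_extra_fields=True,
)

if __name__ == "__main__":
    print(SAMPLE_NORMALIZER.normalize(SAMPLE_RAW))
    print(SAMPLE_NORMALIZER.normalize("not a syslog line"))  # only Raw is set
```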

Enriching normalized events with additional data

You can add additional data to the newly created normalized events by creating enrichment rules in the normalizer similar to those in enrichment rule resources. These enrichment rules are stored in the normalizer resource where they were created. There can be more than one enrichment rule.

To add enrichment rules to the normalizer:

  1. Select the normalizer and go to the Enrichment tab in the Event parsing window.
  2. Click the Add enrichment button.

    The enrichment rule parameter block appears. You can close the parameter block using the cross button.

  3. Select the enrichment type from the Source kind drop-down list. Depending on the selected type, you may see advanced settings that will also need to be completed.

    Available Enrichment rule source types:

    • constant

      This type of enrichment is used when a constant needs to be added to an event field. Settings of this type of enrichment:

      • In the Constant field, specify the value that should be added to the event field. The value should not be longer than 255 Unicode characters. If you leave this field blank, the existing event field value will be cleared.
      • In the Target field drop-down list, select the KUMA event field to which you want to write the data.

    • dictionary

      This type of enrichment is used if you need to add a value from the dictionary to the event field.

      When this type is selected, you must select the dictionary that will provide the values from the Dictionary name drop-down list. In the Key fields settings block, you must use the Add field button to select the event fields whose values will be used to select the dictionary entry.

    • event

      This type of enrichment is used when you need to write a value from another event field to the current event field. Settings of this type of enrichment:

      • In the Target field drop-down list, select the KUMA event field to which you want to write the data.
      • In the Source field drop-down list, select the event field whose value will be written to the target field.
      • Clicking the wrench button opens the Conversion window, in which you can use the Add conversion button to create rules for modifying the original data before it is written to the KUMA event fields.

        Available conversions

        Conversions are changes that can be applied to a value before it gets written to the event field. The conversion type is selected from a drop-down list.

        Available conversions:

        • lower—is used to make all characters of the value lowercase
        • upper—is used to make all characters of the value uppercase
        • regexp – used to convert a value using an RE2 regular expression. When this conversion type is selected, a field appears in which the regular expression must be entered.
        • substring—is used to extract characters in the position range specified in the Start and End fields. These fields appear when this conversion type is selected.
        • replace—is used to replace a specified character sequence with another character sequence. When this type of conversion is selected, new fields appear:
          • Replace chars—in this field you can specify the character sequence that should be replaced.
          • With chars—in this field you can specify the character sequence that should be used instead of the replaced characters.
        • trim—used to simultaneously remove the characters specified in the Chars field from the beginning and end of the value. The field appears when this type of conversion is selected. For example, a trim conversion with the Micromon value applied to Microsoft-Windows-Sysmon results in soft-Windows-Sys.
        • append is used to add the characters specified in the Constant field to the end of the event field value. The field appears when this type of conversion is selected.
        • prepend—used to prepend the characters specified in the Constant field to the start of the event field value. The field appears when this type of conversion is selected.
        • replace with regexp—is used to replace the matches of an RE2 regular expression with a character sequence.
          • Expression—in this field you can specify the regular expression whose matches should be replaced.
          • With chars—in this field you can specify the character sequence that should be used instead of the replaced characters.
    • template

      This type of enrichment is used when you need to write a value obtained by processing Go templates into the event field. Settings of this type of enrichment:

      • Put the Go template into the Template field.

        Event field names are passed in the {{.EventField}} format, where EventField is the name of the event field whose value must be substituted into the template.

        Example: Attack on {{.DestinationAddress}} from {{.SourceAddress}}.

      • In the Target field drop-down list, select the KUMA event field to which you want to write the data.
  4. Click OK.

Enrichment rules are added to the normalizer, and the Event parsing window is closed.
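The conversion chain and the Go template enrichment described in this procedure, as an added Go example (this is not KUMA's own code; the same list of conversions is repeated below for the extra-normalizer conditions and for event enrichment in Step 6, and this example covers those occurrences too). The Conversion and Event types, the Apply and Render functions and the sample values are this example's own, as are two details the page does not specify: substring positions are taken as a 0-based start and an exclusive end counted in characters, and the regexp conversion keeps the first match. Go's regexp package implements RE2 syntax, which is what KUMA uses:

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Conversion is one row of the Conversion window; only the fields relevant to Type are used.
type Conversion struct {
	Type       string // lower, upper, regexp, substring, replace, trim, append, prepend, replace with regexp
	Expression string // regexp, replace with regexp (RE2 syntax; Go's regexp package implements RE2)
	Start, End int    // substring: assumed 0-based start and exclusive end, counted in characters
	Replace    string // replace: the sequence to be replaced
	With       string // replace, replace with regexp: the replacement sequence
	Chars      string // trim: the set of characters stripped from both ends
	Constant   string // append, prepend
}

// Apply runs the conversions in the order given; as the page notes, the order matters.
func Apply(value string, convs []Conversion) (string, error) {
	for _, c := range convs {
		switch c.Type {
		case "lower":
			value = strings.ToLower(value)
		case "upper":
			value = strings.ToUpper(value)
		case "regexp": // assumption for this example: the value becomes the first match
			re, err := regexp.Compile(c.Expression)
			if err != nil {
				return "", err
			}
			value = re.FindString(value)
		case "substring":
			r := []rune(value)
			start, end := c.Start, c.End
			if start < 0 {
				start = 0
			}
			if end > len(r) {
				end = len(r)
			}
			if start > end {
				start = end
			}
			value = string(r[start:end])
		case "replace":
			value = strings.ReplaceAll(value, c.Replace, c.With)
		case "trim": // strips any character of the set from both ends, as in the Micromon example
			value = strings.Trim(value, c.Chars)
		case "append":
			value += c.Constant
		case "prepend":
			value = c.Constant + value
		case "replace with regexp":
			re, err := regexp.Compile(c.Expression)
			if err != nil {
				return "", err
			}
			value = re.ReplaceAllString(value, c.With)
		default:
			return "", fmt.Errorf("unknown conversion type %q", c.Type)
		}
	}
	return value, nil
}

// Event is a constructed stand-in for a normalized event with just the fields the template needs.
type Event struct {
	SourceAddress      string
	DestinationAddress string
}

// Render evaluates a Go text/template against the event, as the template
// enrichment does: {{.DestinationAddress}} resolves to that field of the event.
func Render(tmpl string, ev Event) (string, error) {
	t, err := template.New("enrich").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, ev); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	out, _ := Apply("Microsoft-Windows-Sysmon", []Conversion{{Type: "trim", Chars: "Micromon"}})
	fmt.Println(out) // soft-Windows-Sys
	out, _ = Apply("Microsoft-Windows-Sysmon/Operational", []Conversion{
		{Type: "lower"}, {Type: "replace with regexp", Expression: `/.*$`, With: ""}, {Type: "prepend", Constant: "win:"},
	})
	fmt.Println(out) // win:microsoft-windows-sysmon
	msg, _ := Render("Attack on {{.DestinationAddress}} from {{.SourceAddress}}", Event{SourceAddress: "10.0.0.5", DestinationAddress: "10.0.0.9"})
	fmt.Println(msg) // Attack on 10.0.0.9 from 10.0.0.5
}
```

Because conversions are applied in sequence, a lower conversion placed before a regexp changes what the expression sees; the second chain in main relies on that to strip the channel suffix only after the case has been normalized. Render fails, rather than writing an empty value, when the template names a field the event does not have.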

Creating a structure of normalizers

You can create several extra normalizers within a normalizer. This allows you to customize complex event handling logic.

The sequence in which normalizers are created matters: events are processed sequentially, and their path is shown using arrows.

To create an extra normalizer:

  • Create the initial normalizer (see above).

    The created normalizer will be displayed in the window as a dark circle.

  • Hover over the initial normalizer and click the plus sign button that appears.
  • In the Add normalizer to normalization scheme window, specify the conditions under which the data will be sent to the extra normalizer:
    • If you want to send only events with specific fields to the extra normalizer, list them in the Fields to pass into normalizer field.
    • If you want to send only events in which certain fields have been assigned specific values to the extra normalizer, specify the name of the event field in the Use normalizer for events with specific event field values field and the value that should match it in the Condition value field.

    The data processed by these conditions can be preconverted by clicking the wrench button. This opens the Conversion window, in which you can use the Add conversion button to create rules for modifying the original data before it is written to the KUMA event fields.

    Available conversions

    Conversions are changes that can be applied to a value before it gets written to the event field. The conversion type is selected from a drop-down list.

    Available conversions:

    • lower—is used to make all characters of the value lowercase
    • upper—is used to make all characters of the value uppercase
    • regexp – used to convert a value using an RE2 regular expression. When this conversion type is selected, a field appears in which the regular expression must be entered.
    • substring—is used to extract characters in the position range specified in the Start and End fields. These fields appear when this conversion type is selected.
    • replace—is used to replace a specified character sequence with another character sequence. When this type of conversion is selected, new fields appear:
      • Replace chars—in this field you can specify the character sequence that should be replaced.
      • With chars—in this field you can specify the character sequence that should be used instead of the replaced characters.
    • trim—used to simultaneously remove the characters specified in the Chars field from the beginning and end of the value. The field appears when this type of conversion is selected. For example, a trim conversion with the Micromon value applied to Microsoft-Windows-Sysmon results in soft-Windows-Sys.
    • append is used to add the characters specified in the Constant field to the end of the event field value. The field appears when this type of conversion is selected.
    • prepend—used to prepend the characters specified in the Constant field to the start of the event field value. The field appears when this type of conversion is selected.
    • replace with regexp—is used to replace the matches of an RE2 regular expression with a character sequence.
      • Expression—in this field you can specify the regular expression whose matches should be replaced.
      • With chars—in this field you can specify the character sequence that should be used instead of the replaced characters.
  • Click OK.

    This will open the Event parsing window, in which you can configure the rules for processing events as you did in the initial normalizer (see above). The Keep raw log parameter is not available. The Event examples field displays the values specified when the initial normalizer was created.

  • Specify the extra normalizer settings similar to the initial normalizer.
  • Click OK.

The extra normalizer is displayed as a dark block that indicates the conditions under which this normalizer will be used. The conditions can be changed by moving your mouse cursor over the extra normalizer and clicking the pencil button. If you hover the mouse pointer over the extra normalizer, a plus button appears, which you can use to create a new extra normalizer. To delete a normalizer, use the button with the trash icon.

Proceed to the next step of the Installation Wizard.

[Topic 220712]

Step 4. Filtering events

This is an optional step of the Installation Wizard. The Event filtering tab of the Installation Wizard allows you to select or create a filter resource whose settings specify the conditions for filtering out irrelevant events. You can add more than one filter to a collector. You can swap the filters by dragging them by the drag icon, as well as delete them. Filters are combined by the AND operator.

To add an existing filter to a collector resource set,

Click the Add filter button and select the required filter from the Filter drop-down menu.

To add a new filter to the collector resource set:

  1. Click the Add filter button and select Create new from the Filter drop-down menu.
  2. If you want to keep the filter as a separate resource, select the Save filter check box. This can be useful if you decide to reuse the same filter across different services. This check box is cleared by default.
  3. If you selected the Save filter check box, enter a name for the created filter resource in the Name field. The name must contain from 1 to 128 Unicode characters.
  4. In the Conditions section, specify the conditions that must be met by the filtered events:
    • The Add condition button is used to add filtering conditions. You can select two values (two operands, left and right) and assign the operation you want to perform with the selected values. The result of the operation is either True or False.
      • In the operator drop-down list, select the function to be performed by the filter.

        In this drop-down list, you can select the do not match case check box if the operator should ignore the case of values. This check box is ignored if the InSubnet, InActiveList, InCategory, and InActiveDirectoryGroup operators are selected. This check box is cleared by default.

        Filter operators

        • =—the left operand equals the right operand.
        • <—the left operand is less than the right operand.
        • <=—the left operand is less than or equal to the right operand.
        • >—the left operand is greater than the right operand.
        • >=—the left operand is greater than or equal to the right operand.
        • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
        • contains—the left operand contains values of the right operand.
        • startsWith—the left operand starts with one of the values of the right operand.
        • endsWith—the left operand ends with one of the values of the right operand.
        • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
        • hasBit—checks whether the left operand (string or number) contains bits whose positions are listed in the right operand (in a constant or in a list).
        • hasVulnerability—checks whether the left operand contains an asset with the vulnerability and vulnerability severity specified in the right operand.
        • inActiveList—this operator has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
        • inDictionary—checks whether the specified dictionary contains an entry defined by the key composed with the concatenated values of the selected event fields.
        • inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
        • inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
        • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
      • In the Left operand and Right operand drop-down lists, select where the data to be filtered will come from. As a result of the selection, Advanced settings will appear. Use them to determine the exact value that will be passed to the filter. For example, when choosing active list you will need to specify the name of the active list, the entry key, and the entry key field.
      • You can use the If drop-down list to choose whether you need to create a negative filter condition.

      Conditions can be deleted using the cross button.

    • The Add group button is used to add groups of conditions. The group operator, AND by default, can be switched between AND, OR, and NOT.

      A condition group can be deleted using the cross button.

    • Using the Add filter button you can add existing filter resources selected in the Select filter drop-down list to the conditions. You can navigate to a nested filter resource using the edit button.

      A nested filter can be deleted using the cross button.

The filter has been added.
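How a filter built from the conditions, operators and groups described above evaluates an event, as an added Go example (not KUMA's own code). The Event, Condition, Group and Expr types, the SampleFilter function and the sample events are constructed for this example; it covers the =, contains, startsWith, endsWith, match and inSubnet operators, the do not match case check box (ignored for inSubnet, as the page states), the If not negation, and AND/OR/NOT groups. Two points the page leaves open are assumptions here: a NOT group is true when none of its members is, and a condition on a field the event lacks is false before negation. Several filters on a collector combine with AND, which is what the outer group in SampleFilter does:

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Event is a flat, constructed stand-in for a KUMA event.
type Event map[string]string

// Expr is anything evaluated against an event: a Condition or a nested Group.
type Expr interface{ Eval(Event) (bool, error) }

// Condition is one row of the Conditions block: left operand = event field, right operand =
// one or more constants, IgnoreCase = "do not match case" check box, Negate = "If not".
type Condition struct {
	Field      string
	Operator   string // =, contains, startsWith, endsWith, match, inSubnet
	Values     []string
	IgnoreCase bool
	Negate     bool
}

// Group mirrors the Add group button: its members are combined with AND, OR or NOT.
type Group struct {
	Op      string // AND, OR, NOT
	Members []Expr
}

var stringOps = map[string]func(l, r string) bool{"=": func(a, b string) bool { return a == b },
	"contains": strings.Contains, "startsWith": strings.HasPrefix, "endsWith": strings.HasSuffix}

// Eval returns the condition result for ev; a field the event lacks never satisfies the operator.
func (c Condition) Eval(ev Event) (bool, error) {
	left, ok := ev[c.Field]
	if !ok {
		return c.Negate, nil
	}
	res := false
	for _, r := range c.Values { // with several right-hand values, any of them may match
		l := left
		if c.IgnoreCase && c.Operator != "inSubnet" { // the check box is ignored for inSubnet
			l, r = strings.ToLower(l), strings.ToLower(r)
		}
		switch c.Operator {
		case "=", "contains", "startsWith", "endsWith":
			res = res || stringOps[c.Operator](l, r)
		case "match": // RE2 syntax, as in KUMA; Go's regexp package implements RE2
			re, err := regexp.Compile(r)
			if err != nil {
				return false, err
			}
			res = res || re.MatchString(l)
		case "inSubnet":
			ip := net.ParseIP(l)
			_, cidr, err := net.ParseCIDR(r)
			if ip == nil || err != nil {
				return false, fmt.Errorf("inSubnet needs an IP and a CIDR, got %q and %q", l, r)
			}
			res = res || cidr.Contains(ip)
		default:
			return false, fmt.Errorf("unsupported operator %q", c.Operator)
		}
	}
	return res != c.Negate, nil // "If not" inverts the result
}

// Eval combines the members: AND needs all of them, OR any, NOT none (the NOT reading is an assumption).
func (g Group) Eval(ev Event) (bool, error) {
	all, some := true, false
	for _, m := range g.Members {
		r, err := m.Eval(ev)
		if err != nil {
			return false, err
		}
		all, some = all && r, some || r
	}
	switch g.Op {
	case "AND":
		return all, nil
	case "OR":
		return some, nil
	case "NOT":
		return !some, nil
	}
	return false, fmt.Errorf("unknown group operator %q", g.Op)
}

// SampleFilter: Microsoft events from 10.0.0.0/8, minus anything whose Name starts with
// "Noise"; the outer AND is how a collector combines several filters.
func SampleFilter() Group {
	return Group{Op: "AND", Members: []Expr{
		Condition{Field: "DeviceVendor", Operator: "=", Values: []string{"Microsoft"}, IgnoreCase: true},
		Condition{Field: "SourceAddress", Operator: "inSubnet", Values: []string{"10.0.0.0/8"}},
		Group{Op: "NOT", Members: []Expr{Condition{Field: "Name", Operator: "startsWith", Values: []string{"Noise"}}}},
	}}
}
```

Calling SampleFilter().Eval on an event with DeviceVendor "microsoft", SourceAddress 10.1.2.3 and Name "Process Create" yields true; the same event from 192.168.1.1, or with a Name starting with "Noise", yields false. An invalid RE2 expression or a non-IP left operand for inSubnet is reported as an error rather than silently treated as a non-match, which is the behaviour you want from a filter that decides what gets dropped.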

Proceed to the next step of the Installation Wizard.

[Topic 220713]

Step 5. Event aggregation

This is an optional step of the Installation Wizard. The Event aggregation tab of the Installation Wizard allows you to select or create an aggregation rule resource whose settings specify the conditions for aggregating events of the same type. More than one aggregation rule can be added to a collector.

To add an existing aggregation rule to a set of collector resources:

Click the Add aggregation rule button and select the required resource from the Aggregation rule drop-down menu.

To add a new aggregation rule to a set of collector resources:

  1. Click the Add aggregation rule button and select Create new from the Aggregation rule drop-down menu.
  2. Enter the name of the newly created aggregation rule in the Name field. The name must contain from 1 to 128 Unicode characters.
  3. In the Threshold field, specify the number of events that should be received before the aggregation rule triggers and the events are aggregated. The default value is 100.
  4. In the Triggered rule lifetime field, indicate the number of seconds the program must wait for events for aggregation. On the timeout, the aggregation rule is triggered and a new event is created. The default value is 60.
  5. In the Identical fields section, use the Add field button to select the fields that will be used to identify the same types of events. Selected fields can be deleted using the buttons with a cross icon.
  6. In the Unique fields section, you can use the Add field button to select the fields that will disqualify events from aggregation even if they have fields listed in the Identical fields section. Selected fields can be deleted using the buttons with a cross icon.
  7. In the Sum fields section, you can use the Add field button to select the fields whose values will be summed during the aggregation process. Selected fields can be deleted using the buttons with a cross icon.
  8. In the Filter section, you can specify the conditions to define events that will be processed by this resource. You can select an existing filter resource from the drop-down list, or select Create new to create a new filter.

    Creating a filter in resources

    1. In the Filter drop-down list, select Create new.
    2. If you want to keep the filter as a separate resource, select the Save filter check box.

      In this case, you will be able to use the created filter in various services.

      This check box is cleared by default.

    3. If you selected the Save filter check box, enter a name for the created filter resource in the Name field. The name must contain from 1 to 128 Unicode characters.
    4. In the Conditions settings block, specify the conditions that the events must meet:
      1. Click the Add condition button.
      2. In the Left operand and Right operand drop-down lists, specify the search parameters.

        Depending on the data source selected in the Right operand field, you may see fields of additional parameters that you need to use to define the value that will be passed to the filter. For example, when choosing active list you will need to specify the name of the active list, the entry key, and the entry key field.

      3. In the operator drop-down list, select the relevant operator.

        Filter operators

        • =—the left operand equals the right operand.
        • <—the left operand is less than the right operand.
        • <=—the left operand is less than or equal to the right operand.
        • >—the left operand is greater than the right operand.
        • >=—the left operand is greater than or equal to the right operand.
        • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
        • contains—the left operand contains values of the right operand.
        • startsWith—the left operand starts with one of the values of the right operand.
        • endsWith—the left operand ends with one of the values of the right operand.
        • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
        • hasBit—checks whether the left operand (string or number) contains bits whose positions are listed in the right operand (in a constant or in a list).
        • hasVulnerability—checks whether the left operand contains an asset with the vulnerability and vulnerability severity specified in the right operand.
        • inActiveList—this operator has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
        • inDictionary—checks whether the specified dictionary contains an entry defined by the key composed with the concatenated values of the selected event fields.
        • inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
        • inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
        • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
      4. If necessary, select the do not match case check box. When this check box is selected, the operator ignores the case of the values.

        The selection of this check box does not apply to the InSubnet, InActiveList, InCategory or InActiveDirectoryGroup operators.

        This check box is cleared by default.

      5. If you want to add a negative condition, select If not from the If drop-down list.
      6. You can add multiple conditions or a group of conditions.
    5. If you have added multiple conditions or groups of conditions, choose a search condition (and, or, not) by clicking the AND button.
    6. If you want to add existing filters that are selected from the Select filter drop-down list, click the Add filter button.

      You can view the nested filter settings by clicking the edit button.

Aggregation rule added. You can delete it using the cross button.
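The aggregation rule settings above (threshold, triggered rule lifetime, identical, unique and sum fields) as a working Go aggregator, an added example rather than KUMA's own implementation. The Rule, Aggregator and Event types, the AggregatedCount output field and the sample events are constructed for this example; unique fields are modelled as part of the grouping key, so events that differ in them never share a bucket, and non-numeric sum values count as zero:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Event is a flat, constructed stand-in for a KUMA event.
type Event map[string]string

// Rule carries the settings of the aggregation rule step (the names are this example's own).
type Rule struct {
	Threshold int           // events needed before the rule triggers (page default: 100)
	Lifetime  time.Duration // "Triggered rule lifetime" (page default: 60 seconds)
	Identical []string      // equal values in these fields mark events as the same type
	Unique    []string      // differing values in these fields keep events apart
	Sum       []string      // fields whose numeric values are summed (non-numeric values count as 0)
}

type bucket struct {
	first  time.Time
	events []Event
}

// Aggregator buffers events per key and emits one aggregated event per bucket when the threshold is reached or the lifetime expires.
type Aggregator struct {
	rule    Rule
	keys    []string // identical fields group events and unique fields split them, so both form the key
	buckets map[string]*bucket
}

func NewAggregator(r Rule) *Aggregator {
	keys := append(append([]string{}, r.Identical...), r.Unique...)
	return &Aggregator{rule: r, keys: keys, buckets: map[string]*bucket{}}
}

func (a *Aggregator) key(ev Event) string {
	var parts []string
	for _, f := range a.keys {
		parts = append(parts, f+"="+ev[f])
	}
	return strings.Join(parts, "|")
}

// Add buffers ev (observed at ts); it returns the aggregated event once the bucket reaches the threshold, otherwise nil.
func (a *Aggregator) Add(ev Event, ts time.Time) Event {
	k := a.key(ev)
	b, ok := a.buckets[k]
	if !ok {
		b = &bucket{first: ts}
		a.buckets[k] = b
	}
	b.events = append(b.events, ev)
	if len(b.events) >= a.rule.Threshold {
		return a.flush(k)
	}
	return nil
}

// Tick flushes every bucket whose lifetime has expired at time now.
func (a *Aggregator) Tick(now time.Time) []Event {
	var out []Event
	for k, b := range a.buckets {
		if now.Sub(b.first) >= a.rule.Lifetime {
			out = append(out, a.flush(k))
		}
	}
	return out
}

// flush builds the aggregated event: key fields are copied from the first event,
// sum fields are totalled and the number of merged events is recorded.
func (a *Aggregator) flush(k string) Event {
	b := a.buckets[k]
	delete(a.buckets, k)
	out := Event{}
	for _, f := range a.keys {
		out[f] = b.events[0][f]
	}
	for _, f := range a.rule.Sum {
		total := 0.0
		for _, ev := range b.events {
			n, _ := strconv.ParseFloat(ev[f], 64) // missing or non-numeric values add 0
			total += n
		}
		out[f] = strconv.FormatFloat(total, 'f', -1, 64)
	}
	out["AggregatedCount"] = strconv.Itoa(len(b.events)) // output field name is this example's own
	return out
}

func main() {
	agg := NewAggregator(Rule{Threshold: 3, Lifetime: time.Minute, Identical: []string{"SourceAddress"}, Sum: []string{"BytesIn"}})
	for _, n := range []string{"100", "200", "300"} {
		if out := agg.Add(Event{"SourceAddress": "10.0.0.5", "BytesIn": n}, time.Now()); out != nil {
			fmt.Println(out) // map[AggregatedCount:3 BytesIn:600 SourceAddress:10.0.0.5]
		}
	}
}
```

Add returns the aggregated event as soon as a bucket reaches the threshold; a periodic Tick flushes buckets whose lifetime has expired, so a trickle of events below the threshold still produces one aggregated event per lifetime rather than being held indefinitely.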

Proceed to the next step of the Installation Wizard.

[Topic 220714]

Step 6. Event enrichment

This is an optional step of the Installation Wizard. On the Event enrichment tab of the Installation Wizard, you can specify which data from which sources should be added to events processed by the collector. You can enrich events with data received using LDAP or via enrichment rules.

LDAP enrichment

To enable enrichment using LDAP:

  1. Click Add enrichment with LDAP data.

    This opens the settings block for LDAP enrichment.

  2. In the LDAP accounts mapping settings block, use the New domain button to specify the domain of the user accounts. You can specify multiple domains.
  3. In the LDAP mapping table, define the rules for mapping KUMA fields to LDAP attributes:
    • In the KUMA field column, indicate the KUMA event field whose data should be compared with the LDAP attribute.
    • In the next column, specify the LDAP attribute with which you want to compare the KUMA event field.
    • In the KUMA event field to write to column, specify in which field of the KUMA event the ID of the user account imported from LDAP should be placed if the mapping was successful.

    You can use the Add row button to add a row to the table, and the cross button to remove a row. You can use the Apply default mapping button to fill the mapping table with standard values.

Event enrichment rules for data received from LDAP were added to the group of resources for the collector.

If you add an enrichment to an existing collector using LDAP or change the enrichment settings, you must stop and restart the service.

Rule-based enrichment

There can be more than one enrichment rule. You can add them by clicking the Add enrichment button and can remove them by clicking the cross button. You can use existing resources of enrichment rules or create rules directly in the Installation Wizard.

To add an existing enrichment rule to a set of resources:

  1. Click Add enrichment.

    This opens the enrichment rules settings block.

  2. In the Enrichment rule drop-down list, select the relevant resource.

The enrichment rule is added to the set of resources for the collector.

To create a new enrichment rule in a set of resources:

  1. Click Add enrichment.

    This opens the enrichment rules settings block.

  2. In the Enrichment rule drop-down list, select Create new.
  3. In the Source kind drop-down list, select the source of data for enrichment and define its corresponding settings:
    • constant

      This type of enrichment is used when a constant needs to be added to an event field. Settings of this type of enrichment:

      • In the Constant field, specify the value that should be added to the event field. The value should not be longer than 255 Unicode characters. If you leave this field blank, the existing event field value will be cleared.
      • In the Target field drop-down list, select the KUMA event field to which you want to write the data.

    • dictionary

      This type of enrichment is used if you need to add a value from the dictionary to the event field.

      When this type is selected in the Dictionary name drop-down list, you must select the dictionary that will provide the values. In the Key fields settings block, you must use the Add field button to select the event fields whose values will be used for dictionary entry selection.

    • event

      This type of enrichment is used when you need to write a value from another event field to the current event field. Settings of this type of enrichment:

      • In the Target field drop-down list, select the KUMA event field to which you want to write the data.
      • In the Source field drop-down list, select the event field whose value will be written to the target field.
      • In the Conversion settings block, you can create rules for modifying the original data before it is written to the KUMA event fields. The conversion type can be selected from the drop-down list. You can use the Add conversion and Delete buttons to add or delete a conversion, respectively. The order of conversions is important.

        Available conversions

        Conversions are changes that can be applied to a value before it gets written to the event field. The conversion type is selected from a drop-down list.

        Available conversions:

        • lower—is used to make all characters of the value lowercase
        • upper—is used to make all characters of the value uppercase
        • regexp – used to convert a value using an RE2 regular expression. When this conversion type is selected, a field appears in which the regular expression must be entered.
        • substring—is used to extract characters in the position range specified in the Start and End fields. These fields appear when this conversion type is selected.
        • replace—is used to replace a specified character sequence with another character sequence. When this type of conversion is selected, new fields appear:
          • Replace chars—in this field you can specify the character sequence that should be replaced.
          • With chars—in this field you can specify the character sequence that should be used instead of the replaced characters.
        • trim—used to simultaneously remove the characters specified in the Chars field from the beginning and end of the value. The field appears when this type of conversion is selected. For example, a trim conversion with the Micromon value applied to Microsoft-Windows-Sysmon results in soft-Windows-Sys.
        • append is used to add the characters specified in the Constant field to the end of the event field value. The field appears when this type of conversion is selected.
        • prepend—used to prepend the characters specified in the Constant field to the start of the event field value. The field appears when this type of conversion is selected.
        • replace with regexp—is used to replace the matches of an RE2 regular expression with a character sequence.
          • Expression—in this field you can specify the regular expression whose matches should be replaced.
          • With chars—in this field you can specify the character sequence that should be used instead of the replaced characters.
    • template

      This type of enrichment is used when you need to write a value obtained by processing Go templates into the event field. Settings of this type of enrichment:

      • Put the Go template into the Template field.

        Event field names are passed in the {{.EventField}} format, where EventField is the name of the event field from which the value must be passed to the script.

        Example: Attack on {{.DestinationAddress}} from {{.SourceAddress}}.

      • In the Target field drop-down list, select the KUMA event field to which you want to write the data.
    • dns

      This type of enrichment is used to send requests to a private network DNS server to convert IP addresses into domain names or vice versa.

      Available settings:

      • URL—in this field, you can specify the URL of a DNS server to which you want to send requests. You can use the Add URL button to specify multiple URLs.
      • RPS—maximum number of requests sent to the server per second. The default value is 1000.
      • Workers—maximum number of requests per one point in time. The default value is 1.
      • Max tasks—maximum number of simultaneously fulfilled requests. By default, this value is equal to the number of vCPUs of the KUMA Core server.
      • Cache TTL—the lifetime of the values stored in the cache. The default value is 60.
      • Cache disabled—you can use this drop-down list to enable or disable caching. Caching is enabled by default.
    • cybertrace

      This type of enrichment is used to add information from CyberTrace data streams to event fields.

      Available settings:

      • URL (required)—in this field, you can specify the URL of a CyberTrace server to which you want to send requests.
      • Number of connections—maximum number of connections to the CyberTrace server that can be simultaneously established by KUMA. By default, this value is equal to the number of vCPUs of the KUMA Core server.
      • RPS—maximum number of requests sent to the server per second. The default value is 1000.
      • Timeout—amount of time to wait for a response from the CyberTrace server, in seconds. The default value is 30.
      • Mapping (required)—this settings block contains the mapping table for mapping KUMA event fields to CyberTrace indicator types. The KUMA field column shows the names of KUMA event fields, and the CyberTrace indicator column shows the types of CyberTrace indicators.

        Available types of CyberTrace indicators:

        • ip
        • url
        • hash

        The mapping table must contain at least one row. You can use the Add row button to add a row, and the cross button to remove a row.

    • timezone

      This type of enrichment is used in collectors and correlators to assign a specific timezone to an event. Timezone information may be useful when searching for events that occurred at unusual times, such as nighttime.

      When this type of enrichment is selected, the required timezone must be selected from the Timezone drop-down list.

      Make sure that the required time zone is set on the server hosting the service that uses the enrichment. For example, the timedatectl list-timezones command lists the time zones available on the server. For more details on setting time zones, please refer to your operating system documentation.

      When an event is enriched, the time offset of the selected timezone relative to Coordinated Universal Time (UTC) is written to the DeviceTimeZone event field in the +-hh:mm format. For example, if you select the Asia/Yekaterinburg timezone, the value +05:00 will be written to the DeviceTimeZone field. If the enriched event already has a value in the DeviceTimeZone field, it will be overwritten.

      By default, if the timezone is not specified in the event being processed and enrichment rules by timezone are not configured, the event is assigned the timezone of the server hosting the service (collector or correlator) that processes the event. If the server time is changed, the service must be restarted.

      Permissible time formats when enriching the DeviceTimeZone field

      When processing incoming raw events in the collector, the following time formats can be automatically converted to the +-hh:mm format:

      Time format in a processed event    Example
      +-hh:mm                             -07:00
      +-hhmm                              -0700
      +-hh                                -07

      If the time zone format in the DeviceTimeZone field differs from the formats listed above, the collector server timezone is written to the field when an event is enriched with timezone information. You can create custom normalization rules for non-standard time formats.

    • geographic data

      This type of enrichment is used to add IP address geographic data to event fields. Learn more about linking IP addresses to geographic data.

      When this type is selected, in the Mapping geographic data to event fields settings block, you must specify from which event field the IP address will be read, select the required attributes of geographic data, and define the event fields in which geographic data will be written:

      1. In the Event field with IP address drop-down list, select the event field from which the IP address is read. Geographic data uploaded to KUMA is matched against this IP address.

        You can use the Add event field with IP address button to specify multiple event fields with IP addresses that require geographic data enrichment. You can delete event fields added in this way by clicking the Delete event field with IP address button.

        When the SourceAddress, DestinationAddress, and DeviceAddress event fields are selected, the Apply default mapping button becomes available. You can use this button to add preconfigured mapping pairs of geographic data attributes and event fields.

      2. For each event field you need to read the IP address from, select the type of geographic data and the event field to which the geographic data should be written.

        You can use the Add geodata attribute button to add field pairs of the form Geodata attribute → Event field to write to. You can also configure different types of geographic data for one IP address to be written to different event fields. To delete a field pair, click the red cross icon next to it.

        • In the Geodata attribute field, select which geographic data corresponding to the read IP address should be written to the event. Available geographic data attributes: Country, Region, City, Longitude, Latitude.
        • In the Event field to write to, select the event field which the selected geographic data attribute must be written to.

        You can write identical geographic data attributes to different event fields. If you configure multiple geographic data attributes to be written to the same event field, the event will be enriched with the last mapping in the sequence.

  4. Use the Debug drop-down list to indicate whether or not to enable logging of service operations. Logging is disabled by default.
  5. In the Filter section, you can specify conditions to identify events that will be processed by the enrichment rule resource. You can select an existing filter resource from the drop-down list, or select Create new to create a new filter.

    Creating a filter in resources

    1. In the Filter drop-down list, select Create new.
    2. If you want to keep the filter as a separate resource, select the Save filter check box.

      In this case, you will be able to use the created filter in various services.

      This check box is cleared by default.

    3. If you selected the Save filter check box, enter a name for the created filter resource in the Name field. The name must contain from 1 to 128 Unicode characters.
    4. In the Conditions settings block, specify the conditions that the events must meet:
      1. Click the Add condition button.
      2. In the Left operand and Right operand drop-down lists, specify the search parameters.

        Depending on the data source selected in the Right operand field, you may see fields of additional parameters that you need to use to define the value that will be passed to the filter. For example, when choosing active list you will need to specify the name of the active list, the entry key, and the entry key field.

      3. In the operator drop-down list, select the relevant operator.

        Filter operators

        • =—the left operand equals the right operand.
        • <—the left operand is less than the right operand.
        • <=—the left operand is less than or equal to the right operand.
        • >—the left operand is greater than the right operand.
        • >=—the left operand is greater than or equal to the right operand.
        • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
        • contains—the left operand contains values of the right operand.
        • startsWith—the left operand starts with one of the values of the right operand.
        • endsWith—the left operand ends with one of the values of the right operand.
        • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
        • hasBit—checks whether the left operand (string or number) contains bits whose positions are listed in the right operand (in a constant or in a list).
        • hasVulnerability—checks whether the left operand contains an asset with the vulnerability and vulnerability severity specified in the right operand.
        • inActiveList—this operator has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
        • inDictionary—checks whether the specified dictionary contains an entry defined by the key composed with the concatenated values of the selected event fields.
        • inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
        • inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
        • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
      4. If necessary, select the do not match case check box. When this check box is selected, the operator ignores the case of the values.

        The selection of this check box does not apply to the inSubnet, inActiveList, inCategory or inActiveDirectoryGroup operators.

        This check box is cleared by default.

      5. If you want to add a negative condition, select If not from the If drop-down list.
      6. You can add multiple conditions or a group of conditions.
    5. If you have added multiple conditions or groups of conditions, choose a search condition (and, or, not) by clicking the AND button.
    6. If you want to add existing filters that are selected from the Select filter drop-down list, click the Add filter button.

      You can view the nested filter settings by clicking the edit button.

The new enrichment rule was added to the set of resources for the collector.
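
The DeviceTimeZone behaviour described in the timezone enrichment type above (an enrichment rule overwrites the field with the selected zone's offset, the three permissible raw formats are normalised to +-hh:mm, and anything else falls back to the collector server time zone) as an added Python example. This is not KUMA code: the helpers normalize_offset, zone_offset and enrich_device_timezone are hypothetical names, the sample events are constructed, and a fixed +05:00 offset stands in for Asia/Yekaterinburg (which has no DST) so the script runs without a tz database.

```python
import re
from datetime import datetime, timedelta, timezone

# The three permissible raw formats from the table above: +-hh:mm, +-hhmm, +-hh
_OFFSET_RE = re.compile(r"^([+-])(\d{2})(?::?(\d{2}))?$")


def normalize_offset(raw):
    """Convert a raw DeviceTimeZone value to +-hh:mm, or return None when the
    value is not in one of the permissible formats (or is out of range)."""
    if not isinstance(raw, str):
        return None
    m = _OFFSET_RE.match(raw.strip())
    if not m:
        return None
    sign, hours, minutes = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    if hours > 23 or minutes > 59:
        return None
    return f"{sign}{hours:02d}:{minutes:02d}"


def zone_offset(tz, at):
    """Offset of time zone `tz` relative to UTC at instant `at`, as +-hh:mm.
    `tz` is any datetime.tzinfo, so a zoneinfo.ZoneInfo works the same way."""
    total = int(at.astimezone(tz).utcoffset().total_seconds())
    sign = "+" if total >= 0 else "-"
    total = abs(total)
    return f"{sign}{total // 3600:02d}:{(total % 3600) // 60:02d}"


def enrich_device_timezone(event, rule_tz, server_tz, at):
    """Return an enriched copy of `event` (hypothetical helper, not a KUMA API):
    - a timezone enrichment rule (rule_tz) always writes its offset, overwriting
      any value already present;
    - otherwise a recognised raw value is normalised to +-hh:mm;
    - an unrecognised or missing value falls back to the collector server zone.
    """
    out = dict(event)
    if rule_tz is not None:
        out["DeviceTimeZone"] = zone_offset(rule_tz, at)
        return out
    normalized = normalize_offset(event.get("DeviceTimeZone"))
    out["DeviceTimeZone"] = normalized or zone_offset(server_tz, at)
    return out


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)              # constructed instant
    yekaterinburg = timezone(timedelta(hours=5), "Asia/Yekaterinburg")  # fixed +05:00
    server = timezone(timedelta(hours=3), "collector-server-zone")       # constructed
    raw_events = [                                                      # constructed events
        {"Name": "login", "DeviceTimeZone": "-0700"},   # permissible format -> -07:00
        {"Name": "login", "DeviceTimeZone": "PST"},     # not permissible -> server zone
        {"Name": "login"},                              # missing -> server zone
    ]
    for ev in raw_events:
        print(enrich_device_timezone(ev, None, server, now)["DeviceTimeZone"])
    # With a rule selecting Asia/Yekaterinburg the existing -0700 is overwritten.
    print(enrich_device_timezone(raw_events[0], yekaterinburg, server, now)["DeviceTimeZone"])
```

A raw value such as "PST" or "UTC-7" is silently replaced by the server offset, so a source that emits names rather than numeric offsets needs a custom normalization rule before enrichment, exactly as the text notes.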

Proceed to the next step of the Installation Wizard.

Step 7. Routing

This is an optional step of the Installation Wizard. On the Routing tab of the Installation Wizard, you can select or create destination resources with parameters indicating where the events processed by the collector should be redirected. Typically, events from the collector are routed to two points: to the correlator, for analysis and threat detection, and to the storage, so that processed events are retained and can be viewed later. Events can be sent to other locations as needed. There can be more than one destination point.

To add an existing destination to a collector resource set:

  1. In the Add destination drop-down list, select the type of destination resource you want to add:
    • Select Storage if you want to configure forwarding of processed events to the storage.
    • Select Correlator if you want to configure forwarding of processed events to a correlator.
    • Select Other if you want to send events to other locations.

      This type of resource includes correlator and storage services that were created in previous versions of the program.

    The Add destination window opens where you can specify parameters for event forwarding.

  2. In the Destination drop-down list, select the necessary destination.

    The window name changes to Edit destination, and it displays the settings of the selected resource. The resource can be opened for editing in a new browser tab using the edit button.

  3. Click Save.

The selected destination is displayed on the Installation Wizard tab. A destination resource can be removed from the resource set by selecting it and clicking Delete in the opened window.

To add a new destination resource to a collector resource set:

  1. In the Add destination drop-down list, select the type of destination resource you want to add:
    • Select Storage if you want to configure forwarding of processed events to the storage.
    • Select Correlator if you want to configure forwarding of processed events to a correlator.
    • Select Other if you want to send events to other locations.

      This type of resource includes correlator and storage services that were created in previous versions of the program.

    The Add destination window opens where you can specify parameters for event forwarding.

  2. Specify the settings on the Basic settings tab:
    • In the Destination drop-down list, select Create new.
    • In the Name field, enter a unique name for the destination resource. The name must contain from 1 to 128 Unicode characters.
    • Use the Disabled toggle button to specify whether events will be sent to this destination. By default, sending events is enabled.
    • Select the Type for the destination resource:
      • Select storage if you want to configure forwarding of processed events to the storage.
      • Select correlator if you want to configure forwarding of processed events to a correlator.
      • Select nats, tcp, http, kafka, or file if you want to configure sending events to other locations.
    • Specify the URL to which events should be sent in the hostname:<API port> format.

      If your KUMA license includes the High Level Availability module, you can specify multiple destination addresses by using the URL button for all types except nats, file, and diode.

      If you have selected storage or correlator as the destination type, the URL field can be populated automatically using the Copy service URL drop-down list that displays active services of the selected type.

    • For the nats and kafka types, use the Topic field to specify which topic the data should be written to. The topic name must contain from 1 to 255 Unicode characters.
  3. If required, define the settings on the Advanced settings tab. The available settings vary based on the selected destination resource type:
    • Compression is a drop-down list where you can enable Snappy compression. By default, compression is disabled.
    • Proxy is a drop-down list for proxy server resource selection.
    • Buffer size field is used to set buffer size (in bytes) for the destination resource. The default value is 1 MB, and the maximum value is 64 MB.
    • Timeout field is used to set the timeout (in seconds) for another service or component response. The default value is 30.
    • Disk buffer size limit field is used to specify the size of the disk buffer in bytes. The default size is 10 GB.
    • Storage ID is a NATS storage identifier.
    • TLS mode is a drop-down list where you can specify the conditions for using TLS encryption:
      • Disabled (default)—do not use TLS encryption.
      • Enabled—encryption is enabled, but without verification.
      • With verification—use encryption with verification that the certificate was signed with the KUMA root certificate. The root certificate and key of KUMA are created automatically during program installation and are stored on the KUMA Core server in the folder /opt/kaspersky/kuma/core/certificates/.

      When using TLS, it is impossible to specify an IP address as a URL.

    • URL selection policy is a drop-down list in which you can select a method for determining which URL to send events to if several URLs have been specified:
      • Any. Events are sent to one of the available URLs as long as this URL receives events. If the connection is broken (for example, the receiving node is disconnected) a different URL will be selected as the events destination.
      • Prefer first. Events are sent to the first URL in the list of added addresses. If it becomes unavailable, events are sent to the next available node in sequence. When the first URL becomes available again, events start to be sent to it again.
      • Round robin. Packets with events will be evenly distributed among available URLs from the list. Because packets are sent either on a destination buffer overflow or on the flush timer, this URL selection policy does not guarantee an equal distribution of events to destinations.
    • Delimiter is used to specify the character delimiting the events. By default, \n is used.
    • Path—the file path if the file destination type is selected.
    • Buffer flush interval—this field is used to set the time interval (in seconds) at which the data is sent to the destination. The default value is 100.
    • Workers—this field is used to set the number of services processing the queue. By default, this value is equal to the number of vCPUs of the KUMA Core server.
    • You can set health checks using the Health check path and Health check timeout fields. You can also disable health checks by selecting the Health Check Disabled check box.
    • Debug—a drop-down list where you can specify whether resource logging should be enabled. By default it is Disabled.
    • The Disk buffer disabled drop-down list is used to enable or disable the use of a disk buffer. By default, the disk buffer is disabled.
    • In the Filter section, you can specify the conditions to define events that will be processed by this resource. You can select an existing filter resource from the drop-down list, or select Create new to create a new filter.

      Creating a filter in resources

      1. In the Filter drop-down list, select Create new.
      2. If you want to keep the filter as a separate resource, select the Save filter check box.

        In this case, you will be able to use the created filter in various services.

        This check box is cleared by default.

      3. If you selected the Save filter check box, enter a name for the created filter resource in the Name field. The name must contain from 1 to 128 Unicode characters.
      4. In the Conditions settings block, specify the conditions that the events must meet:
        1. Click the Add condition button.
        2. In the Left operand and Right operand drop-down lists, specify the search parameters.

          Depending on the data source selected in the Right operand field, you may see fields of additional parameters that you need to use to define the value that will be passed to the filter. For example, when choosing active list you will need to specify the name of the active list, the entry key, and the entry key field.

        3. In the operator drop-down list, select the relevant operator.

          Filter operators

          • =—the left operand equals the right operand.
          • <—the left operand is less than the right operand.
          • <=—the left operand is less than or equal to the right operand.
          • >—the left operand is greater than the right operand.
          • >=—the left operand is greater than or equal to the right operand.
          • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
          • contains—the left operand contains values of the right operand.
          • startsWith—the left operand starts with one of the values of the right operand.
          • endsWith—the left operand ends with one of the values of the right operand.
          • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
          • hasBit—checks whether the left operand (string or number) contains bits whose positions are listed in the right operand (in a constant or in a list).
          • hasVulnerability—checks whether the left operand contains an asset with the vulnerability and vulnerability severity specified in the right operand.
          • inActiveList—this operator has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
          • inDictionary—checks whether the specified dictionary contains an entry defined by the key composed with the concatenated values of the selected event fields.
          • inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
          • inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
          • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
        4. If necessary, select the do not match case check box. When this check box is selected, the operator ignores the case of the values.

          The selection of this check box does not apply to the inSubnet, inActiveList, inCategory or inActiveDirectoryGroup operators.

          This check box is cleared by default.

        5. If you want to add a negative condition, select If not from the If drop-down list.
        6. You can add multiple conditions or a group of conditions.
      5. If you have added multiple conditions or groups of conditions, choose a search condition (and, or, not) by clicking the AND button.
      6. If you want to add existing filters that are selected from the Select filter drop-down list, click the Add filter button.

        You can view the nested filter settings by clicking the edit button.

  4. Click Save.
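
The three URL selection policies from the Advanced settings above (Any, Prefer first, Round robin) as an added Python model; this is not KUMA code, UrlSelector and simulate_round_robin are hypothetical names, and availability is driven by explicit mark_down/mark_up calls where a real sender would react to connection errors and health checks. The second function reproduces the caveat stated for Round robin: because a packet is sent on destination buffer overflow or on the flush timer, packets are balanced evenly but the events inside them are not. Node names and event sizes are constructed.

```python
class UrlSelector:
    """Pick the destination URL for the next packet under one of the three
    URL selection policies. Added illustration, not KUMA's implementation."""

    POLICIES = ("Any", "Prefer first", "Round robin")

    def __init__(self, urls, policy):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown URL selection policy: {policy}")
        self.urls = list(urls)          # list order matters for "Prefer first"
        self.policy = policy
        self.available = set(self.urls)
        self._current = None            # URL currently in use under "Any"
        self._rr_index = 0              # rotation position for "Round robin"

    def mark_down(self, url):
        """Connection to `url` broke (for example, the receiving node went away)."""
        self.available.discard(url)
        if self._current == url:
            self._current = None

    def mark_up(self, url):
        self.available.add(url)

    def next_url(self):
        live = [u for u in self.urls if u in self.available]
        if not live:
            return None                 # nothing reachable: caller keeps buffering
        if self.policy == "Prefer first":
            # Earliest available address; returns to the first URL as soon as
            # it is reachable again.
            return live[0]
        if self.policy == "Any":
            # Keep using one working URL; switch only when it stops receiving.
            if self._current is None:
                self._current = live[0]
            return self._current
        # Round robin over whatever is available right now.
        url = live[self._rr_index % len(live)]
        self._rr_index += 1
        return url


def simulate_round_robin(urls, event_sizes, buffer_size):
    """Model a destination buffer: events accumulate until the next one would
    overflow `buffer_size`, then the buffered packet goes to the URL chosen by
    round robin; the flush timer sends whatever is left at the end.
    Returns per-URL packet and event counts."""
    selector = UrlSelector(urls, "Round robin")
    stats = {u: {"packets": 0, "events": 0} for u in urls}
    buffered, used = [], 0

    def flush():
        nonlocal buffered, used
        if buffered:
            target = selector.next_url()
            stats[target]["packets"] += 1
            stats[target]["events"] += len(buffered)
            buffered, used = [], 0

    for size in event_sizes:
        if buffered and used + size > buffer_size:
            flush()                     # buffer overflow triggers a send
        buffered.append(size)
        used += size
    flush()                             # flush timer sends the remainder
    return stats


if __name__ == "__main__":
    # Constructed event sizes in bytes: a few large events among many small ones.
    sizes = [90, 10] + [10] * 8 + [90, 10] + [10] * 8
    print(simulate_round_robin(["node-a", "node-b"], sizes, 100))
    # -> node-a receives 2 packets with 4 events, node-b 2 packets with 16 events
```

With equal-sized events the two nodes would end up with similar counts; the skew only appears once large and small events are mixed, which is why the Round robin policy is described as balancing packets rather than events.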

The created destination resource is displayed on the Installation Wizard tab. A destination resource can be removed from the resource set by selecting it and clicking Delete in the opened window.
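
The filter operators listed above (the same list appears in the enrichment rule filter of Step 6 and in this destination filter) as an added Python evaluator; it is not KUMA code, and Condition, Group, eval_condition and eval_group are hypothetical names. It models the operators that need no external data (=, <, <=, >, >=, inSubnet, contains, startsWith, endsWith, match, hasBit), the "do not match case" check box with its stated exemptions, the "If not" negation, and and/or/not grouping; operators that consult active lists, dictionaries, assets, Active Directory or CyberTrace are rejected. Assumptions: Python's re module stands in for RE2, hasBit is read as "every listed bit position is set", and "not" on a group is read as "none of its conditions match". The sample event is constructed.

```python
import ipaddress
import operator
import re
from dataclasses import dataclass
from typing import Any, List

# "do not match case" never applies to these operators (see the text above).
_CASE_EXEMPT = {"inSubnet", "inActiveList", "inCategory", "inActiveDirectoryGroup"}
_CMP = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}
_SUPPORTED = {"=", "inSubnet", "contains", "startsWith", "endsWith", "match", "hasBit", *_CMP}

@dataclass
class Condition:
    left: str                   # name of the event field used as the left operand
    operator: str
    right: Any                  # constant or list of constants (right operand)
    ignore_case: bool = False   # the "do not match case" check box
    negate: bool = False        # "If not" selected in the If drop-down list

@dataclass
class Group:
    logic: str                  # "and", "or" or "not"
    items: List[Any]            # Conditions and nested Groups

def _to_list(value):
    return list(value) if isinstance(value, (list, tuple, set)) else [value]

def _fold(value, ignore_case):
    return value.lower() if ignore_case and isinstance(value, str) else value

def eval_condition(cond, event):
    """Evaluate one condition against an event dict; returns a bool."""
    op = cond.operator
    if op not in _SUPPORTED:
        raise ValueError(f"{op!r} needs external data and is not modelled here")
    left = event.get(cond.left)
    if left is None:                        # a missing field never satisfies the operator
        return cond.negate
    fold = cond.ignore_case and op not in _CASE_EXEMPT
    l = _fold(left, fold)
    rights = [_fold(r, fold) for r in _to_list(cond.right)]
    try:
        if op == "=":
            result = any(str(l) == str(r) for r in rights)
        elif op in _CMP:
            result = any(_CMP[op](float(l), float(r)) for r in rights)
        elif op == "inSubnet":
            addr = ipaddress.ip_address(str(l))
            result = any(addr in ipaddress.ip_network(str(r), strict=False) for r in rights)
        elif op == "contains":
            result = any(str(r) in str(l) for r in rights)
        elif op == "startsWith":
            result = any(str(l).startswith(str(r)) for r in rights)
        elif op == "endsWith":
            result = any(str(l).endswith(str(r)) for r in rights)
        elif op == "match":
            # KUMA uses RE2; Python's re module stands in for it here.
            flags = re.IGNORECASE if cond.ignore_case else 0
            result = any(re.search(str(r), str(left), flags) for r in _to_list(cond.right))
        else:  # hasBit, read here as: every listed bit position is set
            result = all((int(l) >> int(p)) & 1 for p in rights)
    except (ValueError, TypeError):
        result = False                      # unparsable IP, subnet or number: no match
    return (not result) if cond.negate else result

def eval_group(group, event):
    """Combine the results of the group's conditions and nested groups."""
    results = [eval_condition(i, event) if isinstance(i, Condition) else eval_group(i, event)
               for i in group.items]
    if group.logic == "and":
        return all(results)
    if group.logic == "or":
        return any(results)
    if group.logic == "not":                # assumed meaning: none of the items matches
        return not any(results)
    raise ValueError(f"unknown group logic {group.logic!r}")

# Constructed sample event using KUMA-style field names.
SAMPLE_EVENT = {
    "SourceAddress": "10.20.30.40",
    "DestinationPort": 445,
    "DeviceProduct": "Windows Firewall",
    "Name": "Connection Blocked",
    "Flags": 5,
}

# Constructed filter: SMB traffic from the internal range that was blocked.
SAMPLE_FILTER = Group("and", [
    Condition("SourceAddress", "inSubnet", "10.0.0.0/8"),
    Condition("DeviceProduct", "startsWith", "windows", ignore_case=True),
    Condition("DestinationPort", "<", 1024),
    Condition("Name", "match", r"^Connection (Blocked|Reset)$"),
    Condition("Flags", "hasBit", [0, 2]),
    Condition("SourceAddress", "inSubnet", "192.168.0.0/16", negate=True),
])

if __name__ == "__main__":
    print(eval_group(SAMPLE_FILTER, SAMPLE_EVENT))   # True for the sample event
```

Note that the "do not match case" flag changes the outcome of startsWith against "Windows Firewall" but has no effect on inSubnet, mirroring the exemption listed in the text.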

Proceed to the next step of the Installation Wizard.

Step 8. Setup validation

This is the required, final step of the Installation Wizard. At this step, KUMA creates a set of resources for the service, and the service itself is created automatically based on this set:

  • The set of resources for the collector is displayed under Resources → Collectors. It can be used to create new collector services. When this set of resources changes, all services that operate based on this set of resources will start using the new parameters after the services restart. To do so, you can use the Save and restart services and Save and update service configurations buttons.

    A set of resources can be modified, copied, moved from one folder to another, deleted, imported, and exported, like other resources.

  • Services are displayed in Resources → Active services. The services created using the Installation Wizard perform functions inside the KUMA program. To communicate with external parts of the network infrastructure, you need to install similar external services on the servers and assets intended for them. For example, an external collector service should be installed on a server intended as an events recipient, external storage services should be installed on servers that have a deployed ClickHouse service, and external agent services should be installed on the Windows assets that must both receive and forward Windows events.

To finish the Installation Wizard:

  1. Click Create and save service.

    The Setup validation tab of the Installation Wizard displays a table of services created based on the set of resources selected in the Installation Wizard. The lower part of the window shows examples of commands that you must use to install external equivalents of these services on their intended servers and assets.

    For example:

    /opt/kaspersky/kuma/kuma collector --core https://kuma-example:<port used for communication with the KUMA Core> --id <service ID> --api.port <port used for communication with the service> --install

    The "kuma" file can be found inside the installer in the /kuma-ansible-installer/roles/kuma/files/ directory.

    The port for communication with the KUMA Core, the service ID, and the port for communication with the service are added to the command automatically. You should also ensure the network connectivity of the KUMA system and open the ports used by its components if necessary.

  2. Close the Wizard by clicking Save collector.

The collector service is created in KUMA. Now you will install a similar service on the server intended for receiving events.

If a wmi or wec connector was selected for collectors, you must also install the automatically created KUMA agents.

Installing a collector in a KUMA network infrastructure

A collector consists of two parts: one part is created inside the KUMA web interface, and the other part is installed in the network infrastructure, on the server intended for receiving events.

To install a collector:

  1. Log in to the server where you want to install the service.
  2. Create the /opt/kaspersky/kuma/ folder.
  3. Copy the "kuma" file to the /opt/kaspersky/kuma/ folder. The file is located in the installer in the /kuma-ansible-installer/roles/kuma/files/ folder.

    Make sure the kuma file has sufficient rights to run.

  4. Execute the following command:

    sudo /opt/kaspersky/kuma/kuma collector --core https://<KUMA Core server FQDN>:<port used by KUMA Core for internal communication (port 7210 is used by default)> --id <service ID copied from the KUMA web interface> --api.port <port used for communication with the installed component>

    Example: sudo /opt/kaspersky/kuma/kuma collector --core https://test.kuma.com:7210 --id XXXX --api.port YYYY

    If errors are detected as a result of the command execution, make sure that the settings are correct. For example, the availability of the required access level, network availability between the collector service and the Core, and the uniqueness of the selected API port. After fixing errors, continue installing the collector.

    If no errors were found, and the collector status in the KUMA web interface is changed to green, stop the command execution and proceed to the next step.

    The command can be copied at the last step of the installer wizard. It automatically specifies the address and port of the KUMA Core server, the identifier of the collector to be installed, and the port that the collector uses for communication.

    When deploying several KUMA services on the same host, during the installation process you must specify unique ports for each component using the --api.port <port> parameter. The following setting values are used by default: --api.port 7221.

    Before installation, ensure the network connectivity of KUMA components.

  5. Run the command again by adding the --install key:

    sudo /opt/kaspersky/kuma/kuma collector --core https://<KUMA Core server FQDN>:<port used by KUMA Core server for internal communication (port 7210 by default)> --id <service ID copied from the KUMA web interface> --api.port <port used for communication with the installed component> --install

    Example: sudo /opt/kaspersky/kuma/kuma collector --core https://kuma.example.com:7210 --id XXXX --api.port YYYY --install

  6. Add KUMA collector port to firewall exclusions.

    For the program to run correctly, ensure that the KUMA components are able to interact with other components and programs over the network via the protocols and ports specified during the installation of the KUMA components.

The collector is installed. You can use it to receive data from an event source and forward it for processing.

Validating collector installation

To verify that the collector is ready to receive events:

  1. In the KUMA web interface, open Resources → Active services.
  2. Make sure that the collector you installed has the green status.

If the collector is installed correctly and you are sure that data is coming from the event source, the table should display events when you search for events associated with the collector.

To check for normalization errors using the Events section of the KUMA web interface:

  1. Make sure that the Collector service is running.
  2. Make sure that the event source is providing events to the KUMA.
  3. Make sure that you selected Only errors in the Keep raw event drop-down list of the Normalizer resource in the Resources section of the KUMA web interface.
  4. In the Events section of KUMA, search for events with the following parameters:

If any events are found with this search, it means that there are normalization errors and they should be investigated.

To check for normalization errors using the Grafana Dashboard:

  1. Make sure that the Collector service is running.
  2. Make sure that the event source is providing events to the KUMA.
  3. Open the Metrics section and follow the KUMA Collectors link.
  4. See if the Errors section of the Normalization widget displays any errors.

If there are any errors, it means that there are normalization errors and they should be investigated.

For WEC and WMI collectors, you must ensure that unique ports are used to connect to their agents. This port is specified in the Transport section of Collector Installation Wizard.

Ensuring uninterrupted collector operation

An uninterrupted event stream from the event source to KUMA is important for protecting the network infrastructure. Continuity can be ensured through automatic forwarding of the event stream to a larger number of collectors:

  • On the KUMA side, two or more identical collectors must be installed.
  • On the event source side, you must configure control of event streams between collectors using third-party server load management tools, such as rsyslog or nginx.

With this configuration of the collectors in place, no incoming events will be lost if the collector server is unavailable for any reason.

Please keep in mind that when the event stream switches between collectors, each collector will aggregate events separately.

In this section

Event stream control using rsyslog

Event stream control using nginx

Event stream control using rsyslog

To enable rsyslog event stream control on the event source server:

  1. Create two or more identical collectors that you want to use to ensure uninterrupted reception of events.
  2. Install rsyslog on the event source server (see the rsyslog documentation).
  3. Add rules for forwarding the event stream between collectors to the configuration file /etc/rsyslog.conf:

    *.* @@<main collector server FQDN>:<port for incoming events>

    $ActionExecOnlyWhenPreviousIsSuspended on

    *.* @@<backup collector server FQDN>:<port for incoming events>

    $ActionExecOnlyWhenPreviousIsSuspended off

    Example configuration file

    Example configuration file specifying one primary and two backup collectors. The collectors are configured to receive events on TCP port 5140.

    *.* @@kuma-collector-01.example.com:5140

    $ActionExecOnlyWhenPreviousIsSuspended on

    & @@kuma-collector-02.example.com:5140

    & @@kuma-collector-03.example.com:5140

    $ActionExecOnlyWhenPreviousIsSuspended off

  4. Restart rsyslog by running the systemctl restart rsyslog command.

Event stream control is now enabled on the event source server.

Event stream control using nginx

To control the event stream using nginx, you need to create and configure an nginx server that receives events from the event source and then forwards them to the collectors.

To enable nginx event stream control on the event source server:

  1. Create two or more identical collectors that you want to use to ensure uninterrupted reception of events.
  2. Install nginx on the server intended for event stream control.
    • Installation command in Oracle Linux 8.6:

      $ sudo dnf install nginx

    • Installation command in Ubuntu 20.4:

      $ sudo apt-get install nginx

      When installing from sources, you must compile with the --with-stream option:

      $ sudo ./configure --with-stream --without-http_rewrite_module --without-http_gzip_module

  3. On the nginx server, add a stream block containing the rules for forwarding the event stream between collectors to the nginx.conf configuration file.

    Example stream module

    Example module in which the event stream is distributed between the collectors kuma-collector-01.example.com and kuma-collector-02.example.com, which receive events via TCP on port 5140 and via UDP on port 5141. Balancing is performed by the nginx server nginx.example.com.

    stream {
        upstream syslog_tcp {
            server kuma-collector-01.example.com:5140;
            server kuma-collector-02.example.com:5140;
        }

        upstream syslog_udp {
            server kuma-collector-01.example.com:5141;
            server kuma-collector-02.example.com:5141;
        }

        server {
            listen nginx.example.com:5140;
            proxy_pass syslog_tcp;
        }

        server {
            listen nginx.example.com:5141 udp;
            proxy_pass syslog_udp;
            proxy_responses 0;
        }
    }

    # worker_rlimit_nofile is the limit on the number of open files (RLIMIT_NOFILE) for worker processes. It is used to raise the limit without restarting the main process.
    worker_rlimit_nofile 1000000;

    # worker_connections is the maximum number of connections that a worker process can open simultaneously.
    events {
        worker_connections 20000;
    }

  4. Restart nginx by running the systemctl restart nginx command.
  5. On the event source server, forward events to the nginx server.

Event stream control is now enabled on the event source server.

Nginx Plus may be required to fine-tune balancing, but certain balancing methods, such as Round Robin and Least Connections, are available in the base version of nginx.

For more details on configuring nginx, please refer to the nginx documentation.

Creating a correlator

A correlator consists of two parts: one part is created inside the KUMA web interface, and the other part is installed on the network infrastructure server intended for processing events.

Actions in the KUMA web interface

A correlator is created in the KUMA web interface by using the Installation Wizard, which combines the necessary resources into a set of resources for the correlator. Upon completion of the Wizard, the service is automatically created based on this set of resources.

To create a correlator in the KUMA web interface:

Start the Correlator Installation Wizard:

  • In the KUMA web interface, under Resources, click Create correlator.
  • In the KUMA web interface, under Resources → Correlators, click Add correlator.

As a result of completing the steps of the Wizard, a correlator service is created in the KUMA web interface.

A resource set for a correlator includes the following resources:

These resources can be prepared in advance, or you can create them while the Installation Wizard is running.

Actions on the KUMA correlator server

If you are installing the correlator on a server that you intend to use for event processing, you need to run the command displayed at the last step of the Installation Wizard on the server. When installing, you must specify the identifier automatically assigned to the service in the KUMA web interface, as well as the port used for communication.

Testing the installation

After creating a correlator, it is recommended to make sure that it is working correctly.

In this section

Starting the Correlator Installation Wizard

Installing a correlator in a KUMA network infrastructure

Validating correlator installation

Starting the Correlator Installation Wizard

To start the Correlator Installation Wizard:

  • In the KUMA web interface, under Resources, click Add correlator.
  • In the KUMA web interface, under Resources → Correlators, click Add correlator.

Follow the instructions of the Wizard.

Aside from the first and last steps of the Wizard, the steps can be performed in any order. You can switch between steps by using the Next and Previous buttons, as well as by clicking the names of the steps on the left side of the window.

After the Wizard completes, a resource set for the correlator is created in the KUMA web interface under Resources → Correlators, and a correlator service is added under Resources → Active services.

In this section

Step 1. General correlator settings

Step 2. Global variables

Step 3. Correlation

Step 4. Enrichment

Step 5. Response

Step 6. Routing

Step 7. Setup validation

[Topic 221166]

Step 1. General correlator settings

This is a required step of the Installation Wizard. At this step, you specify the main settings of the correlator: the correlator name and the tenant that will own it.

To define the main settings of the correlator:

  • In the Name field, enter a unique name for the service you are creating. The name must contain from 1 to 128 Unicode characters.
  • In the Tenant drop-down list, select the tenant that will own the correlator. The tenant selection determines what resources will be available when the correlator is created.

    If you return to this window from another subsequent step of the Installation Wizard and select another tenant, you will have to manually edit all the resources that you have added to the service. Only resources from the selected tenant and shared tenant can be added to the service.

  • If required, specify the number of processes that the service can run concurrently in the Workers field. By default, the number of worker processes is the same as the number of vCPUs on the server where the service is installed.
  • If necessary, use the Debug drop-down list to enable logging of service operations.
  • You can optionally add up to 256 Unicode characters describing the service in the Description field.

The main settings of the correlator are defined. Proceed to the next step of the Installation Wizard.

[Topic 221167]

Step 2. Global variables

If tracking values in event fields, active lists, or dictionaries is not enough to cover some specific security scenarios, you can use global and local variables. You can use them to take various actions on the values received by the correlators by implementing complex logic for threat detection. Variables can be assigned a specific function and then queried from correlation rules as if they were ordinary event fields, with the triggered function result received in response.

To add a global variable in the correlator, click the Add variable button and specify the following parameters:

  • In the Variable window, enter the name of the variable.

    Variable naming requirements

    • Must be unique within the correlator.
    • Must contain from 1 to 128 Unicode characters.
    • Must not begin with the character $.
    • Must be written in camelCase or CamelCase.
  • In the Value window, enter the variable function.

    Description of variable functions.

The global variable is added. It can be queried from correlation rules by adding the $ character in front of the variable name. There can be multiple variables. Added variables can be edited or deleted by using the cross icon.

Proceed to the next step of the Installation Wizard.

[Topic 233900]

Step 3. Correlation

This is an optional but recommended step of the Installation Wizard. On the Correlation tab of the Installation Wizard, you should select or create resources of correlation rules. These resources define the sequences of events that indicate security-related incidents. When these sequences are detected, the correlator creates a correlation event and an alert.

If you have added global variables to the correlator, all added correlation rules can query them.

Correlation rules that are added to the set of resources for the correlator are displayed in the table with the following columns:

  • Correlation rules—name of the correlation rule resource.
  • Type—type of correlation rule: standard, simple, operational. The table can be filtered based on the values of this column by clicking the column header and selecting the relevant values.
  • Actions—list of actions that will be performed by the correlator when the correlation rule is triggered. These actions are indicated in the correlation rule settings. The table can be filtered based on the values of this column by clicking the column header and selecting the relevant values.

You can use the Search field to search for a correlation rule. Added correlation rules can be removed from the set of resources by selecting the relevant rules and clicking Delete.

When a correlation rule is selected, a window opens to show its settings. The resource settings can be edited and then saved by clicking the Save button. If you click Delete in this window, the correlation rule is unlinked from the set of resources.

To link the existing correlation rules to the set of resources for the correlator:

  1. Click Link.

    The resource selection window opens.

  2. Select the relevant correlation rules and click OK.

The correlation rules will be linked to the set of resources for the correlator and will be displayed in the rules table.

To create a new correlation rule in a set of resources for a correlator:

  1. Click Add.

    The correlation rule creation window opens.

  2. Specify the correlation rule settings and click Save.

The correlation rule will be created and linked to the set of resources for the correlator. It is displayed in the correlation rules table and in the list of resources under Resources → Correlation rules.

Proceed to the next step of the Installation Wizard.

[Topic 221168]

Step 4. Enrichment

This is an optional step of the Installation Wizard. On the Enrichment tab of the Installation Wizard, you can select or create a resource for enrichment rules and indicate which data from which sources should be added to correlation events created by the correlator. There can be more than one enrichment rule. You can add them by clicking the Add button and can remove them by clicking the cross button.

To add an existing enrichment rule to a set of resources:

  1. Click Add.

    This opens the enrichment rule settings block.

  2. In the Enrichment rule drop-down list, select the relevant resource.

The enrichment rule is added to the set of resources for the correlator.

To create a new enrichment rule in a set of resources:

  1. Click Add.

    This opens the enrichment rule settings block.

  2. In the Enrichment rule drop-down list, select Create new.
  3. In the Source kind drop-down list, select the source of data for enrichment and define its corresponding settings:
    • constant

      This type of enrichment is used when a constant needs to be added to an event field. Settings of this type of enrichment:

      • In the Constant field, specify the value that should be added to the event field. The value should not be longer than 255 Unicode characters. If you leave this field blank, the existing event field value will be cleared.
      • In the Target field drop-down list, select the KUMA event field to which you want to write the data.

    • dictionary

      This type of enrichment is used if you need to add a value from the dictionary to the event field.

      When this type is selected in the Dictionary name drop-down list, you must select the dictionary that will provide the values. In the Key fields settings block, you must use the Add field button to select the event fields whose values will be used for dictionary entry selection.

    • event

      This type of enrichment is used when you need to write a value from another event field to the current event field. Settings of this type of enrichment:

      • In the Target field drop-down list, select the KUMA event field to which you want to write the data.
      • In the Source field drop-down list, select the event field whose value will be written to the target field.
      • In the Conversion settings block, you can create rules for modifying the original data before it is written to the KUMA event fields. The conversion type can be selected from the drop-down list. You can use the Add conversion and Delete buttons to add or delete a conversion, respectively. The order of conversions is important.

        Available conversions

        Conversions are changes that can be applied to a value before it gets written to the event field. The conversion type is selected from a drop-down list.

        Available conversions:

        • lower—is used to make all characters of the value lowercase
        • upper—is used to make all characters of the value uppercase
        • regexp—is used to convert a value using an RE2 regular expression. When this conversion type is selected, a field appears in which the regular expression must be entered.
        • substring—is used to extract characters in the position range specified in the Start and End fields. These fields appear when this conversion type is selected.
        • replace—is used to replace the specified character sequence with another character sequence. When this type of conversion is selected, new fields appear:
          • Replace chars—in this field you can specify the character sequence that should be replaced.
          • With chars—in this field you can specify the character sequence that should be used instead of the replaced characters.
        • trim—is used to remove the characters specified in the Chars field from both ends of the value at the same time (every leading or trailing character that occurs in Chars is removed). The field appears when this type of conversion is selected. For example, a trim conversion with the Micromon value applied to Microsoft-Windows-Sysmon results in soft-Windows-Sys.
        • append—is used to add the characters specified in the Constant field to the end of the event field value. The field appears when this type of conversion is selected.
        • prepend—is used to add the characters specified in the Constant field to the start of the event field value. The field appears when this type of conversion is selected.
        • replace with regexp—is used to replace the results of an RE2 regular expression with a character sequence. When this type of conversion is selected, new fields appear:
          • Expression—in this field you can specify the regular expression whose results should be replaced.
          • With chars—in this field you can specify the character sequence that should be used instead of the replaced characters.
    • template

      This type of enrichment is used when you need to write a value obtained by processing Go templates into the event field. Settings of this type of enrichment:

      • Put the Go template into the Template field.

        Event field names are passed in the {{.EventField}} format, where EventField is the name of the event field whose value must be inserted into the template.

        Example: Attack on {{.DestinationAddress}} from {{.SourceAddress}}.

      • In the Target field drop-down list, select the KUMA event field to which you want to write the data.
    • dns

      This type of enrichment is used to send requests to a private network DNS server to convert IP addresses into domain names or vice versa.

      Available settings:

      • URL—in this field, you can specify the URL of a DNS server to which you want to send requests. You can use the Add URL button to specify multiple URLs.
      • RPS—maximum number of requests sent to the server per second. The default value is 1000.
      • Workers—maximum number of requests per one point in time. The default value is 1.
      • Max tasks—maximum number of simultaneously fulfilled requests. By default, this value is equal to the number of vCPUs of the KUMA Core server.
      • Cache TTL—the lifetime of the values stored in the cache. The default value is 60.
      • Cache disabled—you can use this drop-down list to enable or disable caching. Caching is enabled by default.
    • cybertrace

      This type of enrichment is used to add information from CyberTrace data streams to event fields.

      Available settings:

      • URL (required)—in this field, you can specify the URL of a CyberTrace server to which you want to send requests.
      • Number of connections—maximum number of connections to the CyberTrace server that can be simultaneously established by KUMA. By default, this value is equal to the number of vCPUs of the KUMA Core server.
      • RPS—maximum number of requests sent to the server per second. The default value is 1000.
      • Timeout—amount of time to wait for a response from the CyberTrace server, in seconds. The default value is 30.
      • Mapping (required)—this settings block contains the mapping table for mapping KUMA event fields to CyberTrace indicator types. The KUMA field column shows the names of KUMA event fields, and the CyberTrace indicator column shows the types of CyberTrace indicators.

        Available types of CyberTrace indicators:

        • ip
        • url
        • hash

        In the mapping table, you must provide at least one row. You can use the Add row button to add a row, and the cross button to remove a row.

    • timezone

      This type of enrichment is used in collectors and correlators to assign a specific timezone to an event. Timezone information may be useful when searching for events that occurred at unusual times, such as nighttime.

      When this type of enrichment is selected, the required timezone must be selected from the Timezone drop-down list.

      Make sure that the required time zone is set on the server hosting the enrichment-utilizing service. For example, you can do this by using the timedatectl list-timezones command, which shows all time zones that are set on the server. For more details on setting time zones, please refer to your operating system documentation.

      When an event is enriched, the time offset of the selected timezone relative to Coordinated Universal Time (UTC) is written to the DeviceTimeZone event field in the +-hh:mm format. For example, if you select the Asia/Yekaterinburg timezone, the value +05:00 will be written to the DeviceTimeZone field. If the enriched event already has a value in the DeviceTimeZone field, it will be overwritten.

      By default, if the timezone is not specified in the event being processed and enrichment rules by timezone are not configured, the event is assigned the timezone of the server hosting the service (collector or correlator) that processes the event. If the server time is changed, the service must be restarted.

      Permissible time formats when enriching the DeviceTimeZone field

      When processing incoming raw events in the collector, the following time formats can be automatically converted to the +-hh:mm format:

      Time format in a processed event    Example
      +-hh:mm                             -07:00
      +-hhmm                              -0700
      +-hh                                -07

      If the date format in the DeviceTimeZone field differs from the formats listed above, the collector server timezone is written to the field when an event is enriched with timezone information. You can create custom normalization rules for non-standard time formats.

  4. Use the Debug drop-down list to indicate whether or not to enable logging of service operations. Logging is disabled by default.
  5. In the Filter section, you can specify conditions to identify events that will be processed by the enrichment rule resource. You can select an existing filter resource from the drop-down list, or select Create new to create a new filter.

    Creating a filter in resources

    1. In the Filter drop-down list, select Create new.
    2. If you want to keep the filter as a separate resource, select the Save filter check box.

      In this case, you will be able to use the created filter in various services.

      This check box is cleared by default.

    3. If you selected the Save filter check box, enter a name for the created filter resource in the Name field. The name must contain from 1 to 128 Unicode characters.
    4. In the Conditions settings block, specify the conditions that the events must meet:
      1. Click the Add condition button.
      2. In the Left operand and Right operand drop-down lists, specify the search parameters.

        Depending on the data source selected in the Right operand field, you may see fields of additional parameters that you need to use to define the value that will be passed to the filter. For example, when choosing active list you will need to specify the name of the active list, the entry key, and the entry key field.

      3. In the operator drop-down list, select the relevant operator.

        Filter operators

        • =—the left operand equals the right operand.
        • <—the left operand is less than the right operand.
        • <=—the left operand is less than or equal to the right operand.
        • >—the left operand is greater than the right operand.
        • >=—the left operand is greater than or equal to the right operand.
        • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
        • contains—the left operand contains values of the right operand.
        • startsWith—the left operand starts with one of the values of the right operand.
        • endsWith—the left operand ends with one of the values of the right operand.
        • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
        • hasBit—checks whether the left operand (string or number) contains bits whose positions are listed in the right operand (in a constant or in a list).
        • hasVulnerability—checks whether the left operand contains an asset with the vulnerability and vulnerability severity specified in the right operand.
        • inActiveList—this operator has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
        • inDictionary—checks whether the specified dictionary contains an entry defined by the key composed with the concatenated values of the selected event fields.
        • inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
        • inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
        • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
      4. If necessary, select the do not match case check box. When this check box is selected, the operator ignores the case of the values.

        The selection of this check box does not apply to the inSubnet, inActiveList, inCategory or inActiveDirectoryGroup operators.

        This check box is cleared by default.

      5. If you want to add a negative condition, select If not from the If drop-down list.
      6. You can add multiple conditions or a group of conditions.
    5. If you have added multiple conditions or groups of conditions, choose a search condition (and, or, not) by clicking the AND button.
    6. If you want to add existing filters that are selected from the Select filter drop-down list, click the Add filter button.

      You can view the nested filter settings by clicking the edit icon.

The new enrichment rule was added to the set of resources for the correlator.
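The event and template source kinds described in this step, as an added Go example that is not KUMA's own code: ApplyConversions runs a chain of conversions in the order they are listed (lower, upper, regexp, substring, replace, trim, append, prepend, replace with regexp), and EnrichFromTemplate renders a Go text/template such as the page's "Attack on {{.DestinationAddress}} from {{.SourceAddress}}" into a target field. The Conversion struct, the 0-based and end-exclusive substring positions, and the capture-group behaviour of the regexp conversion are assumptions made for the example; KUMA's internal implementation is not shown on this page. The trim case reproduces the page's Micromon example exactly, because Go's strings.Trim treats the Chars value as a set.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Event is a constructed stand-in for a KUMA event: field name to string value.
type Event map[string]string

// Conversion mirrors one row of the Conversion settings block of an "event"
// enrichment; the comment on each field names the wizard setting it holds.
type Conversion struct {
	Type  string // lower, upper, regexp, substring, replace, trim, append, prepend, replaceWithRegexp
	Expr  string // regexp, replaceWithRegexp: the RE2 expression
	Start int    // substring: Start (assumed 0-based, inclusive)
	End   int    // substring: End (assumed exclusive)
	Chars string // replace: Replace chars; trim: Chars; append, prepend: Constant
	With  string // replace, replaceWithRegexp: With chars
}

// ApplyConversions runs the conversions in the order given; order matters
// because each conversion works on the output of the previous one.
func ApplyConversions(value string, convs []Conversion) (string, error) {
	for _, c := range convs {
		switch c.Type {
		case "lower":
			value = strings.ToLower(value)
		case "upper":
			value = strings.ToUpper(value)
		case "regexp":
			re, err := regexp.Compile(c.Expr) // Go's regexp package is an RE2 engine
			if err != nil {
				return "", err
			}
			// Assumption: first capture group if there is one, else the whole match.
			m := re.FindStringSubmatch(value)
			value = ""
			if len(m) > 1 {
				value = m[1]
			} else if len(m) == 1 {
				value = m[0]
			}
		case "substring":
			r := []rune(value) // positions count characters, not bytes
			value = ""
			if c.Start >= 0 && c.Start < c.End && c.End <= len(r) {
				value = string(r[c.Start:c.End])
			}
		case "replace":
			value = strings.ReplaceAll(value, c.Chars, c.With)
		case "trim":
			// strings.Trim strips every leading and trailing character that occurs
			// in Chars, which reproduces the page's Micromon example exactly.
			value = strings.Trim(value, c.Chars)
		case "append":
			value += c.Chars
		case "prepend":
			value = c.Chars + value
		case "replaceWithRegexp":
			re, err := regexp.Compile(c.Expr)
			if err != nil {
				return "", err
			}
			value = re.ReplaceAllString(value, c.With)
		default:
			return "", fmt.Errorf("unknown conversion type %q", c.Type)
		}
	}
	return value, nil
}

// EnrichFromTemplate is the "template" source kind: a Go text/template is
// rendered against the event and the result is written to the Target field.
// A field missing from the event renders as an empty string.
func EnrichFromTemplate(ev Event, tmpl, target string) error {
	t, err := template.New("enrich").Option("missingkey=zero").Parse(tmpl)
	if err != nil {
		return err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, ev); err != nil {
		return err
	}
	ev[target] = buf.String()
	return nil
}
```

For the "event" source kind, read the Source field, pass it through ApplyConversions and write the result to the Target field; the conversion list is the only part that needs care, since a regexp that does not match leaves an empty value and an out-of-range substring does the same.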
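The timezone handling described for the timezone source kind, as an added Go example that is not KUMA's own code: NormalizeOffset accepts exactly the three formats in the table above (+-hh:mm, +-hhmm, +-hh) and rewrites them to +-hh:mm; ZoneOffset computes what a timezone enrichment rule writes for an IANA zone (Asia/Yekaterinburg gives +05:00); EnrichTimeZone combines the two with the fallback to the server's own zone. The function names, the embedded tzdata import and the rejection of impossible offsets (hours above 14, minutes above 59) are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
	_ "time/tzdata" // embedded IANA database, so LoadLocation works without system tzdata
)

// offsetRe accepts exactly the three formats listed on the page:
// +-hh:mm, +-hhmm and +-hh (optional minutes, with or without a colon).
var offsetRe = regexp.MustCompile(`^([+-])(\d{2})(?::?(\d{2}))?$`)

// NormalizeOffset rewrites a raw DeviceTimeZone value into the +-hh:mm form.
// ok is false when the value is in none of the three formats, so the caller
// can fall back to the server time zone the way the collector does.
func NormalizeOffset(raw string) (offset string, ok bool) {
	m := offsetRe.FindStringSubmatch(raw)
	if m == nil {
		return "", false
	}
	hh, mm := m[2], m[3]
	if mm == "" {
		mm = "00"
	}
	// Assumption: an offset beyond +-14 hours or with minutes above 59 is
	// treated as unrecognised rather than written through.
	h, _ := strconv.Atoi(hh)
	mi, _ := strconv.Atoi(mm)
	if h > 14 || mi > 59 {
		return "", false
	}
	return m[1] + hh + ":" + mm, true
}

// ZoneOffset is what a timezone enrichment rule writes: the offset of an IANA
// zone from UTC at a given instant, e.g. Asia/Yekaterinburg -> +05:00.
func ZoneOffset(zone string, at time.Time) (string, error) {
	loc, err := time.LoadLocation(zone)
	if err != nil {
		return "", err
	}
	return at.In(loc).Format("-07:00"), nil // Go layout token for +-hh:mm
}

// EnrichTimeZone models the behaviour described on the page. A configured
// rule (ruleZone != "") always overwrites DeviceTimeZone. Without a rule, a
// value in one of the three formats is normalised, and anything else is
// replaced by the offset of the server hosting the service.
func EnrichTimeZone(deviceTimeZone, ruleZone, serverZone string, at time.Time) (string, error) {
	if ruleZone != "" {
		return ZoneOffset(ruleZone, at)
	}
	if off, ok := NormalizeOffset(deviceTimeZone); ok {
		return off, nil
	}
	return ZoneOffset(serverZone, at)
}

func main() {
	at := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC) // constructed instant
	for _, raw := range []string{"-07:00", "-0700", "-07", "PST"} {
		off, err := EnrichTimeZone(raw, "", "UTC", at)
		fmt.Printf("%-6s -> %s %v\n", raw, off, err)
	}
	off, _ := EnrichTimeZone("-07:00", "Asia/Yekaterinburg", "UTC", at)
	fmt.Println("rule Asia/Yekaterinburg ->", off)
}
```

The instant is passed in explicitly because a named zone's offset can change with daylight-saving rules; an enrichment that computed the offset once at service start would drift for such zones, which is one reason the page asks for a restart after the server time changes.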

Proceed to the next step of the Installation Wizard.

[Topic 221169]

Step 5. Response

This is an optional step of the Installation Wizard. On the Response tab of the Installation Wizard, you can select or create a resource for response rules and indicate which actions must be performed when the correlation rules are triggered. There can be multiple response rules. You can add them by clicking the Add button and can remove them by clicking the cross button.

To add an existing response rule to a set of resources:

  1. Click Add.

    The response rule settings window opens.

  2. In the Response rule drop-down list, select the relevant resource.

The response rule is added to the set of resources for the correlator.

To create a new response rule in a set of resources:

  1. Click Add.

    The response rule settings window opens.

  2. In the Response rule drop-down list, select Create new.
  3. In the Type drop-down list, select the type of response rule and define its corresponding settings:
    • ksctasks—response rules for automatically starting tasks on Kaspersky Security Center assets. For example, you can configure automatic startup of a virus scan or database update.

      Tasks are automatically started when KUMA is integrated with Kaspersky Security Center. Tasks are run only on assets that were imported from Kaspersky Security Center.

      Settings of ksctasks responses

      • Kaspersky Security Center task (required)—name of the Kaspersky Security Center task that you need to start. Tasks must be created beforehand, and their names must begin with "KUMA ". For example, "KUMA antivirus check".
      • Event field (required)—defines the event field of the asset for which the Kaspersky Security Center task should be started. Possible values:
        • SourceAssetID
        • DestinationAssetID
        • DeviceAssetID

      To send requests to Kaspersky Security Center, you must ensure that Kaspersky Security Center is available over the UDP protocol.

    • script—response rules for automatically running a script. For example, you can create a script containing commands to be executed on the KUMA server when selected events are detected.

      The script file is stored on the server where the correlator service using the response resource is installed: /opt/kaspersky/kuma/correlator/<Correlator ID>/scripts.

      The kuma user of this server requires the permissions to run the script.

      Settings of script responses

      • Timeout—the number of seconds the system will wait before running the script.
      • Script name (required)—the name of the script file.

        If the script Response resource is linked to the Correlator service, but there is no script file in the /opt/kaspersky/kuma/correlator/<Correlator ID>/scripts folder, the service will not start.

      • Script arguments—parameters or event field values that must be passed to the script.

        If the script includes actions taken on files, you should specify the absolute path to these files.

        Parameters can be written with quotation marks (").

        Event field names are passed in the {{.EventField}} format, where EventField is the name of the event field whose value must be passed to the script.

        Example: -n "\"usr\": {{.SourceUserName}}"

    • kata/edr—response rules for automatically creating prevention rules, starting network isolation, or starting the application on Kaspersky Endpoint Detection and Response and Kaspersky Security Center assets.

      Automatic response actions are carried out when KUMA is integrated with Kaspersky Endpoint Detection and Response.

      Settings of kata/edr-type responses

      • Event field (required)—event field containing the asset for which the response actions are needed. Possible values:
        • SourceAssetID
        • DestinationAssetID
        • DeviceAssetID
      • Task type—response action to be performed when data matching the filter is received. The following types of response actions are available:
        • Enable network isolation.

          When selecting this type of response, you need to define values for the following settings:

          • Isolation timeout—the number of hours during which the network isolation of an asset will be active. You can indicate from 1 to 9999 hours.

            If necessary, you can add an exclusion for network isolation.

            To add an exclusion for network isolation:

            1. Click the Add exclusion button.
            2. Select the direction of network traffic that must not be blocked:
              • Inbound.
              • Outbound.
              • Inbound/Outbound.
            3. In the Asset IP field, enter the IP address of the asset whose network traffic must not be blocked.
            4. If you selected Inbound or Outbound, specify the connection ports in the Remote ports and Local ports fields.
            5. If you want to add more than one exclusion, click Add exclusion and repeat the steps to fill in the Traffic direction, Asset IP, Remote ports and Local ports fields.
            6. If you want to delete an exclusion, click the Delete button under the relevant exclusion.

            When adding exclusions to a network isolation rule, Kaspersky Endpoint Detection and Response may incorrectly display the port values in the rule details. This does not affect application performance. For more details on viewing a network isolation rule, please refer to the Kaspersky Anti Targeted Attack Platform Help Guide.

        • Disable network isolation.
        • Add prevention rule.

          When selecting this type of response, you need to define values for the following settings:

          • Event fields to extract hash from—event fields from which KUMA extracts SHA256 or MD5 hashes of the files that must be prevented from starting.

            The selected event fields and the values selected in the Event field must be added to the inherited fields of the correlation rule.

          • File hash #1—SHA256 or MD5 hash of the file to be blocked.

          At least one of the above fields must be completed.

        • Delete prevention rule.
        • Run program.

          When selecting this type of response, you need to define values for the following settings:

          • File path—path to the file of the process that you want to start.
          • Command line parameters—parameters with which you want to start the file.
          • Working directory—directory in which the file is located at the time of startup.

          When a response rule is triggered for users with the General Administrator role, the Run program task is displayed in the Task manager section of the program web interface, with Scheduled task shown for it in the Created column of the task table. You can view the task completion results.

          All of the listed operations can be performed on assets that have Kaspersky Endpoint Agent for Windows. On assets that have Kaspersky Endpoint Agent for Linux, the program can only be started.

          At the software level, creating prevention rules and network isolation rules for assets with Kaspersky Endpoint Agent for Linux is not restricted, but KUMA and Kaspersky Endpoint Detection and Response do not provide any notifications about unsuccessful application of these rules.

    • kics—response rules for automatically starting tasks on KICS for Networks assets. For example, you can change the asset status in KICS for Networks.

      Tasks are automatically started when KUMA is integrated with KICS for Networks.

      Settings of kics responses

      • Event field (required)—event field containing the asset for which the response actions are needed. Possible values:
        • SourceAssetID
        • DestinationAssetID
        • DeviceAssetID
      • KICS for Networks task—response action to be performed when data matching the filter is received. The following types of response actions are available:
        • Change asset status to Authorized.
        • Change asset status to Unauthorized.

        When a response rule is triggered, KUMA will send KICS for Networks an API request to change the status of the specified device to Authorized or Unauthorized.

  4. In the Workers field, specify the number of processes that the service can run simultaneously.

    By default, the number of workers is the same as the number of virtual processors on the server where the service is installed.

    This field is optional.

  5. In the Filter section, you can specify conditions to identify events that will be processed by the response rule resource. You can select an existing filter resource from the drop-down list, or select Create new to create a new filter.

    Creating a filter in resources

    1. In the Filter drop-down list, select Create new.
    2. If you want to keep the filter as a separate resource, select the Save filter check box.

      In this case, you will be able to use the created filter in various services.

      This check box is cleared by default.

    3. If you selected the Save filter check box, enter a name for the created filter resource in the Name field. The name must contain from 1 to 128 Unicode characters.
    4. In the Conditions settings block, specify the conditions that the events must meet:
      1. Click the Add condition button.
      2. In the Left operand and Right operand drop-down lists, specify the search parameters.

        Depending on the data source selected in the Right operand field, you may see fields of additional parameters that you need to use to define the value that will be passed to the filter. For example, when choosing active list you will need to specify the name of the active list, the entry key, and the entry key field.

      3. In the operator drop-down list, select the relevant operator.

        Filter operators

        • =—the left operand equals the right operand.
        • <—the left operand is less than the right operand.
        • <=—the left operand is less than or equal to the right operand.
        • >—the left operand is greater than the right operand.
        • >=—the left operand is greater than or equal to the right operand.
        • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
        • contains—the left operand contains values of the right operand.
        • startsWith—the left operand starts with one of the values of the right operand.
        • endsWith—the left operand ends with one of the values of the right operand.
        • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
        • hasBit—checks whether the left operand (string or number) contains bits whose positions are listed in the right operand (in a constant or in a list).
        • hasVulnerability—checks whether the left operand contains an asset with the vulnerability and vulnerability severity specified in the right operand.
        • inActiveList—this operator has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
        • inDictionary—checks whether the specified dictionary contains an entry defined by the key composed with the concatenated values of the selected event fields.
        • inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
        • inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
        • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
      4. If necessary, select the do not match case check box. When this check box is selected, the operator ignores the case of the values.

        The selection of this check box does not apply to the inSubnet, inActiveList, inCategory, or inActiveDirectoryGroup operators.

        This check box is cleared by default.

      5. If you want to add a negative condition, select If not from the If drop-down list.
      6. You can add multiple conditions or a group of conditions.
    5. If you have added multiple conditions or groups of conditions, choose a search condition (and, or, not) by clicking the AND button.
    6. If you want to add existing filters that are selected from the Select filter drop-down list, click the Add filter button.

      You can view the nested filter settings by clicking the edit button.

The new response rule was added to the set of resources for the correlator.

Proceed to the next step of the Installation Wizard.

[Topic 221170]

Step 6. Routing

This is an optional step of the Installation Wizard. On the Routing tab of the Installation Wizard, you can select or create destination resources with parameters indicating the forwarding destination of events created by the correlator. Events from a correlator are usually redirected to storage so that they can be saved and later viewed if necessary. Events can be sent to other locations as needed. There can be more than one destination point.

To add an existing destination to a set of resources for a correlator:

  1. In the Add destination drop-down list, select the type of destination resource you want to add:
    • Select Storage if you want to configure forwarding of processed events to the storage.
    • Select Correlator if you want to configure forwarding of processed events to a correlator.
    • Select Other if you want to send events to other locations.

      This type of resource includes correlator and storage services that were created in previous versions of the program.

    The Add destination window opens where you can specify the event forwarding parameters.

  2. In the Destination drop-down list, select the necessary destination.

    The window name changes to Edit destination, and it displays the settings of the selected resource. The resource can be opened for editing in a new browser tab by clicking the edit button.

  3. Click Save.

The selected destination is displayed on the Installation Wizard tab. A destination resource can be removed from the resource set by selecting it and clicking Delete in the opened window.

To add a new destination to a set of resources for a correlator:

  1. In the Add destination drop-down list, select the type of destination resource you want to add:
    • Select Storage if you want to configure forwarding of processed events to the storage.
    • Select Correlator if you want to configure forwarding of processed events to a correlator.
    • Select Other if you want to send events to other locations.

      This type of resource includes correlator and storage services that were created in previous versions of the program.

    The Add destination window opens where you can specify the event forwarding parameters.

  2. Specify the settings on the Basic settings tab:
    • In the Destination drop-down list, select Create new.
    • In the Name field, enter a unique name for the destination resource. The name must contain from 1 to 128 Unicode characters.
    • Use the Disabled toggle button to specify whether events will be sent to this destination. By default, sending events is enabled.
    • Select the Type for the destination resource:
      • Select storage if you want to configure forwarding of processed events to the storage.
      • Select correlator if you want to configure forwarding of processed events to a correlator.
      • Select nats, tcp, http, kafka, or file if you want to configure sending events to other locations.
    • Specify the URL to which events should be sent in the hostname:<API port> format.

      You can specify multiple destination URLs using the URL button for all types except nats and file, if your KUMA license includes the High Level Availability module.

      If you have selected storage or correlator as the destination type, the URL field can be populated automatically using the Copy service URL drop-down list that displays active services of the selected type.

    • For the nats and kafka types, use the Topic field to specify which topic the data should be written to. The topic name must contain from 1 to 255 Unicode characters.
  3. If required, define the settings on the Advanced settings tab. The available settings vary based on the selected destination resource type:
    • Compression is a drop-down list where you can enable Snappy compression. By default, compression is disabled.
    • Proxy is a drop-down list for proxy server resource selection.
    • Buffer size is used to set the buffer size (in bytes) for the destination resource. The default value is 1 MB, and the maximum value is 64 MB.
    • Timeout is used to set the timeout (in seconds) for the response of another service or component. The default value is 30.
    • Disk buffer size limit is used to specify the size of the disk buffer in bytes. The default size is 10 GB.
    • Storage ID is a NATS storage identifier.
    • TLS mode is a drop-down list where you can specify the conditions for using TLS encryption:
      • Disabled (default)—do not use TLS encryption.
      • Enabled—encryption is enabled, but without verification.
      • With verification—use encryption with verification that the certificate was signed with the KUMA root certificate. The root certificate and key of KUMA are created automatically during program installation and are stored on the KUMA Core server in the folder /opt/kaspersky/kuma/core/certificates/.

      When using TLS, it is impossible to specify an IP address as a URL.

    • URL selection policy is a drop-down list in which you can select a method for determining which URL to send events to if several URLs have been specified:
      • Any. Events are sent to one of the available URLs as long as this URL receives events. If the connection is broken (for example, the receiving node is disconnected) a different URL will be selected as the events destination.
      • Prefer first. Events are sent to the first URL in the list of added addresses. If it becomes unavailable, events are sent to the next available node in sequence. When the first URL becomes available again, events start to be sent to it again.
      • Round robin. Packets with events will be evenly distributed among available URLs from the list. Because packets are sent either on a destination buffer overflow or on the flush timer, this URL selection policy does not guarantee an equal distribution of events to destinations.
    • Delimiter is used to specify the character delimiting the events. By default, \n is used.
    • Path—the file path if the file destination type is selected.
    • Buffer flush interval—this field is used to set the time interval (in seconds) at which the data is sent to the destination. The default value is 100.
    • Workers—this field is used to set the number of services processing the queue. By default, this value is equal to the number of vCPUs of the KUMA Core server.
    • You can set health checks using the Health check path and Health check timeout fields. You can also disable health checks by selecting the Health Check Disabled check box.
    • Debug—a drop-down list where you can specify whether resource logging should be enabled. By default it is Disabled.
    • The Disk buffer disabled drop-down list is used to enable or disable the use of a disk buffer. By default, the disk buffer is disabled.
    • In the Filter section, you can specify the conditions to define events that will be processed by this resource. You can select an existing filter resource from the drop-down list, or select Create new to create a new filter.

      Creating a filter in resources

      1. In the Filter drop-down list, select Create new.
      2. If you want to keep the filter as a separate resource, select the Save filter check box.

        In this case, you will be able to use the created filter in various services.

        This check box is cleared by default.

      3. If you selected the Save filter check box, enter a name for the created filter resource in the Name field. The name must contain from 1 to 128 Unicode characters.
      4. In the Conditions settings block, specify the conditions that the events must meet:
        1. Click the Add condition button.
        2. In the Left operand and Right operand drop-down lists, specify the search parameters.

          Depending on the data source selected in the Right operand field, you may see fields of additional parameters that you need to use to define the value that will be passed to the filter. For example, when choosing active list you will need to specify the name of the active list, the entry key, and the entry key field.

        3. In the operator drop-down list, select the relevant operator.

          Filter operators

          • =—the left operand equals the right operand.
          • <—the left operand is less than the right operand.
          • <=—the left operand is less than or equal to the right operand.
          • >—the left operand is greater than the right operand.
          • >=—the left operand is greater than or equal to the right operand.
          • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
          • contains—the left operand contains values of the right operand.
          • startsWith—the left operand starts with one of the values of the right operand.
          • endsWith—the left operand ends with one of the values of the right operand.
          • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
          • hasBit—checks whether the left operand (string or number) contains bits whose positions are listed in the right operand (in a constant or in a list).
          • hasVulnerability—checks whether the left operand contains an asset with the vulnerability and vulnerability severity specified in the right operand.
          • inActiveList—this operator has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
          • inDictionary—checks whether the specified dictionary contains an entry defined by the key composed with the concatenated values of the selected event fields.
          • inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
          • inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
          • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
        4. If necessary, select the do not match case check box. When this check box is selected, the operator ignores the case of the values.

          The selection of this check box does not apply to the inSubnet, inActiveList, inCategory, or inActiveDirectoryGroup operators.

          This check box is cleared by default.

        5. If you want to add a negative condition, select If not from the If drop-down list.
        6. You can add multiple conditions or a group of conditions.
      5. If you have added multiple conditions or groups of conditions, choose a search condition (and, or, not) by clicking the AND button.
      6. If you want to add existing filters that are selected from the Select filter drop-down list, click the Add filter button.

        You can view the nested filter settings by clicking the edit button.

  4. Click Save.

The created destination resource is displayed on the Installation Wizard tab. A destination resource can be removed from the resource set by selecting it and clicking Delete in the opened window.
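As an added example (not KUMA's own code), the following Python models the URL selection policies and the TLS rule for IP addresses from the Advanced settings above: UrlSelector, simulate(), is_valid_destination_url() and the sample node URLs are constructed for illustration, and the availability callback stands in for the destination health check.

```python
"""Destination URL selection and URL validation for a KUMA destination resource.
Added example, not KUMA's own code: UrlSelector, simulate() and the sample URLs are
constructed; the policy names and rules follow the Advanced settings on the page."""
import ipaddress
from typing import Callable, Dict, List, Optional, Set

class UrlSelector:
    """Picks the URL for the next packet under the Any / Prefer first / Round robin policy."""

    def __init__(self, urls: List[str], policy: str, is_available: Callable[[str], bool]):
        self.urls = list(urls)                # list order matters for "Prefer first"
        self.policy = policy
        self.is_available = is_available      # stands in for the destination health check
        self._current: Optional[str] = None   # URL that "Any" sticks to while it receives events
        self._rr = 0                          # round-robin counter

    def pick(self) -> Optional[str]:
        available = [u for u in self.urls if self.is_available(u)]
        if not available:
            self._current = None
            return None                       # every URL is down; the buffer has to hold events
        if self.policy == "Any":
            if self._current not in available:   # connection broken: pick a different URL
                self._current = available[0]
            return self._current
        if self.policy == "Prefer first":
            return available[0]               # first listed URL wins whenever it is reachable
        if self.policy == "Round robin":
            url = available[self._rr % len(available)]
            self._rr += 1
            return url                        # even split of packets, not of events
        raise ValueError(f"unknown URL selection policy: {self.policy}")

def simulate(policy: str, urls: List[str], down_at: Dict[int, Set[str]], packets: int) -> List[str]:
    """Dispatch `packets` packets; down_at maps packet number -> URLs unreachable at that moment."""
    down: Set[str] = set()
    selector = UrlSelector(urls, policy, lambda u: u not in down)  # closure sees reassignments
    sent = []
    for i in range(packets):
        down = down_at.get(i, set())
        sent.append(selector.pick())
    return sent

def is_valid_destination_url(url: str, tls_mode: str) -> bool:
    """URL must be hostname:<API port>; with TLS enabled an IP address is not allowed."""
    host, sep, port = url.split("://", 1)[-1].rstrip("/").rpartition(":")
    if not sep or not host or not port.isdigit():
        return False
    if tls_mode != "Disabled":
        try:
            ipaddress.ip_address(host.strip("[]"))
            return False          # page: when using TLS an IP address cannot be used as the URL
        except ValueError:
            pass                  # a hostname is fine
    return True

# Constructed sample: three storage nodes (hostnames and port are made up); node-a is
# unreachable while packets 2 and 3 are dispatched.
SAMPLE_URLS = ["node-a.example:7230", "node-b.example:7230", "node-c.example:7230"]
SAMPLE_OUTAGE = {2: {"node-a.example:7230"}, 3: {"node-a.example:7230"}}

def demo() -> Dict[str, List[str]]:
    return {p: simulate(p, SAMPLE_URLS, SAMPLE_OUTAGE, 6) for p in ("Any", "Prefer first", "Round robin")}
```

Round robin spreads packets, and a packet is flushed on buffer overflow or on the flush timer, so the per-URL event counts still differ, as the page notes.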

Proceed to the next step of the Installation Wizard.
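The filter conditions configured in the Conditions block above (the same operator list as in the response rule filter of Step 5) can be modelled as follows. This is an added example, not KUMA's own code: the Condition and Group classes, evaluate() and the sample event and filter are constructed; operators that need KUMA-side data (active lists, dictionaries, assets, CyberTrace) are left out, and Python's re stands in for RE2.

```python
"""KUMA-style filter condition evaluator (added example, not KUMA's own code).
Models the wizard's condition model: left operand (event field), operator, right operand
(constant or list), the "do not match case" check box, the "If not" negation and
and/or/not grouping. Classes, functions and sample data are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Any, List, Union

# Operators on which, per the page, the "do not match case" check box has no effect.
CASE_FLAG_IGNORED = {"inSubnet", "inActiveList", "inCategory", "inActiveDirectoryGroup"}

@dataclass
class Condition:
    left: str                  # event field used as the left operand
    op: str                    # operator name as listed in the wizard
    right: Any = None          # constant or list of constants
    ignore_case: bool = False  # "do not match case" check box
    negate: bool = False       # "If not" selected in the If drop-down list

@dataclass
class Group:
    logic: str                              # "and", "or" or "not"
    items: List[Union[Condition, "Group"]]  # conditions or nested filters

def _fold(value: Any, ignore_case: bool) -> Any:
    return value.lower() if ignore_case and isinstance(value, str) else value

def eval_condition(cond: Condition, event: dict) -> bool:
    if cond.left not in event:
        result = False  # missing field: the condition cannot hold
    else:
        raw = event[cond.left]
        ic = cond.ignore_case and cond.op not in CASE_FLAG_IGNORED
        left = _fold(raw, ic)
        s_left = str(left)
        vals = cond.right if isinstance(cond.right, (list, tuple, set)) else [cond.right]
        rights = [_fold(v, ic) for v in vals]  # right operand: constant or list of values
        if cond.op == "=":
            result = any(left == r for r in rights)
        elif cond.op in ("<", "<=", ">", ">="):
            r = rights[0]
            result = {"<": left < r, "<=": left <= r, ">": left > r, ">=": left >= r}[cond.op]
        elif cond.op == "inSubnet":
            result = any(ipaddress.ip_address(raw) in ipaddress.ip_network(r, strict=False) for r in rights)
        elif cond.op == "contains":
            result = any(str(r) in s_left for r in rights)
        elif cond.op == "startsWith":
            result = any(s_left.startswith(str(r)) for r in rights)
        elif cond.op == "endsWith":
            result = any(s_left.endswith(str(r)) for r in rights)
        elif cond.op == "match":
            # KUMA uses RE2; Python's re stands in for it here (common syntax only).
            flags = re.IGNORECASE if ic else 0
            result = any(re.search(str(r), str(raw), flags) is not None for r in rights)
        elif cond.op == "hasBit":
            # Strings parse with base 0 ("0x0A", "10"); assumption: all listed bits must be set.
            n = raw if isinstance(raw, int) else int(str(raw), 0)
            result = all(bool((n >> int(p)) & 1) for p in rights)
        else:
            # inActiveList, inDictionary, hasVulnerability, inCategory, inActiveDirectoryGroup
            # and TIDetect need KUMA-side data (lists, dictionaries, assets) and are not modelled.
            raise ValueError(f"unsupported operator: {cond.op}")
    return not result if cond.negate else result

def evaluate(node: Union[Condition, Group], event: dict) -> bool:
    """Evaluate a condition or a group; a group combines its items with and/or/not."""
    if isinstance(node, Condition):
        return eval_condition(node, event)
    results = [evaluate(item, event) for item in node.items]
    if node.logic == "and":
        return all(results)
    if node.logic == "or":
        return any(results)
    if node.logic == "not":
        return not any(results)  # assumption: "not" holds when none of the items hold
    raise ValueError(f"unknown logic: {node.logic}")

# Constructed sample event using KUMA-style normalized field names.
SAMPLE_EVENT = {
    "SourceAddress": "10.20.30.40",
    "DeviceProduct": "KUMA",
    "Name": "Failed Logon Attempt",
    "BytesIn": 4096,
    "Flags": "0x0A",  # bits 1 and 3 set
}

# Constructed filter: internal source, case-insensitive prefix, "If not" on the product,
# two bit positions, and a nested "or" group (the wizard's "group of conditions").
SAMPLE_FILTER = Group("and", [
    Condition("SourceAddress", "inSubnet", ["10.20.0.0/16", "192.168.0.0/16"]),
    Condition("Name", "startsWith", "failed", ignore_case=True),
    Condition("DeviceProduct", "=", "Collector", negate=True),
    Condition("Flags", "hasBit", [1, 3]),
    Group("or", [Condition("BytesIn", ">", 1024), Condition("Name", "match", r"^audit")]),
])

def demo() -> bool:
    return evaluate(SAMPLE_FILTER, SAMPLE_EVENT)
```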

[Topic 221171]

Step 7. Setup validation

This is the required, final step of the Installation Wizard. At this step, KUMA creates a set of resources for the service, and services are created automatically based on this set:

  • The set of resources for the correlator is displayed under Resources → Correlators. It can be used to create new correlator services. When this set of resources changes, all services that operate based on this set of resources will start using the new parameters after the services restart. To do so, you can use the Save and restart services and Save and update service configurations buttons.

    A set of resources can be modified, copied, moved from one folder to another, deleted, imported, and exported, like other resources.

  • Services are displayed under Resources → Active services. The services created using the Installation Wizard perform functions inside the KUMA program. To communicate with external parts of the network infrastructure, you need to install similar external services on the servers and assets intended for them. For example, an external correlator service should be installed on a server intended to process events, external storage services should be installed on servers with a deployed ClickHouse service, and external agent services should be installed on Windows assets that must both receive and forward Windows events.

To finish the Installation Wizard:

  1. Click Create and save service.

    The Setup validation tab of the Installation Wizard displays a table of services created based on the set of resources selected in the Installation Wizard. The lower part of the window shows examples of commands that you must use to install external equivalents of these services on their intended servers and assets.

    For example:

    /opt/kaspersky/kuma/kuma correlator --core https://kuma-example:<port used for communication with the KUMA Core> --id <service ID> --api.port <port used for communication with the service> --install

    The "kuma" file can be found inside the installer in the /kuma-ansible-installer/roles/kuma/files/ directory.

    The port for communication with the KUMA Core, the service ID, and the port for communication with the service are added to the command automatically. You should also ensure the network connectivity of the KUMA system and open the ports used by its components if necessary.

  2. Close the Wizard by clicking Save.

The correlator service is created in KUMA. Now the equivalent service must be installed on the server intended for processing events.

[Topic 221172]

Installing a correlator in a KUMA network infrastructure

A correlator consists of two parts: one part is created inside the KUMA web interface, and the other part is installed on the server in the network infrastructure that is intended for processing events. This section describes installing that second part.

To install a correlator:

  1. Log in to the server where you want to install the service.
  2. Create the /opt/kaspersky/kuma/ folder.
  3. Copy the "kuma" file to the /opt/kaspersky/kuma/ folder. The file is located in the installer in the /kuma-ansible-installer/roles/kuma/files/ folder.

    Make sure the kuma file has execute permissions.

  4. Execute the following command:

    sudo /opt/kaspersky/kuma/kuma correlator --core https://<KUMA Core server FQDN>:<port used by KUMA Core server for internal communication (port 7210 by default)> --id <service ID copied from the KUMA web interface> --api.port <port used for communication with the installed component> --install

    Example: sudo /opt/kaspersky/kuma/kuma correlator --core https://kuma.example.com:7210 --id XXXX --api.port YYYY --install

    You can copy the correlator installation command at the last step of the Installation Wizard. It automatically specifies the address and port of the KUMA Core server, the identifier of the correlator to be installed, and the port that the correlator uses for communication. Before installation, ensure the network connectivity of KUMA components.

    When deploying several KUMA services on the same host, during the installation process you must specify unique ports for each component using the --api.port <port> parameter. The default value is --api.port 7221.

The correlator is installed. You can use it to analyze events for threats.

[Topic 221173]

Validating correlator installation

To verify that the correlator is ready to receive events:

  1. In the KUMA web interface, open Resources → Active services.
  2. Make sure that the correlator you installed has the green status.

If the events that are fed into the correlator contain events that meet the correlation rule filter conditions, the events tab will show events with the DeviceVendor=Kaspersky and DeviceProduct=KUMA parameters. The name of the triggered correlation rule will be displayed as the name of these correlation events.

If correlation events were not found

You can create a simpler version of your correlation rule to find possible errors. Use a simple correlation rule and a single Output action. It is recommended to create a filter to find events that are regularly received by KUMA.

When updating, adding, or removing a correlation rule, you must reload the correlator to update its configuration.

When you finish testing your correlation rules, you must remove all testing and temporary correlation rules from KUMA and reload the correlator.

[Topic 221404]

Creating an agent

A KUMA agent consists of two parts: one part is created inside the KUMA web interface, and the second part is installed on a server or on an asset in the network infrastructure.

An agent is created in several steps:

  1. Creating a set of resources for the agent in the KUMA web interface
  2. Creating an agent service in the KUMA web interface
  3. Installing the server portion of the agent to the asset that will forward messages

A KUMA agent for Windows assets can be created automatically when you create a collector with the wmi or wec transport type. Although the set of resources and service of these agents are created in the Collector Installation Wizard, they must still be installed to the asset that will be used to forward a message.

In this section

Creating a set of resources for an agent

Creating an agent service in the KUMA web interface

Installing an agent in a KUMA network infrastructure

Automatically created agents

Update agents

[Topic 217720]

Creating a set of resources for an agent

In the KUMA web interface, an agent service is created based on the set of resources for an agent that unites connectors and destinations.

To create a set of resources for an agent in the KUMA web interface:

  1. In the KUMA web interface, under Resources → Agents, click Add agent.

    This opens a window for creating an agent with the Base settings tab active.

  2. Fill in the settings on the Base settings tab:
    • In the Agent name field, enter a unique name for the created service. The name must contain from 1 to 128 Unicode characters.
    • In the Tenant drop-down list, select the tenant that will own the storage.
    • If you want, select the Debug check box to log service operations.
    • You can optionally add up to 256 Unicode characters describing the service in the Description field.
  3. Create a connection for the agent by using the add button and switch to the added Connection <number> tab.

    You can delete tabs by using the cross button.

  4. In the Connector settings block, add a connector resource:
    • If you want to select an existing resource, select it from the drop-down list.
    • If you want to create a new resource, select it in the Create new drop-down list and define its settings:
      • Specify the connector name in the Name field. The name must contain from 1 to 128 Unicode characters.
      • In the Type drop-down list, select the connector type and define its settings on the Basic settings and Advanced settings tabs. The available settings depend on the selected type of connector:

        The agent type is determined by the connector that is used in the agent. The only exception is for agents with a destination of the diode type. These agents are considered to be diode agents.

        When using the tcp or udp connector type, at the normalization stage the IP addresses of the assets from which the events were received are written to the DeviceAddress event field if it is empty.

    • You can optionally add up to 256 Unicode characters describing the resource in the Description field.

    The connector resource is added to the selected connection of the agent's set of resources. The created resource is only available in this resource set and is not displayed in the web interface under Resources → Connectors.

  5. In the Destinations settings block, add resources of destinations.
    • If you want to select an existing resource, select it from the drop-down list.
    • If you want to create a new resource, select it in the Create new drop-down list and define its settings:
      • Specify the destination name in the Name field. The name must contain from 1 to 128 Unicode characters.
      • In the Type drop-down list, select the destination type and define its settings on the Basic settings and Advanced settings tabs. The available settings depend on the selected type of destination:
        • nats—used for NATS communications.
        • tcp—used for communications over TCP.
        • http—used for HTTP communications.
        • diode—used to transmit events using a data diode.
        • kafka—used for Kafka communications.
        • file—used for writing to a file.
    • You can optionally add up to 256 Unicode characters describing the resource in the Description field.

      The advanced settings for an agent destination (such as TLS mode and compression) must match the advanced destination settings for the collector that you want to link to the agent.

    There can be more than one destination point. You can add them by clicking the Add destination button and can remove them by clicking the cross button.

  6. Repeat steps 3–5 for each agent connection that you want to create.
  7. Click Save.

The set of resources for the agent is created and displayed under Resources → Agents. Now you can create an agent service in KUMA.

[Topic 217718]

Creating an agent service in the KUMA web interface

When a set of resources is created for an agent, you can proceed to create an agent service in KUMA.

To create an agent service in the KUMA web interface:

  1. In the KUMA web interface, under Resources → Active services, click Add service.
  2. In the opened Choose a service window, select the set of resources that was just created for the agent and click Create service.

The agent service is created in the KUMA web interface and is displayed under Resources → Active services. Now agent services must be installed to each asset from which you want to forward data to the collector. A service ID is used during installation.

[Topic 221392]

Installing an agent in a KUMA network infrastructure

When an agent service is created in KUMA, you can proceed to installation of the agent to the network infrastructure assets that will be used to forward data to a collector.

Prior to installation, verify the network connectivity of the system and open the ports used by its components.

In this section

Installing a KUMA agent on Linux assets

Installing a KUMA agent on Windows assets

[Topic 217719]

Installing a KUMA agent on Linux assets

To install a KUMA agent to a Linux asset:

  1. Log in to the server where you want to install the service.
  2. Create the following directories:
    • /opt/kaspersky/kuma/
    • /opt/kaspersky/agent/
  3. Copy the "kuma" file to the /opt/kaspersky/kuma/ folder. The file is located in the installer in the /kuma-ansible-installer/roles/kuma/files/ folder.

    Make sure the kuma file has execute permissions.

  4. Execute the following command:

    sudo /opt/kaspersky/kuma/kuma agent --core https://<KUMA Core server FQDN>:<port used by KUMA Core server for internal communication (port 7210 by default)> --id <service ID copied from the KUMA web interface> --wd <path to the directory that will contain the files of the installed agent. If this flag is not specified, the files will be stored in the directory where the kuma file is located>

    Example: sudo /opt/kaspersky/kuma/kuma agent --core https://kuma.example.com:7210 --id XXXX --wd /opt/kaspersky/kuma/agent/XXXX

The KUMA agent is installed on the Linux asset. The agent forwards data to KUMA, and you can set up a collector to receive this data.

[Topic 221396]

Installing a KUMA agent on Windows assets

Prior to installing a KUMA agent to a Windows asset, the server administrator must create a user account with the EventLogReaders and Log on as a service permissions on the Windows asset. This user account must be used to start the agent.

To install a KUMA agent to a Windows asset:

  1. Copy the kuma.exe file to a folder on the Windows asset. The C:\Users\<User name>\Desktop\KUMA folder is recommended for installation.

    The kuma.exe file is located inside the installer in the /kuma-ansible-installer/roles/kuma/files/ folder.

  2. Start the Command Prompt on the Windows asset with Administrator privileges and locate the folder containing the kuma.exe file.
  3. Execute the following command:

    kuma agent --core https://<fully qualified domain name of the KUMA Core server>:<port used by the KUMA Core server for internal communications (port 7210 by default)> --id <ID of the agent service that was created in KUMA> --user <name of the user account used to run the agent, including the domain> --install

    Example: kuma agent --core https://kuma.example.com:7210 --id XXXXX --user domain\username --install

    You can get help information by executing the kuma help agent command.

  4. Enter the password of the user account used to run the agent.

The C:\Program Files\Kaspersky Lab\KUMA\agent\<Agent ID> folder is created in which the KUMA agent service is installed. The agent forwards Windows events to KUMA, and you can set up a collector to receive them.

When the agent service is installed, it starts automatically. The service is also configured to restart in case of any failures. The agent can be restarted from the KUMA web interface, but only when the service is active. Otherwise, the service needs to be manually restarted on the Windows asset.

Removing a KUMA agent from Windows assets

To remove a KUMA agent from a Windows asset:

  1. Start the Command Prompt on the Windows machine with Administrator privileges and locate the folder with the kuma.exe file.
  2. Run any of the commands below:

The specified KUMA agent is removed from the Windows asset. Windows events are no longer sent to KUMA.

When configuring services, you can test the configuration for errors before installation by running the agent with the following command: kuma agent --core https://<fully qualified domain name of the KUMA Core server>:<port used by the KUMA Core server for internal communications (port 7210 by default)> --id <ID of the agent service that was created in KUMA> --user <name of the user account used to run the agent, including the domain>.

[Topic 221395]

Automatically created agents

When creating a collector with wec or wmi connectors, agents are automatically created for receiving Windows events.

Automatically created agents have the following special conditions:

  • Automatically created agents can have only one connection.
  • Automatically created agents are displayed under Resources → Agents, and auto created is indicated at the end of their name. Agents can be reviewed or deleted.
  • The settings of automatically created agents are defined automatically based on the collector settings in the Connect event sources and Transport sections. You can change these settings only in the collector for which the agent was created.
  • The description of an automatically created agent is taken from the collector description in the Connect event sources section.
  • Debugging of an automatically created agent is enabled and disabled in the Connect event sources section of the collector.
  • When deleting a collector with an automatically created agent, you will be prompted to choose whether to delete the collector together with the agent or to just delete the collector. When deleting only the collector, the agent will become available for editing.
  • When deleting automatically created agents, the type of collector changes to http, and the connection address is deleted from the URL field of the collector.

In the KUMA interface, automatically created agents appear at the same time when the collector is created. However, they must still be installed on the asset that will be used to forward a message.

[Topic 221407]

Update agents

When updating KUMA versions, the WMI and WEC agents installed on remote machines must also be updated.

To update the agent:

  1. Install the new agent on a remote machine.

    The agent has been updated, but no data is coming from it due to an invalid certificate.

  2. In the KUMA web interface, under Resources → Active services, reset the certificate of the agent being upgraded.
  3. On the remote machine with the installed agent, start the "KUMA Windows Agent <service ID>" service.

    For more information on Windows services, see the documentation for your version of Windows.

The agent and its certificates have been updated.

[Topic 222245]

Creating a storage

A storage consists of two parts: one part is created inside the KUMA web interface, and the other part is installed on network infrastructure servers intended for storing events. The server part of a KUMA storage consists of ClickHouse nodes collected into a cluster.

For each ClickHouse cluster, a separate storage must be installed.

Prior to storage creation, carefully plan the structure of the cluster and deploy the necessary network infrastructure. When choosing a ClickHouse cluster configuration, consider the specific event storage requirements of your organization.

It is recommended to use ext4 as the file system.

A storage is created in several steps:

  1. Creating a set of resources for a storage in the KUMA web interface
  2. Creating a storage service in the KUMA web interface
  3. Installing storage nodes in the KUMA network infrastructure

When creating storage cluster nodes, verify the network connectivity of the system and open the ports used by the components.

In this section

Creating a set of resources for a storage

Creating a storage service in the KUMA web interface

Installing a storage in the KUMA network infrastructure

[Topic 218011]

Creating a set of resources for a storage

In the KUMA web interface, a storage service is created based on the set of resources for the storage.

To create a set of resources for a storage in the KUMA web interface:

  1. In the KUMA web interface, under Resources → Storages, click Add storage.

    The storage creation window opens.

  2. In the Storage name field, enter a unique name for the service you are creating. The name must contain from 1 to 128 Unicode characters.
  3. In the Tenant drop-down list, select the tenant that will own the storage.
  4. You can optionally add up to 256 Unicode characters describing the service in the Description field.
  5. In the Default retention period, days field, enter the necessary time period for storing events in the cluster.
  6. In the Audit retention period, days field, enter the necessary time period for storing audit events. The minimum and default value is 365 days.
  7. If necessary, use the Add space button to add space to the storage. There can be multiple spaces. You can delete spaces by clicking the Delete space button. After creating the space, you will be able to view and delete spaces in the storage resource settings.

    Available settings:

    • In the Name field, specify a name for the space. This name can contain from 1 to 128 Unicode characters.
    • In the Retention period, days field, specify the number of days to store events in the cluster.
    • In the Filter section, you can specify conditions to identify events that will be put into this space. You can select an existing filter resource from the drop-down list, or select Create new to create a new filter.

      Creating a filter in resources

      1. In the Filter drop-down list, select Create new.
      2. If you want to keep the filter as a separate resource, select the Save filter check box.

        In this case, you will be able to use the created filter in various services.

        This check box is cleared by default.

      3. If you selected the Save filter check box, enter a name for the created filter resource in the Name field. The name must contain from 1 to 128 Unicode characters.
      4. In the Conditions settings block, specify the conditions that the events must meet:
        1. Click the Add condition button.
        2. In the Left operand and Right operand drop-down lists, specify the search parameters.

          Depending on the data source selected in the Right operand field, you may see fields of additional parameters that you need to use to define the value that will be passed to the filter. For example, when choosing active list you will need to specify the name of the active list, the entry key, and the entry key field.

        3. In the operator drop-down list, select the relevant operator.

          Filter operators

          • =—the left operand equals the right operand.
          • <—the left operand is less than the right operand.
          • <=—the left operand is less than or equal to the right operand.
          • >—the left operand is greater than the right operand.
          • >=—the left operand is greater than or equal to the right operand.
          • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
          • contains—the left operand contains values of the right operand.
          • startsWith—the left operand starts with one of the values of the right operand.
          • endsWith—the left operand ends with one of the values of the right operand.
          • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
          • hasBit—checks whether the left operand (string or number) contains bits whose positions are listed in the right operand (in a constant or in a list).
          • hasVulnerability—checks whether the left operand contains an asset with the vulnerability and vulnerability severity specified in the right operand.
          • inActiveList—this operator has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
          • inDictionary—checks whether the specified dictionary contains an entry defined by the key composed with the concatenated values of the selected event fields.
          • inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
          • inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
          • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
        4. If necessary, select the do not match case check box. When this check box is selected, the operator ignores the case of the values.

          The selection of this check box does not apply to the inSubnet, inActiveList, inCategory, or inActiveDirectoryGroup operators.

          This check box is cleared by default.

        5. If you want to add a negative condition, select If not from the If drop-down list.
        6. You can add multiple conditions or a group of conditions.
      5. If you have added multiple conditions or groups of conditions, choose a search condition (and, or, not) by clicking the AND button.
      6. If you want to add existing filters that are selected from the Select filter drop-down list, click the Add filter button.

        You can view the nested filter settings by clicking the edit button.
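As an added illustration of how the filter operators, the do not match case check box, the If not negation, and the and/or/not grouping described above combine into space filters that decide where an event is stored and for how long. This is example code, not KUMA's implementation: the field names, spaces, and events are constructed, Python's re module stands in for RE2, and the hasBit rule (every listed bit position must be set) is an assumption.

```python
import ipaddress
import operator as ops
import re
from dataclasses import dataclass

# Operators to which the "do not match case" check box does not apply.
CASE_EXEMPT = {"inSubnet", "inActiveList", "inCategory", "inActiveDirectoryGroup"}
_CMP = {"<": ops.lt, "<=": ops.le, ">": ops.gt, ">=": ops.ge}

@dataclass
class Condition:
    left: str                   # event field used as the left operand
    operator: str               # operator name from the list above
    right: object               # constant or list of constants (right operand)
    ignore_case: bool = False   # the "do not match case" check box
    negate: bool = False        # "If not" chosen in the If drop-down list

@dataclass
class Filter:
    items: list                 # Condition objects or nested Filter objects
    logic: str = "and"          # and / or / not, as toggled in step 5

def _as_list(v):
    return list(v) if isinstance(v, (list, tuple, set)) else [v]

def evaluate(cond, event):
    """True if one condition holds for the event (a dict of field -> value)."""
    left = event.get(cond.left)
    if left is None:                 # field absent: the condition cannot hold
        return cond.negate
    ic = cond.ignore_case and cond.operator not in CASE_EXEMPT
    raw_rights = _as_list(cond.right)
    rights = raw_rights
    if ic:
        left = left.lower() if isinstance(left, str) else left
        rights = [r.lower() if isinstance(r, str) else r for r in raw_rights]
    op = cond.operator
    if op == "=":
        result = left in rights
    elif op in _CMP:
        result = _CMP[op](left, rights[0])
    elif op == "inSubnet":
        addr = ipaddress.ip_address(left)
        result = any(addr in ipaddress.ip_network(r, strict=False) for r in rights)
    elif op == "contains":
        result = any(r in left for r in rights)
    elif op == "startsWith":
        result = any(left.startswith(r) for r in rights)
    elif op == "endsWith":
        result = any(left.endswith(r) for r in rights)
    elif op == "match":
        # Python's re stands in for RE2; the sample patterns use only shared syntax.
        flags = re.IGNORECASE if ic else 0
        result = any(re.search(p, str(event[cond.left]), flags) for p in raw_rights)
    elif op == "hasBit":
        # Assumption: every bit position listed in the right operand must be set.
        result = all((int(left) >> int(pos)) & 1 for pos in rights)
    else:
        raise ValueError(f"operator not modelled in this example: {op}")
    return (not result) if cond.negate else bool(result)

def matches(flt, event):
    """Combine conditions and nested filters with the filter's and/or/not logic."""
    results = [matches(i, event) if isinstance(i, Filter) else evaluate(i, event)
               for i in flt.items]
    if flt.logic == "and":
        return all(results)
    if flt.logic == "or":
        return any(results)
    if flt.logic == "not":
        return not any(results)
    raise ValueError(f"unknown logic: {flt.logic}")

def route(event, spaces, default_retention=30):
    """First space (name, retention days, filter) whose filter matches wins;
    otherwise the storage's default retention period applies."""
    for name, retention, flt in spaces:
        if matches(flt, event):
            return name, retention
    return "default", default_retention

# Constructed sample spaces and events (field names follow KUMA's normalized style).
SPACES = [
    ("dmz-web", 90, Filter([
        Condition("SourceAddress", "inSubnet", "203.0.113.0/24"),
        Condition("DeviceProduct", "startsWith", "nginx", ignore_case=True)])),
    ("auth-failures", 365, Filter([
        Condition("Name", "match", r"failed|denied"),
        Condition("EventOutcome", "=", "failure")], logic="or")),
]
EVENTS = [
    {"SourceAddress": "203.0.113.7", "DeviceProduct": "NGINX/1.24", "Name": "GET /"},
    {"SourceAddress": "10.0.0.5", "DeviceProduct": "sshd", "Name": "Authentication failed"},
    {"SourceAddress": "10.0.0.8", "DeviceProduct": "sshd", "Name": "session opened",
     "EventOutcome": "success"},
]

def demo():
    return [route(e, SPACES) for e in EVENTS]
```

The order of spaces matters in this model: the first matching filter decides the retention period, so a broad filter placed before a narrow one silently captures the narrow one's events. Checking a representative event set against the space list, as demo() does, is a cheap way to confirm the intended routing before events start landing in the cluster.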

The set of resources for the storage is created and is displayed under Resources → Storages. Now you can create a storage service.


Creating a storage service in the KUMA web interface

When a set of resources is created for a storage, you can proceed to create a storage service in KUMA.

To create a storage service in the KUMA web interface:

  1. In the KUMA web interface, under Resources → Active services, click Add service.
  2. In the opened Choose a service window, select the set of resources that you just created for the storage and click Create service.

The storage service is created in the KUMA web interface and is displayed under Resources → Active services. Now the storage service must be installed on each node of the ClickHouse cluster by using the service ID.


Installing a storage in the KUMA network infrastructure

To create a storage:

  1. Log in to the server where you want to install the service.
  2. Create the /opt/kaspersky/kuma/ folder.
  3. Copy the "kuma" file to the /opt/kaspersky/kuma/ folder. The file is located in the installer in the /kuma-ansible-installer/roles/kuma/files/ folder.

    Make sure the kuma file has sufficient rights to run.

  4. Execute the following command:

    sudo /opt/kaspersky/kuma/kuma storage --core https://<KUMA Core server FQDN>:<port used by KUMA Core for internal communication (port 7210 by default)> --id <service ID copied from the KUMA web interface> --install

    Example: sudo /opt/kaspersky/kuma/kuma storage --core https://kuma.example.com:7210 --id XXXXX --install

    When deploying several KUMA services on the same host, during the installation process you must specify unique ports for each component using the --api.port <port> parameter. The default value is --api.port 7221.

  5. Repeat steps 1–2 for each storage node.
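As an added helper for the procedure above (example code, not KUMA's own tooling): it assembles the step 4 command for a node, checks the execute permission mentioned in step 3, and detects --api.port collisions between several KUMA services on one host. The host names, service IDs and port assignments used in the checks are constructed placeholders.

```python
import os
import shlex
import stat
import tempfile

KUMA_BIN = "/opt/kaspersky/kuma/kuma"   # install location named in the procedure
CORE_PORT = 7210                        # default port for KUMA Core internal communication
DEFAULT_API_PORT = 7221                 # default --api.port of a storage service


def storage_install_command(core_fqdn, service_id, core_port=CORE_PORT,
                            api_port=None, kuma_bin=KUMA_BIN):
    """Assemble the step 4 install command for one node as a shell string."""
    if not core_fqdn or any(ch in core_fqdn for ch in "/: "):
        raise ValueError("core_fqdn must be a bare host name: no scheme, port or path")
    if not service_id or not service_id.strip():
        raise ValueError("the service ID copied from the KUMA web interface is required")
    argv = ["sudo", kuma_bin, "storage",
            "--core", f"https://{core_fqdn}:{core_port}",
            "--id", service_id.strip(), "--install"]
    if api_port is not None:            # only needed when the host runs several services
        argv += ["--api.port", str(api_port)]
    return shlex.join(argv)


def api_port_conflicts(host_services):
    """host_services maps host -> {service name: api port}.
    Returns (host, port, [services]) for each port shared by several services on one host."""
    conflicts = []
    for host, services in host_services.items():
        by_port = {}
        for name, port in services.items():
            by_port.setdefault(port, []).append(name)
        for port, names in sorted(by_port.items()):
            if len(names) > 1:
                conflicts.append((host, port, names))
    return conflicts


def ensure_executable(path):
    """Step 3: add the execute bits to the copied kuma file and confirm it can run."""
    mode = os.stat(path).st_mode
    os.chmod(path, mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return os.access(path, os.X_OK)


def demo_executable_check():
    """Exercise ensure_executable on a throwaway file; returns (before, after)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        before = os.access(path, os.X_OK)
        after = ensure_executable(path)
    finally:
        os.unlink(path)
    return before, after
```

Run api_port_conflicts over the planned service layout before installing anything: a storage and a collector that both keep the default --api.port on the same node will fail to coexist, and catching that in the plan is cheaper than untangling it on the host.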

The storage is installed.
