About Kaspersky Unified Monitoring and Analysis Platform
Kaspersky Unified Monitoring and Analysis Platform (hereinafter KUMA or "program") is an integrated software solution that includes the following set of functions:
- Receiving, processing, and storing information security events.
- Analysis and correlation of incoming data.
- Search within the obtained events.
- Creation of notifications upon detecting symptoms of information security threats.
The program is built on a microservice architecture. This means that you can create and configure the relevant microservices (hereinafter also "services"), which makes it possible to use KUMA both as a log management system and as a full-fledged SIEM system. In addition, flexible routing of data streams allows you to use third-party services for additional event processing.
What's new
- Deep integration with the Kaspersky Endpoint Detection and Response Expert (KEDR Expert). Integration is available only with a Symphony XDR license.
- Added integration with Kaspersky Industrial CyberSecurity for Networks in asset inventory and response scenarios.
- Expanded integration with Kaspersky Security Center.
- Expanded capabilities for an SQL search based on events in storage.
- Expanded capabilities of event collection components (collectors):
- Added enrichment with information about the region by IP address (GeoIP).
- Added capability of enrichment from dictionaries (tables) filled in manually in the web interface or via API.
- Added capability to adjust the time according to the time zone of the event source.
- Added computable variables to cover complex threat detection scenarios during event correlation.
- Added capability to collect events from an isolated segment containing a data diode when there is no possibility of transmitting network UDP packets.
- Added capability to configure custom templates and alert notification rules.
- Expanded analytics tools and added new widgets.
- Added asset audit function.
- Added sFlow traffic telemetry support for Juniper hardware. Similarly to Netflow, event data can be collected without limitations when using a license with an active Netflow module.
Distribution kit
The distribution kit includes the following files:
- kuma-ansible-installer-<build number>.tar.gz to install KUMA components;
- files containing information about the version (release notes) in Russian and English.
Hardware and software requirements
Recommended hardware requirements
The hardware listed below will ensure an event-processing capacity of 40,000 events per second. This figure depends on the type of parsed events and the efficiency of the parser. Note also that a larger number of cores is more efficient than a smaller number of cores running at a higher CPU frequency.
- Servers to install collectors:
- CPU: Intel or AMD with at least 4 cores (8 threads) and support for the SSE 4.2 instruction set or 8 vCPU (virtual processors).
- RAM: 16 GB
Each collector that uses geographic data event enrichment requires an additional amount of RAM equal to the size of the geographic database.
- Disk: 500 GB of available disk space mounted on /opt
- Servers to install correlators:
- CPU: Intel or AMD with at least 4 cores (8 threads) and support for the SSE 4.2 instruction set or 8 vCPU (virtual processors).
- RAM: 16 GB
- Disk: 500 GB of available disk space mounted on /opt
- Servers to install the Core:
- CPU: Intel or AMD with at least 4 cores (8 threads) and support for the SSE 4.2 instruction set or 4 vCPU (virtual processors).
- RAM: 16 GB
When importing geographic data, the server requires additional RAM equal to the size of the geographic database.
- Disk: 500 GB of available disk space mounted on /opt
- Servers to install storages:
- CPU: Intel or AMD with at least 12 cores (24 threads) and support for the SSE 4.2 instruction set, or 24 vCPU (virtual processors). SSE 4.2 support is mandatory.
- RAM: 48 GB
- Disk: 500 GB of available disk space mounted on /opt
To connect a data storage system to storage servers, you must use high-speed protocols (for example, Fibre Channel or iSCSI 10G). It is not recommended to connect storage systems using application-layer protocols (for example, NFS or SMB).
Using SSDs greatly improves cluster node indexing and search efficiency.
Locally mounted HDDs/SSDs are more efficient than external JBODs. RAID 0 is recommended for faster performance, while RAID 10 is recommended for redundancy.
To increase reliability, it is not recommended to deploy all cluster nodes on a single JBOD or single physical server (if virtual servers are used).
To increase efficiency, we recommend keeping all servers in a single data center.
Ext4 is the recommended file system for ClickHouse cluster servers.
- Machines to install Windows agents:
- Processor: single-core, 1.4 GHz or higher
- RAM: 512 MB
- Disk: 1 GB
- OS:
- Microsoft Windows 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows 10 (20H2, 21H1)
- Machines to install Linux agents:
- Processor: single-core, 1.4 GHz or higher
- RAM: 512 MB
- Disk: 1 GB
- OS:
- Ubuntu 20.04 LTS, 21.04
- Oracle Linux version 8.6
- Astra Linux Special Edition RUSB.10015-01 (2021-1126SE17 update 1.7.1)
- Installation in virtual environments is supported:
- VMware 6.5 or later
- Hyper-V for Windows Server 2012 R2 or later
- KVM QEMU version 4.2 or later
- Software package of virtualization tools "Brest" RDTSP.10001-02
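The minimums above are easy to misread when sizing a fleet, so the following preflight script, added here as an example and not part of KUMA or its installer, compares a host against the role minimums listed in this section (cores, RAM, free space on /opt, SSE 4.2). Role names, the threshold values and the probe commands are assumptions taken from the table above; only the server roles are covered, not agents.

```shell
#!/bin/sh
# Added example: preflight check of a Linux host against the KUMA server
# hardware minimums listed in "Recommended hardware requirements".
# Thresholds are taken from that table; this is not the product's own tooling.

# Minimum requirements per role: "<cores> <ram_gb> <opt_free_gb>"
role_minimums() {
  case "$1" in
    collector|correlator|core) echo "4 16 500" ;;
    storage)                   echo "12 48 500" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# has_sse42 "<flags line from /proc/cpuinfo>": succeeds if sse4_2 is listed
has_sse42() {
  case " $1 " in
    *" sse4_2 "*) return 0 ;;
    *)            return 1 ;;
  esac
}

# evaluate_host <role> <cores> <ram_gb> <opt_free_gb> "<cpu flags>"
# Prints one line per check and returns the number of failed checks
# (4 if the role is unknown).
evaluate_host() {
  role=$1; cores=$2; ram=$3; disk=$4; flags=$5
  mins=$(role_minimums "$role") || return 4
  set -- $mins
  failures=0
  if [ "$cores" -ge "$1" ] 2>/dev/null; then echo "ok   cpu cores: $cores (min $1)"
  else echo "FAIL cpu cores: $cores (min $1)"; failures=$((failures+1)); fi
  if [ "$ram" -ge "$2" ] 2>/dev/null; then echo "ok   RAM GB: $ram (min $2)"
  else echo "FAIL RAM GB: $ram (min $2)"; failures=$((failures+1)); fi
  if [ "$disk" -ge "$3" ] 2>/dev/null; then echo "ok   free GB on /opt: $disk (min $3)"
  else echo "FAIL free GB on /opt: $disk (min $3)"; failures=$((failures+1)); fi
  if has_sse42 "$flags"; then echo "ok   SSE 4.2 supported"
  else echo "FAIL SSE 4.2 not reported by the CPU"; failures=$((failures+1)); fi
  return $failures
}

# Probe the live host; every probe falls back to 0 / empty when unavailable
# so the script degrades to a report rather than aborting.
live_cores=$(nproc 2>/dev/null || echo 0)
live_ram=$(awk '/^MemTotal:/ {printf "%d", $2/1024/1024}' /proc/meminfo 2>/dev/null || echo 0)
live_disk=$(df -Pk /opt 2>/dev/null | awk 'NR==2 {printf "%d", $4/1024/1024}')
live_flags=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n 1)

# Usage: sh kuma-preflight.sh [collector|correlator|core|storage]
evaluate_host "${1:-collector}" "${live_cores:-0}" "${live_ram:-0}" "${live_disk:-0}" "$live_flags" \
  || echo "host does not meet the ${1:-collector} minimums ($? check(s) failed)"
```

The checks are deliberately separated from the probes: `evaluate_host` takes plain values, so the same logic can be run against inventory data exported from a CMDB before hardware is ordered, while the probe lines at the bottom report on the machine the script is run on. The GeoIP RAM surcharge mentioned above is not modelled; add the database size to the RAM figure by hand when the collector will use that enrichment.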
Software requirements
The Collector, Correlator, Core, and Storage components can be deployed only on Oracle Linux 8.6 or Astra Linux Special Edition (version RUSB.10015-01, 2021-1126SE17 update 1.7.1).
Network requirements
The network interface bandwidth must be at least 100 Mbps.
For KUMA to be able to process more than 20,000 events per second, ensure a data transfer speed of at least 10 Gbps between ClickHouse nodes.
Additional requirements
Computers used for the KUMA web interface:
- CPU: Intel Core i3 8th generation
- RAM: 8 GB
- Installed Google Chrome browser version 102 or later, or Mozilla Firefox browser version 103 or later.
KUMA interface
The program is managed through the web interface.
The window of the program web interface contains the following items:
- Sections in the left part of the program web interface window
- Tabs in the upper part of the program web interface window for some sections of the program
- Workspace in the lower part of the program web interface window
The workspace displays the information that you choose to view in the sections and on the tabs of the program web interface window. It also contains management elements that you can use to configure how the information is displayed.
While working with the program web interface, you can use hot keys to perform the following actions:
- In all sections: close the window that opens in the right side pane—Esc.
- In the Events section:
- Switch between events in the right side pane—↑ and ↓.
- Start a search (when focused on the query field)—Ctrl/Command + Enter.
- Save a search query—Ctrl/Command + S.
Compatibility with other applications
Kaspersky Endpoint Security for Linux
If the components of KUMA and Kaspersky Endpoint Security for Linux are installed on the same server, the report.db directory may grow very large and even take up the entire drive space. To avoid this problem, the following is recommended:
- Upgrade Kaspersky Endpoint Security for Linux to version 11.2 or later.
- Add the following directories to general exclusions and to on-demand scan exclusions:
- /opt/kaspersky/kuma/clickhouse/data/store/
- /opt/kaspersky/kuma/victoria-metrics/
- /var/lib/rsyslog/imjournal.state
For more details on scan exclusions, please refer to the Kaspersky Endpoint Security for Linux Online Help Guide.