Creating a storage

A storage consists of two parts: one part is created inside the KUMA web interface, and the other part is installed on network infrastructure servers intended for storing events. The server part of a KUMA storage consists of ClickHouse nodes collected into a cluster.

For each ClickHouse cluster, a separate storage must be installed.

Prior to storage creation, carefully plan the structure of the cluster and deploy the necessary network infrastructure. When choosing a ClickHouse cluster configuration, consider the specific event storage requirements of your organization.

It is recommended to use ext4 as the file system.

A storage is created in several steps:

1. Creating a set of resources for a storage in the KUMA web interface
2. Create a storage service in the KUMA web interface.
3. Installing storage nodes in the KUMA network infrastructure.

When creating storage cluster nodes, verify the network connectivity of the system and open the ports used by the components.

Creating a set of resources for a storage

In the KUMA web interface, a storage service is created based on the set of resources for the storage.

To create a set of resources for a storage in the KUMA web interface:

1. In the KUMA web interface, under Resources → Storages, click Add storage.

   The storage creation window opens.

2. In the Storage name field, enter a unique name for the service you are creating. The name must contain from 1 to 128 Unicode characters.
3. In the Tenant drop-down list, select the tenant that will own the storage.
4. You can optionally add up to 256 Unicode characters describing the service in the Description field.
5. In the Default retention period, days field, enter the necessary time period for storing events in the cluster.
6. In the Audit retention period, days field, enter the necessary time period for storing audit events. The minimum value and default value is 365.
7. If necessary, use the Add space button to add space to the storage. There can be multiple spaces. You can delete spaces by clicking the Delete space button. After creating the space, you will be able to view and delete spaces in the storage resource settings.

   Available settings:

   • In the Name field, specify a name for the space. This name can contain from 1 to 128 Unicode characters.
   • In the Retention period, days field, specify the number of days to store events in the cluster.
   • In the Filter section, you can specify conditions to identify events that will be put into this space. You can select an existing filter resource from the drop-down list, or select Create new to create a new filter.

     Creating a filter in resources

     1. In the Filter drop-down list, select Create new.
     2. If you want to keep the filter as a separate resource, select the Save filter check box.

        In this case, you will be able to use the created filter in various services.

        This check box is cleared by default.

     3. If you selected the Save filter check box, enter a name for the created filter resource in the Name field. The name must contain from 1 to 128 Unicode characters.
     4. In the Conditions settings block, specify the conditions that the events must meet:
        1. Click the Add condition button.
        2. In the Left operand and Right operand drop-down lists, specify the search parameters.

           Depending on the data source selected in the Right operand field, you may see fields of additional parameters that you need to use to define the value that will be passed to the filter. For example, when choosing active list you will need to specify the name of the active list, the entry key, and the entry key field.

        3. In the operator drop-down list, select the relevant operator.

           Filter operators

           • =—the left operand equals the right operand.
           • <—the left operand is less than the right operand.
           • <=—the left operand is less than or equal to the right operand.
           • >—the left operand is greater than the right operand.
           • >=—the left operand is greater than or equal to the right operand.
           • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
           • contains—the left operand contains values of the right operand.
           • startsWith—the left operand starts with one of the values of the right operand.
           • endsWith—the left operand ends with one of the values of the right operand.
           • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
           • hasBit—checks whether the left operand (string or number) contains bits whose positions are listed in the right operand (in a constant or in a list).
           • hasVulnerability—checks whether the left operand contains an asset with the vulnerability and vulnerability severity specified in the right operand.
           • inActiveList—this operator has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
           • inDictionary—checks whether the specified dictionary contains an entry defined by the key composed with the concatenated values of the selected event fields.
           • inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
           • inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
           • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
        4. If necessary, select the do not match case check box. When this check box is selected, the operator ignores the case of the values.

           The selection of this check box does not apply to the InSubnet, InActiveList, InCategory or InActiveDirectoryGroup operators.

           This check box is cleared by default.

        5. If you want to add a negative condition, select If not from the If drop-down list.
        6. You can add multiple conditions or a group of conditions.
     5. If you have added multiple conditions or groups of conditions, choose a search condition (and, or, not) by clicking the AND button.
     6. If you want to add existing filters that are selected from the Select filter drop-down list, click the Add filter button.

        You can view the nested filter settings by clicking the button.

The set of resources for the storage is created and is displayed under Resources → Storages. Now you can create a storage service.

Creating a storage service in the KUMA web interface

When a set of resources is created for a storage, you can proceed to create a storage service in KUMA.

To create a storage service in the KUMA web interface:

1. In the KUMA web interface, under Resources → Active services, click Add service.
2. In the opened Choose a service window, select the set of resources that you just created for the storage and click Create service.

The storage service is created in the KUMA web interface and is displayed under Resources → Active services. Now storage services must be installed to each node of the ClickHouse cluster by using the service ID.

Installing a storage in the KUMA network infrastructure

To create a storage:

1. Log in to the server where you want to install the service.
2. Create the /opt/kaspersky/kuma/ folder.
3. Copy the "kuma" file to the /opt/kaspersky/kuma/ folder. The file is located in the installer in the /kuma-ansible-installer/roles/kuma/files/ folder.

   Make sure the kuma file has sufficient rights to run.

4. Execute the following command:

   sudo /opt/kaspersky/kuma/kuma storage --core https://<KUMA Core server FQDN>:<port used by KUMA Core for internal communication (port 7210 by default)> --id <service ID copied from the KUMA web interface> --install

   Example: sudo /opt/kaspersky/kuma/kuma storage --core https://kuma.example.com:7210 --id XXXXX --install

   When deploying several KUMA services on the same host, during the installation process you must specify unique ports for each component using the --api.port <port> parameter. The following setting values are used by default: --api.port 7221.

5. Repeat steps 1–2 for each storage node.

The storage is installed.