Working in hierarchy mode
When multiple KUMA instances are deployed in various organizations, they may be merged into a hierarchical structure. Interaction between parent and child instances of KUMA (or nodes) provides the following capabilities:
- Child KUMA nodes relay data on other descendant nodes to parent KUMA nodes. This enables the parent node to see its entire branch of the hierarchical tree.
- Parent KUMA nodes receive data on incidents from descendant nodes, and can also receive data on incident-related alerts and events if the corresponding settings are enabled in a child node.
- Child KUMA nodes do not receive information about upstream nodes, except information about their parent KUMA node.
Parent and child nodes interact via API. Authentication relies on self-signed certificates, which the administrators of the parent and child organization must exchange over an encrypted channel when they connect to each other.
One parent node can have more than one child node. A child node can be connected to only one parent node. A parent node cannot be a child node of its descendants.
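The rules above determine who ends up seeing whose incidents, so it is worth checking a planned hierarchy before any certificates are exchanged. The following is an added example, not KUMA code or a KUMA API: it validates a plan against the tree rules and lists, per node, which organizations receive its incidents and which nodes it can see. The organization names and all function names are made up for illustration.

```python
from collections import defaultdict

def check_plan(links):
    """links: (parent, child) pairs. Returns (parent_of, problems); no problems = valid tree."""
    parent_of, problems = {}, []
    for parent, child in links:
        if parent == child:
            problems.append(f"{child}: cannot be its own parent")
        elif child in parent_of:  # a child node connects to only one parent
            problems.append(f"{child}: already has parent {parent_of[child]}")
        else:
            parent_of[child] = parent
    for start in parent_of:  # walk upward; arriving back at start means a cycle
        seen, node = {start}, parent_of[start]
        while node is not None and node not in seen:
            seen.add(node)
            node = parent_of.get(node)
        if node == start:
            problems.append(f"{start}: cyclical structure, node is its own ancestor")
    return parent_of, problems

def incident_recipients(node, parent_of):
    """Every ancestor, nearest first; all of them receive this node's incidents.
    Call only on a plan that check_plan() reported no problems for."""
    chain = []
    while node in parent_of:
        node = parent_of[node]
        chain.append(node)
    return chain

def visible_to(node, parent_of):
    """What a node learns about: its direct parent plus all of its descendants."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    found, stack = [], [node]
    while stack:
        for child in children[stack.pop()]:
            found.append(child)
            stack.append(child)
    return sorted(found + ([parent_of[node]] if node in parent_of else []))

# Constructed sample plan (organization names are made up).
PLAN = [("HQ", "RegionEast"), ("HQ", "RegionWest"),
        ("RegionEast", "BranchA"), ("RegionEast", "BranchB")]

if __name__ == "__main__":
    tree, problems = check_plan(PLAN)
    print("BranchA incidents reach:", incident_recipients("BranchA", tree))
    print("BranchA can see:", visible_to("BranchA", tree))
    print("Cyclic plan:", check_plan(PLAN + [("BranchA", "HQ")])[1])
```

In the sample plan, BranchA's incidents reach both RegionEast and HQ, while BranchA itself sees only RegionEast.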
General administrator users can configure hierarchy mode in the KUMA web interface under Settings → Hierarchy:
- On the Node profile tab, you can configure the profile of your node, create a certificate, and enable or disable hierarchy mode.
- On the Structure tab, you can view your available branch of the hierarchical tree, change the connected nodes, or disconnect them.
- You can connect parent and child nodes on either of these tabs.
Incidents of child nodes can be viewed by users of all roles in the KUMA web interface under Incidents. In incidents, you can obtain information about their related alerts, events, assets, and users.
Enabling hierarchy mode for the first time
When enabling hierarchy mode for the first time, you must complete the profile of your node.
To complete the profile of your node:
- In the KUMA web interface, open Settings → Hierarchy → Node profile.
- In the Organization name field, indicate the name of your company (1–128 characters). This name will be used for the name of your node in the hierarchy.
To change the organization name, you will have to regenerate the certificate of your node and replace it on the nodes that you are connected to.
- In the FQDN field, specify the FQDN of your node.
- If necessary, use the Proxy drop-down list to select the proxy server resource that should be used to communicate with other nodes. You can create a proxy server by using the button. The selected proxy server can be changed by clicking the button.
The user account credentials entered into the proxy server URL can contain only the following characters: letters of the English alphabet, numbers, and special characters ("-", ".", "_", ":", "~", "!", "$", "&", "\", "(", ")", "*", "+", ",", ";", "=", "%", "@"). The URL in the proxy server resource is indicated by using the secret resource, which is selected from the Use URL from the secret drop-down list.
- Click Generate certificate.
The profile of your KUMA node is complete and hierarchy mode is enabled. When hierarchy mode is enabled, a certificate is automatically created for authentication of your node. You can use the icon to download the certificate and then forward it to other nodes over an encrypted channel to create a connection between these nodes.
Creating a node certificate
Nodes in the hierarchy are authenticated using self-signed certificates of the nodes. A certificate contains the name of the organization and its FQDN.
The certificate is created when hierarchy mode is enabled, but you can also recreate a certificate if necessary. The certificate must be recreated whenever you change the name of a node or its FQDN.
To create a node certificate:
- In the KUMA web interface, open Settings → Hierarchy → Node profile.
You will see a window containing the settings of your node in the hierarchy.
- Click the Generate certificate button.
The certificate creation window opens.
- In the FQDN field, specify the FQDN of your node.
- In the Organization name field, indicate the name of your company (1–128 characters). This name will be used for the name of your node in the hierarchy.
- Close the window by clicking Save.
The node certificate will be created and can be downloaded by clicking the icon. Then it can be transferred to other nodes over an encrypted channel to create a connection between these nodes.
Connecting nodes into a hierarchical structure
Prior to connecting nodes, you should make sure that they have hierarchy mode enabled, their node profiles have been configured, and certificates have been created for the nodes. Parent and child nodes must exchange their certificates over encrypted communication channels.
Connection of nodes in a hierarchy consists of the following steps:
- The child node connects to the parent node.
- The parent node connects the child node.
Prior to connecting nodes, make sure that the system time on the machines is synchronized with the NTP server. For more details, please refer to the appropriate documentation for Oracle Linux and for Astra Linux Special Edition.
When a connection is established, the parent node polls its child nodes for their available hierarchy data every 5 minutes, and thereby identifies the structure of its available branch of the hierarchical tree. This data is displayed in the KUMA web interface under Settings → Hierarchy → Structure after the web page is refreshed.
Information about the hierarchical structure can be manually refreshed by using the Update structure button. To display the updated data, you must refresh the page of your web browser.
Connecting to a parent node
To connect to a parent node:
- In the KUMA web interface, open Settings → Hierarchy and click the Add parent node button.
The Connect to parent node window opens.
- Use the Upload certificate button to upload the certificate to KUMA.
The window will display a description of the certificate and indicate the organization that issued it and its FQDN.
- If necessary, use the Port field to specify the port used for accessing the parent node.
- Click Save.
You are now connected to the parent node. It can now add your node as a child node so that it will receive data on your child nodes and view your incidents.
Connecting a child node
If you connected a parent node, you will be able to add child nodes only after your parent node adds you as a child node. Prior to connecting a child node, make sure that it has added your node as the parent node.
To connect a child node:
- In the KUMA web interface, open Settings → Hierarchy and click the Add child node button.
The Connect to child node window opens.
- Use the Upload certificate button to upload the certificate of the child node to KUMA.
The window will display a description of the certificate and indicate the organization that issued it and its FQDN.
- If necessary, use the Port field to specify the port used for accessing the child node.
- Click Save.
The child node is added and displayed on the Settings → Hierarchy → Structure tab. This tab also displays the descendants of the child node. You can view the incidents of your child nodes and their descendants.
Disconnecting a node
You can disconnect from a parent node or child node. However, it is impossible to disconnect from nodes that are descendants of your child nodes.
To disconnect from a node:
- In the KUMA web interface, open Settings → Hierarchy and select the Structure tab.
The hierarchical structure will be displayed.
- Select the node that you want to disconnect from.
The right side of the window will display the details area containing information about this node.
- Click Disconnect.
You have disconnected from the node. If you have disconnected from a parent node, it will no longer receive information about your child nodes and incidents. If you have disconnected from a child node, you will no longer receive information about its child nodes and its incidents.
Changing a node
If the name and/or FQDN of a node has changed, this node must reissue a certificate. Then the procedure for connecting the nodes must be repeated. Outdated nodes must be disconnected.
The port for connecting to nodes can be changed in the details area of the node without reissuing a certificate.
To change the settings for connecting to a node:
- In the KUMA web interface, open the Structure tab under Settings → Hierarchy and select the relevant node.
The right side of the window will display the details area of the node.
- In the Port field, enter the required port.
- Change the settings for email notifications regarding incidents on the child node:
- If you need to disable notifications, clear the Monitoring incidents check box.
- If you need to enable notifications, select the Monitoring incidents check box and use the input field to add the necessary email addresses.
To send email notifications, you need to configure a connection to the SMTP server.
- Click Save.
The node connection settings have been changed.
Errors when connecting nodes
Errors that occur when connecting nodes may be incompletely displayed in the KUMA web interface. You can use the developer's console of your browser to view the full server report.
The table below lists the errors that may arise when connecting KUMA nodes into a hierarchy, and includes recommendations on resolving those errors.
Errors that occur when establishing a connection to a node are displayed in pop-up windows in the lower part of the screen. Errors in already connected nodes can be viewed in the KUMA web interface under Settings → Hierarchy → Structure. The error text is displayed when you move your mouse cursor over the red triangle icon next to the node that encountered the error.
| Error message | Possible cause of the error | Recommended remediation |
|---|---|---|
| | Connection refused. There was an attempt to add a child node that did not add the certificate of the parent node. | |
| | You cannot generate a cyclical structure out of KUMA nodes. | Make sure that the hierarchical structure you are creating is a tree structure. |
| | Invalid certificate. | You must check the certificate file. |
| | Connection could not be established due to exceeded response timeout. | Verify that the child node machine is running. |
| | Connection refused due to invalid certificate. | |
| | Connection refused due to invalid certificate. | Make sure that the parent node certificate is valid. |
| | Child node certificate contains a non-existent FQDN. | Make sure that the child node certificate is valid. |
| | This node already exists within the structure. | Check the hierarchical structure that you are trying to build. |
| | | Do not connect a parent node that is already a child node within this hierarchy. |
| | Child node deleted the parent. | The child node must connect the parent node. |
| | Invalid ports are indicated in node connection settings. | Make sure that the correct port is indicated in the node settings and that a valid certificate is being used. |
| | Connecting to a node using wrong proxy server settings. | Make sure correct proxy server settings are used. |
Viewing your own branch of the hierarchy and available nodes
In the KUMA web interface, under Settings → Hierarchy, select the Structure tab to view your branch of the hierarchical tree extending from the parent node to all descendants of its child nodes. Your node in the hierarchy is highlighted in green.
When you click a node of the branch, the right side of the window shows the node details area in which you can do the following:
- Change the port for connecting to the parent node or child node.
- Disable a parent node or child node.
- Change the settings of email notifications regarding incidents for child nodes and their descendants.
Editing a node profile
You can modify the profile settings of your node.
To change the settings of your node:
- In the KUMA web interface, open Settings → Hierarchy → Node profile.
- If necessary, use the Proxy drop-down list to select the proxy server resource that should be used to communicate with other nodes. You can create a proxy server by using the button. The selected proxy server can be changed by clicking the button.
The user account credentials entered into the proxy server URL can contain only the following characters: letters of the English alphabet, numbers, and special characters ("-", ".", "_", ":", "~", "!", "$", "&", "\", "(", ")", "*", "+", ",", ";", "=", "%", "@"). The URL in the proxy server resource is indicated by using the secret resource, which is selected from the Use URL from the secret drop-down list.
- If necessary, use the Port field to enter the port used for accessing your node. Make sure that access to the port is open.
- If necessary, use the Timeout field to indicate how many seconds to wait for a response from nodes when attempting a connection. The default value is 60.
- If necessary, select or clear the following check boxes: Do not include events to the incidents relayed to parent nodes or Do not include alerts to the incidents relayed to parent nodes. These check boxes are cleared by default.
- Click Save.
The settings of your node are changed.
If you want to change the FQDN or name of your node, regenerate a certificate for the node.
Viewing incidents from child nodes
If hierarchy mode is enabled, you can view the Incidents section to inspect the incidents that were created on child nodes and their descendants. The incidents table displays the Branch column, which can be used to filter incidents based on the nodes in which they were created. By default, the incidents table displays the incidents that were created on your node.
To select the nodes whose incidents you want to view:
- In the KUMA web interface, open the Incidents section.
- Click the header of the Branch column and click the icon in the opened window.
The right side of the window will display the details area containing the hierarchical structure of the organization. You can use the button to expand or collapse all branches of the structure, or select all KUMA nodes.
- Select the relevant nodes and click Save.
The incidents table displays the incidents that were created on the nodes that you selected.
When you click an incident, a window opens with detailed information about the incident. The data is read-only. An incident from another node cannot be edited or processed.
Special considerations when viewing data on an incident created on a different node:
- The Related alerts section of the incident window contains information only if the child node is configured to forward data on incident-related alerts to the parent node.
When you click on the name of an incident-related alert, a window opens with detailed information about this alert. This data is also read-only. An alert from another node cannot be edited or processed.
- The Related events section in the window of an alert related to an incident of another node contains information only if the child node is configured to forward data on incident-related events to the parent node.
In this case, you can use the Find in events button to open the events table and search for relevant events. However, you cannot select the storage, and there are limitations applied to SQL queries when searching events in drilldown analysis mode. This mode employs data enrichment (for example, using Kaspersky Threat Intelligence Portal, Kaspersky CyberTrace or Active Directory). The results of Kaspersky Threat Intelligence Portal data enrichment performed on child nodes are not available on parent nodes.
Enabling and disabling hierarchy mode
To enable or disable hierarchy mode:
- In the KUMA web interface, open Settings → Hierarchy → Node profile.
- Enable or disable hierarchy mode:
- If you want to enable hierarchy mode, clear the Disabled check box.
- If you want to disable hierarchy mode, select the Disabled check box.
- Click Save.
Hierarchy mode will be enabled or disabled according to your selection.