Asset audit
KUMA can be configured to generate asset audit events under the following conditions:
- Asset was added to KUMA. The application monitors manual asset creation, as well as creation during import via the REST API and during import from Kaspersky Security Center or KICS for Networks.
- Asset parameters have been changed. A change in the value of the following asset fields is monitored:
  - Name
  - IP address
  - MAC address
  - FQDN
  - Operating system
  Fields may be changed when an asset is updated during import.
- Asset was deleted from KUMA. The program monitors manual deletion of assets, as well as automatic deletion of assets imported from Kaspersky Security Center and KICS for Networks, whose data is no longer being received.
- Vulnerability info was added to the asset. The program monitors the appearance of new vulnerability data for assets. Information about vulnerabilities can be added to an asset, for example, when importing assets from Kaspersky Security Center or KICS for Networks.
- Asset vulnerability was resolved. The program monitors the removal of vulnerability information from an asset. A vulnerability is considered to be resolved if data about this vulnerability is no longer received from any sources from which information about its occurrence was previously obtained.
- Asset was added to a category. The program monitors the assignment of an asset category to an asset.
- Asset was removed from a category. The program monitors the deletion of an asset from an asset category.
Asset audit events can be sent to storage or to correlators, for example.
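The conditions listed above, modelled as a diff between two asset inventory snapshots. This is an added example, not KUMA code: the snapshot layout, condition names, source labels and sample assets are constructed for illustration. It shows in particular that a vulnerability counts as resolved only when no source that previously reported it still does.

```python
# Illustrative model of the conditions above; not KUMA code. The snapshot
# layout, condition names and sample assets are constructed for this example.
MONITORED = ("name", "ip", "mac", "fqdn", "os")  # the five fields the page lists

def reported(asset):
    """Vulnerability IDs that at least one source still reports for the asset."""
    return {v for v, sources in asset.get("vulns", {}).items() if sources}

def audit_events(before, after):
    """Diff two inventory snapshots into (condition, asset_id, detail) tuples."""
    events = [("asset_added", a, None) for a in sorted(after.keys() - before.keys())]
    events += [("asset_deleted", a, None) for a in sorted(before.keys() - after.keys())]
    for aid in sorted(before.keys() & after.keys()):
        old, new = before[aid], after[aid]
        events += [("asset_changed", aid, f) for f in MONITORED if old.get(f) != new.get(f)]
        events += [("vulnerability_added", aid, v) for v in sorted(reported(new) - reported(old))]
        # Resolved only once every source that reported the vulnerability has stopped.
        events += [("vulnerability_resolved", aid, v) for v in sorted(reported(old) - reported(new))]
        old_c, new_c = old.get("categories", set()), new.get("categories", set())
        events += [("category_added", aid, c) for c in sorted(new_c - old_c)]
        events += [("category_removed", aid, c) for c in sorted(old_c - new_c)]
    return events

# Constructed snapshots: "vulns" maps a placeholder ID to the sources reporting it.
BEFORE = {
    "srv-01": {"name": "srv-01", "ip": "192.0.2.10", "mac": "00:00:5e:00:53:01",
               "fqdn": "srv-01.example.test", "os": "Windows Server 2019",
               "categories": {"Servers"},
               "vulns": {"VULN-A": {"ksc", "kics"}, "VULN-B": {"ksc"}}},
    "ws-07": {"name": "ws-07", "ip": "192.0.2.27", "mac": "00:00:5e:00:53:07",
              "fqdn": "ws-07.example.test", "os": "Windows 10"},
}
AFTER = {
    # Same asset after the next import: new IP, extra category, VULN-A now
    # reported by one source only, VULN-B by none.
    "srv-01": {**BEFORE["srv-01"], "ip": "192.0.2.11",
               "categories": {"Servers", "Critical"},
               "vulns": {"VULN-A": {"kics"}, "VULN-B": set()}},
    "plc-03": {"name": "plc-03", "ip": "192.0.2.43", "mac": "00:00:5e:00:53:03",
               "fqdn": "plc-03.example.test", "os": "Firmware"},
}

if __name__ == "__main__":
    for event in audit_events(BEFORE, AFTER):
        print(event)
```

VULN-A produces no event because one of its two original sources still reports it; VULN-B is resolved because its only source stopped.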
Configuring an asset audit
To configure an asset audit:
- In the KUMA web interface, open Settings → Asset audit.
- Perform one of the following actions with the tenant for which you want to configure asset audit:
  - Add the tenant by using the Add tenant button if this is the first time you are configuring asset audit for the relevant tenant.
    In the opened Asset audit window, select a name for the new tenant.
  - Select an existing tenant in the table if asset audit has already been configured for the relevant tenant.
    In the opened Asset audit window, the tenant name is already defined and cannot be edited.
  - Clone the settings of an existing tenant to create a copy of the conditions configuration for the tenant for which you are configuring asset audit for the first time. To do so, select the check box next to the tenant whose configuration you need to copy and click Clone. In the opened Asset audit window, select the name of the tenant to use the copied configuration.
- For each condition for generating asset audit events, select the destination to which the created events will be sent:
  - In the settings block of the relevant type of asset audit events, use the Add destination drop-down list to select the type of destination to which the created events should be sent:
    - Select Storage if you want events to be sent to storage.
    - Select Correlator if you want events to be sent to the correlator.
    - Select Other if you want to select a different destination.
      This type of resource includes correlator and storage services that were created in previous versions of the program.
    In the Add destination window that opens, you must define the settings for event forwarding.
  - Use the Destination drop-down list to select an existing destination or select Create if you want to create a new destination.
    If you are creating a new destination, fill in the settings as indicated in the destination resource description.
  - Click Save.
  A destination has been added to the condition for generating asset audit events. Multiple destinations can be added for each condition. You can also disable a previously configured condition for creating asset audit events by selecting the Disabled check box next to the relevant condition.
- Click Save.
The asset audit has been configured. Asset audit events will be generated for those conditions for which destinations have been added. You can also disable asset audit for an existing tenant. To do so, click the relevant tenant and select the Disabled check box in the upper part of the opened Asset audit window. Click Save.
Storing and searching asset audit events
Asset audit events are considered to be base events and do not replace audit events. Asset audit events can be searched based on the following parameters:
Event field | Value
DeviceVendor |
DeviceProduct |
DeviceEventCategory |
Enabling and disabling an asset audit
You can enable or disable asset audits for a tenant or for a specific condition within a single tenant.
To enable or disable an asset audit for a tenant:
- In the KUMA web interface, open Settings → Asset audit and select the tenant for which you want to enable or disable an asset audit.
  The Asset audit window opens.
- Select or clear the Disabled check box in the upper part of the window.
- Click Save.
To enable or disable an individual condition for generating asset audit events:
- In the KUMA web interface, open Settings → Asset audit and select the tenant for which you want to enable or disable a condition for generating asset audit events.
  The Asset audit window opens.
- Select or clear the Disabled check box next to the relevant conditions.
- Click Save.