Managing assets

Assets represent the computers of the organization. You can add assets to KUMA; in that case, KUMA automatically adds asset IDs when enriching events, and when you analyze events, you can get additional information about computers in the organization.

You can add assets to KUMA in the following ways:

• Import assets:
  • From the MaxPatrol report.
  • On a schedule from Kaspersky Security Center and KICS for Networks.

    By default, assets are imported every 12 hours, this frequency can be configured. On-demand import of assets is also possible; such on-demand import does not affect the scheduled import time. From the Kaspersky Security Center database, KUMA imports information about devices with installed Kaspersky Security Center Network Agent that has connected to Kaspersky Security Center, that is, has a non-empty 'Connection time' field in the SQL database. KUMA imports the following information about the computer: name, address, time of connection to Kaspersky Security Center, information about hardware and software, including the operating system, as well as vulnerabilities, that is, information received from Kaspersky Security Center Network Agents.

• Create assets manually through the web interface or via the API.

  You can add assets manually. In this case, you must manually specify the following information: address, FQDN, name and version of the operating system, hardware information. Information about the vulnerabilities of assets cannot be added through the web interface. You can provide information about vulnerabilities if you add assets using the API.

You can manage KUMA assets: view information about assets, search for assets, add, edit or delete assets, and export asset data to a CSV file.

Asset categories

You can categorize the assets and then use the categories in filter conditions or correlation rules. For example, you can create alerts of a higher severity level for assets from a higher-severity category. By default, all assets fall into the Uncategorized assets category. A device can be added to multiple categories.

By default, KUMA assigns the following severity levels to asset categories: Low, Medium, High, Critical. You can create custom categories, categories can be nested.

Categories can be populated in the following ways:

• Manually
• Active: dynamic if the asset meets the specified conditions. For example, the moment the asset is upgraded to a specified OS version or placed in a specified subnet, the asset is moved to the specified category.
  1. In the Repeat categorization every drop-down list, specify how often assets will be linked to a category. You can select values ranging from once per hour to once per 24 hours.

     You can forcibly start categorization by selecting Start categorization in the category context menu.

  2. In the Conditions settings block, specify the filter for matching assets to attach to an asset category.

     You can add conditions by clicking the Add condition buttons. Groups of conditions can be added by clicking the Add group buttons. Group operators can be switched between AND, OR, and NOT values.

     Categorization filter operands and operators

     Operand	Operators	Comment
     Build number	>, >=, =, <=, <
     OS	=, like	The "like" operator ensures that the search is not case sensitive.
     IP address	inSubnet, inRange	The IP address is indicated in CIDR notation (for example: 192.168.0.0/24). When the inRange operator is selected, you can indicate only addresses from private ranges of IP addresses (for example: 10.0.0.0–10.255.255.255). Both addresses must be in the same range.
     FQDN	=, like	The "like" operator ensures that the search is not case sensitive.
     CVE	=, in	The "in" operator lets you specify an array of values.
     Software	=, like
     CII	in	More than one value can be selected.
     Anti-virus databases last updated	>=,<=
     Last update of the information	>=,<=
     Protection last updated	>=,<=
     System last started	>=,<=
     KSC extended status	in	Extended status of the device. More than one value can be selected.
     Real-time protection status	=	Status of Kaspersky applications installed on the managed device.
     Encryption status	=
     Spam protection status	=
     Anti-virus protection status of mail servers	=
     Data Leakage Prevention status	=
     KSC extended status ID	=
     Endpoint Sensor status	=
     Last visible	>=,<=

  3. Click the Test conditions button to make sure that the specified filter is correct. When you click the button, the Assets for given conditions window opens containing a list of assets that satisfy the search conditions.
• Reactive—When a correlation rule is triggered, the asset is moved to the specified group.

In KUMA, assets are categorized by tenant and by category. Assets are arranged in a tree structure, where the tenants are located at the root, and the asset categories branch from them. You can view the tree of tenants and categories in the Assets → All assets section of the KUMA Console. When a tree node is selected, the assets assigned to it are displayed in the right part of the window. Assets from the subcategories of the selected category are displayed if you specify that you want to display assets recursively. You can select the check boxes next to the tenants whose assets you want to view.

To open the context menu of a category, hover the mouse cursor over the category and click the ellipsis icon that is displayed to the right of the category name. The following actions are available in the context menu:

Category context menu items

Adding an asset category

To add an asset category:

1. In the KUMA Console, go to the Assets section.
2. Open the category creation window:
   • Click the Add category button.
   • If you want to create a subcategory, select Add subcategory in the context menu of the parent category.

   The Add category details area appears in the right-hand part of the console window.

3. Add information about the category:
   • In the Name field, enter the name of the category. The name must contain 1 to 128 Unicode characters.
   • In the Parent field, indicate the position of the category within the categories tree hierarchy:
     1. Click the button.

        This opens the Select categories window showing the categories tree. If you are creating a new category and not a subcategory, the window may show multiple asset category trees, one for each tenant that you can access. Your tenant selection in this window cannot be undone.

     2. Select the parent category for the category you are creating.
     3. Click Save.

     Selected category appears in Parent fields.

   • The Tenant field displays the tenant whose structure contains your selected parent category. The tenant category cannot be changed.
   • Assign a severity to the category in the Priority drop-down list.
   • If necessary, in the Description field, you can add a note consisting of up to 256 Unicode characters.
4. In the Categorization kind drop-down list, select how the category will be populated with assets. Depending on your selection, you may need to specify additional settings:
   • Manually—assets can only be manually linked to a category.
   • Active—assets will be assigned to a category at regular intervals if they satisfy the defined filter.

     Active category of assets

     1. In the Repeat categorization every drop-down list, specify how often assets will be linked to a category. You can select values ranging from once per hour to once per 24 hours.

        You can forcibly start categorization by selecting Start categorization in the category context menu.

     2. In the Conditions settings block, specify the filter for matching assets to attach to an asset category.

        You can add conditions by clicking the Add condition buttons. Groups of conditions can be added by clicking the Add group buttons. Group operators can be switched between AND, OR, and NOT values.

        Categorization filter operands and operators

        Operand	Operators	Comment
        Build number	>, >=, =, <=, <
        OS	=, like	The "like" operator ensures that the search is not case sensitive.
        IP address	inSubnet, inRange	The IP address is indicated in CIDR notation (for example: 192.168.0.0/24). When the inRange operator is selected, you can indicate only addresses from private ranges of IP addresses (for example: 10.0.0.0–10.255.255.255). Both addresses must be in the same range.
        FQDN	=, like	The "like" operator ensures that the search is not case sensitive.
        CVE	=, in	The "in" operator lets you specify an array of values.
        Software	=, like
        CII	in	More than one value can be selected.
        Anti-virus databases last updated	>=,<=
        Last update of the information	>=,<=
        Protection last updated	>=,<=
        System last started	>=,<=
        KSC extended status	in	Extended status of the device. More than one value can be selected.
        Real-time protection status	=	Status of Kaspersky applications installed on the managed device.
        Encryption status	=
        Spam protection status	=
        Anti-virus protection status of mail servers	=
        Data Leakage Prevention status	=
        KSC extended status ID	=
        Endpoint Sensor status	=
        Last visible	>=,<=

     3. Click the Test conditions button to make sure that the specified filter is correct. When you click the button, the Assets for given conditions window opens containing a list of assets that satisfy the search conditions.
   • Reactive—the category will be filled with assets by using correlation rules.
5. Click Save.

The new category will be added to the asset categories tree.

Configuring the table of assets

In KUMA, you can configure the contents and order of columns displayed in the assets table. These settings are stored locally on your machine.

To configure the settings for displaying the assets table:

1. In the KUMA Console, go to the Assets section.
2. Click the icon in the upper-right corner of the assets table.
3. In the drop-down list, select the check boxes next to the parameters that you want to view in the table:
   • FQDN
   • IP address
   • Asset source
   • Owner
   • MAC address
   • Created by
   • Updated
   • Tenant
   • CII category

   When you select a check box, the assets table is updated and a new column is added. When a check box is cleared, the column disappears. The table can be sorted based on multiple columns.

4. If you need to change the order of columns, click the left mouse button on the column name and drag it to the desired location in the table.

The assets table display settings are configured.

Searching assets

KUMA has two asset search modes. You can switch between the search modes by clicking the buttons in the upper left part of the window:

• – simple search by the following asset settings: Name, FQDN, IP address, MAC address, and Owner.
• – advanced search for assets using filters by conditions and condition groups.

You can select the check boxes next to the found assets to export their data to a CSV file.

Simple search

To find an asset:

1. Make sure that the button is enabled in the upper left part of the Assets section of the KUMA Console.

   The Search field is displayed at the top of the window.

2. Enter your search query in the Search field and press ENTER or click the icon.

The table displays the assets with the Name, FQDN, IP address, MAC address, and Owner settings matching the search criteria.

Advanced search

An advanced asset search is performed using the filtering conditions that can be specified in the upper part of the window:

• You can click the Add condition button to add a string containing fields for identifying the condition.
• You can click the Add group button to add a group of filters. Group operators can be switched between AND, OR, and NOT.
• Conditions and condition groups can be dragged with the mouse.
• Conditions, groups, and filters can be deleted by clicking the button.
• You can collapse the filtering options by clicking the Collapse button. In this case, the resulting search expression is displayed. Clicking it displays the search criteria in full again.
• The filtering options can be reset by clicking the Clear button.
• The condition operators and available values of the right operand depend on the selected left operand:

  Left operand	Available operators	Right operand
  Build number	=, >, >=, <, <=	An arbitrary value.
  OS	=, ilike	An arbitrary value.
  IP address	inSubnet, inRange	An arbitrary value or a range of values. The filtering condition for the inSubnet operator is met if the IP address in the left operand is included in the subnet that is specified in the right operand. For example, the subnet for the IP address 10.80.16.206 should be specified in the right operand using slash notation as follows: 10.80.16.206/25.
  FQDN	=, ilike	An arbitrary value.
  CVE	=, in	An arbitrary value.
  Asset source	in	Kaspersky Security Center KICS for Networks Imported via API Created manually
  RAM	=, >, >=, <, <=	Number.
  Number of disks	=, >, >=, <, <=	Number.
  Number of network cards	=, >, >=, <, <=	Number.
  Disk free bytes	=, >, >=, <, <=	Number.
  Anti-virus databases last updated	>=, <=	Date.
  Last update of the information	>=, <=	Date.
  Protection last updated	>=, <=	Date.
  System last started	>=, <=	Date.
  KSC extended status	in	The host with the Network Agent installed is connected to the network, but the Network Agent is not active The security application is installed, but real-time protection is not enabled Security application is installed but not running The number of detected viruses is too large The security application is installed, but the real-time protection status differs from the one set by the security administrator The security application is not installed A full virus scan was performed too long ago The anti-virus databases were updated too long ago The Network Agent is inactive for too long License expired The number of untreated objects is too large Restart required Incompatible applications are installed on the host Vulnerabilities are detected on the host The last scan for operating system updates on the host was too long ago Invalid encryption status of the host Mobile device settings do not comply with security policy requirements Unprocessed incidents detected Host status is suggested by a managed application Insufficient disk space on the host. Synchronization errors occur, or not enough disk space
  Real-time protection status	=	Suspended Starting Running (if the security application does not support the Running status categories) Performed with maximum protection Performed with maximum performance Performed with recommended settings Performed with custom settings Error
  Encryption status	=	Encryption rules are not configured on the host. Encryption is in progress. Encryption was canceled by the user. Encryption error occurred. All host encryption rules are met. Encryption is in progress, the host must be restarted. Encrypted files without specified encryption rules are detected on the host.
  Spam protection status	=	Unknown Stopped Suspended Starting In progress Error Not installed License is missing
  Anti-virus protection status of mail servers	=	Unknown Stopped Suspended Starting In progress Error Not installed License is missing
  Data Leakage Prevention status	=	Unknown Stopped Suspended Starting In progress Error Not installed License is missing
  KSC extended status ID	=	OK Critical Attention required
  Endpoint Sensor status	=	Unknown Stopped Suspended Starting In progress Error Not installed License is missing
  Last visible	>=, <=	Date

To find an asset:

1. Make sure that the button is enabled in the upper left part of the Assets section of the KUMA Console.

   The asset filtering settings are displayed in the upper part of the window.

2. Specify the asset filtering settings and click the Search button.

The table displays the assets that meet the search criteria.

Exporting asset data

You can export data about the assets displayed in the assets table as a CSV file.

To export asset data:

1. Configure the assets table.

   Only the data specified in the table is written to the file. The display order of the asset table columns is preserved in the exported file.

2. Find the desired assets and select the check boxes next to them.

   You can select all the assets in the table at a time by selecting the check box in the left part of the assets table header.

3. Click the Export CSV button.

The asset data is written to the assets_<export date>_<export time>.csv file. The file is downloaded according to your browser settings.

Viewing asset details

To view information about an asset, open the asset information window in one of the following ways:

• In the KUMA Console, go to the Assets section, select a category with the relevant assets, and then select an asset.
• In the KUMA Console, go to the Events section → search and filter events , select the relevant event, and then click the link in one of the following fields: SourceAssetID, DestinationAssetID, or DeviceAssetID.

The following information may be displayed in the asset details window:

• Name—asset name.

  Assets imported into KUMA retain the names that were assigned to them at the source. You can change these names in the KUMA Console.

• Tenant—the name of the tenant that owns the asset.
• Asset source—source of information about the asset. There may be several sources. For instance, information can be added in the KUMA Console or by using the API, or it can be imported from Kaspersky Security Center, KICS for Networks, and MaxPatrol reports.

  When using multiple sources to add information about the same asset to KUMA, you should take into account the rules for merging asset data.

• Created—date and time when the asset was added to KUMA.
• Updated—date and time when the asset information was most recently modified.
• Owner—owner of the asset, if provided.
• IP address—IP address of the asset (if any).

  If there are several assets with identical IP addresses in KUMA, the asset that was added the latest is returned in all cases when assets are searched by IP address. If assets with identical IP addresses can coexist in your organization's network, plan accordingly and use additional attributes to identify the assets. For example, this may become important during correlation.

• FQDN—Fully Qualified Domain Name of the asset, if provided.
• MAC address—MAC address of the asset (if any).
• Operating system—operating system of the asset.
• Related alerts—alerts associated with the asset (if any).

  To view the list of alerts related to an asset, click the Find in Alerts link. The Alerts tab opens with the search expression set to filter all assets with the corresponding asset ID.

• Software info and Hardware info—if the asset software and hardware parameters are provided, they are displayed in this section.
• Asset vulnerability information:
  • Open Single Management Platform vulnerabilities—asset vulnerabilities, if any. This information is available for the assets imported from Kaspersky Security Center.

    You can learn more about the vulnerability by clicking the icon, which opens the Kaspersky Threats portal. You can also update the vulnerabilities list by clicking the Update link and requesting updated information from Kaspersky Security Center.

  • KICS for Networks vulnerabilities—vulnerabilities of the asset, if provided. This information is available for the assets imported from KICS for Networks.
• Asset source information:
  • Last visible—time when information about the asset was last received from Kaspersky Security Center. This information is available for the assets imported from Kaspersky Security Center.
  • Host ID—ID of the Kaspersky Security Center Network Agent from which the asset information was received. This information is available for the assets imported from Kaspersky Security Center. This ID is used to determine the uniqueness of the asset in Kaspersky Security Center.
  • KICS for Networks server IP address and KICS for Networks connector ID—data on the KICS for Networks instance from which the asset was imported.
• Custom fields—data written to the asset custom fields.
• Additional information about the protection settings of an asset with Kaspersky Endpoint Security for Windows or Kaspersky Endpoint Security for Linux installed:
  • OSMP extended status ID – asset status. It can have the following values:
    • OK
    • Critical
    • Warning
  • OSMP extended status – information about the asset status. For example, "The anti-virus databases were updated too long ago".
  • Real-time protection status – status of Kaspersky applications installed on the asset. For example: "Running (if the security application does not support the Running status categories)".
  • Encryption status – information about asset encryption. For example: "Encryption rules are not configured on the host".
  • Spam protection status – status of anti-spam protection. For example, "Started".
  • Anti-virus protection status of mail servers – status of the virus protection of mail servers. For example, "Started".
  • Data Leakage Prevention status – status of data leak protection. For example, "Started".
  • Endpoint Sensor status – status of data leak protection. For example, "Started".
  • Anti-virus databases last updated – the version of the downloaded anti-virus databases.
  • Protection last updated – the time when the anti-virus databases were last updated.
  • System last started – the time when the system was last started.

  This information is displayed if the asset was imported from Kaspersky Security Center.

• Categories—categories associated with the asset (if any).
• CII category—information about whether an asset is a critical information infrastructure (CII) object.

Clicking the OSMP response button starts the Kaspersky Security Center task on the asset, and clicking the Move to OSMP group button moves the asset being viewed between Kaspersky Security Center administration groups.

This is available if KUMA is integrated with Kaspersky Security Center.

Adding assets

You can add asset information in the following ways:

• Manually.

  You can add an asset using the KUMA Console or the API.

• Import assets.

  You can import assets from Kaspersky Security Center, KICS for Networks, and MaxPatrol reports.

When assets are added, assets that already exist in KUMA can be merged with the assets being added.

Asset merging algorithm:

1. Checking uniqueness of Kaspersky Security Center or KICS for Networks assets.
   • The uniqueness of an asset imported from Kaspersky Security Center is determined by the Host ID parameter, which contains the Kaspersky Security Center Network Agent Network Agent identifier. If two assets' IDs differ, they are considered to be separate assets and are not merged.
   • The uniqueness of an asset imported from KICS for Networks is determined by the combination of the IP address, KICS for Networks server IP address, and KICS for Networks connector ID parameters. If any of the parameters of two assets differ they are considered to be separate assets and are not merged.

   If the compared assets match, the algorithm is performed further.

2. Make sure that the values in the IP, MAC, and FQDN fields match.

   If at least two of the specified fields match, the assets are combined, provided that the other fields are blank.

   Possible matches:

   • The FQDN and IP address of the assets match. The MAC field is blank.

     The check is performed against the entire array of IP address values. If the IP address of an asset is included in the FQDN, the values are considered to match.

   • The FQDN and MAC address of the assets match. The IP field is blank.

     The check is performed against the entire array of MAC address values. If at least one value of the array fully matches the FQDN, the values are considered to match.

   • The IP address and MAC address of the assets match. The FQDN field is blank.

     The check is performed against the entire array of IP- and MAC address values. If at least one value in the arrays is fully matched, the values are considered to match.

3. Make sure that the values of at least one of the IP, MAC, or FQDN fields match, provided that the other two fields are not filled in for one or both assets.

   Assets are merged if the values in the field match. For example, if the FQDN and IP address are specified for a KUMA asset, but only the IP address with the same value is specified for an imported asset, the fields match. In this case, the assets are merged.

   For each field, verification is performed separately and ends on the first match.

You can see examples of asset field comparison here.

Information about assets can be generated from various sources. If the added asset and the KUMA asset contain data received from the same source, this data is overwritten. For example, a Kaspersky Security Center asset receives a fully qualified domain name, software information, and host ID when imported into KUMA. When importing an asset from Kaspersky Security Center with an equivalent fully qualified domain name, all this data will be overwritten (if it has been defined for the added asset). All fields in which the data can be refreshed are listed in the Updatable data table.

Updatable data

The updated data is displayed in the asset details. You can view asset details in the KUMA Console.

This data may be overwritten when new assets are added. If the data used to generate asset information is not updated from sources for more than 30 days, the asset is deleted. The next time you add an asset from the same sources, a new asset is created.

If you are using KUMA Console to edit asset information that was received from Kaspersky Security Center or KICS for Networks, you can edit the following asset data:

• Name.
• Category.

If asset information was added manually, you can edit the following asset data when editing these assets in the KUMA Console:

• Name.
• Name of the tenant that owns the asset.
• IP address.
• Fully qualified domain name.
• MAC address.
• Owner.
• Category.
• Operating system.
• Hardware info.

Asset data cannot be edited via the REST API. When importing from the REST API, the data is updated according to the rules for merging asset details provided above.

Adding asset information in the KUMA Console

To add an asset in the KUMA Console:

1. In the KUMA Console, go to the Assets section, and click Add asset.

   The Add asset details area opens in the right part of the window.

2. Enter the asset parameters:
   • Asset name (required)
   • Tenant (required)
   • IP address and/or FQDN (required). You can specify multiple FQDNs separated by commas
   • MAC address
   • Owner
3. If required, assign one or multiple categories to the asset:
   1. Click the button.

      Select categories window opens.

   2. Select the check boxes next to the categories that should be assigned to the asset. You can use the and icons to expand or collapse the lists of categories.
   3. Click Save.

   The selected categories appear in the Categories fields.

4. If required, add information about the operating system installed on the asset in the Software section.
5. If required, add information about asset hardware in the Hardware info section.
6. Click Add.

The asset is created and displayed in the assets table in the category assigned to it or in the Uncategorized assets category.

Importing asset information from Kaspersky Security Center

All assets that are protected by this program are registered in Kaspersky Security Center. Information about assets protected by Kaspersky Security Center can be imported into KUMA. To do so, you need to configure integration between the applications in advance.

KUMA supports the following types of asset imports from OSMP:

• Import of information about all assets of all OSMP servers.
• Import of information about assets of the selected OSMP server.

To import information about all assets of all OSMP servers:

1. In the KUMA Console, select the Assets section.
2. Click the Import assets button.

   This opens the Import Open Single Management Platform assets.

3. In the drop-down list, select the tenant for which you want to perform the import.

   In this case, the program downloads information about all assets of all OSMP servers that have been configured to connect to the selected tenant.

   If you want to import information about all assets of all OSMP servers for all tenants, select All tenants.

4. Click OK.

The asset information will be imported.

To import information about the assets of one OSMP server:

1. In the KUMA Console, select the Settings → Open Single Management Platform section.

   This opens the Kaspersky Open Management Platform integration by tenant window.

2. Select the tenant for which you want to import assets.

   This opens the Open Single Management Platform integration window.

3. Click the connection for the relevant Kaspersky Security Center Server.

   This opens a window containing the settings of this connection to Kaspersky Security Center.

4. Do one of the following:
   • If you want to import all assets connected to the selected OSMP server, click the Import assets button.
   • If you want to import only assets that are connected to a secondary server or included in one of the groups (for example, the Unassigned devices group), do the following:
     1. Click the Load hierarchy button.
     2. Select the check boxes next to the names of the secondary servers or groups from which you want to import asset information.
     3. Select the Import assets from new groups check box if you want to import assets from new groups.

        If no check boxes are selected, information about all assets of the selected OSMP server is uploaded during the import.

     4. Click the Save button.
     5. Click the Import assets button.

The asset information will be imported.

Importing asset information from MaxPatrol

You can import asset information from MaxPatrol network device scan reports into XDR. Imported assets are displayed in the Assets group. If necessary, you can edit the settings of assets.

You can import asset information either from a MaxPatrol report or from MaxPatrol VM.

Importing asset information from a MaxPatrol report

The import is performed through the API using the maxpatrol-tool on the server where the KUMA Core is installed.

The tool is included in the KUMA distribution kit and is located in the installer archive in the /kuma-ansible-installer/roles/kuma/files directory.

Imports from MaxPatrol 8 are supported.

To import asset information from a MaxPatrol report:

1. In MaxPatrol, generate a network asset scan report in XML file format and copy the report file to the KUMA Core server. For more details about scan tasks and output file formats, refer to the MaxPatrol documentation.

   Data cannot be imported from reports in SIEM integration file format. The XML file format must be selected.

2. Create a file with the token for accessing the KUMA REST API. For convenience, it is recommended to place it into the MaxPatrol report folder. The file must not contain anything except the token.

   Requirements imposed on accounts for which the API token is generated:

   • Administrator or Analyst role.
   • Access to the tenant into which the assets will be imported.
   • Permissions for using API requests GET /users/whoami and POST /api/v1/assets/import have been configured.

     To import assets from MaxPatrol, it is recommended to create a separate user with the minimum necessary set of rights to use API requests.

3. Copy the maxpatrol-tool to the server hosting the KUMA Core and make the tool's file executable by running the following command:

   chmod +x <path to the maxpatrol-tool file on the server hosting the KUMA Core>

4. Run the maxpatrol-tool:

   ./maxpatrol-tool --kuma-rest <KUMA REST API server address and port> --token <path and name of API token file> --tenant <name of tenant where assets will reside> <path and name of MaxPatrol report file> --cert <path to the KUMA Core certificate file>

   Example: ./maxpatrol-tool --kuma-rest example.kuma.com:7223 --token token.txt --tenant Main example.xml --cert /opt/kaspersky/kuma/core/certificates/ca.cert

You can use additional flags and commands for import operations. For example, the command --verbose, -v will display a full report on the received assets. A detailed description of the available flags and commands is provided in the table titled Flags and commands of maxpatrol-tool. You can also use the --help command to view information on the available flags and commands.

The asset information will be imported from the MaxPatrol report to KUMA. The console displays information on the number of new and updated assets.

The tool works as follows when importing assets:

• KUMA overwrites the data of assets imported through the API, and deletes information about their resolved vulnerabilities.
• KUMA skips assets with invalid data. Error information is displayed when using the --verbose flag.
• If there are assets with identical IP addresses and fully qualified domain names (FQDN) in the same MaxPatrol report, these assets are merged. The information about their vulnerabilities and software is also merged into one asset.

  When uploading assets from MaxPatrol, assets that have equivalent IP addresses and fully qualified domain names (FQDN) that were previously imported from Kaspersky Security Center are overwritten.

  To avoid this problem, you must configure range-based asset filtering by running the following command:

  --ignore <IP address ranges> or -i <IP address ranges>

  Assets that satisfy the filtering criteria are not uploaded. For a description of this command, please refer to the table titled Flags and commands of maxpatrol-tool.

  Flags and commands of maxpatrol-tool

  Flags and commands	Description
  --kuma-rest <KUMA REST API server port and address>, -a <KUMA REST API server port and address>	Address (with the port) of KUMA Core server where assets will be imported. For example, example.kuma.com:7223. Port 7223 is used for API requests by default. You can change the port if necessary.
  --token <path and name of API token file>, -t <path and name of API token file>	Path and name of the file containing the token used to access the REST API. This file must contain only the token. The Administrator or Analyst role must be assigned to the user account for which the API token is being generated.
  --tenant <tenant name>, -T <tenant name>	Name of the KUMA tenant in which the assets from the MaxPatrol report will be imported.
  --dns <IP address ranges> or -d <IP address ranges>	This command uses DNS to enrich IP addresses with FQDNs from the specified ranges if the FQDNs for these addresses were not already specified. Example: --dns 0.0.0.0-9.255.255.255,11.0.0.0-255.255.255,10.0.0.2
  --dns-server <DNS server IP address>, -s <DNS server IP address>	Address of the DNS server that the tool must contact to receive FQDN information. Example: --dns-server 8.8.8.8
  --ignore <IP address ranges> or -i <IP address ranges>	Address ranges of assets that should be skipped during import. Example: --ignore 8.8.0.0-8.8.255.255, 10.10.0.1
  --verbose, -v	Output of the complete report on received assets and any errors that occurred during the import process.
  --help, -h help	Get reference information on the tool or a command. Examples: ./maxpatrol-tool help ./maxpatrol-tool <command> --help
  version	Get information about the version of the maxpatrol-tool.
  completion	Creation of an autocompletion script for the specified shell.
  --cert <path to file with the KUMA Core certificate>	Path to the KUMA Core certificate. By default, the certificate is located in the folder with the application installed: /opt/kaspersky/kuma/core/certificates/ca.cert.

Examples:

• ./maxpatrol-tool --kuma-rest example.kuma.com:7223 --token token.txt --tenant Main example.xml --cert /example-directory/ca.cert – import assets to KUMA from MaxPatrol report example.xml.
• ./maxpatrol-tool help—get reference information on the tool.

  Possible errors

  Error message	Description
  must provide path to xml file to import assets	The path to the MaxPatrol report file was not specified.
  incorrect IP address format	Invalid IP address format. This error may arise when incorrect IP ranges are indicated.
  no tenants match specified name	No suitable tenants were found for the specified tenant name using the REST API.
  unexpected number of tenants (%v) match specified name. Tenants are: %v	KUMA returned more than one tenant for the specified tenant name.
  could not parse file due to error: %w	Error reading the XML file containing the MaxPatrol report.
  error decoding token: %w	Error reading the API token file.
  error when importing files to KUMA: %w	Error transferring asset information to KUMA.
  skipped asset with no FQDN and IP address	One of the assets in the report did not have an FQDN or IP address. Information about this asset was not sent to KUMA.
  skipped asset with invalid FQDN: %v	One of the assets in the report had an incorrect FQDN. Information about this asset was not sent to KUMA.
  skipped asset with invalid IP address: %v	One of the assets in the report had an incorrect IP address. Information about this asset was not sent to KUMA.
  KUMA response: %v	An error occurred with the specified report when importing asset information.
  unexpected status code %v	An unexpected HTTP code was received when importing asset information from KUMA.

Importing asset information from MaxPatrol VM

The OSMP distribution kit includes the kuma-ptvm utility, which consists of an executable file and a configuration file. The utility is supported on Windows and Linux operating systems. The utility allows you to connect to the MaxPatrol VM API to get data about devices and their attributes, including vulnerabilities, and also lets you edit asset data and import data using the XDR API. Importing data is supported for MaxPatrol VM 1.1.

Configuring the import of asset information from MaxPatrol VM to KUMA Core involves the following steps:

1. Preparing XDR and MaxPatrol VM.

   You must create user accounts and an XDR token for API operations.

2. Creating a configuration file with data export and import settings.
3. Importing asset data into KUMA Core using the kuma-ptvm utility:
   1. The data is exported from MaxPatrol VM and saved in the directory of the utility. Information for each tenant is saved to a separate file in JSON format.

      If necessary, you can edit the received files.

   2. Information from files is imported into KUMA Core.

When re-importing existing assets, assets that already exist in KUMA Core are overwritten. In this way, fixed vulnerabilities are removed.

Known limitations:

• If the same IP address is specified for two assets with different FQDNs, KUMA Core imports such assets as two different assets; the assets are not combined.
• If an asset has two softwares with the same data in the name, version, vendor fields, KUMA Core imports this data as one software, despite the different software installation paths in the asset.
• If the FQDN of an asset contains a space or underscore ("_"), data for such assets is not imported into KUMA Core, and the log indicates that the assets were skipped during import.
• If an error occurs during import, error details are logged and the import stops.

Preparatory actions:

1. Create a separate user account in XDR and in MaxPatrol VM with the minimum necessary set of permissions to use API requests.
2. Create user accounts for which you will later generate an API token.

   Requirements imposed on accounts for which the API token is generated:

   • Main administrator, Tenant administrator, Tier 2 analyst, or Tier 1 analyst role.
   • Access to the tenant into which the assets will be imported.
   • In the user account, under API access rights, the check box is selected for POST /xdr/api/v2.1/kuma/assets/import.
3. Generate a token for access to the XDR REST API.

To create the configuration file:

1. Go to the KUMA utilities folder:
   cd /opt/kaspersky/kuma/utils/
2. Copy the kuma-ptvm-config-template.yaml template to create a configuration file named kuma-ptvm-config.yaml:
   cp kuma-ptvm-config-template.yaml kuma-ptvm-config.yaml
3. Edit the settings in the kuma-ptvm-config.yaml configuration file.
4. Save the changes to the file.

The configuration file will be created.

To import asset information:

1. If you want to import asset information from MaxPatrol VM into KUMA Core without intermediate verification of the exported data, run the kuma-ptvm utility with the following options:

   kuma-ptvm --config <path to the kuma-ptvm-config.yaml file> --download --upload

2. If you want to check the correctness of data exported from MaxPatrol VM before importing it into KUMA Core:
   1. Run the kuma-ptvm utility with the following options:

      kuma-ptvm --config <path to the kuma-ptvm-config.yaml file> --download

      For each tenant specified in the configuration file, a separate file is created with a name of the form <tenant ID>.JSON. Also, during export, a 'tenants' file is created, containing a list of JSON files to be uploaded to KUMA Core. All files are saved in the utility's directory.

   2. Review the exported asset files and if necessary, make the following edits:
      • Assign assets to their corresponding tenants.
      • Manually transfer asset data from the 'default' tenant file to the files of the relevant tenants.
      • In the 'tenants' file, edit the list of tenants whose assets you want to import into KUMA Core.
   3. Import asset information into KUMA Core:

      kuma-ptvm --config <path to the kuma-ptvm-config.yaml file> --upload

      To view information about the available commands of the utility, run the --help command.

   The asset information is imported from MaxPatrol VM to KUMA Core. The console displays information on the number of new and updated assets.

Possible errors:

When running the kuma-ptvm utility, the "tls: failed to verify certificate: x509: certificate is valid for localhost" error may be returned.

To resolve the issue:

• Issue a certificate in accordance with the MaxPatrol documentation. We recommend resolving the error in this way.
• Disable certificate validation.

  To disable certificate validation, add the following line to the configuration file in the 'MaxPatrol settings' section:

  ignore_server_cert: true

As a result, the utility is started without errors.

Importing asset information from KICS for Networks

After configuring KICS for Networks integration, tasks to obtain data about KICS for Networks assets are created automatically. This occurs:

• Immediately after creating a new integration.
• Immediately after changing the settings of an existing integration.
• According to a regular schedule every several hours. Every 12 hours by default. The schedule can be changed.

Account data update tasks can be created manually.

To start a task to update KICS for Networks asset data for a tenant:

1. In the KUMA Console, open the Settings → Kaspersky Industrial CyberSecurity for Networks section.
2. Select the relevant tenant.

   The Kaspersky Industrial CyberSecurity for Networks integration window opens.

3. Click the Import assets button.

A task to receive account data from the selected tenant is added to the Task manager section of the KUMA Console.

Examples of asset field comparison during import

Each imported asset is compared to the matching KUMA asset.

Checking for two-field value match in the IP, MAC, and FQDN fields

Comparison results:

• Imported asset 1 and KUMA asset: the FQDN and IP fields are filled in and match, no conflict in the MAC fields between the two assets. The assets are merged.
• Imported asset 2 and KUMA asset: the FQDN and IP fields are filled in and match. The assets are merged.
• Imported asset 3 and KUMA asset: the FQDN and MAC fields are filled in and match, no conflict in the IP fields between the two assets. The assets are merged.
• Imported asset 4 and KUMA asset: the IP fields are filled in and match, no conflict in the FQDN and MAC fields between the two assets. The assets are merged.
• Imported asset 5 and KUMA asset: the FQDN fields are filled in and match, no conflict in the IP and MAC fields between the two assets. The assets are merged.
• Imported asset 6 and KUMA asset: no matching fields. The assets are not merged.

Checking for single-field value match in the IP, MAC, and FQDN fields

Comparison results:

• Imported asset 1 and KUMA asset: the IP fields are filled in and match, no conflict in the FQDN and MAC fields between the two assets. The assets are merged.
• Imported asset 2 and KUMA asset: the IP fields are filled in and match, no conflict in the FQDN and MAC fields between the two assets. The assets are merged.
• Imported asset 3 and KUMA asset: no matching fields. The assets are not merged.
• Imported asset 4 and KUMA asset: no matching fields. The assets are not merged.

Settings of the kuma-ptvm-config.yaml configuration file

The table lists the settings that you can specify in the kuma-ptvm-config.yaml file.

Assigning a category to an asset

To assign a category to one asset:

1. In the KUMA Console, go to the Assets section.
2. Select the category with the relevant assets.

   The assets table is displayed.

3. Select an asset.
4. In the opened window, click the Edit button.
5. In the Categories field, click the button.
6. Select a category.

   If you want to move an asset to the Uncategorized assets section, you must delete the existing categories for the asset by clicking the button.

7. Click the Save button.

The category will be assigned.

To assign a category to multiple assets:

1. In the KUMA Console, go to the Assets section.
2. Select the category with the relevant assets.

   The assets table is displayed.

3. Select the check boxes next to the assets for which you want to change the category.
4. Click the Link to category button.
5. In the opened window, select a category.
6. Click the Save button.

The category will be assigned.

Do not assign the Categorized assets category to assets.

Editing the parameters of assets

In KUMA, you can edit asset parameters. All the parameters of manually added assets can be edited. For assets imported from Kaspersky Security Center, you can only change the name of the asset and its category.

To change the parameters of an asset:

1. In the KUMA Console, go to the Assets section, and click the asset that you want to edit.

   The Asset details area opens in the right part of the window.

2. Click the Edit button.

   The Edit asset window opens.

3. Make the changes you need in the available fields:
   • Asset name (required). This is the only field available for editing if the asset was imported from Kaspersky Security Center or KICS for Networks.
   • IP address and/or FQDN (required). You can specify multiple FQDNs separated by commas.
   • MAC address
   • Owner
   • Software info:
     • OS name
     • OS build
   • Hardware info:

     Hardware parameters

     You can add information about asset hardware to the Hardware info section:

     Available fields for describing the asset CPU:

     • CPU name
     • CPU frequency
     • CPU core count

     You can add CPUs to the asset by using the Add CPU link.

     Available fields for describing the asset disk:

     • Disk free bytes
     • Disk volume

     You can add disks to the asset by using the Add disk link.

     Available fields for describing the asset RAM:

     • RAM frequency
     • RAM total bytes

     Available fields for describing the asset network card:

     • Network card name
     • Network card manufacture
     • Network card driver version

     You can add network cards to the asset by using the Add network card link.

   • Custom fields.
   • CII category.
4. Assign or change the category of the asset:
   1. Click the button.

      Select categories window opens.

   2. Select the check boxes next to the categories that should be assigned to the asset.
   3. Click Save.

   The selected categories appear in the Categories fields.

   You can also select the asset and then drag and drop it into the relevant category. This category will be added to the list of asset categories.

   Do not assign the Categorized assets category to assets.

5. Click the Save button.

Asset parameters have been changed.

Archiving assets

In KUMA, the archival functionality is available for the following types of assets:

• For assets imported from Kaspersky Security Center and KICS.

  If KUMA did not receive information about the asset, at the time of import, the asset is automatically archived and is stored in the database for the time specified in the Archived assets retention period setting. The default setting is 0 days. This means that archived assets are stored indefinitely. An archived asset becomes active if KUMA receives information about the asset from the source before the retention period for archived assets expires.

• Combined assets

  When importing, KUMA performs a check for uniqueness among assets imported from Kaspersky Security Center and KICS, and among manually added assets. If the fields of an imported asset and a manually added asset match, the assets are combined into a single asset, which is considered imported and can become archived.

Assets added manually in the console or using the API are not archived.

An asset becomes archived under the following conditions:

• KUMA did not receive information about the asset from Kaspersky Security Center or KICS for Networks.
• Disabled integration with Kaspersky Security Center.

  If you disable integration with Kaspersky Security Center, the asset is considered active for 30 days. After 30 days, the asset is automatically archived and is stored in the database for the time specified in the Archived assets retention period.

An asset is not updated in the following cases:

• Information about the Kaspersky Security Center asset has not been updated for more than the retention period of archived assets.
• Information about the asset does not exist in Kaspersky Security Center or KICS for Networks.
• Connection with the Kaspersky Security Center Server has not been established for more than 30 days.

To configure the archived assets retention period:

1. In the KUMA Console, select the Settings → Assets section.

   This opens the Assets window.

2. Enter the new value in the Archived assets retention period field.

   The default setting is 0 days. This means that archived assets are stored indefinitely.

3. Click Save.

The retention period for archived assets is configured.

Information about the archived asset remains available for viewing in the alert and incident card.

To view an archived asset card:

1. In the KUMA Console, select the Alerts or Incidents section.

   A list of alerts or incidents is displayed.

2. Open the alert or incident card linked to the archived asset.

   You can view the information in the archived asset card.

Deleting assets

If you no longer need to receive information from an asset or information about the asset has not been updated for a long time, you can have KUMA delete the asset. Deletion is available to all roles except first line analyst. If an asset was deleted, but KUMA once again begins receiving information about that asset from Kaspersky Security Center, KUMA recreates the asset with a new ID.

In KUMA, you can delete assets in the following ways:

• Automatically.

  KUMA automatically deletes only archived assets. KUMA deletes an archived asset if the information about the asset has not been updated for longer than the retention period of archived assets.

• Manually.

To delete an asset manually:

1. In KUMA Console, in the Assets section, click the asset that you want to delete.

   This opens the Asset information window in the right-hand part of the console.

2. Click the Delete button.

   A confirmation window opens.

3. Click OK.

The asset is deleted and no longer appears in the alert or incident card.

Updating third-party applications and fixing vulnerabilities on Kaspersky Security Center assets

You can update third-party applications (including Microsoft applications) that are installed on Kaspersky Security Center assets, and fix vulnerabilities in these applications.

First you need to create the Install required updates and fix vulnerabilities task on the selected Kaspersky Security Center Administration Server with the following settings:

• Application—Kaspersky Security Center.
• Task type—Install required updates and fix vulnerabilities.
• Devices to which the task will be assigned—you need to assign the task to the root administration group.
• Rules for installing updates:
  • Install approved updates only.
  • Fix vulnerabilities with a severity level equal to or higher than (optional setting).

    If this setting is enabled, updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

• Scheduled start—the task run schedule.

For details on how to create a task, please refer to the Kaspersky Security Center Help Guide.

The Install required updates and fix vulnerabilities task is available with a Vulnerability and Patch Management license.

Next, you need to install updates for third-party applications and fix vulnerabilities on assets in KUMA.

To install updates and fix vulnerabilities in third-party applications on an asset in KUMA:

1. Open the asset details window in one of the following ways:
   • In the KUMA Console, select Assets → select a category with the relevant assets → select an asset.
   • In the KUMA Console, select the Events section → search and filter events → select the relevant event → click the link in one of the following fields: SourceAssetID, DestinationAssetID, or DeviceAssetID.
2. In the asset details window, expand the list of Kaspersky Security Center vulnerabilities.
3. Select the check boxes next to the applications that you want to update.
4. Click the Upload updates link.
5. In the opened window, select the check box next to the ID of the vulnerability that you want to fix.
6. If No is displayed in the EULA accepted column for the selected ID, click the Approve updates button.
7. Click the link in the EULA URL column and carefully read the text of the End User License Agreement.
8. If you agree to it, click Accept selected EULAs in the KUMA Console.

   The ID of the vulnerability for which the EULA was accepted shows Yes in the EULA accepted successfully column.

9. Repeat steps 7–10 for each required vulnerability ID.
10. Click OK.

Updates will be uploaded and installed on the assets managed by the Administration Server where the task was started, and on the assets of all secondary Administration Servers.

The terms of the End User License Agreement for updates and vulnerability patches must be accepted on each secondary Administration Server separately.

Updates are installed on assets where the vulnerability was detected.

You can update the list of vulnerabilities for an asset in the asset details window by clicking the Update link.

Moving assets to a selected administration group

You can move assets to a selected administration group of Kaspersky Security Center. In this case, the group policies and tasks will be applied to the assets. For more details on Kaspersky Security Center tasks and policies, please refer to the Kaspersky Security Center Help Guide.

Administration groups are added to KUMA when the hierarchy is loaded during import of assets from Kaspersky Security Center. First, you need to configure KUMA integration with Kaspersky Security Center.

To move an asset to a selected administration group:

1. Open the asset details window in one of the following ways:
   • In the KUMA Console, go to Assets, select a category with the relevant assets, and then select an asset.
   • In the KUMA Console, go to Alerts, click the link with the relevant alert, and then select the asset in the Related endpoints section.
2. In the asset details window, click the Move to KSC group button.
3. Click the Move to KSC group button.
4. Select the group in the opened window.

   The selected group must be owned by the same tenant as the asset.

5. Click the Save button.

The selected asset will be moved.

To move multiple assets to a selected administration group:

1. In the KUMA Console, select the Assets section.
2. Select the category with the relevant assets.
3. Select the check boxes next to the assets that you want to move to the group.
4. Click the Move to KSC group button.

   The button is active if all selected assets belong to the same Administration Server.

5. Select the group in the opened window.
6. Click the Save button.

The selected assets will be moved.

You can see the specific group of an asset in the asset details.

Kaspersky Security Center assets information is updated in KUMA when information about assets is imported from Kaspersky Security Center. This means that a situation may arise when assets have been moved between administration groups in Kaspersky Security Center, but this information is not yet displayed in KUMA. When an attempt is made to move such an asset to an administration group in which it is already located, KUMA returns the Failed to move assets to another KSC group error.

Asset audit

KUMA can be configured to generate asset audit events under the following conditions:

• Asset was added to KUMA. The application monitors manual asset creation, as well as creation during import via the REST API and during import from Kaspersky Security Center or KICS for Networks.
• Asset parameters have been changed. A change in the value of the following asset fields is monitored:
  • Name
  • IP address
  • MAC address
  • FQDN
  • Operating system

  Fields may be changed when an asset is updated during import.

• Asset was deleted from KUMA. The program monitors manual deletion of assets, as well as automatic deletion of assets imported from Kaspersky Security Center and KICS for Networks, whose data is no longer being received.
• Vulnerability info was added to the asset. The program monitors the appearance of new vulnerability data for assets. Information about vulnerabilities can be added to an asset, for example, when importing assets from Kaspersky Security Center or KICS for Networks.
• Asset vulnerability was resolved. The program monitors the removal of vulnerability information from an asset. A vulnerability is considered to be resolved if data about this vulnerability is no longer received from any sources from which information about its occurrence was previously obtained.
• Asset was added to a category. The program monitors the assignment of an asset category to an asset.
• Asset was removed from a category. The program monitors the deletion of an asset from an asset category.

By default, if asset audit is enabled, under the conditions described above, KUMA creates not only audit events (Type = 4), but also base events (Type = 1).

Asset audit events can be sent to storage or to correlators, for example.

Configuring an asset audit

To configure an asset audit:

1. In the KUMA Console, go to the Settings → Asset audit section.
2. Perform one of the following actions with the tenant for which you want to configure asset audit:
   • Add the tenant by clicking the Add tenant button if this is the first time you are configuring asset audit for the relevant tenant.

     In the opened Asset audit window, select a name for the new tenant.

   • Select an existing tenant in the table if asset audit has already been configured for the relevant tenant.

     In the opened Asset audit window, the tenant name is already defined and cannot be edited.

   • Clone the settings of an existing tenant to create a copy of the conditions configuration for the tenant for which you are configuring asset audit for the first time. To do so, select the check box next to the tenant whose configuration you need to copy and click Clone. In the opened Asset audit window, select the name of the tenant to use the copied configuration.
3. For each condition for generating asset audit events, select the destination to where the created events will be sent:
   1. In the settings block of the relevant type of asset audit events, use the Add destination drop-down list to select the type of destination to which the created events should be sent:
      • Select Storage if you want events to be sent to storage.
      • Select Correlator if you want events to be sent to the correlator.
      • Select Other if you want to select a different destination.

        This type of resource includes correlator and storage services that were created in previous versions of the program.

      In the Add destination window that opens you must define the settings for event forwarding.

   2. Use the Destination drop-down list to select an existing destination or select Create if you want to create a new destination.

      If you are creating a new destination, fill in the settings as indicated in the destination description.

   3. Click Save.

   A destination has been added to the condition for generating asset audit events. Multiple destinations can be added for each condition.

4. Click Save.

The asset audit has been configured. Asset audit events will be generated for those conditions for which destinations have been added. Click Save.

Storing and searching asset audit events

Asset audit events are considered to be base events and do not replace audit events. Asset audit events can be searched based on the following parameters:

Enabling and disabling an asset audit

You can enable or disable asset audit for a tenant:

To enable or disable an asset audit for a tenant:

1. In the KUMA Console, open the Settings → Asset audit section and select the tenant for which you want to enable or disable an asset audit.

   The Asset audit window opens.

2. Select or clear the Disabled check box in the upper part of the window.
3. Click Save.

By default, when asset audit is enabled in KUMA, when an audit condition occurs, two types of events are simultaneously created: a base event and an audit event.

You can disable the generation of base events with audit events.

To enable or disable the creation of base events for an individual condition:

1. In the KUMA Console, open the Settings → Asset audit section and select the tenant for which you want to enable or disable a condition for generating asset audit events.

   The Asset audit window opens.

2. Select or clear the Disabled check box next to the relevant conditions.
3. Click Save.

For conditions with the Disabled check box selected, only audit events are created, and base events are not created.

Custom asset fields

In addition to the existing fields of the asset data model, you can create custom asset fields. Data from the custom asset fields is displayed when you view information about the asset. Custom fields can be filled in with data either manually or using the API.

You can create or edit the custom fields in the KUMA Console in the Settings → Assets section, in the Custom fields table. The table has the following columns:

• Name – the name of the custom field that is displayed when you view information about the asset.
• Default value – the value that is written to the custom field when an asset is added to KUMA.
• Mask – a regular expression to which the value in the custom field must match.

To create a custom asset field:

1. In the KUMA Console, in the Settings → Assets section, click Add field.

   An empty row is added to the Custom fields table. You can add multiple rows with the custom field settings at once.

2. Fill in the columns with the settings of the custom field:
   • Name (required)–from 1 to 128 characters in Unicode encoding.
   • Default value–from 1 to 1,024 Unicode characters.
   • Mask–from 1 to 1,024 Unicode characters.
3. Click Save.

A custom field is added to the asset data model.

To delete or edit a custom asset field:

1. In the KUMA Console, go to the Settings → Assets section.
2. Make the necessary changes in the Custom fields table:
   • To delete a custom field, click the icon next to the row with the settings of the required field. Deleting a field also deletes the data written in this field for all assets.
   • You can change the values of the field settings. Changing the default value does not affect the data written in the asset fields before.
   • To change the display order of the fields, drag the lines with the mouse by the .
3. Click Save.

The changes are made.

Critical information infrastructure assets

In KUMA, you can tag assets related to the critical information infrastructure (CII) of the Russian Federation. This allows you to restrict the KUMA users capabilities to handle alerts and incidents, which are associated with the assets related to the CII objects.

You can assign the CII category to assets if the license with the GosSOPKA module is active in KUMA.

Main administrators and users with the Access to CII facilities check box selected in their profiles can assign the CII category to an asset. If none of these conditions are met, the following restrictions apply to the user:

• The CII category group of settings is not displayed in the Asset details and Edit asset windows. You cannot view or change the CII category of an asset.
• Alerts and incidents associated with the assets of the CII category are not available for viewing. You cannot perform any actions on such alerts and incidents; they are not displayed in the table of alerts and incidents.
• The CII column is not displayed in the Alerts and Incidents tables.
• Search and closing of the alerts using the REST API is not available.

The CII category of an asset is displayed in the Asset details window in the CII category group of settings.

To change the CII category of an asset:

1. In the KUMA Console, in the Assets section, select the relevant asset.

   The Asset details window opens.

2. Click the Edit button and select one of the available values in the drop-down list:
   • Information resource is not a CII object – default value, indicating that the asset does not have a CII category. The users with the Access to CII facilities check box cleared in their profiles can work with such assets and the alerts and incidents related to these assets.
   • CII object without importance category.
   • CII object of the third importance category.
   • CII object of the second importance category.
   • CII object of the first importance category.
3. Click Save.