Kaspersky Next XDR Expert
1.2

Contents

Working with Open Single Management Platform tasks

You can connect Open Single Management Platform assets to KUMA and download database and application module updates to these assets, or run an anti-virus scan on them by using Open Single Management Platform tasks. Tasks are started in the KUMA Console.

To run Open Single Management Platform tasks on assets connected to KUMA, it is recommended to use the following script:

  1. Creating a user account in the Open Single Management Platform Administration Console

    The credentials of this account are used when creating a secret to establish a connection with Open Single Management Platform, and can be used to create a task.

    For more details about creating a user account and assigning permissions to a user, please refer to the Open Single Management Platform Help Guide.

  2. Creating KUMA tasks in Open Single Management Platform
  3. Configuring KUMA integration with Open Single Management Platform
  4. Importing asset information from Open Single Management Platform into KUMA
  5. Assigning a category to the imported assets

    After import, the assets are automatically placed in the Uncategorized devices group. You can assign one of the existing categories to the imported assets, or create a category and assign it to the assets.

  6. Running tasks on assets

    You can manually start tasks in the asset information or configure tasks to start automatically.

In this section

Creating KUMA tasks in Open Single Management Platform

Starting Open Single Management Platform tasks manually

Starting Open Single Management Platform tasks automatically

Checking the status of Open Single Management Platform tasks
Page top
[Topic 218045]

Creating KUMA tasks in Open Single Management Platform

You can run the anti-virus database and application module update task, and the virus scan task on Open Single Management Platform assets connected to KUMA. The assets must have Kaspersky Endpoint Security for Windows or Linux installed. The tasks are created in OSMP Console.

For details about creating the Update and Virus scan tasks on the assets with Kaspersky Endpoint Security for Windows, refer to the Kaspersky Endpoint Security for Windows Help.

For more details about creating the Update and Virus scan tasks on the assets with Kaspersky Endpoint Security for Linux, refer to the Kaspersky Endpoint Security for Linux Help.

Task names must begin with "kuma" (not case-sensitive and without quotations). For example, KUMA antivirus check. Otherwise, the task is not displayed in the list of available tasks in the KUMA Console.

Page top
[Topic 240903]

Starting Open Single Management Platform tasks manually

You can manually run the anti-virus database, application module update task, and the anti-virus scan task on Open Single Management Platform assets connected to KUMA. The assets must have Kaspersky Endpoint Security for Windows or Linux installed.

First, you need to configure the integration of Open Single Management Platform with KUMA and create tasks in Open Single Management Platform.

To manually start a Open Single Management Platform task:

  1. In the Assets section of the KUMA Console, select the asset that was imported from Open Single Management Platform.

    The Asset details window opens.

  2. Click the KSC response button.

    This button is displayed if the connection to the Open Single Management Platform that owns the selected asset is enabled.

  3. In the opened Select task window, select the check boxes next to the tasks that you want to start, and click the Start button.

Open Single Management Platform starts the selected tasks.

Some types of tasks are available only for certain assets.

You can obtain vulnerability and software information only for assets running a Windows operating system.

Page top
[Topic 218009]

Starting Open Single Management Platform tasks automatically

You can configure the automatic start of the anti-virus database and application module update task and the virus scan task for Open Single Management Platform assets connected to KUMA. The assets must have Kaspersky Endpoint Security for Windows or Linux installed.

First, you need to configure the integration of Open Single Management Platform with KUMA and create tasks in Open Single Management Platform.

Configuring automatic start of Open Single Management Platform tasks includes the following steps:

Step 1. Adding a correlation rule

To add a correlation rule:

  1. In the KUMA Console, select the Resources section.
  2. Select Correlation rules and click the Add correlation rule button.
  3. On the General tab, specify the following settings:
    1. In the Name field, define the rule name.
    2. In the Tenant drop-down list, select the tenant that owns the resource.
    3. In the Type drop-down list, select simple.
    4. In the Propagated fields field, add the following fields: DestinationAssetID.
    5. If required, define the values for the following fields:
      • In the Rate limit field, define the maximum number of times per second that the rule will be triggered.
      • In the Severity field, define the severity of alerts and correlation events that will be created as a result of the rule being triggered.
      • In the Description field, provide any additional information.
  4. On the SelectorsSettings tab:
    1. In the Filter drop-down list, select Create new.
    2. In the Conditions field, click the Add group button.
    3. In the operator field for the group you added, select AND.
    4. Add a condition for filtering by the DeviceProduct field value:
      1. In the Conditions field, click the Add condition button.
      2. In the condition field, select If.
      3. In the Left operand field, select event field.
      4. In the 'Event field' field, select DeviceProduct.
      5. In the Operator field, select =.
      6. In the Right operand field, select constant.
      7. In the value field, enter KSC.
    5. Add a condition for filtering by the Name field value:
      1. In the Conditions field, click the Add condition button.
      2. In the condition field, select If.
      3. In the Left operand field, select event field.
      4. In the event field, select Name.
      5. In the Operator field, select =.
      6. In the Right operand field, select constant.
      7. In the value field, enter the name of the event. When this event is detected, the task is started automatically.

        For example, if you want the Virus scan task to start when Open Single Management Platform registers the Malicious object detected event, specify this name in the Value field.

        You can view the event name in the Name field of the event details.

  5. On the Actions tab, specify the following settings:
    1. In the Actions section, open the On every event drop-down list.
    2. Select the Output check box.

      You do not need to fill in other fields.

  6. Click the Save button.

The correlation rule will be created.

Step 2. Creating a correlator

You need to launch the correlator installation wizard. At step 3 of the wizard, you are required to select the correlation rule that you added by following this guide.

The DeviceHostName field must display the domain name (FQDN) of the asset. If it is not displayed, create a DNS record for this asset and create a DNS enrichment rule at Step 4 of the wizard.

Step 3. Adding a filter

To add a filter:

  1. In the KUMA Console, select the Resources section.
  2. Select Filters and click the Add filter button.
  3. In the Name field, specify the filter name.
  4. In the Tenant drop-down list, select the tenant that owns the resource.
  5. In the Conditions field, click the Add group button.
  6. In the operator field for the group you added, select AND.
  7. Add a condition for filtering by the DeviceProduct field value:
    1. In the Conditions field, click the Add condition button.
    2. In the condition field, select If.
    3. In the Left operand field, select event field.
    4. In the 'Event field' field, select Type.
    5. In the Operator field, select =.
    6. In the Right operand field, select constant.
    7. In the Value field, enter 3.
  8. Add a condition for filtering by the Name field value:
    1. In the Conditions field, click the Add condition button.
    2. In the condition field, select If.
    3. In the Left operand field, select event field.
    4. In the event field, select Name.
    5. In the Operator field, select =.
    6. In the Right operand field, select constant.
    7. In the Value field, enter the name of the correlation rule created at Step 1.

Step 4. Adding a response rule

To add a response rule:

  1. In the KUMA Console, select the Resources section.
  2. Select Response rules and click the Add response rule button.
  3. In the Name field, define the rule name.
  4. In the Tenant drop-down list, select the tenant that owns the resource.
  5. In the Type drop-down list, select Response via KSC.
  6. In the Open Single Management Platform task drop-down list, select the Open Single Management Platform task you want to start.
  7. In the Event field drop-down list, select the DestinationAssetID.
  8. In the Workers field, specify the number of processes that the service can run simultaneously.

    By default, the number of work processes is the same as the number of virtual processors on the server where the correlator service is installed.

  • In the Description field, you can add up to 4,000 Unicode characters.
  • In the Filter drop-down list, select the filter added at Step 3 of this instruction.

To send requests to Open Single Management Platform, you must ensure that Open Single Management Platform is available over the UDP protocol.

If a response rule is owned by the shared tenant, the displayed Open Single Management Platform tasks that are available for selection are from the Open Single Management Platform server that the main tenant is connected to.

If a response rule has a selected task that is absent from the Open Single Management Platform server that the tenant is connected to, the task is not performed for assets of this tenant. This situation could arise when two tenants are using a common correlator, for example.

Step 5. Adding a response rule to the correlator

To add a response rule to the correlator:

  1. In the KUMA Console, select the Resources section.
  2. Select Correlators.
  3. In the list of correlators, select the correlator added at Step 2 of this instruction.
  4. In the steps tree, select Response rules.
  5. Click Add.
  6. In the Response rule drop-down list, select the rule added at step 4 of these instructions.
  7. In the steps tree, select Setup validation.
  8. Click the Save and restart services button.
  9. Click the Save button.

The response rule will be added to the correlator.

The automatic start will be configured for the anti-virus database and application module update task and the virus scan task on Open Single Management Platform assets connected to KUMA. The tasks are started when a threat is detected on the assets and KUMA receives the corresponding events.

Page top
[Topic 218008]

Checking the status of Open Single Management Platform tasks

In the Kaspersky Unified Monitoring and Analysis Platform web interface, you can check whether a Open Single Management Platform task was started or whether a search for events owned by the collector listening for Open Single Management Platform events was completed.

To check the status of Open Single Management Platform tasks:

  1. In Kaspersky Unified Monitoring and Analysis Platform, select the Resources → Active services section.
  2. Select the collector that is configured to receive events from the Open Single Management Platform server and click the Go to Events button.

This opens a new browser tab with the Events section of Kaspersky Unified Monitoring and Analysis Platform. The table displays events from the Open Single Management Platform server. The status of the tasks can be seen in the Name column.

Open Single Management Platform event fields:

  • Name—status or type of the task.
  • Message—message about the task or event.
  • FlexString<number>Label—name of the attribute received from Open Single Management Platform. For example, FlexString1Label=TaskName.
  • FlexString<number>—value of the FlexString<number>Label attribute. For example, FlexString1=Download updates.
  • DeviceCustomNumber<number>Label—name of the attribute related to the task state. For example, DeviceCustomNumber1Label=TaskOldState.
  • DeviceCustomNumber<number>—value related to the task state. For example, DeviceCustomNumber1=1 means the task is executing.
  • DeviceCustomString<number>Label—name of the attribute related to the detected vulnerability: for example, a virus name, affected application.
  • DeviceCustomString<number>—value related to the detected vulnerability. For example, the attribute-value pairs DeviceCustomString1Label=VirusName and DeviceCustomString1=EICAR-Test-File mean that the EICAR test virus was detected.
Page top
[Topic 217753]