[Topic 251751]

Kaspersky Unified Monitoring and Analysis Platform Help

New features

• What's new in KUMA
  
  

Hardware and software requirements

• Hardware and software requirements
  
  

Getting started

• Program architecture
• Installation and removal
• Managing tenants
• Monitoring event sources
  
  

Managing the KUMA web interface

• Administrator's guide
• User guide
  
  

Additional features

• Interaction with external systems via API
  
  

Licensing

• KUMA licensing
  
  

Contacting Technical Support

• How to get technical support
  
  

[Topic 217694]

About Kaspersky Unified Monitoring and Analysis Platform

Kaspersky Unified Monitoring and Analysis Platform (hereinafter KUMA or "program") is an integrated software solution that includes the following set of functions:

• Receiving, processing, and storing information security events.
• Analysis and correlation of incoming data.
• Search within the obtained events.
• Creation of notifications upon detecting symptoms of information security threats.

The program is built on a microservice architecture. This means that you can create and configure the relevant microservices (hereinafter also "services"), thereby making it possible to use KUMA both as a log management system and as a full-fledged SIEM system. In addition, flexible data streams routing allows you to use third-party services for additional event processing.

[Topic 220925]

What's new

• The capability to automatically and manually update the repository is implemented in order to receive packages with new correlation rules and connectors for log sources.
• The cold storage of events is implemented.
• To reduce the number of simultaneous insert queries to ClickHouse tables, in version 2.1.3 or later, you can configure buffering of insert queries for the Storage resource.
• In version 2.1.3 or later, KUMA uses a new driver for connecting to oracle.
• New connectors are added: SNMP traps, 1C log, 1C xml.
• Version 2.1.3 introduces numbering of tags for the xml normalizer.
• Integration with Kaspersky Automated Security Awareness Platform is implemented.
• A new response type is added: Active Directory response rule.
• The list of formats for generating reports is expanded. The following formats are now available: HTML, PDF, CSV, split CSV, Excel.
• RuCERT integration is expanded.
• The capability is added to create common (universal) dashboard layouts for all tenants and fill them with data on the tenants available to the current user. Thus, the number of layouts used in the system can be significantly reduced, and there is no need to create separate standard layouts for each tenant.
• The integration with Active Directory Federation Services is added for logging in without a user name and password (Single Sign On (SSO) scenario).
• The support of the FreeIPA domain is added for logging in the system.
• Added the capability to receive custom attributes of Active Directory accounts from LDAP and enrich events with the custom attributes of AD accounts.

  Before configuring event enrichment using custom attributes, make sure that custom attributes are configured in AD.

  To enrich events with accounts using custom attributes:

  1. Add Custom AD Account Attributes in the LDAP connection settings.

     Standard imported attributes from AD cannot be added as custom attributes. For example, if you want to add the standard accountExpires

     attribute

     as a custom attribute, KUMA will return an error when saving the connection settings.

     The following account attributes can be requested from Active Directory:

     • accountExpires
     • badPasswordTime
     • cn
     • co
     • company
     • department
     • description
     • displayName
     • distinguishedName
     • division
     • employeeID
     • givenName
     • l
     • lastLogon
     • lastLogonTimestamp
     • Mail
     • mailNickname
     • managedObjects
     • manager
     • memberOf (this attribute can be used for search during correlation)
     • mobile
     • name
     • objectCategory
     • objectGUID (this attribute always requested from Active Directory even if a user doesn't specify it)
     • objectSID
     • physicalDeliveryOfficeName
     • pwdLastSet
     • sAMAccountName
     • sAMAccountType
     • sn
     • streetAddress
     • telephoneNumber
     • title
     • userAccountControl
     • UserPrincipalName
     • whenChanged
     • whenCreated

     After you add custom attributes in the LDAP connection settings, the LDAP attribute to receive drop-down list in the collector automatically includes the new attributes. Custom attributes are identified by a question mark next to the attribute name. If you added the same attribute for multiple domains, the attribute is listed only once in the drop-down list. You can view the domains by moving your cursor over the question mark. Domain names are displayed as links. If you click a link, the domain is automatically added to LDAP accounts mapping if it was not previously added.

     If you deleted a custom attribute in the LDAP connection settings, manually delete the row containing the attribute from the mapping table in the collector. Account attribute information in KUMA is updated each time you import accounts.  

  2. Import accounts.
  3. In the collector, in the LDAP mapping table, define the rules for mapping KUMA fields to LDAP attributes.
  4. Restart the collector.

     After the collector is restarted, KUMA begins enriching events with accounts.

      

• The capabilities for working with assets are expanded: it is now possible to add custom fields to assets, to search for assets by the field names, and to export search results to a file.
• In the event search section, event field presets are added allowing you to quickly configure the lookup table columns according to the analyzed logs.
• System fault tolerance is improved.
• The information about assets now displays additional information about protecting the hosts running KES for Windows and KES for Linux. The information is available if you've imported the asset from KSC.
• For KATA/EDR triggering events, a link is added that allows you to go to the corresponding alert card in the KATA/EDR management console.
• The capability is implemented to use the hex, base64, and base64url conversions to process binary values in logs at the event receiving stage.
• Correlation capabilities have been expanded:
  • The list of variable functions is expanded. There are now opportunities to transform keys or define conditions.
  • Ability to manage rule application sequence in the correlator is added.
• Alert segmentation rules are added.
• Normalizers for the event sources are added.
• A new first line analyst role is added. Users with this role are able to create their own content in the system but cannot edit the resources created by other users.
• System logging and the ability to export application component logs to files are improved.

[Topic 217846]

Distribution kit

The distribution kit includes the following files:

• kuma-ansible-installer-<build number>.tar.gz is used to install KUMA components without the capability of deployment in a fault-tolerant configuration.
• kuma-ansible-installer-ha-<build number>.tar.gz is used to install KUMA components with the capability of deployment in a fault-tolerant configuration.
• files containing information about the version (release notes) in Russian and English.

[Topic 217889]

Hardware and software requirements

Recommended hardware requirements

This section lists the hardware requirements for processing a data stream of up to 40,000 events per second (EPS). The KUMA load value depends on the type of events being parsed and the efficiency of the normalizer.

Consider that for event processing efficiency, the CPU core count is more important than the clock rate. For example, eight CPU cores with a medium clock rate can process events more efficiently than four CPU cores with a high clock rate. The following table lists the hardware and software requirements of KUMA components.

Consider also that the amount of RAM utilized by the collector depends on configured enrichment methods (DNS, accounts, assets, enrichment with data from Kaspersky CyberTrace) and whether aggregation is used (RAM consumption is influenced by the data aggregation window setting, the number of fields used for aggregation of data, volume of data in fields being aggregated).

For example, with an event stream of 1,000 EPS and event enrichment disabled (event enrichment is disabled, event aggregation is disabled, 5,000 accounts, 5,000 assets per tenant), one collector requires the following resources:

• 1 CPU core or 1 virtual CPU
• 512 MB of RAM
• 1 GB of disk space (not counting event cache)

For example, to support 5 collectors that do not perform event enrichment, you must allocate the following resources: 5 CPU cores, 2.5 GB of RAM, and 5 GB of free disk space.

Installation of KUMA is supported in the following virtual environments:

• VMware 6.5 or later
• Hyper-V for Windows Server 2012 R2 or later
• QEMU-KVM 4.2 or later
• Software package of virtualization tools "Brest" RDTSP.10001-02

Kaspersky recommendations for storage servers

We recommend putting ClickHouse on solid state drives (SSD). SSDs help improve data access speed. Hard drives can be used to store data using the HDFS technology.

To connect a data storage system to storage servers, you must use high-speed protocols, such as Fibre Channel or iSCSI 10G. We do not recommend using application-level protocols such as NFS and SMB to connect data storage systems.

On ClickHouse cluster servers, using the ext4 file system is recommend.

If you are using RAID arrays, it is recommended to use RAID 0 for high performance, or RAID 10 for high performance and fault tolerance.

To ensure fault tolerance and performance of the data storage subsystem, we recommend making sure that ClickHouse nodes are deployed strictly on different disk arrays.

If you are using a virtualized infrastructure to host system components, we recommend deploying ClickHouse cluster nodes on different hypervisors. In this case, it is necessary to prevent two virtual machines with ClickHouse from working on the same hypervisor.

For high-load KUMA installations, we recommend installing ClickHouse on physical servers.

Requirements for devices for installing agents

To have data sent to the KUMA collector, you must install agents on the network infrastructure devices. Device requirements are listed in the following table.

Requirements for client devices for managing the KUMA web interface

CPU: Intel Core i3 8th generation

RAM: 8 GB

Supported browsers:

• Google Chrome 102 or later.
• Mozilla Firefox 103 or later.

Device requirements for installing KUMA on Kubernetes

The minimum configuration of a Kubernetes cluster for deployment of a fault-tolerant KUMA configuration includes the following:

• 1 load balancer node (not part of the cluster).
• 3 controller nodes.
• 2 worker nodes.

The minimum hardware requirements for devices for installing KUMA on Kubernetes are listed in the table below.

[Topic 230383]

KUMA interface

The program is managed through the web interface.

The window of the program web interface contains the following items:

• Sections in the left part of the program web interface window
• Tabs in the upper part of the program web interface window for some sections of the program
• Workspace in the lower part of the program web interface window

The workspace displays the information that you choose to view in the sections and on the tabs of the program web interface window. It also contains management elements that you can use to configure how the information is displayed.

While working with the program web interface, you can use hot keys to perform the following actions:

• In all sections: close the window that opens in the right side pane—Esc.
• In the Events section:
  • Switch between events in the right side pane—↑ and ↓.
  • Start a search (when focused on the query field)—Ctrl/Command + Enter.
  • Save a search query—Ctrl/Command + S.

[Topic 230384]

Compatibility with other applications

Kaspersky Endpoint Security for Linux

If the components of KUMA and Kaspersky Endpoint Security for Linux are installed on the same server, the report.db directory may grow very large and even take up the entire drive space. To avoid this problem, it is recommended to upgrade Kaspersky Endpoint Security for Linux to version 11.2 or later.

[Topic 217958]

Program architecture

The standard program installation includes the following components:

• The Core that includes a graphical interface to monitor and manage the settings of system components.
• One or more Collectors that receive messages from event sources and parse, normalize, and, if required, filter and/or aggregate them.
• A Correlator that analyzes normalized events received from Collectors, performs the necessary actions with active lists, and creates alerts in accordance with the correlation rules.
• The Storage, which contains normalized events and registered incidents.

Events are transmitted between components over optionally encrypted, reliable transport protocols. You can configure load balancing to distribute load between service instances, and it is possible to enable automatic switching to the backup component if the primary one is unavailable. If all components are unavailable, events are saved to the hard disk buffer and sent later. The size of the buffer in the file system for temporary storage of events can be changed.

KUMA architecture

[Topic 217779]

Core

The Core is the central component of KUMA that serves as the foundation upon which all other services and components are built. It provides a graphical user interface that is intended for everyday use by operators/analysts and for configuring the entire system.

The Core allows you to:

• create and configure services, or components, of the program, as well as integrate the necessary software into the system;
• manage program services and user accounts in a centralized way;
• visualize statistical data on the program;
• investigate security threats based on the received events.

[Topic 217762]

Collector

A collector is an application component that receives messages from event sources, processes them, and transmits them to a storage, correlator, and/or third-party services to identify alerts.

For each collector, you need to configure one connector and one normalizer. You can also configure an unlimited number of additional Normalizers, Filters, Enrichment rules, and Aggregation rules. To enable the collector to send normalized events to other services, specific destinations must be added. Normally, two destinations are used: the storage and the correlator.

The collector operation algorithm includes the following steps:

1. Receiving messages from event sources

   To receive messages, you must configure an active or passive connector. The passive connector can only receive messages from the event source, while the active connector can initiate a connection to the event source, such as a database management system.

   Connectors can also vary by type. The choice of connector type depends on the transport protocol for transmitting messages. For example, for an event source that transmits messages over TCP, you must install a TCP type connector.

   The program has the following connector types available:

   • internal
   • tcp
   • udp
   • netflow
   • sflow
   • nats-jetstream
   • kafka
   • http
   • sql
   • file
   • diode
   • ftp
   • nfs
   • wmi
   • wec
   • snmp
2. Event parsing and normalization

   Events received by the connector are processed using the normalizer and normalization rules set by the user. The choice of normalizer depends on the format of the messages received from the event source. For example, you must select a CEF-type root normalizer for a source that sends events in CEF format.

   The following normalizers are available in the program:

   • JSON
   • CEF
   • Regexp
   • Syslog (as per RFC3164 and RFC5424)
   • CSV
   • Key-value
   • XML
   • NetFlow v5
   • NetFlow v9
   • IPFIX (v10)
3. Filtering of normalized events

   You can configure filters that allow you to filter out events that meet specified conditions. Events that do not meet the filtering conditions will be sent for processing.

4. Enrichment and conversion of normalized events

   Enrichment rules let you to supplement event contents with information from internal and external sources. The program has the following enrichment sources:

   • constants
   • cybertrace
   • dictionaries
   • dns
   • events
   • ldap
   • templates
   • timezone data
   • geographic data

   Mutation rules let you convert event field contents in accordance with the defined criteria. The program has the following conversion methods:

   • lower—converts all characters to lower case.
   • upper—converts all characters to upper case.
   • regexp—extracts a substring using RE2 regular expressions.
   • substring—gets a substring based on the specified numbers of the start and end positions.
   • replace—replaces text with the entered string.
   • trim—deletes the specified characters.
   • append—adds characters to the end of the field value.
   • prepend—adds characters to the beginning of the field value.
5. Aggregation of normalized events

   You can configure aggregation rules to reduce the number of similar events that are transmitted to the storage and/or the correlator. Configuring aggregation rules lets you combine several events into one event. This helps you reduce the load on the services responsible for further event processing, conserves storage space and the license quota for events per second (EPS). For example, you can aggregate into one event all events involving network connections made using the same protocol (transport and application layers) between two IP addresses and received during a specified time interval.

6. Transmission of normalized events

   After all the processing stages are completed, the event is sent to configured destinations.

[Topic 217784]

Correlator

The Correlator is a program component that analyzes normalized events. Information from active lists and/or dictionaries can be used in the correlation process.

The data obtained by analysis is used to carry out the following tasks:

• Alert detection.
• Notification about detected incidents.
• Active lists content management.
• Sending correlation events to configured destinations.

Event correlation is performed in real time. The operating principle of the correlator is based on an event signature analysis. This means that every event is processed according to the correlation rules set by the user. When the program detects a sequence of events that satisfies the conditions of the correlation rule, it creates a correlation event and sends it to the Storage. The correlation event can also be sent to the correlator for repeated analysis, which allows you to customize the correlation rules so that they are triggered by the results of a previous analysis. Products of one correlation rule can be used by other correlation rules.

You can distribute correlation rules and the active lists they use among correlators, thereby sharing the load between services. In this case, the collectors will send normalized events to all available correlators.

The correlator operation algorithm has the following steps:

1. Obtaining an event

   The correlator receives a normalized event from the collector or from another service.

2. Applying correlation rules

   You can configure correlation rules so they are triggered based on a single event or a sequence of events. If no alert was detected using the correlation rules, the event processing ends.

3. Responding to an alert

   You can specify actions that the program must perform when an alert is detected. The following actions are available in the program:

   • Event enrichment
   • Operations with active lists
   • Sending notifications
   • Storing correlation event
4. Sending a correlation event

   When the program detects a sequence of events that satisfies the conditions of the correlation rule, it creates a correlation event and sends it to the storage. Event processing by the correlator is now finished.

[Topic 218010]

Storage

A KUMA storage is used to store normalized events so that they can be quickly and continually accessed from KUMA for the purpose of extracting analytical data. Access speed and continuity are ensured through the use of the ClickHouse technology. This means that a storage is a ClickHouse cluster bound to a KUMA storage service. ClickHouse clusters can be supplemented with cold storage disks.

When choosing a ClickHouse cluster configuration, consider the specific event storage requirements of your organization. For more information, please refer to the ClickHouse documentation.

In repositories, you can create spaces. The spaces enable to create a data structure in the cluster and, for example, store the events of a certain type together.

[Topic 220211]

Basic entities

This section describes the main entities that KUMA works with.

[Topic 221264]

About tenants

KUMA has a multitenancy mode in which one instance of the KUMA application installed in the infrastructure of the main organization (main tenant) enables isolation of branches (tenants) so that they receive and process their own events.

The system is managed centrally through the main interface while tenants operate independently of each other and have access only to their own resources, services, and settings. Events of tenants are stored separately.

Users can have access to multiple tenants at the same time. You can also select which tenants' data will be displayed in sections of the KUMA web interface.

In KUMA, two tenants are created by default:

• The main tenant contains resources and services related to the main tenant. These resources are available only to the general administrator.
• The shared tenant is where the general administrator can place resources, asset categories, and monitoring policies that users of all tenants will be able to utilize. Access to a shared tenant can be restricted to individual users.

  If in user settings, the Hide shared resources check box is selected, the user cannot gain access to the Shared folder belonging to the shared tenant in the KUMA web interface in the Resources → <resource type>. This means that the user cannot view, edit, or otherwise use shared resources. The user is also unable to export shared resources and resource sets that incorporate resources from the shared tenant, either through the web interface or through the REST API.

  If any of the services available to the user use shared resources, the user can see the names of these resources in the service settings, but cannot view or modify the resources. The content of active lists is available to the user even if the resource of this active list is shared.

  The limitation does not apply to shared asset categories. Shared resources are also always available to users with the general administrator role.

[Topic 217693]

About events

Events are information security events registered on the monitored elements of the organization's IT infrastructure. For example, events include login attempts, interactions with a database, and sensor information broadcasts. Each separate event may seem meaningless, but when considered together they form a bigger picture of network activities to help identify security threats. This is the core functionality of KUMA.

KUMA receives events from logs and restructures their information, making the data from different event sources consistent (this process is called normalization). Afterwards, the events are filtered, aggregated, and later sent to the correlator service for analysis and to the Storage for retaining. When KUMA recognizes specific event or a sequences of events, it creates correlation events, that are also analyzed and retained. If an event or sequence of events indicates a potential security threat, KUMA creates an alert. This alert consists of a warning about the threat and all related data that should be investigated by a security officer.

Throughout their life cycle, events undergo conversions and may receive different names. Below is a description of a typical event life cycle:

The first steps are carried out in a collector.

1. Raw event. The original message received by KUMA from an event source using a Connector is called a raw event. This is an unprocessed message and it cannot be used yet by KUMA. To fit into the KUMA pipeline, raw events must be normalized into the KUMA data model. That's what the next stage is for.
2. Normalized event. A normalizer transforms 'raw' event data in accordance with the KUMA data model. After this conversion, the original message becomes a normalized event and can be used by KUMA for analysis. From here on, only normalized events are used in KUMA. Raw events are no longer used, but they can be kept as a part of normalized events inside the Raw field.

   The program has the following normalizers:

   • JSON
   • CEF
   • Regexp
   • Syslog (as per RFC3164 and RFC5424)
   • CSV/TSV
   • Key-value
   • XML
   • Netflow v5, v9, IPFIX (v10), sFlow v5
   • SQL

   At this point normalized events can already be used for analysis.

3. Event destination. After the Collector service have processed an event, it is ready to be used by other KUMA services and sent to the KUMA Correlator and/or Storage.

The next steps of the event life cycle are completed in the correlator.

Event types:

1. Base event. An event that was normalized.
2. Aggregated event. When dealing with a large number of similar events, you can "merge" them into a single event to save processing time and resources. They act as base events, but In addition to all the parameters of the parent events (events that are "merged"), aggregated events have a counter that shows the number of parent events it represents. Aggregated events also store the time when the first and last parent events were received.
3. Correlation event. When a sequence of events is detected that satisfies the conditions of a correlation rule, the program creates a correlation event. These events can be filtered, enriched, and aggregated. They can also be sent for storage or looped into the Correlator pipeline.
4. Audit event. Audit events are created when certain security-related actions are completed in KUMA. These events are used to ensure system integrity. They are automatically placed in a separate storage space and stored for at least 365 days.
5. Monitoring event. These events are used to track changes in the amount of data received by KUMA.

[Topic 217691]

About alerts

In KUMA, an alert is created when a sequence of events is received that triggers a correlation rule. Correlation rules are created by KUMA analysts to check incoming events for possible security threats, so when a correlation rule is triggered, it's a warning there may be some malicious activity happening. Security officers should investigate these alerts and respond if necessary.

KUMA automatically assigns the severity to each alert. This parameter shows how important or numerous the processes are that triggered the correlation rule. Alerts with higher severity should be dealt with first. The severity value is automatically updated when new correlation events are received, but a security officer can also set it manually. In this case, the alert severity is no longer automatically updated.

Alerts have related events linked to them, making alerts enriched with data from these events. KUMA also offers drill down functionality for alert investigations.

You can create incidents based on alerts.

Alert management in KUMA is described in this section.

[Topic 220212]

About incidents

If the nature of the data received by KUMA or the generated correlation events and alerts indicate a possible attack or vulnerability, the symptoms of such an event can be combined into an incident. This allows security experts to analyze threat manifestations in a comprehensive manner and facilitates response.

You can assign a category, type, and severity to incidents, and assign incidents to data protection officers for processing.

Incidents can be exported to RuCERT.

[Topic 217692]

About assets

Assets are network devices registered in KUMA. Assets generate network traffic when they send and receive data. The KUMA program can be configured to track this activity and create baseline events with a clear indication of where the traffic is coming from and where it is going. The event can contain source and destination IP addresses, as well as DNS names. If you register an asset with certain parameters (for example, a specific IP address), this asset is linked to all events that contain this IP address in any of its parameters.

Assets can be divided into logical groups. This helps keep your network structure transparent and gives you additional ways to work with correlation rules. When an event linked to an asset is processed, the category of this asset is also taken into consideration. For example, if you assign high severity to a certain category of assets, the base events involving these assets will trigger the creation of correlation events with higher severity. This in turn cascades into higher severity alerts and, therefore, a more rapid response to such an alert.

It is recommended to register network assets in KUMA because their use makes it possible to formulate clear and versatile correlation rules for much more efficient analysis of events.

Asset management in KUMA is described in this section.

[Topic 221640]

About resources

Resources are KUMA components that contain parameters for implementing various functions: for example, establishing a connection with a given web address or converting data according to certain rules. Like parts of an erector set, these components are assembled into resource sets for services that are then used as the basis for creating KUMA services.

[Topic 221642]

About services

Services are the main components of KUMA that work with events: receiving, processing, analyzing, and storing them. Each service consists of two parts that work together:

• One part of the service is created inside the KUMA web interface based on set of resources for services.
• The second part of the service is installed in the network infrastructure where the KUMA system is deployed as one of its components. The server part of a service can consist of multiple instances: for example, services of the same agent or storage can be installed on multiple devices at once.

Parts of services are connected to each other via the service ID.

[Topic 217690]

About agents

KUMA agents are services that are used to forward raw events from servers and workstations to KUMA destinations.

Types of agents:

• wmi agents are used to receive data from remote Windows devices using Windows Management Instrumentation. They are installed to Windows assets.
• wec agents are used to receive Windows logs from a local device using Windows Event Collector. They are installed to Windows assets.
• tcp agents are used to receive data over the TCP protocol. They are installed to Linux and Windows assets.
• udp agents are used to receive data over the UDP protocol. They are installed to Linux and Windows assets.
• nats-jetstream—used for NATS communications. They are installed to Linux and Windows assets.
• kafka agents are used for Kafka communications. They are installed to Linux and Windows assets.
• http agents are used for communication over the HTTP protocol. They are installed to Linux and Windows assets.
• file agents are used to get data from a file. They are installed to Linux assets.
• ftp agents are used to receive data over the File Transfer Protocol. They are installed to Linux and Windows assets.
• nfs agents are used to receive data over the Network File System protocol. They are installed to Linux and Windows assets.
• snmp agents are used to receive data over the Simple Network Management Protocol. They are installed to Linux and Windows assets.
• diode agents are used together with data diodes to receive events from isolated network segments. They are installed to Linux and Windows assets.

[Topic 217695]

About Priority

Priority reflects the relative importance of security-sensitive activity detected by a KUMA correlator. It shows the order in which multiple alerts should be processed, and indicates whether senior security officers should be involved.

The Correlator automatically assigns severity to correlation events and alerts based on correlation rule settings. The severity of an alert also depends on the assets related to the processed events because correlation rules take into account the severity of a related asset's category. If the alert or correlation event does not have linked assets with a defined severity or does not have any related assets at all, the severity of this alert or correlation event is equal to the severity of the correlation rule that triggered them. The alert or the correlation event severity is never lower than the severity of the correlation rule that triggered them.

Alert severity can be changed manually. The severity of alerts changed manually is no longer automatically updated by correlation rules.

Possible severity values:

• Low
• Medium
• High
• Critical

[Topic 217959]

Program licensing

This section covers the main aspects of program licensing.

[Topic 222243]

About the End User License Agreement

The End User License agreement is a legal agreement between you and AO Kaspersky Lab that specifies the conditions under which you can use the program.

Read the terms of the End User License Agreement carefully before using the program for the first time.

You can familiarize yourself with the terms of the End User License Agreement in the following ways:

• During the installation of KUMA.
• By reading the LICENSE document. This document is included in the distribution kit and is located inside the installer in the /kuma-ansible-installer/roles/kuma/files/ folder.

  After the program is deployed, the document is available in the /opt/kaspersky/kuma/LICENSE folder.

You accept the terms of the End User License Agreement by confirming your acceptance of the End User License Agreement during the program installation. If you do not accept the terms of the End User License Agreement, you must cease the installation of the program and must not use the program.

[Topic 233460]

About the license

A License is a time-limited right to use the program, granted under the terms of the End User License Agreement.

A license entitles you to the following kinds of services:

• Use of the program in accordance with the terms of the End User License Agreement
• Getting technical support

The scope of services and the duration of usage depend on the type of license under which the program was activated.

A license is provided when the program is purchased. When the license expires, the program continues to work but with limited functionality (for example, new resources cannot be created). To continue using KUMA with its full functionality, you need to renew your license.

We recommend that you renew your license no later than its expiration date to ensure maximum protection against cyberthreats.

[Topic 233471]

About the License Certificate

A License Certificate Is a document that is provided to you along with a key file or activation code.

The License Certificate contains the following information about the license being granted:

• License key or order number
• Information about the user who is granted the license
• Information about the program that can be activated under the provided license
• Restriction on the number of licensing units (for example, the number of events that can be processed per second)
• Start date of the license term
• License expiration date or license term
• License type

[Topic 233462]

About the license key

A license key is a sequence of bits that you can apply to activate and then use the program in accordance with the terms of the End User License Agreement. License keys are generated by Kaspersky specialists.

You can add a license key to the program by applying a key file. The license key is displayed in the program interface as a unique alphanumeric sequence after you add it to the program.

The license key may be blocked by Kaspersky in case the terms of the License Agreement have been violated. If the license key has been blocked, you need to add another one if you want to use the program.

A license key may be active or reserve.

An active license key is the license key currently used by the program. An active license key can be added for a trial or commercial license. The program cannot have more than one active license key.

A reserve license key is the license key that entitles the user to use the program but is not currently in use. The additional license key automatically becomes active when the license associated with the current active license key expires. An additional license key can be added only if an active license key has already been added.

A license key for a trial license can be added as an active license key. A license key for a trial license cannot be added as an additional license key.

[Topic 233467]

About the key file

The key file is a file named license.key provided to you by Kaspersky. The key file is used to add a license key that activates the program.

You receive a key file at the email address that you provided after purchasing KUMA.

You do not need to connect to Kaspersky activation servers in order to activate the program with a key file.

If the key file has been accidentally deleted, you can restore it. You may need a key file, for example, to register with Kaspersky CompanyAccount.

To restore the key file, you need to do one of the following:

• Contact the license seller.
• Get a key file on the Kaspersky website based on the available activation code.

[Topic 217709]

Adding a license key to the program web interface

You can add an application license key in the KUMA web interface.

Only users with the Administrator role can add a license key.

To add a license key to the KUMA web interface:

1. Open the KUMA web interface and select Settings → License.

   The window with KUMA license conditions opens.

2. Select the key you want to add:
   • If you need to add an active key, click the Add active license key button.

     This button is not displayed if a license key has already been added to the program. If you want to add an active license key instead of the key that has already been added, the current license key must be deleted.

   • If you want to add a reserve key, click the Add reserve license key button.

     This button is inactive until an active key is added. If you want to add a reserve license key instead of the key that has already been added, the current reserve license key must be deleted.

   The license key file selection window appears on the screen.

3. Select a license file by specifying the path to the folder and the name of the license key file with the KEY extension.

The license key from the selected file will be loaded into the program. Information about the license key is displayed under Settings → License.

[Topic 218040]

Viewing information about an added license key in the program web interface

In the KUMA web interface, you can view information about the added license key. Information about the license key is displayed under Settings → License.

Only users with the Administrator role can view license information.

The License tab window displays the following information about added license keys:

• Expires on—date when the license key expires.
• Days remaining—number of days before the license is expired.
• EPS available—number of events processed per second supported by the license.
• EPS current—current average number of events per second processed by KUMA.
• License key—unique alphanumeric sequence.
• Company—name of the company that purchased the license.
• Client name—name of client who purchased the license.
• Modules—modules available for the license.

[Topic 217963]

Removing a license key in the program web interface

In KUMA, you can remove an added license key from the program (for example, if you need to replace the current license key with a different key). After the license key is removed, the program stops to receive and process events. This functionality will be re-activated the next time you add a license key.

Only users with the administrator role can delete license keys.

To delete an added license key:

1. Open the KUMA web interface and select Settings → License.

   The window with KUMA license conditions opens.

2. Click the icon on the license that you want to delete.

   A confirmation window opens.

3. Confirm deletion of the license key.

The license key will be removed from the program.

[Topic 249526]

Administrator's guide

This chapter provides information about installing and configuring the KUMA SIEM system.

[Topic 217904]

Installing and removing KUMA

To complete the installation, you need a distribution kit:

• kuma-ansible-installer-<build number>.tar.gz contains all necessary files for installing KUMA without the support for fault-tolerant configurations.
• kuma-ansible-installer-ha-<build number>.tar.gz contains all necessary files for installing KUMA in a fault-tolerant configuration.

To complete the installation, you need the install.sh installer file and an inventory file that describes the infrastructure. You can create an inventory file based on a template. Each distribution contains an install.sh installer file and the following inventory file templates:

• single.inventory.yml.template
• distributed.inventory.yml.template
• expand.inventory.yml.template
• k0s.inventory.yml.template

KUMA places its files in the /opt directory, so we recommend making /opt a separate partition and allocating 16 GB for the operating system and the remainder of the disk space for the /opt partition.

KUMA is installed in the same way on all hosts using the installer and your prepared inventory file in which you describe your configuration. We recommend taking time to think through the setup before you proceed.

The following installation options are available:

• Installation on a single server

  Single-server installation diagram

  

  Installation on a single server

  You can install all KUMA components on the same server: specify the same server in the single.inventory.yml inventory file for all components. An "all-in-one" installation can handle a small stream of events, up to 10,000 EPS. If you plan to use multiple dashboard layouts and handle a high volume of search queries, a single server might not be sufficient. In that case, we recommend choosing the distributed installation instead.

• Distributed installation

  Distributed Installation diagram

  

  Distributed Installation diagram

  You can install KUMA services on different servers; you can describe the configuration for a distributed installation in the distributed.inventory.yml inventory file.

• Distributed installation in a fault-tolerant configuration

  You can install the KUMA Core on a Kubernetes cluster for fault tolerance. Use the k0s.inventory.yml inventory file for the description.

[Topic 231034]

Program installation requirements

General application installation requirements

Before deploying the application, make sure the following conditions are met:

• Servers on which you want to install the components satisfy the hardware and software requirements.
• Ports used by the installed instance of KUMA are available.
• KUMA components are addressed using the fully qualified domain name (FQDN) of the host. Before you install the application, make sure that the correct host FQDN is returned in the Static hostname field. For this purpose, execute the following command:

  hostnamectl status

• The server where the installer is run does not have the name localhost or localhost.<domain>.
• Time synchronization over Network Time Protocol (NTP) is configured on all servers with KUMA services.

Installation requirements for Oracle Linux and Astra Linux operating systems

[Topic 217770]

Ports used by KUMA during installation

For the program to run correctly, you need to ensure that the KUMA components are able to interact with other components and programs over the network via the protocols and ports specified during the installation of the KUMA components.

Before installing the Core on the device, make sure that the following ports are free:

• 9090: used by Victoria Metrics.
• 8880: used by VMalert.
• 27017: used by MongoDB.

The table below shows the default network ports values. The installer automatically opens the ports during KUMA installation

Network ports used for the interaction of KUMA components

Ports used by the OOTB predefined resources

The installer automatically opens the ports during KUMA installation.

Ports used by the OOTB predefined resources:

• 7230/tcp
• 7231/tcp
• 7232/tcp
• 7233/tcp
• 7234/tcp
• 7235/tcp
• 5140/tcp
• 5140/udp
• 5141/tcp
• 5144/udp

KUMA Core traffic in a fault-tolerant configuration

The "KUMA Core traffic in a fault-tolerant configuration" table shows the initiator of the connection (the source) and the destination. The port number on the initiator can be dynamic. Return traffic within the established connection must not be blocked.

KUMA Core traffic in a fault-tolerant configuration

[Topic 255123]

Synchronizing time on servers

To configure time synchronization on servers:

1. Install chrony:

   sudo apt install chrony

2. Configure the system time to synchronize with the NTP server:
   1. Make sure the virtual machine has Internet access.

      If access is available, go to step b.

      If internet access is not available, edit the /etc/chrony.conf file to replace 2.pool.ntp.org with the name or IP address of your organization's internal NTP server.

   2. Start the system time synchronization service by executing the following command:

      sudo systemctl enable --now chronyd

   3. Wait a few seconds and run the following command:

      sudo timedatectl | grep 'System clock synchronized'

      If the system time is synchronized correctly, the output will contain the line "System clock synchronized: yes".

Synchronization is configured.

[Topic 255188]

About the inventory file

KUMA components can be installed, updated, and removed from the directory with the unpacked kuma-ansible-installer using the Ansible tool and the inventory file you created. You can specify values ​​for KUMA configuration settings in the inventory file; the installer uses these values ​​when deploying, updating, and removing the program. The inventory file uses the YAML format.

You can create an inventory file based on the templates included in the distribution kit. The following templates are available:

• single.inventory.yml.template—Used to install KUMA on a single server. It contains the minimum set of settings optimized for installation on a single device without the use of a Kubernetes cluster.
• distributed.inventory.yml.template—Used for the initial distributed installation of KUMA without using a Kubernetes cluster, for expanding the all-in-one installation to a distributed installation, and for updating KUMA.
• expand.inventory.yml.template—Used in some reconfiguration scenarios: for adding collector and correlator servers, for expanding an existing storage cluster, and for adding a new storage cluster. If you use this inventory file to edit the configuration, the installer does not stop services in the entire infrastructure. If you reuse the inventory file, the installer can stop only services on hosts that are listed in the expand.inventory.yml inventory file.
• k0s.inventory.yml.template—Used to install or migrate KUMA to a Kubernetes cluster.

We recommend backing up the inventory file that you used to install the program. You can use it to add components to the system or remove KUMA.

[Topic 244406]

KUMA settings in the inventory file

The inventory file may include the following blocks:

• all
• kuma
• kuma_k0s

For each host, you must specify the FQDN in the <host name>.<domain> format or an ipv4 or ipv6 IP address.

all block

In this block the variables that are applied to all hosts indicated in the inventory are specified, including the implicit localhost where the installation is started. Variables can be redefined at the level of host groups or even for individual hosts.

Example of redefining variables in the inventory file

The following table lists possible variables in the 'vars' section and their descriptions.

List of possible variables in the vars section

kuma block

This block lists the settings of KUMA components deployed outside of the Kubernetes cluster.

The following sections are available in the block:

• In the vars section, you can specify the variables that are applied to all hosts indicated in the kuma block.
• In the children section you can list groups of component settings:
  • kuma_core—KUMA Core settings. This may contain only one host.
  • kuma_collector—settings of KUMA collectors. Can contain multiple hosts.
  • kuma_correlator—settings of KUMA correlators. Can contain multiple hosts.
  • kuma_storage—settings of KUMA storage nodes. Can contain multiple hosts.

kuma_k0s block

This block defines the settings of the Kubernetes cluster that ensures fault tolerance of KUMA. This block is only available in an inventory file that is based on k0s.inventory.yml.template.

The minimum configuration allowed for installation is one controller combined with a worker node. This configuration does not provide fault tolerance for the Core and is only intended for demonstration of its capabilities or for testing the software environment.

To implement fault tolerance, 2 dedicated cluster controllers and a load balancer are required. For industrial operation, it is recommended to use dedicated worker nodes and controllers. If a cluster controller is under workload and the pod with the KUMA Core is hosted on the controller, disabling the controller will result in a complete loss of access to the Core.

The following sections are available in the block:

• In the vars section, you can specify the variables that are applied to all hosts indicated in the kuma block.
• The children section defines the settings of the Kubernetes cluster that ensures fault tolerance of KUMA.

The table below shows a list of possible variables in the vars section and their descriptions.

List of possible variables in the vars section

Each host in this block must have its unique FQDN or IP address indicated in the ansible_host parameter, except for the host in the kuma_lb section which must have its FQDN indicated. Hosts must not be duplicated in groups.

The parameter extra_args: "--labels=kaspersky.com/kuma-core=true,kaspersky.com/kuma-ingress=true,node.longhorn.io/create-default-disk=true" must be indicated for each cluster node and for a cluster controller that is combined with a worker node.

[Topic 217908]

Installation on a single server

To install KUMA components on a single server, complete the following steps:

1. Ensure that hardware, software, and installation requirements for KUMA are met.
2. Prepare the single.inventory.yml inventory file.

   Use the single.yml.template inventory file template from the distribution kit to create a single.inventory.yml inventory file and describe the network structure of program components in that file. The installer uses the single.inventory.yml file to deploy KUMA.

3. Install the program.

   Install the program and log in to the web interface using the default credentials.

If necessary, you can move application components to different servers to continue with a distributed configuration.

[Topic 222158]

Preparing the single.inventory.yml inventory file

KUMA components can be installed, updated, and removed in the directory containing the unpacked installer by using the Ansible tool and the user-created YML inventory file containing a list of the hosts of KUMA components and other settings. If you want to install all KUMA components on the same server, you must specify the same host for all components in the inventory file.

To create an inventory file for installation on a single server:

1. Copy the archive with the kuma-ansible-installer-<version name>.tar.gz installer to the server and unpack it using the following command (about 2 GB of disk space is required):

   sudo tar -xpf kuma-ansible-installer-<version name>.tar.gz

2. Go to the KUMA installer folder by executing the following command:

   cd kuma-ansible-installer

3. Copy the single.inventory.yml.template template and create an inventory file named single.inventory.yml:

   cp single.inventory.yml.template single.inventory.yml

4. Edit the settings in the single.inventory.yml inventory file.

   If you want predefined services to be created during the installation, set deploy_example_services to true.

   deploy_example_services: true

   The predefined services will appear only as a result of the initial installation of KUMA. If you are upgrading the system using the same inventory file, the predefined services are not re-created.

5. Replace all kuma.example.com strings in the inventory file with the name of the host on which you want to install KUMA components.

The inventory file is created. Now you can use it to install KUMA on a single server.

We recommend backing up the inventory file that you used to install the program. You can use it to add components to the system or remove KUMA.

Sample inventory file for installation on a single server

[Topic 222159]

Installing the program on a single server

You can install all KUMA components on a single server using the Ansible tool and the single.inventory.yml inventory file.

To install Kuma on a single server:

1. Download the kuma-ansible-installer-<build number>.tar.gz KUMA distribution kit to the server and extract it. The archive is unpacked into the kuma-ansibleinstaller directory.
2. Go to the directory with the unpacked installer.
3. Place the license key file in the <installer directory>/roles/kuma/files/ directory.

   The key file must be named license.key.

   sudo cp <key file>.key <installer directory>/roles/kuma/files/license.key

4. Run the following command to start the component installation with your prepared single.inventory.yml inventory file:

   sudo ./install.sh single.inventory.yml

5. Accept the terms of the End User License Agreement.

   If you do not accept the terms of the End User License Agreement, the program will not be installed.

As a result, all KUMA components are installed. After the installation is complete, log in to the KUMA web interface and enter the address of the KUMA web interface in the address bar of your browser, then enter your credentials on the login page.

The address of the KUMA web interface is https://<FQDN of the host where KUMA is installed>:7220.

Default login credentials:
- login – admin
- password – mustB3Ch@ng3d!

After the first login, change the password of the admin account

We recommend backing up the inventory file that you used to install the program. You can use this inventory file to add components to the system or remove KUMA.

You can expand the installation to a distributed installation.

[Topic 217917]

Distributed installation

Distributed installation of KUMA involves multiple steps:

1. Verifying that the hardware, software, and installation requirements for KUMA are satisfied.
2. Preparing the test machine.

   The test machine is used during the program installation process: the installer files are unpacked and run on it.

3. Preparing the target machines.

   The program components are installed on the target machines.

4. Preparing the distributed.inventory.yml inventory file.

   Create an inventory file with a description of the network structure of program components. The installer uses this inventory file to deploy KUMA.

5. Installing the program.

   Install the program and log in to the web interface.

6. Creating services.

   Create the client part of the services in the KUMA web interface and install the server part of the services on the target machines.

   Make sure the KUMA installation is complete before you install KUMA services. We recommend installing services in the following order: storage, collectors, correlators, and agents.

   When deploying several KUMA services on the same host, you must specify unique ports for each service using the --api.port <port> parameters during installation.

If necessary, you can change the KUMA web console certificate to your company's certificate.

[Topic 222083]

Preparing the test machine

To prepare the test machine for the KUMA installation:

1. Ensure that hardware, software, and installation requirements of the program are met.
2. Generate an SSH key for authentication on the SSH servers of the target machines by executing the following command:

   sudo ssh-keygen -f /root/.ssh/id_rsa -N "" -C kuma-ansible-installer

   If SSH root access is blocked on the test machine, generate an SSH key for authentication on the SSH servers of the target machines using a user from the sudo group:

   If the user does not have sudo rights, add the user to the sudo group:

   usermod -aG sudo user

   sudo ssh-keygen -f /home/<name of the user from sudo group>/.ssh/id_rsa -N "" -C kuma-ansible-installer

   As a result, the key is generated and saved in the user's home directory. You should specify the full path to the key in the inventory file in the value of the ansible_ssh_private_key_file parameter so that the key is available during installation.

3. Make sure that the test machine has network access to all the target machines by host name and copy the SSH key to each target machine by carrying out the following command:

   sudo ssh-copy-id -i /root/.ssh/id_rsa root@<host name of the test machine>

   If SSH root access is blocked on the test machine and you want to use the SSH key from the home directory of the sudo group user, make sure that the test machine has network access to all target machines by host name and copy the SSH key to each target machine using the following command:

   sudo ssh-copy-id -i /home/<name of a user in the sudo group>/.ssh/id_rsa root@<host name of the test machine>

4. Copy the archive with the kuma-ansible-installer-<version>.tar.gz installer to the test machine and unpack it using the following command (about 2 GB of disk space is required):

   sudo tar -xpf kuma-ansible-installer-<version name>.tar.gz

The test machine is ready for the KUMA installation.

[Topic 217955]

Preparing the target machine

To prepare the target machine for the installation of KUMA components:

1. Ensure that hardware, software, and installation requirements are met.
2. Specify the host name. We recommend specifying the FQDN. For example, kuma1.example.com.

   You should not change the KUMA host name after installation: this will make it impossible to verify the authenticity of certificates and will disrupt the network communication between the program components.

3. Register the target machine in your organization's DNS zone to allow host names to be translated to IP addresses.

   If your organization does not use a DNS server, you can use the /etc/hosts file for name resolution. The content of the files can be automatically generated for each target machine when installing KUMA.

4. To get the hostname that you must specify when installing KUMA, run the following command and record the result:

   hostname -f

   The test machine must be able to access the target machine using this name.

The target machine is ready for the installation of KUMA components.

[Topic 222085]

Preparing the distributed.inventory.yml inventory file

To create the distributed.inventory.yml inventory file:

1. Go to the KUMA installer folder by executing the following command:

   cd kuma-ansible-installer

2. Copy the distributed.inventory.yml.template template and create an inventory file named distributed.inventory.yml:

   cp distributed.inventory.yml.template distributed.inventory.yml

3. Edit the settings in the distributed.inventory.yml inventory file.

We recommend backing up the inventory file that you used to install the program. You can use it to add components to the system or remove KUMA.

Sample inventory file for distributed installation

[Topic 217914]

Installing the program in a distributed configuration

KUMA is installed using the Ansible tool and the YML inventory file. The installation is performed using the test machine, where all of the KUMA components are installed on the target machines.

To install KUMA:

1. On the test machine, open the folder containing the unpacked installer.

   cd kuma-ansible-installer

2. Place the license key file in the <installer directory>/roles/kuma/files/ directory.

   The key file must be named license.key.

3. Run the installer from the folder with the unpacked installer:

   sudo ./install.sh distributed.inventory.yml

4. Accept the terms of the End User License Agreement.

   If you do not accept the terms of the End User License Agreement, the program will not be installed.

KUMA components are installed. The screen will display the URL of the KUMA web interface and the user name and password that must be used to access the web interface.

By default, the KUMA web interface address is https://<FQDN or IP address of the core component>:7220.

Default login credentials (after the first login, you must change the password of the admin account):
- user name — admin
- password— mustB3Ch@ng3d!

We recommend backing up the inventory file that you used to install the program. You can use it to add components to the system or remove KUMA.

[Topic 217747]

Modifying the self-signed web console certificate

Before changing KUMA certificate, make sure to back up the previous certificate and key with the names external.cert.old and external.key.old respectively.

After installing the KUMA Core, the installer creates the following certificates in the /opt/kaspersky/kuma/core/certificates folder:

• Self-signed root certificate ca.cert with the ca.key.

  Signs all other certificates that are used for internal communication between KUMA components.

• The internal.cert certificate signed with the root certificate, and the Core server internal.key.

  Used for internal communication between KUMA components.

• KUMA web console external.cert certificate and external.key.

  Used in the KUMA web console and for REST API requests.

  You can use your company certificate and key instead of self-signed web console certificate. For example, if you want to replace self-signed CA Core certificate with a certificate issued by an enterprise CA, you must provide an external.cert and an unencrypted external.key in PEM format.

  The following example shows how to replace a self-signed CA Core certificate with an enterprise certificate in PFX format. You can use the instructions as an example and adapt the steps according to your needs.

To replace the KUMA web console certificate with an external certificate:

1. Switch to root user operation:

   sudo -i

2. Go to the certificates directory:

   cd /opt/kaspersky/kuma/core/certificates

3. Make a backup copy of the current certificate and key:

   mv external.cert external.cert.old && mv external.key external.key.old

4. In OpenSSL, convert the PFX file to a certificate and an encrypted key in PEM format:

   openssl pkcs12 -in kumaWebIssuedByCorporateCA.pfx -nokeys -out external.cert

   openssl pkcs12 -in kumaWebIssuedByCorporateCA.pfx -nocerts -nodes -out external.key

   When carrying out the command, you are required to specify the PFX key password (Enter Import Password).

   As a result, the external.cert certificate and the external.key in PEM format are returned.

5. Place the returned external.cert certificate and external.key files in the /opt/kaspersky/kuma/core/certificates directory.
6. Change the owner of the key files:

   chown kuma:kuma external.cert external.key

7. Restart KUMA:

   systemctl restart kuma-core

8. Refresh the web page or restart the browser hosting the KUMA web interface.

Your company certificate and key have been replaced.

[Topic 244396]

Distributed installation in a fault-tolerant configuration

KUMA fault-tolerant configuration is provided by injecting KUMA Core into a Kubernetes cluster deployed by the KUMA installer.

The Kubernetes cluster configuration is defined in the inventory file. It must include one controller (dedicated or combined with a worker node), at least one worker node (dedicated or combined with a controller), and 0 or more dedicated worker nodes.

To install a fault-tolerant configuration of KUMA, you must use the kuma-ansible-installer-ha-<build number>.tar.gz installer.

When installing the fault-tolerant application configuration, the KUMA Core is placed into a Kubernetes cluster using the installer and the inventory file. The KUMA Core can be placed in a Kubernetes cluster in the following ways:

• Install KUMA in a Kubernetes cluster.
• Migrate the Core of the existing KUMA installation to the Kubernetes cluster.

[Topic 244722]

About KUMA fault tolerance

KUMA fault tolerance is ensured by implementing the KUMA Core into the Kubernetes cluster deployed by the KUMA installer, and by using an external TCP traffic balancer.

There are 2 possible roles for nodes in Kubernetes:

• Controllers (control-plane)—nodes with this role manage the cluster, store metadata, and distribute the workload.
• Workers—nodes with this role bear the workload by hosting KUMA processes.

Learn more about the requirements for cluster nodes.

For product installations of the KUMA Core in Kubernetes, it is critically important to allocate 3 separate nodes with a single controller role. This will provide fault tolerance for the Kubernetes cluster and will ensure that the workload (KUMA processes and others) cannot affect the tasks associated with managing the Kubernetes cluster. If you are using virtualization tools, you should make sure that these nodes reside on different physical servers and ensure that there are no worker nodes on the same physical servers.

In cases where KUMA is installed for demo purposes, nodes that combine the roles of a controller and worker node are allowed. However, if you are expanding an installation to a distributed installation, you must reinstall the entire Kubernetes cluster while allocating 3 separate nodes with the controller role and at least 2 nodes with the worker node role. KUMA cannot be upgraded to later versions if there are nodes that combine the roles of a controller and worker node.

You can combine different roles on the same cluster node only for demo deployment of the application.

KUMA Core availability under various scenarios:

• Malfunction or network disconnection of the worker node where the KUMA Core service is deployed.

  Access to the KUMA web interface is lost. After 6 minutes, Kubernetes initiates migration of the Core bucket to an operational node of the cluster. After deployment is complete, which takes less than one minute, the KUMA web interface becomes available again via URLs that use the FQDN of the load balancer. To determine on which of the hosts the Core is running, run the following command in the terminal of one of the controllers:

  k0s kubectl get pod -n kuma -o wide

  When the malfunctioning worker node or access to it is restored, the Core bucket is not migrated from its current worker node. A restored node can participate in replication of a disk volume of the Core service.

• Malfunction or network disconnection of a worker node containing a replica of the KUMA Core drive on which the Core service is not currently deployed.

  Access to the KUMA web interface is not lost via URLs that use the FQDN of the load balancer. The network storage creates a replica of the running Core disk volume on other running nodes. When accessing KUMA via a URL with the FQDN of running nodes, there is no disruption.

• Loss of availability of one or more cluster controllers when quorum is maintained.

  Worker nodes operate in normal mode. Access to KUMA is not disrupted. A failure of cluster controllers extensive enough to break quorum leads to the loss of control over the cluster.

  Correspondence of the number of machines in use to ensure fault tolerance

  Number of controllers when installing a cluster	Minimum number of controllers required for the operation of the cluster (quorum)	Admissible number of failed controllers
  1	1	0
  2	2	0
  3	2	1
  4	3	1
  5	3	2
  6	4	2
  7	4	3
  8	5	3
  9	5	4

• Simultaneous failure of all Kubernetes cluster controllers.

  The cluster cannot be managed and therefore will have impaired performance.

• Simultaneous loss of availability of all worker nodes of a cluster with replicas of the Core volume and the Core pod.

  Access to the KUMA web interface is lost. If all replicas are lost, information will be lost.

[Topic 244399]

Additional application installation requirements

To protect the KUMA network infrastructure using Kaspersky Endpoint Security for Linux, first install KUMA in a Kubernetes cluster and then deploy Kaspersky Endpoint Security for Linux.

When you install a fault-tolerant configuration of KUMA, the following requirements must be met:

• General application installation requirements.
• The hosts that are planned to be used for Kubernetes cluster nodes do not use IP addresses from the following Kubernetes blocks:
  • serviceCIDR: 10.96.0.0/12
  • podCIDR: 10.244.0.0/16

  The traffic to the proxy servers is also excluded for the addresses of these blocks.

• The nginx load balancer is installed and configured (more details about configuring nginx). For example, you can use the following command for installation:

  sudo yum install nginx

  If you want nginx to be configured automatically during the KUMA installation, install nginx and provide access to it via SSH in the same way as for the Kubernetes cluster hosts.

  Example of an automatically created nginx configuration

  The installer creates the /etc/nginx/kuma_nginx_lb.conf configuration file. An example of the file contents is shown below. The upstream sections are generated dynamically and contain the IP addresses of the Kubernetes cluster controllers (in the example, 10.0.0.2-4 in the upstream kubeAPI_backend, upstream konnectivity_backend, controllerJoinAPI_backend sections) and the IP addresses of the worker nodes (in the example 10.0.1.2-3), for which the inventory file contains the "kaspersky.com/kuma-ingress=true" value for the extra_args variable.

  The "include /etc/nginx/kuma_nginx_lb.conf;" line is added to the end of the /etc/nginx/nginx.conf file to apply the generated configuration file.

  Configuration file example:

  # Ansible managed # # LB KUMA cluster #   stream {     server {         listen          6443;         proxy_pass      kubeAPI_backend;     }     server {         listen          8132;         proxy_pass      konnectivity_backend;     }     server {         listen          9443;         proxy_pass      controllerJoinAPI_backend;     }     server {         listen          7209;         proxy_pass      kuma-core-hierarchy_backend;         proxy_timeout   86400s;     }     server {         listen          7210;         proxy_pass      kuma-core-services_backend;         proxy_timeout   86400s;     }     server {         listen          7220;         proxy_pass      kuma-core-ui_backend;         proxy_timeout   86400s;     }     server {         listen          7222;         proxy_pass      kuma-core-cybertrace_backend;         proxy_timeout   86400s;     }     server {         listen          7223;         proxy_pass      kuma-core-rest_backend;         proxy_timeout   86400s;     }     upstream kubeAPI_backend {         server 10.0.0.2:6443;         server 10.0.0.3:6443;         server 10.0.0.4:6443;     }     upstream konnectivity_backend {         server 10.0.0.2:8132;         server 10.0.0.3:8132;         server 10.0.0.4:8132;     }     upstream controllerJoinAPI_backend {         server 10.0.0.2:9443;         server 10.0.0.3:9443;         server 10.0.0.4:9443;     }     upstream kuma-core-hierarchy_backend {         server 10.0.1.2:7209;         server 10.0.1.3:7209;     }     upstream kuma-core-services_backend {         server 10.0.1.2:7210;         server 10.0.1.3:7210;     }     upstream kuma-core-ui_backend {         server 10.0.1.2:7220;         server 10.0.1.3:7220;     }     upstream kuma-core-cybertrace_backend {         server 10.0.1.2:7222;         server 10.0.1.3:7222;     }     upstream kuma-core-rest_backend {         server 10.0.1.2:7223;         server 10.0.1.3:7223;     } }

• An access key from the device on which KUMA is installed is added to the load balancer server.
• The SELinux module is NOT enabled on the balancer server in the operating system.
• The tar, systemctl, setfacl packages are installed on the hosts.

During KUMA installation, the hosts are automatically checked to meet the following hardware requirements. If these conditions are not met, the installation is terminated.

For demonstration purposes, you can disable the check of these conditions during installation by specifying the low_resources: true variable in the inventory file.

• Number of CPU cores (threads) – 12 or more.
• RAM – 22,528 MB or more.
• Available disk space in the /opt/ section – 1,000 GB or more.
• For initial installation, the /var/lib/ section must have at least 32 GB of available space. If the cluster is already installed on this node, the size of the required available space is reduced by the size of the /var/lib/k0s directory.

Additional requirements for the application installation in the Astra Linux Special Edition operating system

• Installing a fault-tolerant configuration of KUMA is supported for the Astra Linux Special Edition RUSB.10015-01 operating system (2022-1011SE17MD, update 1.7.2.UU.1). Core version 5.15.0.33 or higher is required.
• The following packages are installed on the machines intended for deploying a Kubernetes cluster:
  • open-iscsi
  • wireguard
  • wireguard-tools

  The packages can be installed using the following command:

  sudo apt install open-iscsi wireguard wireguard-tools

Additional requirements for the application installation in the Oracle Linux operating system

The following packages are installed on the machines intended for deploying a Kubernetes cluster:

• iscsi-initiator-utils
• wireguard-tools

Before installing the packages, add the EPEL repository as a source: sudo yum install oracle-epel-release-el8.

The packages can be installed using the following command:

sudo yum install iscsi-initiator-utils wireguard-tools

[Topic 244730]

Managing Kubernetes and accessing KUMA

When installing KUMA in a fault-tolerant configuration, the file named artifacts/k0s-kubeconfig.yml is created in the installer directory. This file contains the details required for connecting to the created Kubernetes cluster. The same file is created on the main controller in the home directory of the user set as ansible_user in the inventory file.

To ensure that the Kubernetes cluster can be monitored and managed, the k0s-kubeconfig.yml file must be saved in a location available for the cluster administrators. Access to the file must be restricted.

Managing a Kubernetes cluster

To monitor and manage a cluster, you can use the k0s application that is installed on all cluster nodes during KUMA deployment. For example, you can use the following command to view the load on worker nodes:

k0s kubectl top nodes

Access to the KUMA Core

The KUMA Core can be accessed at the URL https://<worker node FQDN>:<worker node port>. Available ports: 7209, 7210, 7220, 7222, 7223. Port 7220 is used by default to connect to the KUMA Core web interface. Access can be obtained through any worker node whose extra_args parameter contains the value kaspersky.com/kuma-ingress=true.

It is not possible to log in to the KUMA web interface on multiple worker nodes simultaneously using the same account credentials. Only the most recently established connection remains active.

If you are using an external load balancer in a fault-tolerant Kubernetes cluster configuration, the ports of the KUMA Core are accessed via the FQDN of the load balancer.

[Topic 246518]

Time zone in a Kubernetes cluster

The time zone within a Kubernetes cluster is always UTC+0, so this time difference should be taken into account when handling data created by the KUMA Core deployed in a fault-tolerant configuration:

• In audit events, the time zone is UTC+0 in the DeviceTimeZone field.
• In generated reports, the user will see the difference between the time the report was generated and the time in the browser.
• In the dashboard, the user will see the difference between the time in the widget (the time of the user's browser is displayed) and the time in the exported widget data in the CSV file (the time within the Kubernetes cluster is displayed).

[Topic 222208]

KUMA backup

KUMA allows you to back up the KUMA Core database and certificates. The backup function is intended for restoring KUMA. To move or copy the resources, use the resource export and import functions.

Backup can be done in the following ways:

• Using the REST API
• Using the /opt/kaspersky/kuma/kuma executable file

  The KUMA backup using the kuma executable file is not available in KUMA higher than 2.1.

Special considerations for KUMA backup

• Data may only be restored from a backup if it is restored to the KUMA of the same version as the backup one.
• Backup of collectors is not required unless the collectors have an SQL connection. When restoring such collectors, you should revert to the original initial value of the ID.
• If KUMA cannot start after the restore, it is recommended to reset the kuma database in MongoDB.

  How to reset a database in MongoDB

  If the KUMA Core fails to start after data recovery, the recovery must be performed again but this time the kuma database in MongoDB must be reset.

  To restore KUMA data and reset the MongoDB database:

  1. Log in to the OS of the server where the KUMA Core is installed.
  2. On the KUMA Core server, run the following command:

     sudo systemctl stop kuma-core

  3. Log in to MongoDB by running the following commands:
     1. cd /opt/kaspersky/kuma/mongodb/bin/
     2. ./mongo
  4. Reset the MongoDB database by running the following commands:
     1. use kuma
     2. db.dropDatabase()
  5. Log out of the MongoDB database by pressing Ctrl+C.
  6. Restore data from a backup copy by running the following command:

     sudo /opt/kaspersky/kuma/kuma tools restore --src <path to folder containing backup copy> --certificates

     The --certificates flag is optional and is used to restore certificates.

  7. Start KUMA by running the following command:

     sudo systemctl start kuma-core

  8. Rebuild the services using the recovered service resource sets.

  Data is restored from the backup.

[Topic 244996]

KUMA backup using the kuma file

To perform a backup:

1. Log in to the OS of the server where the KUMA Core is installed.
2. Execute the following command of the kuma executable file:

   sudo /opt/kaspersky/kuma/kuma tools backup --dst <path to folder for backup copy> --certificates

The backup copy has been created.

To restore data from a backup:

1. Log in to the OS of the server where the KUMA Core is installed.
2. On the KUMA Core server, run the following command:

   sudo systemctl stop kuma-core

3. Execute the following command:

   sudo /opt/kaspersky/kuma/kuma tools restore --src <path to folder containing backup copy> --certificates

4. Start KUMA by running the following command:

   sudo systemctl start kuma-core

5. In the KUMA web interface, in the Resources → Active services section, select all services and click the Reset certificate button.
6. Reinstall the services with the same ports and IDs.

Data is restored from the backup.

[Topic 222160]

Modifying the configuration of KUMA

The following KUMA configuration changes can be performed.

• Extending an all-in-one installation to a distributed installation.

  To expand an all-in-one installation to a distributed installation:

  1. Create a backup copy of KUMA.
  2. Remove the pre-installed correlator, collector, and storage services from the server.
     1. In the KUMA web interface, under Resources → Active services, select a service and click Copy ID. On the server where the services were installed, run the service removal command:

        sudo /opt/kaspersky/kuma/kuma <collector/correlator/storage> --id <service ID copied from the KUMA web interface> --uninstall

        Repeat the removal command for each service.

     2. Then remove the services in the KUMA web interface:

     As a result, only the KUMA Core remains on the initial installation server.

  3. Prepare the distributed.inventory.yml inventory file and in that file, specify the initial all-in-one initial installation server in the kuma_core group.

     In this way, the KUMA Core remains on the original server, and you can deploy the other components on other servers. Specify the servers on which you want to install the KUMA components in the inventory file.

     Sample inventory file for expanding an all-in-one installation to a distributed installation

     

  4. Create and install the storage, collector, correlator, and agent services on other machines.
     1. After you specify the settings ​​for all sections in the distributed.inventory.yml inventory file, run the installer on the test machine.

        sudo ./install.sh distributed.inventory.yml

        Running the command causes the files necessary to install the KUMA components (storages, collectors, correlators) to appear on each target machine specified in the distributed.inventory.yml inventory file.

     2. Create storage, collector, and correlator services.

  The expansion of the installation is completed.

• Adding servers for collectors to a distributed installation.

  The following instructions show how to add one or more servers to an existing infrastructure and then install collectors on these servers to balance the load. You can use these instructions as an example and adapt them to your requirements.

  To add servers to a distributed installation:

  1. Ensure that the target machines meet hardware, software, and installation requirements.
  2. On the test machine, go to the directory with the unpacked KUMA installer by running the following command:

     cd kuma-ansible-installer

  3. Copy the expand.inventory.yml.template template to create an inventory file called expand.inventory.yml:

     cp expand.inventory.yml.template expand.inventory.yml

  4. Edit the settings in the expand.inventory.yml inventory file and specify the servers that you want to add in the kuma_collector section.

     Sample expand.inventory.yml inventory file for adding collector servers

     

  5. On the test machine start expand.inventory.playbook by running the following command as root in the directory with the unpacked installer:

     PYTHONPATH="$(pwd)/ansible/site-packages:${PYTHONPATH}" python3 ./ansible/bin/ansible-playbook -i expand.inventory.yml expand.inventory.playbook.yml

     Running this command on each target machine specified in the expand.inventory.yml inventory file creates files for creating and installing the collector.

  6. Create and install the collectors. A KUMA collector consists of a client part and a server part, therefore creating a collector involves two steps.
     1. Creating the client part of the collector, which includes a set of resources and the collector service.

        To create a set of resources for a collector, in the KUMA web interface, under Resources → Collectors, click Add collector and edit the settings. For more details, see Creating a collector.

        At the last step of the configuration wizard, after you click Create and save, a resource set for the collector is created and the collector service is automatically created. The command for installing the service on the server is also automatically generated and displayed on the screen. Copy the installation command and proceed to the next step.

     2. Creating the server part of the collector.
     1. On the target machine, run the command you copied at the previous step. The command looks as follows, but all parameters are filled in automatically.

        sudo /opt/kaspersky/kuma/kuma <storage> --core https://<KUMA Core server FQDN>:<port used by KUMA Core for internal communication (port 7210 by default)> --id <service ID copied from the KUMA web interface> --install

        The collector service is installed on the target machine. You can check the status of the service in the web interface under Resources → Active services.

     2. Run the same command on each target machine specified in the expand.inventory.yml inventory file.
  7. Specify the added servers in the distributed.inventory.yml inventory file so that it has up-to-date information in case of a KUMA update.

  Servers are successfully added.

• Adding servers for correlators to a distributed installation.

  The following instructions show how to add one or more servers to an existing infrastructure and then install correlators on these servers to balance the load. You can use these instructions as an example and adapt them to your requirements.

  To add servers to a distributed installation:

  1. Ensure that the target machines meet hardware, software, and installation requirements.
  2. On the test machine, go to the directory with the unpacked KUMA installer by running the following command:

     cd kuma-ansible-installer

  3. Copy the expand.inventory.yml.template template to create an inventory file called expand.inventory.yml:

     cp expand.inventory.yml.template expand.inventory.yml

  4. Edit the settings in the expand.inventory.yml inventory file and specify the servers that you want to add in the kuma_correlator section.

     Sample expand.inventory.yml inventory file for adding correlator servers

     

  5. On the test machine, start expand.inventory.playbook by running the following command as root in the directory with the unpacked installer:

     PYTHONPATH="$(pwd)/ansible/site-packages:${PYTHONPATH}" python3 ./ansible/bin/ansible-playbook -i expand.inventory.yml expand.inventory.playbook.yml

     Running this command on each target machine specified in the expand.inventory.yml inventory file creates files for creating and installing the correlator.

  6. Create and install the correlators. A KUMA correlator consists of a client part and a server part, therefore creating a correlator involves two steps.
     1. Creating the client part of the correlator, which includes a set of resources and the correlator service.

        To create a resource set for a correlator, in the KUMA web interface, under Resources → Correlators, click Add correlator and edit the settings. For more details, see Creating a correlator.

        At the last step of the configuration wizard, after you click Create and save, a resource set for the correlator is created and the correlator service is automatically created. The command for installing the service on the server is also automatically generated and displayed on the screen. Copy the installation command and proceed to the next step.

     2. Creating the server part of the correlator.
     1. On the target machine, run the command you copied at the previous step. The command looks as follows, but all parameter values are assigned automatically.

        sudo /opt/kaspersky/kuma/kuma <storage> --core https://<KUMA Core server FQDN>:<port used by KUMA Core for internal communication (port 7210 by default)> --id <service ID copied from the KUMA web interface> --install

        The correlator service is installed on the target machine. You can check the status of the service in the web interface under Resources → Active services.

     2. Run the same command on each target machine specified in the expand.inventory.yml inventory file.
  7. Specify the added servers in the distributed.inventory.yml inventory file so that it has up-to-date information in case of a KUMA update.

  Servers are successfully added.

• Adding servers to an existing storage cluster.

  The following instructions show how to add multiple servers to an existing storage cluster. You can use these instructions as an example and adapt them to your requirements.

  To add servers to an existing storage cluster:

  1. Ensure that the target machines meet hardware, software, and installation requirements.
  2. On the test machine, go to the directory with the unpacked KUMA installer by running the following command:

     cd kuma-ansible-installer

  3. Copy the expand.inventory.yml.template template to create an inventory file called expand.inventory.yml:

     cp expand.inventory.yml.template expand.inventory.yml

  4. Edit the settings in the expand.inventory.yml inventory file and specify the servers that you want to add in the 'storage' section. In the following example, the 'storage' section specifies servers for installing two shards, each of which contains two replicas. In the expand.inventory.yml inventory file, you must only specify the FQDN, the roles of shards and replicas are assigned later in the KUMA web interface by following the steps of the instructions. You can adapt this example to suit your needs.

     Sample expand.inventory.yml inventory file for adding servers to an existing storage cluster

     

  5. On the test machine, start expand.inventory.playbook by running the following command as root in the directory with the unpacked installer:

     PYTHONPATH="$(pwd)/ansible/site-packages:${PYTHONPATH}" python3 ./ansible/bin/ansible-playbook -i expand.inventory.yml expand.inventory.playbook.yml

     Running this command on each target machine specified in the expand.inventory.yml inventory file creates files for creating and installing the storage.

  6. You do not need to create a separate storage because you are adding servers to an existing storage cluster. You must edit the storage settings of the existing cluster:
     1. In the Resources → Storages section, select an existing storage and open the storage for editing.
     2. In the ClickHouse cluster nodes section, click Add nodes and specify roles in the fields for the new node. The following example shows how to specify identifiers to add two shards, containing two replicas each, to an existing cluster. You can adapt the example to suit your needs.

        Example:

        ClickHouse cluster nodes

        <existing nodes>

        FQDN: kuma-storage-cluster1server8.example.com

        Shard ID: 1

        Replica ID: 1

        Keeper ID: 0

        FQDN: kuma-storage-cluster1server9.example.com

        Shard ID: 1

        Replica ID: 2

        Keeper ID: 0

        FQDN: kuma-storage-cluster1server9.example.com

        Shard ID: 2

        Replica ID: 1

        Keeper ID: 0

        FQDN: kuma-storage-cluster1server10.example.com

        Shard ID: 2

        Replica ID: 2

        Keeper ID: 0

     3. Save the storage settings.

        Now you can create storage services for each ClickHouse cluster node.

  7. To create a storage service, in the KUMA web interface, in the Resources → Active services section, click Add service.

     This opens the Choose a service window; in that window, select the storage you edited at the previous step and click Create service. Do the same for each ClickHouse storage node you are adding.

     As a result, the number of created services must be the same as the number of nodes added to the ClickHouse cluster, that is, four services for four nodes. The created storage services are displayed in the KUMA web interface in the Resources → Active services section. Now storage services must be installed on each server by using the service ID.

  8. Now storage services must be installed on each server by using the service ID.
     1. In the KUMA web interface, in the Resources → Active services section, select the storage service that you need and click Copy ID.

        The service ID is copied to the clipboard; you need it for running the service installation command.

     2. Compose and run the following command on the target machine:

        sudo /opt/kaspersky/kuma/kuma <storage> --core https://<KUMA Core server FQDN>:<port used by KUMA Core for internal communication (port 7210 by default)> --id <service ID copied from the KUMA web interface> --install

        The storage service is installed on the target machine. You can check the status of the service in the web interface under Resources → Active services.

     3. Run the storage service installation command on each target machine listed in the 'storage' section of the expand.inventory.yml inventory file, one machine at a time. On each machine, the unique service ID within the cluster must be specified in the installation command.
  9. To apply changes to a running cluster, in the KUMA web interface, under Resources → Active services, select the check box next to all storage services in the cluster that you are expanding and click Update configuration. Changes are applied without stopping services.
  10. Specify the added servers in the distributed.inventory.yml inventory file so that it has up-to-date information in case of a KUMA update.

  Servers are successfully added to a storage cluster.

• Adding an additional storage cluster.

  The following instructions show how to add an additional storage cluster to existing infrastructure. You can use these instructions as an example and adapt them to your requirements.

  To add an additional storage cluster:

  1. Ensure that the target machines meet hardware, software, and installation requirements.
  2. On the test machine, go to the directory with the unpacked KUMA installer by running the following command:

     cd kuma-ansible-installer

  3. Copy the expand.inventory.yml.template template to create an inventory file called expand.inventory.yml:

     cp expand.inventory.yml.template expand.inventory.yml

  4. Edit the settings in the expand.inventory.yml inventory file and specify the servers that you want to add in the 'storage' section. In the following example, the 'storage' section specifies servers for installing three dedicated keepers and two shards, each of which contains two replicas. In the expand.inventory.yml inventory file, you must only specify the FQDN, the roles of keepers, shards, and replicas are assigned later in the KUMA web interface by following the steps of the instructions. You can adapt this example to suit your needs.

     Sample expand.inventory.yml inventory file for adding an additional storage cluster

     

  5. On the test machine, start expand.inventory.playbook by running the following command as root in the directory with the unpacked installer:

     PYTHONPATH="$(pwd)/ansible/site-packages:${PYTHONPATH}" python3 ./ansible/bin/ansible-playbook -i expand.inventory.yml expand.inventory.playbook.yml

     Running this command on each target machine specified in the expand.inventory.yml inventory file creates files for creating and installing the storage.

  6. Create and install a storage. For each storage cluster, you must create a separate storage, that is, three storages for three storage clusters. A storage consists of a client part and a server part, therefore creating a storage involves two steps.
     1. Creating the client part of the storage, which includes a set of resources and the storage service.
        1. To create a resource set for a storage, in the KUMA web interface, under Resources → Storages, click Add storage and edit the settings. In the ClickHouse cluster nodes section, specify roles for each server that you are adding: keeper, shard, replica. For more details, see Creating a set of resources for a storage.

           The created set of resources for the storage is displayed in the Resources → Storages section. Now you can create storage services for each ClickHouse cluster node.

        2. To create a storage service, in the KUMA web interface, in the Resources → Active services section, click Add service.

           This opens the Choose a service window; in that window, select the set of resources that you created for the storage at the previous step and click Create service. Do the same for each ClickHouse storage.

           As a result, the number of created services must be the same as the number of nodes in the ClickHouse cluster, that is, fifty services for fifty nodes. The created storage services are displayed in the KUMA web interface in the Resources → Active services section. Now storage services must be installed to each node of the ClickHouse cluster by using the service ID.

     2. Creating the server part of the storage.
     1. On the target machine, create the server part of the storage: in the KUMA web interface, in the Resources → Active services section, select the relevant storage service and click Copy ID.

        The service ID is copied to the clipboard; you need it for running the service installation command.

     2. Compose and run the following command on the target machine:

        sudo /opt/kaspersky/kuma/kuma <storage> --core https://<KUMA Core server FQDN>:<port used by KUMA Core for internal communication (port 7210 by default)> --id <service ID copied from the KUMA web interface> --install

        The storage service is installed on the target machine. You can check the status of the service in the web interface under Resources → Active services.

     3. Run the storage service installation command on each target machine listed in the 'storage' section of the expand.inventory.yml inventory file, one machine at a time. On each machine, the unique service ID within the cluster must be specified in the installation command.
     4. Dedicated keepers are automatically started immediately after installation and are displayed in the Resources → Active services section with a green status. Services on other storage nodes may not start until services are installed for all nodes in that cluster. Up to that point, services can be displayed with a red status. This is normal behavior for creating a new storage cluster or adding nodes to an existing storage cluster. As soon as the command to install services on all nodes of the cluster is executed, all services acquire the green status.
  7. Specify the added servers in the distributed.inventory.yml inventory file so that it has up-to-date information in case of a KUMA update.

  An additional storage cluster is successfully added.

• Removing servers from a distributed installation.

  To remove a server from a distributed installation:

  1. Remove all services from the server that you want to remove from the distributed installation.
     1. Remove the server part of the service. Copy the service ID in the KUMA web interface and run the following command on the target machine:

        sudo /opt/kaspersky/kuma/kuma <collector/correlator/storage> --core https://<KUMA Core server FQDN>:<port used by KUMA Core for internal communication (port 7210 by default)> --id <service ID copied from the KUMA web interface> --install

     2. Remove the client part of the service in the KUMA web interface in the Active services → Delete section.

        The service is removed.

  2. Repeat step 1 for each server that you want to remove from the infrastructure.
  3. Remove servers from the relevant sections of the distributed.inventory.yml inventory file to make sure the inventory file has up-to-date information in case of a KUMA update.

  The servers are removed from the distributed installation.

• Removing a storage cluster from a distributed installation.

  To remove one or more storage clusters from a distributed installation:

  1. Remove the storage service on each cluster server that you want to removed from the distributed installation.
     1. Remove the server part of the storage service. Copy the service ID in the KUMA web interface and run the following command on the target machine:

        sudo /opt/kaspersky/kuma/kuma <storage> --id <service ID> --uninstall

        Repeat for each server.

     2. Remove the client part of the service in the KUMA web interface in the Resources → Active services → Delete section.

        The service is removed.

  2. Remove servers from the 'storage' section of the distributed.inventory.yml inventory file to make sure the inventory file has up-to-date information in case of a KUMA update or a configuration change.

  The cluster is removed from the distributed installation.

• Migrating the KUMA Core to a new Kubernetes cluster.

  Preparing the inventory file

  When migrating the KUMA Core to a Kubernetes cluster, it is recommended to use the template file named k0s.inventory.yml.template when creating the inventory file.

  The kuma_core, kuma_ collector, kuma_correlator, and kuma_storage sections of your inventory file must contain the same hosts that were used when upgrading KUMA from version 2.0.x to version 2.1 or when performing a new installation of the application. In the inventory file, set the deploy_to_k8s, need_transfer and airgap parameters to true. The deploy_example_services parameter must be set to false.

  Example inventory file with 1 dedicated controller and 2 worker nodes

  all:

  vars:

  ansible_connection: ssh

  ansible_user: root

  deploy_to_k8s: True

  need_transfer: True

  airgap: True

  deploy_example_services: False

  kuma:

  children:

  kuma_core:

  hosts:

  kuma.example.com:

  mongo_log_archives_number: 14

  mongo_log_frequency_rotation: daily

  mongo_log_file_size: 1G

  kuma_collector:

  hosts:

  kuma.example.com:

  kuma_correlator:

  hosts:

  kuma.example.com:

  kuma_storage:

  hosts:

  kuma.example.com:

  shard: 1

  replica: 1

  keeper: 1

  kuma_k0s:

  children:

  kuma_control_plane_master:

  hosts:

  kuma2.example.com:

  ansible_host: 10.0.1.10

  kuma_control_plane_master_worker:

  kuma_control_plane:

  kuma_control_plane_worker:

  kuma_worker:

  hosts:

  kuma.example.com:

  ansible_host: 10.0.1.11

  extra_args: "--labels=kaspersky.com/kuma-core=true,kaspersky.com/kuma-ingress=true,node.longhorn.io/create-default-disk=true"

  kuma3.example.com:

  ansible_host: 10.0.1.12

  extra_args: "--labels=kaspersky.com/kuma-core=true,kaspersky.com/kuma-ingress=true,node.longhorn.io/create-default-disk=true"

  Migrating the KUMA Core to a new Kubernetes cluster

  When the installer is started with this template file, it searches for the installed KUMA Core on all hosts where you intend to deploy worker nodes of the cluster. The found Core will be moved from the host to within the newly created Kubernetes cluster.

  If the component is not detected on the worker nodes, a clean installation of the KUMA Core is performed in the cluster without migrating resources to it. Existing components must be manually rebuilt with the new Core in the KUMA web interface.

  Certificates for collectors, correlators and storages will be re-issued from the inventory file for communication with the Core within the cluster. This does not change the Core URL for components.

  On the Core host, the installer does the following:

  • Removes the following systemd services from the host: kuma-core, kuma-mongodb, kuma-victoria-metrics, kuma-vmalert, and kuma-grafana.
  • Deletes the internal certificate of the Core.
  • Deletes the certificate files of all other components and deletes their records from MongoDB.
  • Deletes the following directories:
    • /opt/kaspersky/kuma/core/bin
    • /opt/kaspersky/kuma/core/certificates
    • /opt/kaspersky/kuma/core/log
    • /opt/kaspersky/kuma/core/logs
    • /opt/kaspersky/kuma/grafana/bin
    • /opt/kaspersky/kuma/mongodb/bin
    • /opt/kaspersky/kuma/mongodb/log
    • /opt/kaspersky/kuma/victoria-metrics/bin
  • Migrates data from the Core and its dependencies to a network drive within the Kubernetes cluster.
  • On the Core host, it migrates the following directories:
    • /opt/kaspersky/kuma/core
    • /opt/kaspersky/kuma/grafana
    • /opt/kaspersky/kuma/mongodb
    • /opt/kaspersky/kuma/victoria-metrics

    to the following directories:

    • /opt/kaspersky/kuma/core.moved
    • /opt/kaspersky/kuma/grafana.moved
    • /opt/kaspersky/kuma/mongodb.moved
    • /opt/kaspersky/kuma/victoria-metrics.moved

    After you have verified that the Core was correctly migrated to the cluster, these directories can be deleted.

  If you encounter problems with the migration, analyze the logs of the core-transfer migration task in the kuma namespace in the cluster (this task is available for 1 hour after the migration).

  If you need to perform migration again, you must convert the names of the /opt/kaspersky/kuma/*.moved directories back to their original format.

  If an /etc/hosts file with lines not related to addresses in the range 127.X.X.X was used on the Core host, the contents of the /etc/hosts file from the Core host is entered into the CoreDNS ConfigMap when the Core is migrated to the Kubernetes cluster. If the Core is not migrated, the contents of /etc/hosts from the host where the primary controller is deployed are entered into the ConfigMap.

[Topic 222156]

Updating previous versions of KUMA

The update is performed the same way on all hosts using the installer and inventory file. If you are using version 1.5 or 1.6 and want to update to KUMA 2.1.x, please update to 2.0.x first, and then from 2.0.x to 2.1.x.

Upgrading from version 2.0.x to 2.1.x

Upgrading from version 2.1.x to 2.1.3

[Topic 247287]

Troubleshooting update errors

When updating KUMA, you may encounter the following errors:

• Timeout error

  When upgrading from version 2.0.x on systems that contain large amounts of data and are operating with limited resources, the system may return the Wrong admin password error message after you enter the administrator password. If you specify the correct password, KUMA may still return an error because KUMA could not start the Core service due to resource limit and a timeout error. If you enter the administrator password three times without waiting for the installation to complete, the update may end with a fatal error.

  Follow these steps to resolve the timeout error and successfully complete the update:

  1. Open a separate second terminal and run the following command to verify that the command output contains the timeout error line:

     journalctl -u kuma-core | grep 'start operation timed out' 

     Timeout error message:

     kuma-core.service: start operation timed out. Terminating.

  2. After you find the timeout error message, in the /usr/lib/systemd/system/kuma-core.service file, change the value of the TimeoutSec parameter from 300 to 0 to remove the timeout limit and temporarily prevent the error from recurring.
  3. After modifying the service file, run the following commands in sequence:

     systemctl daemon-reload

     service kuma-core restart

  4. After executing the commands and successfully starting the service in the second terminal, enter the administrator password again in the original first terminal when the installer prompts you for the password.

     KUMA will continue the installation. In resource-limited environments, installation may take up to an hour.

  5. After installation finishes successfully, in the /usr/lib/systemd/system/kuma-core.service file, set the TimeoutSec parameter back to 300.
  6. After modifying the service file, run the following commands in the second terminal:

     systemctl daemon-reload

     service kuma-core restart

  After the commands are executed, the update will be completed.

• Invalid administrator password

  The admin user password is required to automatically populate the storage settings during an update. If you entered an incorrect admin user password nine times during the TASK [Prompt for admin password], the installer still performs the update, and the web interface is still available. However, the storage settings are not migrated, and the storages will show a red status.

  To fix the error and make the repositories available for use, update the storage settings:

  1. Go to the storage settings, manually fill in the ClickHouse cluster fields, and click Save.
  2. Restart the storage service.

  The storage service will start with the specified parameters and will show a green status.

• DB::Exception error

  After updating KUMA, the storage may be in a red status, and its logs may show errors about suspicious strings.

  Example error:

  DB::Exception::Exception(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, int, bool) @ 0xda0553a in /opt/kaspersky/kuma/clickhouse/bin/clickhouse

  To restart ClickHouse, carry out the following command on the KUMA storage server:

  touch /opt/kaspersky/kuma/clickhouse/data/flags/force_restore_data && systemctl restart kuma-storage-<ID of the storage where the error was detected>

Fix the errors to successfully complete the update.

[Topic 217962]

Delete KUMA

To remove KUMA, use the Ansible tool and the user-generated inventory file.

To remove KUMA:

1. On the test machine, go to the installer folder:

   cd kuma-ansible-installer

2. Execute the following command:

   sudo ./uninstall.sh <inventory file>

KUMA and all of the program data will be removed from the server.

The databases that were used by KUMA (for example, the ClickHouse storage database) and the information they contain must be deleted separately.

Special considerations for removing a fault-tolerant configuration of KUMA

The composition of the removed components depends on the value of the deploy_to_k8s parameter in the inventory file used to remove KUMA:

• true – the Kubernetes cluster created during the KUMA installation is deleted.
• false – all KUMA components except for the Core are deleted from the Kubernetes cluster. The cluster is not deleted.

In addition to the KUMA components installed outside the cluster, the following directories and files are deleted on the cluster nodes:

• /usr/bin/k0s
• /etc/k0s/
• /var/lib/k0s/
• /usr/libexec/k0s/
• ~/k0s/ (for the ansible_user)
• /opt/longhorn/
• /opt/cni/
• /opt/containerd

When a cluster is being deleted, error messages may appear, however, it does not interrupt the installer.

• You can ignore such messages for the Delete KUMA transfer job and Delete KUMA pod tasks.
• For the Reset k0s task (if an error message contains the following text: "To ensure a full reset, a node reboot is recommended.") and the Delete k0s Directories and files task (if an error message contains the following text: "I/O error: '/var/lib/k0s/kubelet/plugins/kubernetes.io/csi/driver.longhorn.io/"), it is recommended to restart the host the error is related to and try to uninstall KUMA again with the same inventory file.

After removing KUMA, restart the hosts on which the KUMA or Kubernetes components were installed.

[Topic 221499]

Working with tenants

Access to tenants is regulated in the settings of users. The general administrator has access to the data of all tenants. Only a user with this role can create and disable tenants.

Tenants are displayed in the table under Settings → Tenants in the KUMA web interface. You can sort the table by clicking on columns.

Available columns:

• Name—tenant name. The table can be filtered by this column.
• EPS limit—quota size for EPS (events processed per second) allocated to the tenant out of the overall EPS quota determined by the license.
• Description—description of the tenant.
• Disabled—indicates that the tenant is inactive.

  By default, inactive tenants are not displayed in the table. You can view them by selecting the Show disabled check box.

• Created—tenant creation date.

To create a tenant:

1. In the KUMA web interface under Settings → Tenants, click Add.

   The Add tenant window opens.

2. Specify the tenant name in the Name field. The name must contain 1 to 128 Unicode characters.
3. In the EPS limit field, specify the EPS quota for the tenant. The cumulative EPS of all tenants cannot exceed the EPS of the license.
4. If necessary, add a Description of the tenant. The description can contain no more than 256 Unicode characters.
5. Click Save.

The tenant will be added and displayed in the tenants table.

To disable or enable a tenant:

1. In the KUMA web interface under Settings → Tenants, select the relevant tenant.

   If the tenant is disabled and not displayed in the table, select the Show disabled check box.

2. Click Disable or Enable.

When a tenant is disabled, its services are automatically stopped, it no longer receives or processes events, and the EPS of the tenant is no longer taken into account for the cumulative EPS of the license.

When a tenant is enabled, its services must be manually started.

[Topic 221455]

Selecting a tenant

If you have access to multiple tenants, KUMA lets you select which tenants' data will be displayed in the KUMA web interface.

To select a tenant for displaying data:

1. In the KUMA web interface, click Selected tenants.

   The tenant selection area opens.

2. Select the check boxes next to the tenants whose data you want to see in sections of the KUMA web interface.
3. You must select at least one tenant. You can use the Search field to search for tenants.
4. Click the tenant selection area by clicking Selected tenants.

Sections of the KUMA web interface will display only the data and analytics related to the selected tenants.

Your selection of tenants for data display will determine which tenants can be specified when creating resources, services, layouts, report templates, widgets, incidents, assets, and other KUMA settings that let you select a tenant.

[Topic 221469]

Tenant affiliation rules

Tenant inheritance rules

It is important to track which tenant owns specific objects created in KUMA because this determines who will have access to the objects and whether or not interaction with specific objects can be configured. Tenant identification rules:

• The tenant of an object (such as a service or resource) is determined by the user when the object is created.

  After the object is created, the tenant selected for that object cannot be changed. However, resources can be exported then imported into another tenant.

• The tenant of an alert and correlation event is inherited from the correlator that created them.

  The tenant name is indicated in the TenantId event field.

• If events of different tenants that are processed by the same correlator are not merged, the correlation events created by the correlator inherit the tenant of the event.
• The incident tenant is inherited from the alert.

Examples of multitenant interactions

Multitenancy in KUMA provides the capability to centrally investigate alerts and incidents that occur in different tenants. Below are some examples that illustrate which tenants own certain objects that are created.

When correlating events from different tenants in a common stream, you should not group events by tenant. In other words, the TenantId event field should not be specified in the Identical fields field in correlation rules. Events must be grouped by tenant only if you must not merge events from different tenants.

Services that must be accommodated by the capacities of the main tenant can be deployed only by a user with the general administrator role.

• Correlation of events for one tenant, correlator is allocated for this tenant and deployed at the tenant

  Condition:

  The collector and correlator are owned by tenant 2 (tenantID=2)

  Scenario:

  1. The collector of tenant 2 receives and forwards events to the correlator of tenant 2.
  2. When correlation rules are triggered, the correlator creates correlation events with tenantID=2.
  3. The correlator forwards the correlation events to the storage partition for tenant 2.
  4. An alert is created and linked to the tenant with tenantID=2.
  5. The events that triggered the alert are appended to the alert.

  An incident is created manually by the user. The incident tenant is determined by the tenant of the user. An alert is linked to an incident either manually or automatically.

• Correlation of events for one tenant, correlator is allocated for this tenant and deployed at the main tenant

  Condition:

  • The collector is deployed at tenant 2 and is owned by this tenant (tenantID=2).
  • The correlator is deployed at the main tenant.

    The owner of the correlator is determined by the general administrator depending on who will investigate incidents of tenant 2: employees of the main tenant or employees of tenant 2. The owner of the alert and incident depends on the owner of the correlator.

  Scenario 1. The correlator belongs to tenant 2 (tenantID=2):

  1. The collector of tenant 2 receives and forwards events to the correlator.
  2. When correlation rules are triggered, the correlator creates correlation events with tenantID=2.
  3. The correlator forwards the correlation events to the storage partition of tenant 2.
  4. An alert is created and linked to the tenant with tenantID=2.
  5. The events that triggered the alert are appended to the alert.

  Result 1:

  • The created alert and its linked events can be accessed by employees of tenant 2.

  Scenario 2. The correlator belongs to the main tenant (tenantID=1):

  1. The collector of tenant 2 receives and forwards events to the correlator.
  2. When correlation rules are triggered, the correlator creates correlation events with tenantID=1.
  3. The correlator forwards the correlation events to the storage partition of the main tenant.
  4. An alert is created and linked to the tenant with tenantID=1.
  5. The events that triggered the alert are appended to the alert.

  Result 2:

  • The alert and its linked events cannot be accessed by employees of tenant 2.
  • The alert and its linked events can be accessed by employees of the main tenant.
• Centralized correlation of events received from different tenants

  Condition:

  • Two collectors are deployed: one at tenant 2 and one at tenant 3. Both collectors forward events to the same correlator.
  • The correlator is owned by the main tenant. A correlation rule waits for events from both tenants.

  Scenario:

  1. The collector of tenant 2 receives and forwards events to the correlator of the main tenant.
  2. The collector of tenant 3 receives and forwards events to the correlator of the main tenant.
  3. When a correlation rule is triggered, the correlator creates correlation events with tenantID=1.
  4. The correlator forwards the correlation events to the storage partition of the main tenant.
  5. An alert is created and linked to the main tenant with tenantID=1.
  6. The events that triggered the alert are appended to the alert.

  Result:

  • The alert and its linked events cannot be accessed by employees of tenant 2.
  • The alert and its linked events cannot be accessed by employees of tenant 3.
  • The alert and its linked events can be accessed by employees of the main tenant.
• The tenant correlates its own events, but the main tenant additionally provides centralized correlation of events.

  Condition:

  • Two collectors are deployed: one on the main tenant and one on tenant 2.
  • Two correlators are deployed:
    • Correlator 1 is owned by the main tenant and receives events from the collector of the main tenant and correlator 2.
    • Correlator 2 is owned by tenant 2 and receives events from the collector of tenant 2.

  Scenario:

  1. The collector of tenant 2 receives and forwards events to correlator 2.
  2. When a correlation rule is triggered, the correlator of tenant 2 creates correlation events with tenantID=2.
     • Correlator 2 forwards the correlation events to the storage partition of tenant 2.
     • Alert 1 is created and linked to the tenant with tenantID=2.
     • The events that triggered the alert are appended to the alert.
     • Correlation events from the correlator of tenant 2 are forwarded to correlator 1.
  3. The collector of the main tenant receives and forwards events to correlator 1.
  4. Correlator 1 processes events of both tenants. When a correlation rule is triggered, correlation events with tenantID=1 are created.
     • Correlator 1 forwards the correlation events to the storage partition of the main tenant.
     • Alert 2 is created and linked to the tenant with tenantID=1.
     • The events that triggered the alert are appended to the alert.

  Result:

  • Alert 2 and its linked events cannot be accessed by employees of tenant 2.
  • Alert 2 and its linked events can be accessed by employees of the main tenant.
• One correlator for two tenants

  If you do not want events from different tenants to be merged during correlation, you should specify the TenantId event field in the Identical fields field in correlation rules. In this case, the alert inherits the tenant from the correlator.

  Condition:

  • Two collectors are deployed: one at tenant 2 and one at tenant 3.
  • One correlator owned by the main tenant (tenantID=1) is deployed. It receives events from both tenants but processes them irrespective of each other.

  Scenario:

  1. The collector of tenant 2 receives and forwards events to the correlator.
  2. The collector of tenant 3 receives and forwards events to the correlator.
  3. When a correlation rule is triggered, the correlator creates correlation events with tenantID=1.
     • The correlator forwards the correlation events to the storage partition of the main tenant.
     • An alert is created and linked to the main tenant with tenantID=1.
     • The events that triggered the alert are appended to the alert.

  Result:

  • Alerts that were created based on events from tenants 2 and 3 are not available to employees of these tenants.
  • Alerts and their linked events can be accessed by employees of the main tenant.

[Topic 217937]

Managing users

It is possible for multiple users to have access to KUMA. Users are assigned user roles, which affect the tasks the users can perform. The same user may have different roles with different tenants.

You can create or edit user accounts under Settings → Users in the KUMA web interface. Users are also created automatically in the program if KUMA integration with Active Directory is enabled and the user is logging in to the KUMA web interface for the first time using their domain account.

The table of user accounts is displayed in the Users window of the KUMA web interface. You can use the Search field to look for users. You can sort the table based on the User information column by clicking the column header and selecting Ascending or Descending.

User accounts can be created, edited, or disabled. When editing user accounts (your own or the accounts of others), you can generate an API token for them.

By default, disabled user accounts are not displayed in the users table. However, they can be viewed by clicking the User information column and selecting the Disabled users check box.

To disable a user:

In the KUMA web interface, under Settings → Users, select the check box next to the relevant user and click Disable user.

[Topic 218031]

User roles

KUMA users may have the following roles:

• General administrator—this role is designed for users who are responsible for the core functionality of KUMA systems. For example, they install system components, perform maintenance, work with services, create backups, and add users to the system. These users have full access to KUMA.
• Administrator—this role is for users responsible for the core functionality of KUMA systems owned by specific tenants.
• Analyst—this role is for users responsible for configuring the KUMA system to receive and process events of a specific tenant. They also create and tweak correlation rules.
• First line analyst—this role is for users responsible for configuring the KUMA system to receive and process events of a specific tenant. They also create and tweak correlation rules. Users with this role have fewer privileges than analysts.
• Operator—this role is for users dealing with immediate security threats of a specific tenant. A user with the operator role sees resources in a shared tenant through the REST API.

  User roles rights

  Web interface section and actions	General administrator	Administrator	Analyst	First line analyst	Operator	Comment
  Reports
  View and edit templates and reports	filled in	filled in	filled in	filled in	no	The first line analysts and analysts can: View and edit templates and reports that they created themselves. View reports sent to them by email. View predefined templates.
  Generate reports	filled in	filled in	filled in	filled in	no	The analysts can generate the reports they created or the predefined reports (from a template or a report). The analysts cannot generate reports sent to them by email.
  Export generated reports	filled in	filled in	filled in	filled in	no	The first line analysts and the analysts can upload: Reports that they created themselves. Predefined reports. Reports received by email.
  Delete templates and generated reports	filled in	filled in	filled in	filled in	no	The first line analysts and the analysts can delete the templates and reports they generated. The first line analysts and the analysts cannot delete: Predefined templates. Reports received by email. Only the general administrator can delete predefined templates and reports.
  Edit the settings for generating reports	filled in	filled in	filled in	filled in	no	The analysts can change the settings for generating predefined reports and the reports they created. The first line analysts can change the settings for generating the reports they created.
  Duplicate report template	filled in	filled in	filled in	filled in	no	The first line analysts and the analysts can duplicate their own reports and predefined reports.
  Receive the generated report by email	filled in	filled in	filled in	filled in	filled in	If a report is sent as a link, it is available to KUMA users only. If a report is sent as an attachment, it is available to all recipients in the list of email addresses.
  Dashboard
  View data on the dashboard and change layouts	filled in	filled in	filled in	filled in	filled in
  View the Universal layout	filled in	filled in	filled in	filled in	filled in
  Add layouts	filled in	filled in	filled in	filled in	no	This includes adding widgets to a layout. Only the general administrator can add a universal layout.
  Edit and rename layouts	filled in	filled in	filled in	only own	no	This includes adding, editing, and deleting widgets. Analysts may change/rename predefined layouts and layouts that were created using their account.
  Delete layouts	filled in	filled in	filled in	only own	no	Tenant administrators may delete layouts in the tenants available to them. Analysts may delete layouts that were created using their account. Only the general administrator can delete predefined layouts.
  Enable and disable the TV mode	filled in	filled in	filled in	filled in	filled in
  Resources → Services and Resources → Services → Active services
  View the list of active services	filled in	filled in	filled in	filled in	no	Only the general administrator can view and delete storage spaces. Access rights do not depend on the tenants selected in the menu.
  View the contents of the active list	filled in	filled in	filled in	filled in	no
  Import/export/clear the contents of the active list	filled in	filled in	filled in	filled in	no	First line analysts can: Export the contents of all the active lists they have access to. Import and clear the active lists they created.
  Create a set of resources for services	filled in	filled in	filled in	no	no	Analysts cannot create storages.
  Create a service under Resources → Services → Active services	filled in	filled in	no	no	no	Only the general administrator can create a service.
  Delete services	filled in	filled in	no	no	no
  Restart services	filled in	filled in	no	no	no
  Update the settings of services	filled in	filled in	filled in	no	no
  Reset certificates	filled in	filled in	no	no	no	A user with the administrator role can reset the certificates of services only in the tenants that are accessible to the user.
  Resources → Resources
  View the list of resources	filled in	filled in	filled in	filled in	no	Analysts cannot view the list of secret resources, but these resources are available to them when they create services.
  Add resources	filled in	filled in	filled in	filled in	no	Analysts cannot add secret resources.
  Duplicate resources	filled in	filled in	filled in	filled in	no	The first line analysts can duplicate a resource created by other users, including a set of service resources. However, the first line analysts cannot change the dependent resources in the copy of the set of service resources.
  Edit resources	filled in	filled in	filled in	filled in	no
  Create/edit/delete resources in a shared tenant	filled in	no	no	no	no
  Delete resources	filled in	filled in	filled in	filled in	no	Analysts cannot delete secret resources. The first line analysts can delete only their own resources.
  Import resources	filled in	filled in	filled in	no	no	Only the general administrator can import resources to a shared tenant.
  View the repository, import the resources from the repository	filled in	filled in	filled in	no	no	Only the general administrator can import resources to a shared tenant.
  Export resources	filled in	filled in	filled in	no	no	This includes resources from a shared tenant.
  View/edit collector or correlator drafts	filled in	filled in	filled in	filled in	no	The user may only access their own drafts, regardless of the selected tenant. The list of drafts is generated based on those that belong to the user.
  Source status → List of event sources
  View sources of events	filled in	filled in	filled in	filled in	filled in
  Change sources of events	filled in	filled in	filled in	no	no
  Delete sources of events	filled in	filled in	filled in	no	no
  Source status → Monitoring policies
  View monitoring policies	filled in	filled in	filled in	filled in	filled in
  Create monitoring policies	filled in	filled in	filled in	no	no
  Edit monitoring policies	filled in	filled in	filled in	no	no	Only the general administrator can edit the predefined monitoring policies.
  Delete monitoring policies	filled in	filled in	filled in	no	no	Predefined policies cannot be removed.
  Assets
  View assets and asset categories	filled in	filled in	filled in	filled in	filled in	This includes shared tenant categories.
  Add/edit/delete asset categories	filled in	filled in	filled in	filled in	no	Within the tenant available to the user.
  Add asset categories in a shared tenant	filled in	no	no	no	no	This includes editing and deleting shared tenant categories.
  Link assets to an asset category of the shared tenant	filled in	filled in	filled in	filled in	no
  Add assets	filled in	filled in	filled in	filled in	no
  Edit assets	filled in	filled in	filled in	filled in	no
  Delete assets	filled in	filled in	filled in	filled in	no
  Import assets from Kaspersky Security Center	filled in	filled in	filled in	filled in	no
  Start tasks on assets in Kaspersky Security Center	filled in	filled in	filled in	filled in	no
  Run tasks on Kaspersky Endpoint Detection and Response assets	filled in	filled in	filled in	filled in	no
  Confirm updates to fix the asset vulnerabilities and accept the licensing agreements	filled in	filled in	no	no	no
  Run the tasks on the assets in KEDR	filled in	filled in	filled in	filled in	no
  Editing custom fields of the assets (Settings → Assets)	filled in	filled in	filled in	filled in	no
  Alerts
  View the list of alerts	filled in	filled in	filled in	filled in	filled in
  Change the severity of alerts	filled in	filled in	filled in	filled in	filled in
  Open the details of alerts	filled in	filled in	filled in	filled in	filled in
  Assign responsible users	filled in	filled in	filled in	filled in	filled in
  Close alerts	filled in	filled in	filled in	filled in	filled in
  Add comments to alerts	filled in	filled in	filled in	filled in	filled in
  Attach an event to alerts	filled in	filled in	filled in	filled in	filled in
  Detach an event from alerts	filled in	filled in	filled in	filled in	filled in
  Edit and delete someone else's filters	filled in	filled in	no	no	no	Analysts and operators can edit or delete only their own filter resources.
  Incidents
  View the list of incidents	filled in	filled in	filled in	filled in	filled in
  Create blank incidents	filled in	filled in	filled in	filled in	filled in
  Manually create incidents from alerts	filled in	filled in	filled in	filled in	filled in
  Change the severity of incidents	filled in	filled in	filled in	filled in	filled in
  Open the incident details	filled in	filled in	filled in	filled in	filled in	Incident details display data from only those tenants to which the user has access.
  Assign executors	filled in	filled in	filled in	filled in	filled in
  Close incidents	filled in	filled in	filled in	filled in	filled in
  Add comments to incidents	filled in	filled in	filled in	filled in	filled in
  Attach alerts to incidents	filled in	filled in	filled in	filled in	filled in
  Detach alerts from incidents	filled in	filled in	filled in	filled in	filled in
  Edit and delete someone else's filters	filled in	filled in	no	no	no	Analysts and operators can edit or delete only their own filter resources.
  Export incidents to RuCERT	filled in	filled in	filled in	filled in	filled in	The export function is always available to the general administrator. Other users can perform export if the "Can interact with RuCERT" check box is selected in their profile. In the case of hierarchical KUMA deployment, interaction with RuCERT is performed from the main KUMA node.
  Send files to RuCERT	filled in	filled in	filled in	filled in	filled in
  Download files sent to RuCERT	filled in	filled in	filled in	filled in	filled in
  Export additional incident data to RuCERT upon request	filled in	filled in	filled in	filled in	filled in
  Send messages to RuCERT	filled in	filled in	filled in	filled in	filled in
  View messages from RuCERT	filled in	filled in	filled in	filled in	filled in
  View incident data exported to RuCERT	filled in	filled in	filled in	filled in	filled in
  Events
  View the list of events	filled in	filled in	filled in	filled in	filled in
  Search events	filled in	filled in	filled in	filled in	filled in
  Open the details of events	filled in	filled in	filled in	filled in	filled in
  Open statistics	filled in	filled in	filled in	filled in	filled in
  Conduct a retroscan	filled in	filled in	filled in	no	no
  Export events to a TSV file	filled in	filled in	filled in	filled in	filled in
  Edit and delete someone else's filters	filled in	filled in	no	no	no	Analysts and operators can edit or delete only their own filter resources.
  Start ktl enrichment	filled in	filled in	filled in	filled in	no
  Run tasks on Kaspersky Endpoint Detection and Response assets in event details	filled in	filled in	filled in	filled in	no
  Create presets	filled in	filled in	filled in	filled in	filled in
  Delete presets	filled in	filled in	filled in	filled in	filled in	The first line analysts and the operators can delete only their own presets.
  View and use presets	filled in	filled in	filled in	filled in	filled in
  Settings → Users
  View the list of users	filled in	no	no	no	no
  Add a user	filled in	no	no	no	no
  Edit a user	filled in	no	no	no	no
  Generate token	filled in	filled in	filled in	filled in	filled in	All users can generate their own tokens. The general administrator can generate a token for any user.
  Change access rights for a token	filled in	filled in	no	no	no	The general administrator can change access rights for any user, tenant administrators can change only their own access rights.
  View the data of their own profile	filled in	filled in	filled in	filled in	filled in
  Edit the data of their own profile	filled in	filled in	filled in	filled in	filled in	The user role is not available for change.
  Settings → LDAP server
  View the LDAP connection settings	filled in	filled in	filled in	filled in	no
  Edit the LDAP connection settings	filled in	filled in	no	no	no
  Delete the configuration of an entire tenant from the settings	filled in	filled in	no	no	no
  Import assets	filled in	filled in	no	no	no
  Settings → Tenants						This section is available only to the general administrator.
  View the list of tenants	filled in	no	no	no	no
  Add tenants	filled in	no	no	no	no
  Change tenants	filled in	no	no	no	no
  Disable tenants	filled in	no	no	no	no
  Settings → Domain authorization						This section is available only to the general administrator.
  View the Active Directory connection settings	filled in	no	no	no	no
  Edit the Active Directory connection settings	filled in	no	no	no	no
  Add filters based on roles for tenants	filled in	no	no	no	no
  Run tasks in Active Directory	filled in	filled in	filled in	no	no
  Settings → General						This section is available only to the general administrator.
  View the SMTP connection settings	filled in	no	no	no	no
  Edit the SMTP connection settings	filled in	no	no	no	no
  Settings → License						This section is available only to the general administrator.
  View the list of added license keys	filled in	no	no	no	no
  Add license keys	filled in	no	no	no	no
  Delete license keys	filled in	no	no	no	no
  Settings → Kaspersky Security Center
  View the list of successfully integrated Kaspersky Security Center servers	filled in	filled in	filled in	filled in	no
  Add Kaspersky Security Center connections	filled in	filled in	no	no	no
  Delete Kaspersky Security Center connections	filled in	filled in	no	no	no
  Delete the configuration of an entire tenant from the settings	filled in	filled in	no	no	no
  Start the tasks for importing Kaspersky Security Center assets	filled in	filled in	no	no	no
  Settings → Kaspersky Industrial CyberSecurity for Networks
  View a list of KICS for Networks servers with which integration has been configured	filled in	filled in	no	no	no
  Add and modify the settings of KICS for Networks integration	filled in	filled in	no	no	no
  Delete the settings of KICS for Networks integration	filled in	filled in	no	no	no
  Run the tasks to import assets from the KICS for Networks settings	filled in	filled in	no	no	no
  Settings → Kaspersky Automated Security Awareness Platform
  View the ASAP integration settings	filled in	no	no	no	no
  Edit the ASAP integration settings	filled in	no	no	no	no
  View information from ASAP in the user details window	filled in	filled in	filled in	filled in	filled in
  Assign users to an ASAP learning group	filled in	filled in	filled in	filled in	no
  Settings → Kaspersky Endpoint Detection and Response
  View the connection settings	filled in	filled in	filled in	filled in	no
  Add, edit and disconnect the connections when the distributed solution mode is enabled	filled in	no	no	no	no
  Enable the distributed solution mode	filled in	no	no	no	no
  Add connections when the distributed solution mode is disabled	filled in	filled in	no	no	no
  Delete the connections when the distributed solution mode is disabled	filled in	filled in	no	no	no
  Delete the configuration of an entire tenant from the settings	filled in	filled in	no	no	no
  Settings → Kaspersky CyberTrace						This section is available only to the general administrator.
  View the CyberTrace integration settings	filled in	no	no	no	no
  Edit the CyberTrace integration settings	filled in	no	no	no	no
  Settings → IRP / SOAR						This section is available only to the general administrator.
  View the settings for integration with IRP / SOAR	filled in	no	no	no	no
  Edit the IRP/SOAR integration settings	filled in	no	no	no	no
  Settings → Kaspersky Threat Lookup						This section is available only to the general administrator.
  View the Threat Lookup integration settings	filled in	no	no	no	no
  Edit the Threat Lookup integration settings	filled in	no	no	no	no
  Settings → Alerts
  View the parameters	filled in	filled in	filled in	filled in	no
  Edit the parameters	filled in	filled in	filled in	no	no
  Delete the configuration of an entire tenant from the settings	filled in	filled in	filled in	no	no
  Settings → Incidents → Automatic linking of alerts to incidents
  View the parameters	filled in	filled in	filled in	filled in	no
  Edit the parameters	filled in	no	no	no	no
  Settings → Incidents → Incident types
  View the categories reference	filled in	filled in	filled in	filled in	no
  View the categories charts	filled in	filled in	filled in	filled in	no
  Add categories	filled in	filled in	no	no	no
  Edit categories	filled in	filled in	no	no	no
  Delete categories	filled in	filled in	no	no	no
  Settings → RuCERT
  View the parameters	filled in	no	no	no	no
  Edit the parameters	filled in	no	no	no	no
  Settings → Hierarchy
  View the parameters	filled in	no	no	no	no
  Edit the parameters	filled in	no	no	no	no
  View incidents from child nodes	filled in	filled in	filled in	no	filled in	All users of the parent node have access to the incidents in the child nodes.
  Settings → Asset audit
  Create, clone and edit the settings	filled in	filled in	filled in	no	no
  View the parameters	filled in	filled in	filled in	filled in	no
  Delete settings	filled in	filled in	no	no	no
  Settings → Repository update
  View the parameters	filled in	filled in	filled in	no	no
  Edit the parameters	filled in	no	no	no	no
  Start the repository update task manually	filled in	filled in	filled in	no	no
  Settings → Assets
  Add, edit, and delete the asset fields	filled in	no	no	no	no
  Metrics
  Open metrics	filled in	no	no	no	no
  Task manager
  View a list of your own tasks	filled in	filled in	filled in	filled in	filled in	The section and tasks are not tied to a tenant. The tasks are available only to the user who created them.
  Finish your own tasks	filled in	filled in	filled in	filled in	filled in
  Restart your own tasks	filled in	filled in	filled in	filled in	filled in
  View a list of all tasks	filled in	no	no	no	no
  Finish any task	filled in	no	no	no	no
  Restart any task	filled in	no	no	no	no
  CyberTrace						This section is not displayed in the web interface unless CyberTrace integration is configured under Settings → CyberTrace.
  Open the section	filled in	no	no	no	no
  Access to the data of tenants
  Access to tenants	filled in	filled in	filled in	filled in	filled in	A user has access to the tenant if its name is indicated in the settings blocks of the roles assigned to the user account. The access level depends on which role is indicated for the tenant.
  Shared tenant	filled in	filled in	filled in	filled in	filled in	A shared tenant is used to store shared resources that must be available to all tenants. Although services cannot be owned by the shared tenant, these services may utilize resources that are owned by the shared tenant. These services are still owned by their respective tenants. Events, alerts and incidents cannot be shared. Permissions to access the shared tenant: Read/write—only the general administrator. Read—all other users, including users that have permissions to access the main tenant.
  Main tenant	filled in	filled in	filled in	filled in	filled in	A user has access to the main tenant if its name is indicated in the settings blocks of the roles assigned to the user account. The access level depends on which role is indicated for the tenant. Permissions to access the main tenant do not grant access to other tenants.