Managing assets

Assets represent the computers of the organization. You can add assets to KUMA; in that case, KUMA automatically adds asset IDs when enriching events, and when you analyze events, you can get additional information about computers in the organization.

You can add assets to KUMA in the following ways:

• Import assets:
  • From the MaxPatrol report.
  • On a schedule from Kaspersky Security Center and KICS for Networks.

    By default, assets are imported every 12 hours, this frequency can be configured. On-demand import of assets is also possible; such on-demand import does not affect the scheduled import time. From the Kaspersky Security Center database, KUMA imports information about devices with installed Kaspersky Security Center Network Agent that has connected to Kaspersky Security Center, that is, has a non-empty 'Connection time' field in the SQL database. KUMA imports the following information about hte computer: name, address, time of connection to Kaspersky Security Center, information about hardware and software, including the operating system, and information about vulnerabilities. That is, the information that is collected by means of the Kaspersky Security Center Network Agent.

• Create assets manually through the web interface or via the API.

  You can add assets manually. In this case, you must manually specify the following information: address, FQDN, name and version of the operating system, hardware information. Information about the vulnerabilities of assets cannot be added through the web interface. You can provide information about vulnerabilities if you add assets using the API.

You can manage KUMA assets: view information about assets, search for assets, add, edit or delete assets, and export asset data to a CSV file.

Asset categories

You can categorize the assets and then use the categories in filter conditions or correlation rules. For example, you can create alerts of a higher severity level for assets from a higher-severity category. By default, all assets fall into the Uncategorized assets category. A device can be added to multiple categories.

By default, KUMA assigns the following severity levels to asset categories: Low, Medium, High, Critical. You can create custom categories, categories can be nested.

Categories can be populated in the following ways:

• Manually
• Active: dynamic if the asset meets the specified conditions. For example, the moment the asset is upgraded to a specified OS version or placed in a specified subnet, the asset is moved to the specified category.
  1. In the Repeat categorization every drop-down list, specify how often assets will be linked to a category. You can select values ranging from once per hour to once per 24 hours.

     You can forcibly start categorization by selecting Start categorization in the category context menu.

  2. In the Conditions settings block, specify the filter for matching assets to attach to an asset category.

     You can add conditions by clicking the Add condition buttons. Groups of conditions can be added by using the Add group buttons. Group operators can be switched between AND, OR, and NOT values.

     Categorization filter operands and operators

     Operand	Operators	Comment
     Build number	>, >=, =, <=, <
     OS	=, like	The "like" operator ensures that the search is not case sensitive.
     IP address	inSubnet, inRange	The IP address is indicated in CIDR notation (for example: 192.168.0.0/24). When the inRange operator is selected, you can indicate only addresses from private ranges of IP addresses (for example: 10.0.0.0–10.255.255.255). Both addresses must be in the same range.
     FQDN	=, like	The "like" operator ensures that the search is not case sensitive.
     CVE	=, in	The "in" operator lets you specify an array of values.
     Software	=, like
     CII	in	More than one value can be selected.
     Anti-virus databases last updated	>=,<=
     Last update of the information	>=,<=
     Protection last updated	>=,<=
     System last started	>=,<=
     KSC extended status	in	Extended status of the device. More than one value can be selected.
     Real-time protection status	=	Status of Kaspersky applications installed on the managed device.
     Encryption status	=
     Spam protection status	=
     Anti-virus protection status of mail servers	=
     Data Leakage Prevention status	=
     KSC extended status ID	=
     Endpoint Sensor status	=
     Last visible	>=,<=

  3. Use the Test conditions button to make sure that the specified filter is correct. When you click the button, you should see the Assets for given conditions window containing a list of assets that satisfy the search conditions.
• Reactive—When a correlation rule is triggered, the asset is moved to the specified group.

In KUMA, assets are categorized by tenant and by category. Assets are arranged in a tree structure, where the tenants are located at the root, and the asset categories branch from them. You can view the tree of tenants and categories in the Assets → All assets section of the KUMA web interface. When a tree node is selected, the assets assigned to it are displayed in the right part of the window. Assets from the subcategories of the selected category are displayed if you specify that you want to display assets recursively. You can select the check boxes next to the tenants whose assets you want to view.

To open the context menu of a category, hover the mouse cursor over the category and click the ellipsis icon that is displayed to the right of the category name. The following actions are available in the context menu:

Category context menu items

Adding an asset category

To add an asset category:

1. Open the Assets section in the KUMA web interface.
2. Open the category creation window:
   • Click the Add category button.
   • If you want to create a subcategory, select Add subcategory in the context menu of the parent category.

   The Add category details area appears in the right part of the web interface window.

3. Add information about the category:
   • In the Name field, enter the name of the category. The name must contain 1 to 128 Unicode characters.
   • In the Parent field, indicate the position of the category within the categories tree hierarchy:
     1. Click the button.

        This opens the Select categories window showing the categories tree. If you are creating a new category and not a subcategory, the window may show multiple asset category trees, one for each tenant that you can access. Your tenant selection in this window cannot be undone.

     2. Select the parent category for the category you are creating.
     3. Click Save.

     Selected category appears in Parent fields.

   • The Tenant field displays the tenant whose structure contains your selected parent category. The tenant category cannot be changed.
   • Assign a severity to the category in the Priority drop-down list.
   • If necessary, in the Description field, you can add a note consisting of up to 256 Unicode characters.
4. In the Categorization kind drop-down list, select how the category will be populated with assets. Depending on your selection, you may need to specify additional settings:
   • Manually—assets can only be manually linked to a category.
   • Active—assets will be assigned to a category at regular intervals if they satisfy the defined filter.

     Active category of assets

     1. In the Repeat categorization every drop-down list, specify how often assets will be linked to a category. You can select values ranging from once per hour to once per 24 hours.

        You can forcibly start categorization by selecting Start categorization in the category context menu.

     2. In the Conditions settings block, specify the filter for matching assets to attach to an asset category.

        You can add conditions by clicking the Add condition buttons. Groups of conditions can be added by using the Add group buttons. Group operators can be switched between AND, OR, and NOT values.

        Categorization filter operands and operators

        Operand	Operators	Comment
        Build number	>, >=, =, <=, <
        OS	=, like	The "like" operator ensures that the search is not case sensitive.
        IP address	inSubnet, inRange	The IP address is indicated in CIDR notation (for example: 192.168.0.0/24). When the inRange operator is selected, you can indicate only addresses from private ranges of IP addresses (for example: 10.0.0.0–10.255.255.255). Both addresses must be in the same range.
        FQDN	=, like	The "like" operator ensures that the search is not case sensitive.
        CVE	=, in	The "in" operator lets you specify an array of values.
        Software	=, like
        CII	in	More than one value can be selected.
        Anti-virus databases last updated	>=,<=
        Last update of the information	>=,<=
        Protection last updated	>=,<=
        System last started	>=,<=
        KSC extended status	in	Extended status of the device. More than one value can be selected.
        Real-time protection status	=	Status of Kaspersky applications installed on the managed device.
        Encryption status	=
        Spam protection status	=
        Anti-virus protection status of mail servers	=
        Data Leakage Prevention status	=
        KSC extended status ID	=
        Endpoint Sensor status	=
        Last visible	>=,<=

     3. Use the Test conditions button to make sure that the specified filter is correct. When you click the button, you should see the Assets for given conditions window containing a list of assets that satisfy the search conditions.
   • Reactive—the category will be filled with assets by using correlation rules.
5. Click Save.

The new category will be added to the asset categories tree.

Configuring the table of assets

In KUMA, you can configure the contents and order of columns displayed in the assets table. These settings are stored locally on your machine.

To configure the settings for displaying the assets table:

1. Open the Assets section in the KUMA web interface.
2. Click the icon in the upper-right corner of the assets table.
3. In the drop-down list, select the check boxes next to the parameters that you want to view in the table:
   • FQDN
   • IP address
   • Asset source
   • Owner
   • MAC address
   • Created by
   • Updated
   • Tenant
   • CII category

   When you select a check box, the assets table is updated and a new column is added. When a check box is cleared, the column disappears. The table can be sorted based on multiple columns.

4. If you need to change the order of columns, click the left mouse button on the column name and drag it to the desired location in the table.

The assets table display settings are configured.

Searching assets

KUMA has two asset search modes. You can switch between the search modes using the buttons in the upper left part of the window:

• – simple search by the following asset settings: Name, FQDN, IP address, MAC address, and Owner.
• – advanced search for assets using filters by conditions and condition groups.

You can select the check boxes next to the found assets to export their data to a CSV file.

Simple search

To find an asset:

1. Make sure that the button is enabled in the upper left part of the Assets section of the KUMA web interface.

   The Search field is displayed at the top of the window.

2. Enter your search query in the Search field and press ENTER or click the icon.

The table displays the assets with the Name, FQDN, IP address, MAC address, and Owner settings matching the search criteria.

Advanced search

An advanced asset search is performed using the filtering conditions that can be specified in the upper part of the window:

• You can use the Add condition button to add a string containing fields for identifying the condition.
• You can use the Add group button to add a group of filters. Group operators can be switched between AND, OR, and NOT.
• Conditions and condition groups can be dragged with the mouse.
• Conditions, groups, and filters can be deleted by using the button.
• You can collapse the filtering options by clicking the Collapse button. In this case, the resulting search expression is displayed. Clicking it displays the search criteria in full again.
• The filtering options can be reset by clicking the Clear button.
• The condition operators and available values of the right operand depend on the selected left operand:

  Left operand	Available operators	Right operand
  Build number	=, >, >=, <, <=	An arbitrary value.
  OS	=, ilike	An arbitrary value.
  IP address	inSubnet, inRange	An arbitrary value or a range of values. The filtering condition for the inSubnet operator is met if the IP address in the left operand is included in the subnet that is specified in the right operand. For example, the subnet for the IP address 10.80.16.206 should be specified in the right operand using slash notation as follows: 10.80.16.206/25.
  FQDN	=, ilike	An arbitrary value.
  CVE	=, in	An arbitrary value.
  Asset source	in	Kaspersky Security Center KICS for Networks Imported via API Created manually
  RAM	=, >, >=, <, <=	Number.
  Number of disks	=, >, >=, <, <=	Number.
  Number of network cards	=, >, >=, <, <=	Number.
  Disk free bytes	=, >, >=, <, <=	Number.
  Anti-virus databases last updated	>=, <=	Date.
  Last update of the information	>=, <=	Date.
  Protection last updated	>=, <=	Date.
  System last started	>=, <=	Date.
  KSC extended status	in	The host with the Network Agent installed is connected to the network, but the Network Agent is not active The anti-virus application is installed, but real-time protection is not enabled Anti-virus application is installed but not running The number of detected viruses is too large The anti-virus application is installed, but the real-time protection status differs from the one set by the security administrator The anti-virus application is not installed A full virus scan was performed too long ago The anti-virus databases were updated too long ago The Network Agent is inactive for too long License expired The number of untreated objects is too large Restart required Incompatible applications are installed on the host Vulnerabilities are detected on the host The last scan for operating system updates on the host was too long ago Invalid encryption status of the host Mobile device settings do not comply with security policy requirements Unprocessed incidents detected Host status is suggested by a managed product Insufficient disk space on the host. Synchronization errors occur, or not enough disk space
  Real-time protection status	=	Suspended Starting Running (if the anti-virus application does not support the Running status categories) Performed with maximum protection Performed with maximum performance Performed with recommended settings Performed with custom settings Error
  Encryption status	=	Encryption rules are not configured on the host. Encryption is in progress. Encryption was canceled by the user. Encryption error occurred. All host encryption rules are met. Encryption is in progress, the host must be restarted. Encrypted files without specified encryption rules are detected on the host.
  Spam protection status	=	Unknown Stopped Suspended Starting In progress Error Not installed License is missing
  Anti-virus protection status of mail servers	=	Unknown Stopped Suspended Starting In progress Error Not installed License is missing
  Data Leakage Prevention status	=	Unknown Stopped Suspended Starting In progress Error Not installed License is missing
  KSC extended status ID	=	OK Critical Attention required
  Endpoint Sensor status	=	Unknown Stopped Suspended Starting In progress Error Not installed License is missing
  Last visible	>=, <=	Date

To find an asset:

1. Make sure that the button is enabled in the upper left part of the Assets section of the KUMA web interface.

   The asset filtering settings are displayed in the upper part of the window.

2. Specify the asset filtering settings and click the Search button.

The table displays the assets that meet the search criteria.

Exporting asset data

You can export data about the assets displayed in the assets table as a CSV file.

To export asset data:

1. Configure the assets table.

   Only the data specified in the table is written to the file. The display order of the asset table columns is preserved in the exported file.

2. Find the desired assets and select the check boxes next to them.

   You can select all the assets in the table at a time by selecting the check box in the left part of the assets table header.

3. Click the Export CSV button.

The asset data is written to the assets_<export date>_<export time>.csv file. The file is downloaded according to your browser settings.

Viewing asset details

To view information about an asset, open the asset information window in one of the following ways:

• In the KUMA web interface, select Assets → select a category with the relevant assets → select an asset.
• In the KUMA web interface, select Alerts → click the link with the relevant alert → select the asset in the Related endpoints section.
• In the KUMA web interface, select Events → search and filter events → select the relevant event → click the link in one of the following fields: SourceAssetID, DestinationAssetID, or DeviceAssetID.

The following information may be displayed in the asset details window:

• Name—asset name.

  Assets imported into KUMA retain the names that were assigned to them at the source. You can change these names in the KUMA web interface.

• Tenant—the name of the tenant that owns the asset.
• Asset source—source of information about the asset. There may be several sources. For instance, information can be added in the KUMA web interface or by using the API, or it can be imported from Kaspersky Security Center, KICS for Networks, and MaxPatrol reports.

  When using multiple sources to add information about the same asset to KUMA, you should take into account the rules for merging asset data.

• Created—date and time when the asset was added to KUMA.
• Updated—date and time when the asset information was most recently modified.
• Owner—owner of the asset, if provided.
• IP address—IP address of the asset (if any).

  If there are several assets with identical IP addresses in KUMA, the asset that was added the latest is returned in all cases when assets are searched by IP address. If assets with identical IP addresses can coexist in your organization's network, plan accordingly and use additional attributes to identify the assets. For example, this may become important during correlation.

• FQDN—Fully Qualified Domain Name of the asset, if provided.
• MAC address—MAC address of the asset (if any).
• Operating system—operating system of the asset.
• Related alerts—alerts associated with the asset (if any).

  To view the list of alerts related to an asset, click the Find in Alerts link. The Alerts tab opens with the search expression set to filter all assets with the corresponding asset ID.

• Software info and Hardware info—if the asset software and hardware parameters are provided, they are displayed in this section.
• Asset vulnerability information:
  • Kaspersky Security Center vulnerabilities—vulnerabilities of the asset, if provided. This information is available for the assets imported from Kaspersky Security Center.

    You can learn more about the vulnerability by clicking the icon, which opens the Kaspersky Threats portal. You can also update the vulnerabilities list by clicking the Update link and requesting updated information from Kaspersky Security Center.

  • KICS for Networks vulnerabilities—vulnerabilities of the asset, if provided. This information is available for the assets imported from KICS for Networks.
• Asset source information:
  • Last visible—time when information about the asset was last received from Kaspersky Security Center. This information is available for the assets imported from Kaspersky Security Center.
  • Host ID—ID of the Kaspersky Security Center Network Agent from which the asset information was received. This information is available for the assets imported from Kaspersky Security Center. This ID is used to determine the uniqueness of the asset in Kaspersky Security Center.
  • KICS for Networks server IP address and KICS for Networks connector ID—data on the KICS for Networks instance from which the asset was imported.
• Custom fields—data written to the asset custom fields.
• Additional information about the protection settings of an asset with Kaspersky Endpoint Security for Windows or Kaspersky Endpoint Security for Linux installed:
  • KSC extended status ID – asset status. It can have the following values:
    • OK
    • Critical
    • Warning
  • KSC extended status – information about the asset status. For example, "The anti-virus databases were updated too long ago".
  • Real-time protection status – status of Kaspersky applications installed on the asset. For example: "Running (if the anti-virus application does not support the Running status categories)".
  • Encryption status – information about asset encryption. For example: "Encryption rules are not configured on the host".
  • Spam protection status – status of anti-spam protection. For example, "Started".
  • Anti-virus protection status of mail servers – status of the virus protection of mail servers. For example, "Started".
  • Data Leakage Prevention status – status of data leak protection. For example, "Started".
  • Endpoint Sensor status – status of data leak protection. For example, "Started".
  • Anti-virus databases last updated – the version of the downloaded anti-virus databases.
  • Protection last updated – the time when the anti-virus databases were last updated.
  • System last started – the time when the system was last started.

  This information is displayed if the asset was imported from Kaspersky Security Center.

• Categories—categories associated with the asset (if any).
• CII category—information about whether an asset is a critical information infrastructure (CII) object.

Clicking the KSC response button starts Kaspersky Security Center task on the asset and clicking the Move to KSC group button moves the asset being viewed between Kaspersky Security Center administration groups.

This is available if KUMA is integrated with Kaspersky Security Center.

Adding assets

You can add asset information in the following ways:

• Manually.

  You can add an asset using the KUMA web interface or the API.

• Import assets.

  You can import assets from Kaspersky Security Center, KICS for Networks, and MaxPatrol reports.

When assets are added, assets that already exist in KUMA can be merged with the assets being added.

Asset merging algorithm:

1. Checking uniqueness of Kaspersky Security Center or KICS for Networks assets.
   • The uniqueness of an asset imported from Kaspersky Security Center is determined by the Host ID parameter, which contains the Kaspersky Security Center Network Agent Network Agent identifier. If two assets' IDs differ, they are considered to be separate assets and are not merged.
   • The uniqueness of an asset imported from KICS for Networks is determined by the combination of the IP address, KICS for Networks server IP address, and KICS for Networks connector ID parameters. If any of the parameters of two assets differ they are considered to be separate assets and are not merged.

   If the compared assets match, the algorithm is performed further.

2. Make sure that the values in the IP, MAC, and FQDN fields match.

   If at least two of the specified fields match, the assets are combined, provided that the other fields are blank.

   Possible matches:

   • The FQDN and IP address of the assets match. The MAC field is blank.

     The check is performed against the entire array of IP address values. If the IP address of an asset is included in the FQDN, the values are considered to match.

   • The FQDN and MAC address of the assets match. The IP field is blank.

     The check is performed against the entire array of MAC address values. If at least one value of the array fully matches the FQDN, the values are considered to match.

   • The IP address and MAC address of the assets match. The FQDN field is blank.

     The check is performed against the entire array of IP- and MAC address values. If at least one value in the arrays is fully matched, the values are considered to match.

3. Make sure that the values of at least one of the IP, MAC, or FQDN fields match, provided that the other two fields are not filled in for one or both assets.

   Assets are merged if the values in the field match. For example, if the FQDN and IP address are specified for a KUMA asset, but only the IP address with the same value is specified for an imported asset, the fields match. In this case, the assets are merged.

   For each field, verification is performed separately and ends on the first match.

You can see examples of asset field comparison here.

Information about assets can be generated from various sources. If the added asset and the KUMA asset contain data received from the same source, this data is overwritten. For example, a Kaspersky Security Center asset receives a fully qualified domain name, software information, and host ID when imported into KUMA. When importing an asset from Kaspersky Security Center with an equivalent fully qualified domain name, all this data will be overwritten (if it has been defined for the added asset). All fields in which the data can be refreshed are listed in the Updatable data table.

Updatable data

The updated data is displayed in the asset details. You can view asset details in the KUMA web interface.

This data may be overwritten when new assets are added. If the data used to generate asset information is not updated from sources for more than 30 days, the asset is deleted. The next time you add an asset from the same sources, a new asset is created.

If the KUMA web interface is used to edit asset information that was received from Kaspersky Security Center or KICS for Networks, you can edit the following asset data:

• Name.
• Category.

If asset information was added manually, you can edit the following asset data when editing these assets in the KUMA web interface:

• Name.
• Name of the tenant that owns the asset.
• IP address.
• Fully qualified domain name.
• MAC address.
• Owner.
• Category.
• Operating system.
• Hardware info.

Asset data cannot be edited via the REST API. When importing from the REST API, the data is updated according to the rules for merging asset details provided above.

Adding asset information in the KUMA web interface

To add an asset in the KUMA web interface:

1. In the Assets section of the KUMA web interface, click the Add asset button.

   The Add asset details area opens in the right part of the window.

2. Enter the asset parameters:
   • Asset name (required)
   • Tenant (required)
   • IP address and/or FQDN (required)
   • MAC address
   • Owner
3. If required, assign one or multiple categories to the asset:
   1. Click the button.

      Select categories window opens.

   2. Select the check boxes next to the categories that should be assigned to the asset. You can use the and icons to expand or collapse the lists of categories.
   3. Click Save.

   The selected categories appear in the Categories fields.

4. If required, add information about the operating system installed on the asset in the Software section.
5. If required, add information about asset hardware in the Hardware info section.
6. Click Add.

The asset is created and displayed in the assets table in the category assigned to it or in the Uncategorized assets category.

Importing asset information from Kaspersky Security Center

All assets that are protected by this program are registered in Kaspersky Security Center. Information about assets protected by Kaspersky Security Center can be imported into KUMA. To do so, you need to configure integration between the applications in advance.

KUMA supports the following types of asset imports from KSC:

• Import of information about all assets of all KSC servers.
• Import of information about assets of the selected KSC server.

To import information about all assets of all KSC servers:

1. In the KUMA web interface, select the Assets section.
2. Click the Import assets button.

   The Import Kaspersky Security Center assets window opens.

3. In the drop-down list, select the tenant for which you want to perform the import.

   In this case, the program downloads information about all assets of all KSC servers that have been configured to connect to the selected tenant.

   If you want to import information about all assets of all KSC servers for all tenants, select All tenants.

4. Click OK.

The asset information will be imported.

To import information about the assets of one KSC server:

1. Open the KUMA web interface and select Settings → Kaspersky Security Center.

   The Kaspersky Security Center integration by tenant window opens.

2. Select the tenant for which you want to import assets.

   The Kaspersky Security Center integration window opens.

3. Click the connection for the relevant Kaspersky Security Center server.

   This opens a window containing the settings of this connection to Kaspersky Security Center.

4. Do one of the following:
   • If you want to import all assets connected to the selected KSC server, click the Import assets button.
   • If you want to import only assets that are connected to a secondary server or included in one of the groups (for example, the Unassigned devices group), do the following:
     1. Click the Load hierarchy button.
     2. Select the check boxes next to the names of the secondary servers or groups from which you want to import asset information.
     3. Select the Import assets from new groups check box if you want to import assets from new groups.

        If no check boxes are selected, information about all assets of the selected KSC server is uploaded during the import.

     4. Click Save.
     5. Click the Import assets button.

The asset information will be imported.

Importing asset information from MaxPatrol

You can import asset information from MaxPatrol network device scan reports into KUMA. The import is performed through the API using the maxpatrol-tool on the server where the KUMA Core is installed. Imported assets are displayed in the KUMA web interface in the Assets section. If necessary, you can edit the settings of assets.

The tool is included in the KUMA distribution kit and is located in the installer archive in the /kuma-ansible-installer/roles/kuma/files directory.

Imports from MaxPatrol 8 are supported.

To import asset information from a MaxPatrol report:

1. In MaxPatrol, generate a network asset scan report in XML file format and copy the report file to the KUMA Core server. For more details about scan tasks and output file formats, refer to the MaxPatrol documentation.

   Data cannot be imported from reports in SIEM integration file format. The XML file format must be selected.

2. Create a file with the token for accessing the KUMA REST API. For convenience, it is recommended to place it into the MaxPatrol report folder. The file must not contain anything except the token.

   Requirements imposed on accounts for which the API token is generated:

   • Administrator or Analyst role.
   • Access to the tenant into which the assets will be imported.
   • Permissions for using API requests GET /users/whoami and POST /api/v1/assets/import have been configured.

     To import assets from MaxPatrol, it is recommended to create a separate user with the minimum necessary set of rights to use API requests.

3. Copy the maxpatrol-tool to the server hosting the KUMA Core and make the tool's file executable by running the following command:

   chmod +x <path to the maxpatrol-tool file on the server hosting the KUMA Core>

4. Run the maxpatrol-tool:

   ./maxpatrol-tool --kuma-rest <KUMA REST API server address and port> --token <path and name of API token file> --tenant <name of tenant where assets will reside> <path and name of MaxPatrol report file> --cert <path to the KUMA Core certificate file>

   Example: ./maxpatrol-tool --kuma-rest example.kuma.com:7223 --token token.txt --tenant Main example.xml --cert /opt/kaspersky/kuma/core/certificates/ca.cert

You can use additional flags and commands for import operations. For example, the command --verbose, -v will display a full report on the received assets. A detailed description of the available flags and commands is provided in the table titled Flags and commands of maxpatrol-tool. You can also use the --help command to view information on the available flags and commands.

The asset information will be imported from the MaxPatrol report to KUMA. The console displays information on the number of new and updated assets.

The tool works as follows when importing assets:

• KUMA overwrites the data of assets imported through the API, and deletes information about their resolved vulnerabilities.
• KUMA skips assets with invalid data. Error information is displayed when using the --verbose flag.
• If there are assets with identical IP addresses and fully qualified domain names (FQDN) in the same MaxPatrol report, these assets are merged. The information about their vulnerabilities and software is also merged into one asset.

  When uploading assets from MaxPatrol, assets that have equivalent IP addresses and fully qualified domain names (FQDN) that were previously imported from Kaspersky Security Center are overwritten.

  To avoid this problem, you must configure range-based asset filtering by running the following command:

  --ignore <IP address ranges> or -i <IP address ranges>

  Assets that satisfy the filtering criteria are not uploaded. For a description of this command, please refer to the table titled Flags and commands of maxpatrol-tool.

Flags and commands of maxpatrol-tool

Examples:

• ./maxpatrol-tool --kuma-rest example.kuma.com:7223 --token token.txt --tenant Main example.xml --cert /example-directory/ca.cert – import assets to KUMA from MaxPatrol report example.xml.
• ./maxpatrol-tool help—get reference information on the tool.

Possible errors

Importing asset information from KICS for Networks

After configuring KICS for Networks integration, tasks to obtain data about KICS for Networks assets are created automatically. This occurs:

• Immediately after creating a new integration.
• Immediately after changing the settings of an existing integration.
• According to a regular schedule every several hours. Every 12 hours by default. The schedule can be changed.

Account data update tasks can be created manually.

To start a task to update KICS for Networks asset data for a tenant:

1. In the KUMA web interface, open Settings → Kaspersky Industrial CyberSecurity for Networks.
2. Select the relevant tenant.

   The Kaspersky Industrial CyberSecurity for Networks integration window opens.

3. Click the Import assets button.

A task to receive account data from the selected tenant is added to the Task manager section of the KUMA web interface.

Examples of asset field comparison during import

Each imported asset is compared to the matching KUMA asset.

Checking for two-field value match in the IP, MAC, and FQDN fields

Comparison results:

• Imported asset 1 and KUMA asset: the FQDN and IP fields are filled in and match, no conflict in the MAC fields between the two assets. The assets are merged.
• Imported asset 2 and KUMA asset: the FQDN and IP fields are filled in and match. The assets are merged.
• Imported asset 3 and KUMA asset: the FQDN and MAC fields are filled in and match, no conflict in the IP fields between the two assets. The assets are merged.
• Imported asset 4 and KUMA asset: the IP fields are filled in and match, no conflict in the FQDN and MAC fields between the two assets. The assets are merged.
• Imported asset 5 and KUMA asset: the FQDN fields are filled in and match, no conflict in the IP and MAC fields between the two assets. The assets are merged.
• Imported asset 6 and KUMA asset: no matching fields. The assets are not merged.

Checking for single-field value match in the IP, MAC, and FQDN fields

Comparison results:

• Imported asset 1 and KUMA asset: the IP fields are filled in and match, no conflict in the FQDN and MAC fields between the two assets. The assets are merged.
• Imported asset 2 and KUMA asset: the IP fields are filled in and match, no conflict in the FQDN and MAC fields between the two assets. The assets are merged.
• Imported asset 3 and KUMA asset: no matching fields. The assets are not merged.
• Imported asset 4 and KUMA asset: no matching fields. The assets are not merged.

Assigning a category to an asset

To assign a category to one asset:

1. In the KUMA web interface, go to the Assets section.
2. Select the category with the relevant assets.

   The assets table is displayed.

3. Select an asset.
4. In the opened window, click the Edit button.
5. In the Categories field, click the button.
6. Select a category.

   If you want to move an asset to the Uncategorized assets section, you must delete the existing categories for the asset by clicking the button.

7. Click the Save button.

The category will be assigned.

To assign a category to multiple assets:

1. In the KUMA web interface, go to the Assets section.
2. Select the category with the relevant assets.

   The assets table is displayed.

3. Select the check boxes next to the assets for which you want to change the category.
4. Click the Link to category button.
5. In the opened window, select a category.
6. Click the Save button.

The category will be assigned.

Do not assign the Categorized assets category to assets.

Editing the parameters of assets

In KUMA, you can edit asset parameters. All the parameters of manually added assets can be edited. For assets imported from Kaspersky Security Center, you can only change the name of the asset and its category.

To change the parameters of an asset:

1. In the Assets section of the KUMA web interface, click the asset that you want to edit.

   The Asset details area opens in the right part of the window.

2. Click the Edit button.

   The Edit asset window opens.

3. Make the changes you need in the available fields:
   • Asset name (required. This is the only field available for editing if the asset was imported from Kaspersky Security Center or KICS for Networks.)
   • IP address and/or FQDN (required)
   • MAC address
   • Owner
   • Software info:
     • OS name
     • OS build
   • Hardware info:

     Hardware parameters

     You can add information about asset hardware to the Hardware info section:

     Available fields for describing the asset CPU:

     • CPU name
     • CPU frequency
     • CPU core count

     You can add CPUs to the asset by using the Add CPU link.

     Available fields for describing the asset disk:

     • Disk free bytes
     • Disk volume

     You can add disks to the asset by using the Add disk link.

     Available fields for describing the asset RAM:

     • RAM frequency
     • RAM total bytes

     Available fields for describing the asset network card:

     • Network card name
     • Network card manufacture
     • Network card driver version

     You can add network cards to the asset by using the Add network card link.

   • Custom fields.
   • CII category.
4. Assign or change the category of the asset:
   1. Click the button.

      Select categories window opens.

   2. Select the check boxes next to the categories that should be assigned to the asset.
   3. Click Save.

   The selected categories appear in the Categories fields.

   You can also select the asset and then drag and drop it into the relevant category. This category will be added to the list of asset categories.

   Do not assign the Categorized assets category to assets.

5. Click the Save button.

Asset parameters have been changed.

Deleting assets

In KUMA, you can delete assets in the following ways:

• Automatically.

  Only imported assets are automatically deleted. Manually added assets are not automatically deleted except the case when a manually added asset is merged with an asset imported from KSC or KICS for Networks. In that case, the asset is considered imported and can be deleted automatically.

  Imported assets are automatically deleted if information about assets from Kaspersky Security Center has not been updated in KUMA for 30 days (90 days for KICS for Networks assets). An asset may not be updated if Kaspersky Security Center or KICS for Networks do not have information about the asset, or if connection with the Kaspersky Security Center server could not be established for over 30 days (90 days for KICS for Networks). If an asset was deleted, but KUMA resumes receiving information about that asset from Kaspersky Security Center or KICS for Networks, KUMA recreates the asset with a new ID.

• Manually.

To delete an asset manually:

1. In the Assets section of the KUMA web interface, click the asset that you want to delete.

   The Asset details area opens in the right part of the window.

2. Click the Delete button.

   A confirmation window opens.

3. Click OK.

The asset is deleted.

Updating third-party applications and fixing vulnerabilities on Kaspersky Security Center assets

You can update third-party applications (including Microsoft applications) that are installed on Kaspersky Security Center assets, and fix vulnerabilities in these applications.

First you need to create the Install required updates and fix vulnerabilities task on the selected Kaspersky Security Center Administration Server with the following settings:

• Application—Kaspersky Security Center.
• Task type—Install required updates and fix vulnerabilities.
• Devices to which the task will be assigned—you need to assign the task to the root administration group.
• Rules for installing updates:
  • Install approved updates only.
  • Fix vulnerabilities with a severity level equal to or higher than (optional setting).

    If this setting is enabled, updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

• Scheduled start—the task run schedule.

For details on how to create a task, please refer to the Kaspersky Security Center Help Guide.

The Install required updates and fix vulnerabilities task is available with a Vulnerability and Patch Management license.

Next, you need to install updates for third-party applications and fix vulnerabilities on assets in KUMA.

To install updates and fix vulnerabilities in third-party applications on an asset in KUMA:

1. Open the asset details window in one of the following ways:
   • In the KUMA web interface, select Assets → select a category with the relevant assets → select an asset.
   • In the KUMA web interface, select Alerts → click the link with the relevant alert → select the asset in the Related endpoints section.
   • In the KUMA web interface, select Events → search and filter events → select the relevant event → click the link in one of the following fields: SourceAssetID, DestinationAssetID, or DeviceAssetID.
2. In the asset details window, expand the list of Kaspersky Security Center vulnerabilities.
3. Select the check boxes next to the applications that you want to update.
4. Click the Upload updates link.
5. In the opened window, select the check box next to the ID of the vulnerability that you want to fix.
6. If No is displayed in the EULA accepted column for the selected ID, click the Approve updates button.
7. Click the link in the EULA URL column and carefully read the text of the End User License Agreement.
8. If you agree to it, click the Accept selected EULAs button in the KUMA web interface.

   The ID of the vulnerability for which the EULA was accepted shows Yes in the EULA accepted successfully column.

9. Repeat steps 7–10 for each required vulnerability ID.
10. Click OK.

Updates will be uploaded and installed on the assets managed by the Administration Server where the task was started, and on the assets of all secondary Administration Servers.

The terms of the End User License Agreement for updates and vulnerability patches must be accepted on each secondary Administration Server separately.

Updates are installed on assets where the vulnerability was detected.

You can update the list of vulnerabilities for an asset in the asset details window by clicking the Update link.

Moving assets to a selected administration group

You can move assets to a selected administration group of Kaspersky Security Center. In this case, the group policies and tasks will be applied to the assets. For more details on Kaspersky Security Center tasks and policies, please refer to the Kaspersky Security Center Help Guide.

Administration groups are added to KUMA when the hierarchy is loaded during import of assets from Kaspersky Security Center. First, you need to configure KUMA integration with Kaspersky Security Center.

To move an asset to a selected administration group:

1. Open the asset details window in one of the following ways:
   • In the KUMA web interface, select Assets → select a category with the relevant assets → select an asset.
   • In the KUMA web interface, select Alerts → click the link with the relevant alert → select the asset in the Related endpoints section.
   • In the KUMA web interface, select Events, find the event you need using search and filter functions, and click the link in the DeviceExternalID field of the event.
2. In the asset details window, click the Move to KSC group button.
3. Click the Move to KSC group button.
4. Select the group in the opened window.

   The selected group must be owned by the same tenant as the asset.

5. Click the Save button.

The selected asset will be moved.

To move multiple assets to a selected administration group:

1. In the KUMA web interface, select the Assets section.
2. Select the category with the relevant assets.
3. Select the check boxes next to the assets that you want to move to the group.
4. Click the Move to KSC group button.

   The button is active if all selected assets belong to the same Administration Server.

5. Select the group in the opened window.
6. Click the Save button.

The selected assets will be moved.

You can see the specific group of an asset in the asset details.

Kaspersky Security Center assets information is updated in KUMA when information about assets is imported from Kaspersky Security Center. This means that a situation may arise when assets have been moved between administration groups in Kaspersky Security Center, but this information is not yet displayed in KUMA. When an attempt is made to move such an asset to an administration group in which it is already located, KUMA returns the Failed to move assets to another KSC group error.

Asset audit

KUMA can be configured to generate asset audit events under the following conditions:

• Asset was added to KUMA. The application monitors manual asset creation, as well as creation during import via the REST API and during import from Kaspersky Security Center or KICS for Networks.
• Asset parameters have been changed. A change in the value of the following asset fields is monitored:
  • Name
  • IP address
  • MAC address
  • FQDN
  • Operating system

  Fields may be changed when an asset is updated during import.

• Asset was deleted from KUMA. The program monitors manual deletion of assets, as well as automatic deletion of assets imported from Kaspersky Security Center and KICS for Networks, whose data is no longer being received.
• Vulnerability info was added to the asset. The program monitors the appearance of new vulnerability data for assets. Information about vulnerabilities can be added to an asset, for example, when importing assets from Kaspersky Security Center or KICS for Networks.
• Asset vulnerability was resolved. The program monitors the removal of vulnerability information from an asset. A vulnerability is considered to be resolved if data about this vulnerability is no longer received from any sources from which information about its occurrence was previously obtained.
• Asset was added to a category. The program monitors the assignment of an asset category to an asset.
• Asset was removed from a category. The program monitors the deletion of an asset from an asset category.

By default, if asset audit is enabled, under the conditions described above, KUMA creates not only audit events (Type = 4), but also base events (Type = 1).

Asset audit events can be sent to storage or to correlators, for example.

Configuring an asset audit

To configure an asset audit:

1. In the KUMA web interface, open Settings → Asset audit.
2. Perform one of the following actions with the tenant for which you want to configure asset audit:
   • Add the tenant by using the Add tenant button if this is the first time you are configuring asset audit for the relevant tenant.

     In the opened Asset audit window, select a name for the new tenant.

   • Select an existing tenant in the table if asset audit has already been configured for the relevant tenant.

     In the opened Asset audit window, the tenant name is already defined and cannot be edited.

   • Clone the settings of an existing tenant to create a copy of the conditions configuration for the tenant for which you are configuring asset audit for the first time. To do so, select the check box next to the tenant whose configuration you need to copy and click Clone. In the opened Asset audit window, select the name of the tenant to use the copied configuration.
3. For each condition for generating asset audit events, select the destination to where the created events will be sent:
   1. In the settings block of the relevant type of asset audit events, use the Add destination drop-down list to select the type of destination to which the created events should be sent:
      • Select Storage if you want events to be sent to storage.
      • Select Correlator if you want events to be sent to the correlator.
      • Select Other if you want to select a different destination.

        This type of resource includes correlator and storage services that were created in previous versions of the program.

      In the Add destination window that opens you must define the settings for event forwarding.

   2. Use the Destination drop-down list to select an existing destination or select Create if you want to create a new destination.

      If you are creating a new destination, fill in the settings as indicated in the destination description.

   3. Click Save.

   A destination has been added to the condition for generating asset audit events. Multiple destinations can be added for each condition.

4. Click Save.

The asset audit has been configured. Asset audit events will be generated for those conditions for which destinations have been added. Click Save.

Storing and searching asset audit events

Asset audit events are considered to be base events and do not replace audit events. Asset audit events can be searched based on the following parameters:

Enabling and disabling an asset audit

You can enable or disable asset audit for a tenant:

To enable or disable an asset audit for a tenant:

1. In the KUMA web interface, open Settings → Asset audit and select the tenant for which you want to enable or disable an asset audit.

   The Asset audit window opens.

2. Select or clear the Disabled check box in the upper part of the window.
3. Click Save.

By default, when asset audit is enabled in KUMA, when an audit condition occurs, two types of events are simultaneously created: a base event and an audit event.

You can disable the generation of base events with audit events.

To enable or disable the creation of base events for an individual condition:

1. In the KUMA web interface, open Settings → Asset audit and select the tenant for which you want to enable or disable a condition for generating asset audit events.

   The Asset audit window opens.

2. Select or clear the Disabled check box next to the relevant conditions.
3. Click Save.

For conditions with the Disabled check box selected, only audit events are created, and base events are not created.

Custom asset fields

In addition to the existing fields of the asset data model, you can create custom asset fields. Data from the custom asset fields is displayed when you view information about the asset. Custom fields can be filled in with data either manually or using the API.

You can create or edit the custom fields in the KUMA web interface in the Settings → Assets section, in the Custom fields table. The table has the following columns:

• Name – the name of the custom field that is displayed when you view information about the asset.
• Default value – the value that is written to the custom field when an asset is added to KUMA.
• Mask – a regular expression to which the value in the custom field must match.

To create a custom asset field:

1. In the KUMA web interface, in the Settings → Assets section, click the Add field button.

   An empty row is added to the Custom fields table. You can add multiple rows with the custom field settings at once.

2. Fill in the columns with the settings of the custom field:
   • Name (required)–from 1 to 128 characters in Unicode encoding.
   • Default value–from 1 to 1,024 Unicode characters.
   • Mask–from 1 to 1,024 Unicode characters.
3. Click Save.

A custom field is added to the asset data model.

To delete or edit a custom asset field:

1. In the KUMA web interface, open Settings → Assets.
2. Make the necessary changes in the Custom fields table:
   • To delete a custom field, click the icon next to the row with the settings of the required field. Deleting a field also deletes the data written in this field for all assets.
   • You can change the values of the field settings. Changing the default value does not affect the data written in the asset fields before.
   • To change the display order of the fields, drag the lines with the mouse by the
3. Click Save.

The changes are made.

Critical information infrastructure assets

In KUMA, you can tag assets related to the critical information infrastructure (CII) of the Russian Federation. This allows you to restrict the KUMA users capabilities to handle alerts and incidents, which are associated with the assets related to the CII objects.

You can assign the CII category to the assets if the license with the GosSOPKA module is active in KUMA.

General administrators and users with the Access to CII facilities check box selected in their profiles can assign the CII category to an asset. If none of these conditions are met, the following restrictions apply to the user:

• The CII category group of settings is not displayed in the Asset details and Edit asset windows. You cannot view or change the CII category of an asset.
• Alerts and incidents associated with the assets of the CII category are not available for viewing. You cannot perform any actions on such alerts and incidents; they are not displayed in the table of alerts and incidents.
• The CII column is not displayed in the Alerts and Incidents tables.
• Search and closing of the alerts using the REST API is not available.

The CII category of an asset is displayed in the Asset details window in the CII category group of settings.

To change the CII category of an asset:

1. In the KUMA web interface, in the Assets section, select the required asset.

   The Asset details window opens.

2. Click the Edit button and select one of the available values in the drop-down list:
   • Information resource is not a CII object – default value, indicating that the asset does not have a CII category. The users with the Access to CII facilities check box cleared in their profiles can work with such assets and the alerts and incidents related to these assets.
   • CII object without importance category.
   • CII object of the third importance category.
   • CII object of the second importance category.
   • CII object of the first importance category.
3. Click Save.