[Topic 5022]

Kaspersky Next XDR Expert Help

New features

• What's new in Kaspersky Next XDR Expert

Key features

• Managing alerts and security incidents
• Threat hunting tools
• Investigation graph
• Predefined and custom playbooks
• Manual threat response actions
• Dashboard and widgets

Compatibility and hardware and software requirements

• Hardware and software requirements
• Compatible applications and solutions
• Integration with other solutions and third-party systems

Getting started

• Walk-through scenario of deployment, activation and initial configuration of Kaspersky Next XDR Expert
• Deployment of Kaspersky Next XDR Expert
• Migration to Kaspersky Next XDR Expert
• Using the threat monitoring, detection and hunting capabilities
• Example of incident investigation with Kaspersky Next XDR Expert

Working with Open Single Management Platform

• Installing Kaspersky security applications on devices on a corporate network
• Remotely run scan and update tasks
• Managing the security policies of managed applications

[Topic 271062]

What's new

Kaspersky Next XDR Expert 1.1

Kaspersky Next XDR Expert has several new features and improvements:

• An updated version of Bootstrap is used in the application. Before you install the new version of Kaspersky Next XDR Expert, update Bootstrap by running the following command:

  ./kdt apply -k <path_to_XDR_updates_archive> -i <path_to_configuration_file> --force-bootstrap

• New design of the user interface.
• Reduced hardware and software requirements.
• Increased application stability.
• A new deployment wizard for the simplified configuration of the installation parameters.
• Addition of predefined playbooks.
• Kaspersky Next XDR Expert now supports the following EPP-applications:
  • Kaspersky Endpoint Security 12.0 for Mac
  • Kaspersky Industrial CyberSecurity for Nodes 3.2
  • Kaspersky Endpoint Agent 3.16
• New Dashboard widgets for monitoring responses performed through playbooks.
• Migration from Kaspersky Security Center to Kaspersky Next XDR Expert, including migration of users and tenants, and the binding of tenants to Administration Servers of Kaspersky Security Center.
• Kaspersky Next XDR Expert is now compatible with Kaspersky Anti Targeted Attack Platform 6.0.
• New features and improvements introduced in the August 2024 update of Kaspersky Unified Monitoring and Analysis Platform.

[Topic 247185]

About Kaspersky Next XDR Expert

Kaspersky Next XDR Expert (XDR) is a robust cybersecurity solution that defends your corporate IT infrastructure against sophisticated cyberthreats, including those that cannot be detected by EPP applications installed on corporate assets. It provides full visibility, correlation, and automation; and leverages a diverse range of response tools and data sources, including endpoint assets, and network and cloud data. To protect your IT infrastructure effectively, Kaspersky Next XDR Expert analyzes the data from these sources to identify threats, create alerts for potential incidents, and provide the tools to respond to them. Kaspersky XDR is backed by advanced analytics capabilities and a strong track record of security expertise.

This solution provides a unified detection and response process through integrated components and holistic scenarios in a single interface to improve the efficiency of security professionals.

The detection tools include:

• Threat hunting tools to proactively search for threats and vulnerabilities by analyzing events.
• Advanced threat detection and cross-correlation: real-time correlation of events from different sources, more than 350 correlation rules out-of-the-box for different scenarios with MITRE ATT&CK matrix mapping, ability to create new rules and customize existing ones, and retrospective scans for detecting zero-day vulnerabilities.
• An investigation graph to visualize and facilitate an incident investigation and identify the root causes of the alert.
• Use of Kaspersky Threat Intelligence Portal to get the latest detailed threat intelligence, for example, about web addresses, domains, IP addresses, file hashes, statistical and behavioral data, and WHOIS and DNS data.

The response tools include:

• Manual response actions: asset isolation, run commands, create prevention rules, launch tasks on an asset, Kaspersky Threat Intelligence Portal reputation enrichment, and training assignments for users.
• Playbooks, both predefined and user-created, to automate typical response operations.
• Third-party application response actions and cross-application response scenarios.

Kaspersky Next XDR Expert also takes advantage of the Open Single Management Platform component for asset management and the centralized run of security administration and maintenance tasks:

• Deploying Kaspersky applications on the assets in the corporate network.
• Remotely launching scan and update tasks.
• Obtaining detailed information about asset protection.
• Configuring all the security components by using Kaspersky applications.

Kaspersky Next XDR Expert supports the hierarchy of tenants.

Kaspersky Next XDR Expert is integrated with Active Directory, includes APIs, and supports a wide range of integrations both with Kaspersky applications and third-party solutions for data obtaining and responding. For information about the applications and solutions that XDR supports, see the Compatible Kaspersky applications and Integration with other solutions sections.

Updates functionality (including providing anti-virus signature updates and codebase updates), as well as KSN functionality may not be available in the software in the U.S.

[Topic 247187]

Hardware and software requirements

This article describes hardware requirements of single node deployment scheme and distributed deployment scheme, software requirements of Open Single Management Platform, hardware and software requirements of Kaspersky Deployment Toolkit and OSMP components.

Single node deployment: hardware requirements

Single node scheme only supports up to 10,000 devices in the network.

Additional nodes are required for KATA/KEDR.

In case of single node deployment, it is strongly recommended that you first install the DBMS manually on the host that will act as a primary node. After that, you can deploy Kaspersky Next XDR Expert on the same host.

Minimum hardware requirements

* The requirements do not take into account hosts for KUMA services. Refer to the following topic for details: Requirements for hosts with KUMA services.

To deploy the solution correctly, ensure that CPU of the target host supports the BMI, AVX, and SSE 4.2 instruction set.

Distributed deployment: hardware requirements

Multi-node cluster scheme is recommended for networks that exceed 10,000 devices.

Minimum hardware requirements

* The requirements do not take into account hosts for KUMA services. Refer to the following topic for details: Requirements for hosts with KUMA services.

** The database can be hosted either inside the cluster or on a separate host outside the cluster.

To deploy the solution correctly, ensure that CPUs of target hosts support the BMI/AVX instruction set.

Open Single Management Platform: Software requirements

Software requirements and supported systems and platforms

Kaspersky Deployment Toolkit

All Open Single Management Platform components are installed by using Kaspersky Deployment Toolkit.

Kaspersky Deployment Toolkit has the following hardware and software requirements:

Open Single Management Platform components

To view the hardware and software requirements for an Open Single Management Platform component, click its name:

• OSMP Console
• Kaspersky Unified Monitoring and Analysis Platform (hereinafter KUMA)
• Secondary Kaspersky Security Center Administration Servers
• Kaspersky Security Center Network Agent
• Kaspersky Endpoint Security for Windows
• Kaspersky Anti Targeted Attack Platform (hereinafter KATA)
• Kaspersky Industrial CyberSecurity for Networks
• Kaspersky Industrial CyberSecurity for Nodes
• Kaspersky CyberTrace
• Kaspersky Threat Intelligence Portal
• Kaspersky Automated Security Awareness Platform (hereinafter KASAP)

[Topic 265299]

Requirements for hosts with KUMA services

The KUMA services (collectors, correlators, and storages) are installed on the hosts that are outside of the Kubernetes cluster. Hardware and software requirements for these hosts are described in this article.

Recommended hardware and software requirements

This section lists the hardware and software requirements for processing a data stream of up to 40,000 events per second (EPS). The KUMA load value depends on the type of events being parsed and the efficiency of the normalizer.

For event processing efficiency, the CPU core count is more important than the clock rate. For example, 8 CPU cores with a medium clock rate can process events more efficiently than 4 CPU cores with a high clock rate. The table below lists the hardware and software requirements of KUMA components.

The amount of RAM utilized by the collector depends on configured enrichment methods (DNS, accounts, assets, enrichment with data from Kaspersky CyberTrace) and whether aggregation is used. RAM consumption is influenced by the data aggregation window setting, the number of fields used for aggregation of data, volume of data in fields being aggregated.

For example, with an event stream of 1000 EPS and event enrichment disabled (event enrichment is disabled, event aggregation is disabled, 5000 accounts, 5000 assets per tenant), one collector requires the following resources:

• 1 CPU core or 1 virtual CPU
• 512 MB of RAM
• 1 GB of disk space (not counting event cache)

For example, to support 5 collectors that do not perform event enrichment, you must allocate the following resources: 5 CPU cores, 2.5 GB of RAM, and 5 GB of free disk space.

Recommended hardware and software requirements for installation of the KUMA services

Installation of KUMA is supported in the following virtual environments:

• VMware 6.5 or later
• Hyper-V for Windows Server 2012 R2 or later
• QEMU-KVM 4.2 or later
• Software package of virtualization tools "Brest" RDTSP.10001-02

Kaspersky recommendations for storage servers

For storage servers Kaspersky specialists recommend the following:

• Put ClickHouse on solid state drives (SSD). SSDs help improve data access speed. Hard drives can be used to store data using the HDFS technology.
• To connect a data storage system to storage servers, use high-speed protocols, such as Fibre Channel or iSCSI 10G. We do not recommend using application-level protocols such as NFS and SMB to connect data storage systems.
• Use the ext4 file system on ClickHouse cluster servers.
• If you are using RAID arrays, use RAID 0 for high performance, or RAID 10 for high performance and fault tolerance.
• To ensure fault tolerance and performance of the data storage subsystem, make sure that ClickHouse nodes are deployed strictly on different disk arrays.
• If you are using a virtualized infrastructure to host system components, deploy ClickHouse cluster nodes on different hypervisors. In this case, it is necessary to prevent two virtual machines with ClickHouse from working on the same hypervisor.
• For high-load KUMA installations, install ClickHouse on physical servers.

Requirements for devices for installing agents

To have data sent to the KUMA collector, you must install agents on the network infrastructure devices. Hardware and software requirements are listed in the table below.

Recommended hardware and software requirements for installation of agents

[Topic 255792]

OSMP Console requirements

OSMP Console Server

For hardware and software requirements, refer to the requirements for a worker node.

Client devices

For a client device, use of OSMP Console requires only a browser.

The minimum screen resolution is 1366x768 pixels.

The hardware and software requirements for the device are identical to the requirements of the browser that is used with OSMP Console.

Browsers:

• Google Chrome 100.0.4896.88 or later (official build)
• Microsoft Edge 100 or later
• Safari 15 on macOS
• "Yandex" Browser 23.5.0.2271 or later
• Mozilla Firefox Extended Support Release 102.0 or later

[Topic 255797]

Network Agent requirements

Minimum hardware requirements:

• CPU with operating frequency of 1 GHz or higher. For a 64-bit operating system, the minimum CPU frequency is 1.4 GHz.
• RAM: 512 MB.
• Available disk space: 1 GB.

Software requirement for Linux-based devices: the Perl language interpreter version 5.10 or higher must be installed.

The following operating systems are supported:

• Microsoft Windows Embedded POSReady 2009 with latest Service Pack 32-bit
• Microsoft Windows Embedded 7 Standard with Service Pack 1 32-bit/64-bit
• Microsoft Windows Embedded 8.1 Industry Pro 32-bit/64-bit
• Microsoft Windows 10 Enterprise 2015 LTSB 32-bit/64-bit
• Microsoft Windows 10 Enterprise 2016 LTSB 32-bit/64-bit
• Microsoft Windows 10 IoT Enterprise 2015 LTSB 32-bit/64-bit
• Microsoft Windows 10 IoT Enterprise 2016 LTSB 32-bit/64-bit
• Microsoft Windows 10 Enterprise 2019 LTSC 32-bit/64-bit
• Microsoft Windows 10 IoT Enterprise version 1703 32-bit/64-bit
• Microsoft Windows 10 IoT Enterprise version 1709 32-bit/64-bit
• Microsoft Windows 10 IoT Enterprise version 1803 32-bit/64-bit
• Microsoft Windows 10 IoT Enterprise version 1809 32-bit/64-bit
• Microsoft Windows 10 20H2 IoT Enterprise 32-bit/64-bit
• Microsoft Windows 10 21H2 IoT Enterprise 32-bit/64-bit
• Microsoft Windows 10 IoT Enterprise 32-bit/64-bit
• Microsoft Windows 10 IoT Enterprise version 1909 32-bit/64-bit
• Microsoft Windows 10 IoT Enterprise LTSC 2021 32-bit/64-bit
• Microsoft Windows 10 IoT Enterprise version 1607 32-bit/64-bit
• Microsoft Windows 10 Home RS3 (Fall Creators Update, v1709) 32-bit/64-bit
• Microsoft Windows 10 Pro RS3 (Fall Creators Update, v1709) 32-bit/64-bit
• Microsoft Windows 10 Pro for Workstations RS3 (Fall Creators Update, v1709) 32-bit/64-bit
• Microsoft Windows 10 Enterprise RS3 (Fall Creators Update, v1709) 32-bit/64-bit
• Microsoft Windows 10 Education RS3 (Fall Creators Update, v1709) 32-bit/64-bit
• Microsoft Windows 10 Home RS4 (April 2018 Update, 17134) 32-bit/64-bit
• Microsoft Windows 10 Pro RS4 (April 2018 Update, 17134) 32-bit/64-bit
• Microsoft Windows 10 Pro for Workstations RS4 (April 2018 Update, 17134) 32-bit/64-bit
• Microsoft Windows 10 Enterprise RS4 (April 2018 Update, 17134) 32-bit/64-bit
• Microsoft Windows 10 Education RS4 (April 2018 Update, 17134) 32-bit/64-bit
• Microsoft Windows 10 Home RS5 (October 2018) 32-bit/64-bit
• Microsoft Windows 10 Pro RS5 (October 2018) 32-bit/64-bit
• Microsoft Windows 10 Pro for Workstations RS5 (October 2018) 32-bit/64-bit
• Microsoft Windows 10 Enterprise RS5 (October 2018) 32-bit/64-bit
• Microsoft Windows 10 Education RS5 (October 2018) 32-bit/64-bit
• Microsoft Windows 10 Home 19H1 32-bit/64-bit
• Microsoft Windows 10 Pro 19H1 32-bit/64-bit
• Microsoft Windows 10 Pro for Workstations 19H1 32-bit/64-bit
• Microsoft Windows 10 Enterprise 19H1 32-bit/64-bit
• Microsoft Windows 10 Education 19H1 32-bit/64-bit
• Microsoft Windows 10 Home 19H2 32-bit/64-bit
• Microsoft Windows 10 Pro 19H2 32-bit/64-bit
• Microsoft Windows 10 Pro for Workstations 19H2 32-bit/64-bit
• Microsoft Windows 10 Enterprise 19H2 32-bit/64-bit
• Microsoft Windows 10 Education 19H2 32-bit/64-bit
• Microsoft Windows 10 Home 20H1 (May 2020 Update) 32-bit/64-bit
• Microsoft Windows 10 Pro 20H1 (May 2020 Update) 32-bit/64-bit
• Microsoft Windows 10 Enterprise 20H1 (May 2020 Update) 32-bit/64-bit
• Microsoft Windows 10 Education 20H1 (May 2020 Update) 32-bit/64-bit
• Microsoft Windows 10 Home 20H2 (October 2020 Update) 32-bit/64-bit
• Microsoft Windows 10 Pro 20H2 (October 2020 Update) 32-bit/64-bit
• Microsoft Windows 10 Enterprise 20H2 (October 2020 Update) 32-bit/64-bit
• Microsoft Windows 10 Education 20H2 (October 2020 Update) 32-bit/64-bit
• Microsoft Windows 10 Home 21H1 (May 2021 Update) 32-bit/64-bit
• Microsoft Windows 10 Pro 21H1 (May 2021 Update) 32-bit/64-bit
• Microsoft Windows 10 Enterprise 21H1 (May 2021 Update) 32-bit/64-bit
• Microsoft Windows 10 Education 21H1 (May 2021 Update) 32-bit/64-bit
• Microsoft Windows 10 Home 21H2 (October 2021 Update) 32-bit/64-bit
• Microsoft Windows 10 Pro 21H2 (October 2021 Update) 32-bit/64-bit
• Microsoft Windows 10 Enterprise 21H2 (October 2021 Update) 32-bit/64-bit
• Microsoft Windows 10 Education 21H2 (October 2021 Update) 32-bit/64-bit
• Microsoft Windows 10 Home 22H2 (October 2023 Update) 32-bit/64-bit
• Microsoft Windows 10 Pro 22H2 (October 2023 Update) 32-bit/64-bit
• Microsoft Windows 10 Enterprise 22H2 (October 2023 Update) 32-bit/64-bit
• Microsoft Windows 10 Education 22H2 (October 2023 Update) 32-bit/64-bit
• Microsoft Windows 11 Home 64-bit
• Microsoft Windows 11 Pro 64-bit
• Microsoft Windows 11 Enterprise 64-bit
• Microsoft Windows 11 Education 64-bit
• Microsoft Windows 11 22H2
• Microsoft Windows 8.1 Pro 32-bit/64-bit
• Microsoft Windows 8.1 Enterprise 32-bit/64-bit
• Microsoft Windows 8 Pro 32-bit/64-bit
• Microsoft Windows 8 Enterprise 32-bit/64-bit
• Microsoft Windows 7 Professional with Service Pack 1 and later 32-bit/64-bit
• Microsoft Windows 7 Enterprise/Ultimate with Service Pack 1 and later 32-bit/64-bit
• Microsoft Windows 7 Home Basic/Premium with Service Pack 1 and later 32-bit/64-bit
• Microsoft Windows XP Professional with Service Pack 2 32-bit/64-bit (supported by Network Agent version 10.5.1781 only)
• Microsoft Windows XP Professional with Service Pack 3 and later 32-bit (supported by Network Agent version 14.0.0.20023)
• Microsoft Windows XP Professional for Embedded Systems with Service Pack 3 32-bit (supported by Network Agent version 14.0.0.20023)
• Windows MultiPoint Server 2011 Standard/Premium 64-bit
• Windows Server 2003 SP1 32-bit/64-bit (supported only by Network Agent version 10.5.1781, which you can request through Technical Support)
• Windows Server 2008 Foundation with Service Pack 2 32-bit/64-bit
• Windows Server 2008 with Service Pack 2 (all editions) 32-bit/64-bit
• Windows Server 2008 R2 Datacenter with Service Pack 1 and later 64-bit
• Windows Server 2008 R2 Enterprise with Service Pack 1 and later 64-bit
• Windows Server 2008 R2 Foundation with Service Pack 1 and later 64-bit
• Windows Server 2008 R2 Core Mode with Service Pack 1 and later 64-bit
• Windows Server 2008 R2 Standard with Service Pack 1 and later 64-bit
• Windows Server 2008 R2 with Service Pack 1 (all editions) 64-bit
• Windows Server 2012 Server Core 64-bit
• Windows Server 2012 Datacenter 64-bit
• Windows Server 2012 Essentials 64-bit
• Windows Server 2012 Foundation 64-bit
• Windows Server 2012 Standard 64-bit
• Windows Server 2012 R2 Server Core 64-bit
• Windows Server 2012 R2 Datacenter 64-bit
• Windows Server 2012 R2 Essentials 64-bit
• Windows Server 2012 R2 Foundation 64-bit
• Windows Server 2012 R2 Standard 64-bit
• Windows Server 2016 Datacenter (LTSB) 64-bit
• Windows Server 2016 Standard (LTSB) 64-bit
• Windows Server 2016 Server Core (Installation Option) (LTSB) 64-bit
• Windows Server 2019 Standard 64-bit
• Windows Server 2019 Datacenter 64-bit
• Windows Server 2019 Core 64-bit
• Windows Server 2022 Standard 64-bit
• Windows Server 2022 Datacenter 64-bit
• Windows Server 2022 Core 64-bit
• Debian GNU/Linux 10.х (Buster) 32-bit/64-bit
• Debian GNU/Linux 11.х (Bullseye) 32-bit/64-bit
• Debian GNU/Linux 12 (Bookworm) 32-bit/64-bit
• Ubuntu Server 18.04 LTS (Bionic Beaver) 32-bit/64-bit
• Ubuntu Server 20.04 LTS (Focal Fossa) 32-bit/64-bit
• Ubuntu Server 22.04 LTS (Jammy Jellyfish) 64-bit
• CentOS 7.x 64-bit
• CentOS Stream 9 64-bit
• Red Hat Enterprise Linux Server 6.x 32-bit/64-bit
• Red Hat Enterprise Linux Server 7.x 64-bit
• Red Hat Enterprise Linux Server 8.x 64-bit
• Red Hat Enterprise Linux Server 9.x 64-bit
• SUSE Linux Enterprise Server 12 (all Service Packs) 64-bit
• SUSE Linux Enterprise Server 15 (all Service Packs) 64-bit
• SUSE Linux Enterprise Desktop 15 with Service Pack 3 ARM 64-bit
• openSUSE 15 64-bit
• EulerOS 2.0 SP8 ARM 64-bit
• Astra Linux Special Edition RUSB.10015-01 (operational update 1.6) 64-bit
• Astra Linux Special Edition RUSB.10015-01 (operational update 1.7) 64-bit
• Astra Linux Special Edition RUSB.10015-01 (operational update 1.8) 64-bit
• Astra Linux Common Edition (operational update 2.12) 64-bit
• Astra Linux Special Edition RUSB.10152-02 (operational update 4.7) ARM 64-bit
• ALT SP Server 10 64-bit
• ALT SP Workstation 10 64-bit
• ALT Server 10 64-bit
• ALT Server 9.2 64-bit
• ALT Workstation 9.2 32-bit/64-bit
• ALT Workstation 10 32-bit/64-bit
• ALT 8 SP Server (LKNV.11100-01) 64-bit
• ALT 8 SP Server (LKNV.11100-02) 64-bit
• ALT 8 SP Server (LKNV.11100-03) 64-bit
• ALT 8 SP Workstation (LKNV.11100-01) 32-bit/64-bit
• ALT 8 SP Workstation (LKNV.11100-02) 32-bit/64-bit
• ALT 8 SP Workstation (LKNV.11100-03) 32-bit/64-bit
• Mageia 4 32-bit
• Oracle Linux 7 64-bit
• Oracle Linux 8 64-bit
• Oracle Linux 9 64-bit
• Linux Mint 20.x 64-bit
• AlterOS 7.5 and later 64-bit
• GosLinux IC6 64-bit
• RED OS 7.3 Server 64-bit
• RED OS 7.3 Certified Edition 64-bit
• ROSA COBALT 7.9 64-bit
• ROSA CHROME 12 64-bit
• macOS Big Sur (11.x)
• macOS Monterey (12.x)
• macOS Ventura (13.x)
• macOS Sonoma (14.x)

  For Network Agent, the Apple Silicon (M1) architecture is also supported, as well as Intel.

The following virtualization platforms are supported:

• VMware vSphere 6.7
• VMware vSphere 7.0
• VMware vSphere 8.0
• VMware Workstation 16 Pro
• VMware Workstation 17 Pro
• Microsoft Hyper-V Server 2012 64-bit
• Microsoft Hyper-V Server 2012 R2 64-bit
• Microsoft Hyper-V Server 2016 64-bit
• Microsoft Hyper-V Server 2019 64-bit
• Microsoft Hyper-V Server 2022 64-bit
• Citrix XenServer 7.1 LTSR
• Citrix XenServer 8.x
• Parallels Desktop 17
• Oracle VM VirtualBox 6.x
• Oracle VM VirtualBox 7.x
• Kernel-based Virtual Machine (all Linux operating systems supported by Network Agent)

On the devices running Windows 10 version RS4 or RS5, Kaspersky Security Center might be unable to detect some vulnerabilities in folders where case sensitivity is enabled.

Before installing Network Agent on the devices running Windows 7, Windows Server 2008, Windows Server 2008 R2 or Windows MultiPoint Server 2011, make sure that you have installed the security update KB3063858 for OS Windows (Security Update for Windows 7 (KB3063858), Security Update for Windows 7 for x64-based Systems (KB3063858), Security Update for Windows Server 2008 (KB3063858), Security Update for Windows Server 2008 x64 Edition (KB3063858), Security Update for Windows Server 2008 R2 x64 Edition (KB3063858).

In Microsoft Windows XP, Network Agent might not perform some operations correctly.

You can install or update Network Agent for Windows XP in Microsoft Windows XP only. The supported editions of Microsoft Windows XP and their corresponding versions of the Network Agent are listed in the list of supported operating systems. You can download the required version of the Network Agent for Microsoft Windows XP from this page.

We recommend that you install the same version of the Network Agent for Linux as Open Single Management Platform.

Open Single Management Platform fully supports Network Agent of the same or newer versions.

Network Agent for macOS is provided together with Kaspersky security application for this operating system.

[Topic 250553]

Compatible applications and solutions

Kaspersky Next XDR Expert can be integrated with the following versions of applications and solutions:

• Kaspersky Security Center 15 Linux (as secondary Administration Servers)
• Kaspersky Security Center 14.2 Windows (as secondary Administration Servers)
• Kaspersky Anti Targeted Attack Platform 5.1
• Kaspersky Anti Targeted Attack Platform 6.0
• Kaspersky Endpoint Security for Windows 12.3 or later (supports file servers)
• Kaspersky Endpoint Security 12.4 for Windows
• Kaspersky Endpoint Security 12.0 for Mac
• Kaspersky CyberTrace 4.2 (integration can only be configured in the KUMA Console)
• Kaspersky Industrial CyberSecurity for Nodes 3.2 or later
• Kaspersky Endpoint Agent 3.16
• Kaspersky Industrial CyberSecurity for Networks 4.0 (integration can only be configured in the KUMA Console)
• Kaspersky Secure Mail Gateway 2.0 and later (integration can only be configured in the KUMA Console)
• Kaspersky Security for Linux Mail Server 10 and later (integration can only be configured in the KUMA Console)
• Kaspersky Web Traffic Security 6.0 and later (integration can only be configured in the KUMA Console)
• UserGate 7
• Kaspersky Automated Security Awareness Platform
• Kaspersky Threat Intelligence Portal

Refer to the Application Support Lifecycle webpage for the versions of the applications.

Known issues

Open Single Management Platform supports management of Kaspersky Endpoint Security for Windows with the following limitations:

• The Adaptive Anomaly Control component is not supported. Open Single Management Platform does not support Adaptive Anomaly Control rules.
• Kaspersky Sandbox components are not supported.
• The Seamless updates functionality is not available.

[Topic 247191]

Architecture of Kaspersky Next XDR Expert

This section provides a description of the components of Kaspersky Next XDR Expert and their interaction.

Kaspersky Next XDR Expert architecture

Kaspersky Next XDR Expert comprises the following main components:

• Open Single Management Platform (OSMP). The technology basis on which Kaspersky Next XDR Expert is built. OSMP integrates all of the solution components and provides interaction between the components. OSMP is scalable and supports integration with both Kaspersky applications and third-party solutions.
• OSMP Console. Provides a web interface for OSMP.
• KUMA Console. Provides a web interface for Kaspersky Unified Monitoring and Analysis Platform (KUMA).
• KUMA Core. The central component of KUMA. KUMA receives, processes, and stores information security events and then analyzes the events by using correlation rules. As a result of the analysis, if the conditions of a correlation rule are met, KUMA creates an alert and sends it to Incident Response Platform.
• Incident Response Platform. A Kaspersky Next XDR Expert component that allows you to create incidents automatically or manually, manage alert and incident life cycle, assign alerts and incidents to SOC analysts, and respond to the incidents automatically or manually, including responses through playbooks.
• Administration Server (also referred to as Server). The key component of endpoint protection of a client organization. Administration Server provides centralized deployment and management of endpoint protection through EPP-applications, and allows you to monitor the endpoint protection status.
• Data sources. Information security hardware and software that generates the events. After you integrate Kaspersky Next XDR Expert with the required data sources, KUMA receives the events to store and analyze them.
• Integrations. Kaspersky applications and third-party solutions integrated with OSMP. Through integrated solutions, an SOC analyst can enrich the data required for incident investigation, and then respond to incidents.

[Topic 247197]

OSMP Console interface

Kaspersky Next XDR Expert is managed through the OSMP Console and KUMA Console interfaces.

The OSMP Console window contains the following items:

• Main menu in the left part of the window
• Work area in the right part of the window

Main menu

The main menu contains the following sections:

• Administration Server. Displays the name of the Administration Server that you are currently connected to. Click the settings icon () to open the Administration Server properties.
• Monitoring & Reporting. Provides an overview of your infrastructure, protection statuses, and statistics, including threat hunting, alerts and incidents, and playbooks.
• Assets (Devices). Contains tools for assets, as well as tasks and Kaspersky application policies.
• Users & Roles. Allows you to manage users and roles, configure user rights by assigning roles to the users, and associate policy profiles with roles.
• Operations. Contains a variety of operations, including application licensing, viewing and managing encrypted drives and encryption events, and third-party application management. This also provides you access to application repositories.
• Discovery & Deployment. Allows you to poll the network to discover client devices, and distribute the devices to administration groups manually or automatically. This section also contains the quick start wizard and Protection deployment wizard.
• Marketplace. Contains information about the entire range of Kaspersky business solutions and allows you to select the ones you need, and then proceed to purchase those solutions at the Kaspersky website.
• Settings. Contains settings to integrate Kaspersky Next XDR Expert with other Kaspersky applications and allows you to go to the KUMA Console. It also contains your personal settings related to the interface appearance, such as interface language or theme.
• Your account menu. Contains a link to Kaspersky Next XDR Expert Help. It also allows you to sign out of Kaspersky Next XDR Expert, and view the OSMP Console version and the list of installed management web plug-ins.

Work area

The work area displays the information you choose to view in the sections of the OSMP Console interface window. It also contains control elements that you can use to configure how the information is displayed.

[Topic 272710]

Pinning and unpinning sections of the main menu

You can pin sections of OSMP Console to add them to favorites and access them quickly from the Pinned section in the main menu.

If there are no pinned elements, the Pinned section is not displayed in the main menu.

You can pin sections that display pages only. For example, if you go to Assets (Devices) → Managed devices, a page with the table of devices opens, which means you can pin the Managed devices section. If a window or no element is displayed after you select the section in the main menu, then you cannot pin such a section.

To pin a section:

1. In the main menu, hover the mouse cursor over the section you want to pin.

   The pin () icon is displayed.

2. Click the pin () icon.

The section is pinned and displayed in the Pinned section.

The maximum number of elements that you can pin is five.

You can also remove elements from favorites by unpinning them.

To unpin a section:

1. In the main menu, go to the Pinned section.
2. Hover the mouse cursor over the section you want to unpin, and then click the unpin () icon.

The section is removed from favorites.

[Topic 256056]

Changing the language of the OSMP Console interface

You can select the language of the OSMP Console interface.

To change the interface language:

1. In the main menu, go to Settings → Language.
2. Select one of the supported localization languages.

[Topic 247196]

Licensing

This section covers the main aspects of Open Single Management Platform licensing.

[Topic 73374]

About the End User License Agreement

The End User License Agreement (License Agreement) is a binding agreement between you and AO Kaspersky Lab stipulating the terms on which you may use the application.

Carefully read the License Agreement before you start using the application.

You can view the terms of the End User License Agreement by using the following methods:

• During installation of Open Single Management Platform.
• By reading the license.txt document. This document is included in the application distribution kit.

You accept the terms of the End User License Agreement by confirming that you agree with the End User License Agreement when installing the application. If you do not accept the terms of the License Agreement, cancel application installation and do not use the application.

[Topic 69295]

About the license key

A license key is a sequence of bits that you can apply to activate and then use the application in accordance with the terms of the End User License Agreement. License keys are generated by Kaspersky specialists.

You can add a license key to the application using one of the following methods: by applying a key file or by entering an activation code. The license key is displayed in the application interface as a unique alphanumeric sequence after you add it to the application.

The license key may be blocked by Kaspersky in case the terms of the License Agreement have been violated. If the license key has been blocked, you need to add another one if you want to use the application.

A license key may be active or additional (or reserve).

An active license key is a license key that is currently used by the application. An active license key can be added for a trial or commercial license. The application cannot have more than one active license key.

An additional (or reserve) license key is a license key that entitles the user to use the application, but is not currently in use. The additional license key automatically becomes active when the license associated with the current active license key expires. An additional license key can be added only if an active license key has already been added.

A license key for a trial license can be added as an active license key. A license key for a trial license cannot be added as an additional license key.

[Topic 69430]

About the activation code

An activation code is a unique sequence of 20 letters and numbers. You have to enter an activation code in order to add a license key for activating Open Single Management Platform. You receive the activation code at the email address that you provided when you bought Open Single Management Platform or requested the trial version of Open Single Management Platform.

To activate the application by using the activation code, you need internet access in order to connect to Kaspersky activation servers.

If you have lost your activation code after installing the application, contact the Kaspersky partner from whom you purchased the license.

[Topic 69431]

About the key file

A key file is a file with the .key extension provided to you by Kaspersky. Key files are designed to activate the application by adding a license key.

You receive a key file at the email address that you provided when you bought Open Single Management Platform or ordered the trial version of Open Single Management Platform.

You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.

You can restore a key file if it has been accidentally deleted. You may need a key file to register a Kaspersky CompanyAccount, for example.

To restore your key file, perform any of the following actions:

• Contact the license seller.
• Receive a key file through Kaspersky website by using your available activation code.

[Topic 269808]

License limits

When you purchase a Kaspersky Next XDR Expert license, you determine the number of users you want to protect. You can exceed the license limit by no more than 5%. If you exceed the license limit by more than 5%, the extra devices and extra accounts are added to the Restricted assets list.

If the license limit is exceeded, a notification appears at the top of the OSMP Console.

It is not possible to launch response actions or playbooks for restricted assets.

To view the list of restricted assets:

1. In the main menu, go to Settings → Tenants.
2. In the Tenants section, click the Root tenant.

   The Root tenant's properties window opens.

3. Select the Licenses tab.
4. Click the link with the number of restricted assets.

The Restricted assets window opens.

The list shows a maximum of 2000 restricted assets.

[Topic 265011]

Activating Kaspersky Next XDR Expert

After you install Kaspersky Next XDR Expert, you must activate the application in the Administration Server properties.

To activate Kaspersky Next XDR Expert:

1. In the main menu, click the settings icon () next to the name of the root Administration Server.

   The Administration Server properties window opens.

2. On the General tab, select the License keys section.
3. Under Current license, click the Select button.
4. In the window that opens, select the license key that you want to use to activate Kaspersky Next XDR Expert. If the license key is not listed, click the Add new license key button, and then specify a new license key.
5. If necessary, you can also add a
   reserve license key

   

   A license key that entitles the user to use the application, but is not currently in use. The reserve license key automatically becomes active when the license associated with the current active license key expires.

   . To do this, under Reserve license key, click the Select button, and then select an existing license key or add a new one. Note that you cannot add a reserve license key if there is no active license key.
6. Click the Save button.

[Topic 266610]

Viewing information about license keys in use

To view active and reserve license keys:

1. In the main menu, go to Settings → Tenants.
2. In the Tenants section, click the root tenant.

   The root tenant's properties window opens.

3. Select the Licenses tab.

   The active and reserve license keys are displayed.

The displayed license key is applied to all child tenants of the root tenant. Specifying a separate license key for a child tenant is not available. The properties window for child tenants does not include the Licenses tab.

If the license keys limit is exceeded, a notification is shown, and the information about the license key shows a warning.

You can click the Go to Administration Server button to manage Kaspersky Next XDR Expert license keys.

On the Licenses tab, you can also view the list of licensed objects. To do this, click the button.

The availability of the licensed object depends on the purchased license type. For more information about license types, see Licensing and features of Kaspersky Next XDR Expert.

[Topic 214791]

Renewing licenses for Kaspersky applications

You can renew licenses for Kaspersky Next XDR Expert and included Kaspersky applications, such as Kaspersky Unified Monitoring and Analysis Platform, and Kaspersky Endpoint Detection and Response Expert. You can renew licenses that have expired or are going to expire within 30 days.

An email with an archive containing the new license keys will be sent to your email address after you purchase a new Kaspersky Next XDR Expert license.

To renew a license of Kaspersky Next XDR Expert:

1. Extract the new license keys from the archive sent to your email address.
2. Follow the steps described in Activating Kaspersky Next XDR Expert.

The license is renewed.

If you need to renew the licenses of the included Kaspersky applications, you must add new license keys to the web interfaces of these solutions.

For how to renew a license of Kaspersky Unified Monitoring and Analysis Platform, see the Adding a license key to the program web interface section of the Kaspersky Unified Monitoring and Analysis Platform Help.

For how to renew a license of Kaspersky Endpoint Detection and Response Expert, see the Adding a key section of the Kaspersky Anti Targeted Attack Platform Help.

In OSMP Console, the notifications are displayed when a license is about to expire, according to the following schedule:

• 30 days before the expiration
• 7 days before the expiration
• 3 days before the expiration
• 24 hours before the expiration
• When a license has expired

[Topic 249153]

About data provision

Data processed locally

Kaspersky Next XDR Expert is designed to optimize threat detection, incident investigation, threat response (including automatic), and proactive threat hunting in real time. 

Kaspersky Next XDR Expert performs the following main functions:

• Receiving, processing, and storing information security events.
• Analysis and correlation of incoming data.
• Incidents and alerts investigation, manual response.
• Automatic response by using the predefined and custom playbooks.
• Event-based threat hunting in real time.

To perform its main functions, Kaspersky Next XDR Expert can receive, store and process the following information:

• Information about the devices on which all Kaspersky Next XDR Expert components are installed:
  • Technical specifications: device name, MAC address, operating system vendor, operating system build number, OS kernel version, required installed packages, account rights, service management tool type, and port status. This data is collected by Kaspersky Deployment Toolkit during installation.
  • Technical specifications: IPv4 address. This data is specified by the user in the Kaspersky Deployment Toolkit configuration file.
  • Device access data: account names and SSH keys. This data is specified by the user in the Kaspersky Deployment Toolkit configuration file.
  • Database access data: IP/DNS name, port, user name, and password. This data is specified by the user in the Kaspersky Deployment Toolkit configuration file.
  • KUMA inventory and license keys. This data is specified by the user in the Kaspersky Deployment Toolkit configuration file.
  • DNS zone. This data is specified by the user in the Kaspersky Deployment Toolkit configuration file.
  • Certificates for secure connection of devices to OSMP components. This data is specified by the user in the Kaspersky Deployment Toolkit configuration file.

  Information is saved in the installation log, which is stored in the Kaspersky Deployment Toolkit database. The installation log of the initial infrastructure is saved to a file on the user's device. The storage period is indefinite; the installation log file will be deleted when Kaspersky Next XDR Expert is uninstalled. User names and passwords are stored in an encrypted form.

• Information about user accounts: full name and email address. The user enters data in the OSMP and KUMA Consoles. The data is stored in the database until the user deletes it.
• Information about tenants: tenant name, parent tenant name, description. The user enters data in the OSMP and KUMA Consoles. The data is stored in the database until the user deletes it.
• Alerts and incidents data:
  • Alert data: triggered rules, compliance with the MITRE matrix, alert status, resolution, assigned operator, affected assets (devices and accounts), observables (IP, MD5, SHA256, URL, DNS domain, or DNS name) user name, host name, comments, and the changelog. This information is generated in the OSMP Console automatically, based on correlation events obtained from Kaspersky Unified Monitoring and Analysis Platform.
  • Incident data: linked alerts, triggered rules, compliance with the MITRE matrix, incident status, resolution, affected assets (devices and accounts), observables (from the alert), comments, and the changelog. This information is generated in the OSMP Console automatically, according to the rules or manually by the user.
  • Data on configuring the segmentation rules for generating incidents from alerts: the name and the rule triggering conditions, the template for the name of a new incident, a rule description, and the rule launch priority. The user enters data in the OSMP Console.
  • Information about notification templates: template name, message subject, message template, template description, and detection rules. When the detection rules are triggered, notifications are sent. The user enters data in the OSMP Console.

  The above data is stored in the database until the user deletes it.

• Playbook data:
  • Playbook operational data, including data on response action parameters: name, description, tags, trigger, and algorithm. The user enters data in the OSMP console.
  • Data on the execution of response actions within a playbook: data from integrated systems, data from devices.
  • The full response history of alerts and incidents.

  The data listed above is stored in the database for three days and then deleted. Data is completely deleted when Kaspersky Next XDR Expert is uninstalled.

•  Integration settings data (both with Kaspersky solutions or services, and with third-party solutions that participate in Kaspersky Next XDR Expert scenarios):
  • Kaspersky Threat Intelligence Portal integration: API access token for connecting to Kaspersky Threat Intelligence Portal, cache retention period, whether the connection is through a proxy, or service type. The user enters data in the OSMP console.
  • KATA and KEDR integration: KATA and KEDR server address: IP address or host name, port, unique ID for connecting to KATA and KEDR, certificate file, and a private key for connecting to KATA and KEDR. The user enters data in the OSMP console.
  • Connection to the host where the custom script will be run: IP address or host name, port, user name and SSH key, and password or key. The user enters data in the OSMP console.
  • OSMP Administration Server integration: Administration Server name, full path to the Administration Server in the hierarchy. The user enters data in the OSMP console.
  • Kaspersky CyberTrace integration: IPv4 address or hostname and port through which Kaspersky CyberTrace is available, name, and password. The user enters data in the KUMA Console.
  • Kaspersky Automated Security Awareness Platform (KASAP) integration: API access token for connecting to KASAP, KASAP portal URL, KASAP administrator email, and whether the connection is through a proxy. The user enters data in the KUMA Console.
  • Active Directory integration: addresses of domain controllers, user name and password for connecting to domain controllers, and certificate. The user enters data in the KUMA Console.
  • External system integration (such as UserGate): account name and SSH key or password for remote access to the client device.

  The above data is stored in the database until the user deletes it. This data is completely deleted when the application is uninstalled.

For detailed information about other data received, stored, and processed to perform the main functions of Kaspersky Next XDR Expert, refer to the application Help:

• Kaspersky Security Center 15 Linux
• Kaspersky Unified Monitoring and Analysis Platform

All data processed locally can be transferred to Kaspersky only through the dump files, trace files, or log files of Kaspersky Next XDR Expert components, including log files created by installers and utilities. The dump files, trace files, or log files of Kaspersky Next XDR Expert components contain personal or confidential data. The dump files, trace files, and log files are stored on the devices in an unencrypted form. The dump files, trace files, or log files are not transferred to Kaspersky automatically, but an administrator may transfer those files to Kaspersky manually by request from Technical Support to resolve issues related to Kaspersky Next XDR Expert performance. Kaspersky protects any information received in accordance with the law and applicable Kaspersky rules. Data is transmitted over a secure channel. The default storage term for this information (rotation period) is 7 days.

Data transferred to AO Kaspersky Lab

By following the links from the OSMP console to Kaspersky Next XDR Expert Help, the user agrees to the automatic transfer of the following data to Kaspersky:

• Kaspersky Next XDR Expert code
• Kaspersky Next XDR Expert version
• Kaspersky Next XDR Expert localization

To assign a training course to an employee, Kaspersky Next XDR Expert transfers the following data to Kaspersky Automated Security Awareness Platform:

• user email
• Kaspersky Automated Security Awareness Platform ID
• training group ID

To obtain additional alert data, Kaspersky Next XDR Expert transfers the type and value of observables related to alerts, incidents and events to Kaspersky Threat Intelligence Portal.

Data transferred to third parties

By following the link from the alert or incident details for receiving information about the MITRE tactics or technique, the following information about MITRE tactics or techniques is transferred to the MITRE website: ID and type.

[Topic 265008]

Data provision in Open Single Management Platform

Data processed locally

Open Single Management Platform is designed for centralized execution of basic administration and maintenance tasks on an organization's network. Open Single Management Platform provides the administrator with access to detailed information about the organization's network security level; Open Single Management Platform lets an administrator configure all the components of protection based on Kaspersky applications. Open Single Management Platform performs the following main functions:

• Detecting devices and their users on the organization's network
• Creating a hierarchy of administration groups for device management
• Installing Kaspersky applications on devices
• Managing the settings and tasks of installed applications
• Activating Kaspersky applications on devices
• Managing user accounts
• Viewing information about the operation of Kaspersky applications on devices
• Viewing reports

To perform its main functions Open Single Management Platform can receive, store, and process the following information:

• Information about the devices on the organization's network received through scanning of Active Directory or Samba domain controllers or through scanning of IP intervals. Administration Server gets data independently or receives data from Network Agent.
• Information from Active Directory and Samba about organizational units, domains, users, and groups. Administration Server gets data by itself or receives data from Network Agent assigned to work as a distribution point.
• Details of managed devices. Network Agent transfers the data listed below from the device to Administration Server. The user enters the display name and description of the device in the OSMP Console interface:
  • Technical specifications of the managed device and its components required for device identification: device display name and description, Windows domain name and type (for devices belonging to a Windows domain), device name in Windows environment (for devices belonging to a Windows domain), DNS domain and DNS name, IPv4 address, IPv6 address, network location, MAC address, operating system type, whether the device is a virtual machine together with hypervisor type, and whether the device is a dynamic virtual machine as part of VDI.
  • Other specifications of managed devices and their components required for audit of managed devices: operating system architecture, operating system vendor, operating system build number, operating system release ID, operating system location folder, if the device is a virtual machine—the virtual machine type, name of the virtual Administration Server that manages the device.
  • Details of actions on managed devices: date and time of the last update, time the device was last visible on the network, restart waiting status, and time the device was turned on.
  • Details of device user accounts and their work sessions.
• Data received by running remote diagnostics on a managed device: trace files, system information, details of Kaspersky applications installed on the device, dump files, event logs, the results of running the diagnostic scripts received from Kaspersky Technical Support.
• Distribution point operation statistics if the device is a distribution point. Network Agent transfers data from the device to Administration Server.
• Distribution point settings entered by the User in OSMP Console.
• Details of Kaspersky applications installed on the device. The managed application transfers data from the device to Administration Server through Network Agent:
  • Settings of Kaspersky applications installed on the managed device: Kaspersky application name and version, status, real-time protection status, last device scan date and time, number of threats detected, number of objects that failed to be disinfected, availability and status of the application components, details of Kaspersky application settings and tasks, information about the active and reserve license keys, application installation date and ID.
  • Application operation statistics: events related to the changes in the status of Kaspersky application components on the managed device and to the performance of tasks initiated by the application components.
  • Device status defined by the Kaspersky application.
  • Tags assigned by the Kaspersky application.
• Data contained in events from Open Single Management Platform components and Kaspersky managed applications. Network Agent transfers data from the device to Administration Server.
• Settings of Open Single Management Platform components and Kaspersky managed applications presented in policies and policy profiles. The User enters data in the OSMP Console interface.
• Task settings of Open Single Management Platform components and Kaspersky managed applications. The User enters data in the OSMP Console interface.
• Data processed by the System management feature. Network Agent transfers from the device to Administration Server the following information:
  • Information about the hardware detected on managed devices (Hardware registry).
  • Information about the software installed on managed devices (Software registry). The software can be compared with the information about the executable files detected on the devices by the Application Control function.
• User categories of applications. The User enters data in the OSMP Console interface.
• Details of executable files detected on managed devices by the Application Control feature. The managed application transfers data from the device to Administration Server through Network Agent. A complete list of data is provided in the Help files of the corresponding application.
• Information about encrypted Windows-based devices and the encryption status. The managed application transfers data from the device to Administration Server through Network Agent.
• Details of data encryption errors on Windows-based devices performed using the Data encryption feature of Kaspersky applications. The managed application transfers data from the device to Administration Server through Network Agent. A complete list of data is provided in the Help files of the corresponding application.
• Details of files placed in Backup. The managed application transfers data from the device to Administration Server through Network Agent. A complete list of data is provided in the Help files of the corresponding application.
• Details of files placed in Quarantine. The managed application transfers data from the device to Administration Server through Network Agent. A complete list of data is provided in the Help files of the corresponding application.
• Details of files requested by Kaspersky specialists for detailed analysis. The managed application transfers data from the device to Administration Server through Network Agent. A complete list of data is provided in the Help files of the corresponding application.
• Details of external devices (memory units, information transfer tools, information hardcopy tools, and connection buses) installed or connected to the managed device and detected by the Device Control feature. The managed application transfers data from the device to Administration Server through Network Agent. A complete list of data is provided in the Help files of the corresponding application.
• Information about encrypted devices and the encryption status. A managed application transfers data from the device to Administration Server through Network Agent.
• Information about data encryption errors on the devices. The encryption is performed by the Encryption data function of Kaspersky applications. A managed application transfers data from the device to Administration Server through Network Agent. The full list of data is provided in the Online Help of the corresponding application.
• List of managed programmable logic controllers (PLCs). The managed application transfers data from the device to Administration Server through Network Agent. A complete list of data is provided in the Help files of the corresponding application.
• Data required for creation of a threat development chain. The managed application transfers data from the device to Administration Server through Network Agent. A complete list of data is provided in the Help files of the corresponding application.
• Details of the entered activation codes and key files. The User enters data in the Administration Console or OSMP Console interface.
• User accounts: name, description, full name, email address, main phone number, and password. The User enters data in the OSMP Console interface.
• Revision history of management objects. The User enters data in the OSMP Console interface.
• Registry of deleted management objects. The User enters data in the OSMP Console interface.
• Installation packages created from the file, as well as installation settings. The User enters data in the OSMP Console interface.
• Data required for the display of announcements from Kaspersky in OSMP Console. The User enters data in the OSMP Console interface.
• Data required for the functioning of plug-ins of managed applications in OSMP Console and saved by the plug-ins in the Administration Server database during their routine operation. The description and ways of providing the data are provided in the Help files of the corresponding application.
• OSMP Console user settings: localization language and theme of the interface, Monitoring panel display settings, information about the status of notifications (Already read / Not yet read), status of columns in spreadsheets (Show / Hide), Training mode progress. The User enters data in the OSMP Console interface.
• Certificate for secure connection of managed devices to the Open Single Management Platform components. The User enters data in the OSMP Console interface.
• Information on which Kaspersky legal agreement terms have been accepted by the user.
• The Administration Server data that the User enters in the OSMP Console or program interface Kaspersky Security Center OpenAPI.
• Any data that the User enters in the OSMP Console interface.

The data listed above can be present in Open Single Management Platform if one of the following methods is applied:

• The User enters data in the OSMP Console interface.
• Network Agent automatically receives data from the device and transfers it to Administration Server.
• Network Agent receives data retrieved by the Kaspersky managed application and transfers it to Administration Server. The lists of data processed by Kaspersky managed applications are provided in the Help files for the corresponding applications.
• Administration Server gets the information about the networked devices by itself or receives data from Network Agent assigned to work as a distribution point.

The listed data is stored in the Administration Server database. User names and passwords are stored in encrypted form.

All data processed locally can be transferred to Kaspersky only through dump files, trace files, or log files of Open Single Management Platform components, including log files created by installers and utilities.

The dump files, trace files, or log files of Open Single Management Platform components contain arbitrary data of Administration Server, Network Agent, and OSMP Console. The files may contain personal or confidential data. The dump files, trace files, or log files are stored on the devices in an unencrypted form. The dump files, trace files, or log files are not transferred to Kaspersky automatically, but an administrator may transfer those files to Kaspersky manually by request from Technical Support to resolve issues related to Open Single Management Platform performance.

Kaspersky protects any information received in accordance with law and applicable Kaspersky rules. Data is transmitted over a secure channel.

Following the links in the Administration Console or OSMP Console, the User agrees to the automatic transfer of the following data:

• Open Single Management Platform code
• Open Single Management Platform version
• Open Single Management Platform localization
• License ID
• License type
• Whether the license was purchased through a partner

The list of data provided via each link depends on the purpose and location of the link.

Kaspersky uses the received data in anonymized form and for general statistics only. Summary statistics are generated automatically from the originally received information and do not contain any personal or confidential data. As soon as new data is accumulated, the previous data is wiped (once a year). Summary statistics are stored indefinitely.

[Topic 261327]

Data provision in Kaspersky Unified Monitoring and Analysis Platform

Data provided to third parties

KUMA functionality does not involve automatic provision of user data to third parties.

Locally processed data

Kaspersky Unified Monitoring and Analysis Platform (hereinafter KUMA or "program") is an integrated software solution that includes the following primary functions:

• Receiving, processing, and storing information security events.
• Analysis and correlation of incoming data.
• Search within the obtained events.
• Creation of notifications upon detecting symptoms of information security threats.
• Creation of alerts and incidents for processing information security threats.
• Displaying information about the status of the customer's infrastructure on the dashboard and in reports.
• Monitoring event sources.
• Device (asset) management — viewing information about assets, searching, adding, editing, and deleting assets, exporting asset information to a CSV file.

To perform its primary functions, KUMA may receive, store and process the following information:

• Information about devices on the corporate network.

  The KUMA Core server receives data if the corresponding integration is configured. You can add assets to KUMA in the following ways:

  • Import assets:
    • On demand from MaxPatrol.
    • On a schedule from Open Single Management Platform and KICS for Networks.
  • Create assets manually through the web interface or via the API.

  KUMA stores the following device information:

  • Technical characteristics of the device.
  • Information specific to the source of the asset.
• Additional technical attributes of devices on the corporate network that the user specifies to send an incident to NCIRCC: IP addresses, domain names, URIs, email address of the attacked object, attacked network service, and port/protocol.
• Information about the organization: name, tax ID, address, email address for sending notifications.
• Active Directory information about organizational units, domains, users, and groups obtained as a result of querying the Active Directory network.

  The KUMA Core server receives this information if the corresponding integration is configured. To ensure the security of the connection to the LDAP server, the user must enter the server URL, the Base DN, connection credentials, and certificate in the KUMA Console.

• Information for domain authentication of users in KUMA: root DN for searching access groups in the Active Directory directory service, URL of the domain controller, certificate (the root public key that the AD certificate is signed with), full path to the access group of users in AD (distinguished name).
• Information contained in events from configured sources.

  In the collector, the event source is configured, KUMA events are generated and sent to other KUMA services. Sometimes events can arrive first at the agent service, which relays events from the source to the collector.

• Information required for the integration of KUMA with other applications (Kaspersky Threat Lookup, Kaspersky CyberTrace, Open Single Management Platform, Kaspersky Industrial CyberSecurity for Networks, Kaspersky Automated Security Awareness Platform, Kaspersky Endpoint Detection and Response, Security Orchestration, Automation and Response).

  It can include certificates, tokens, URLs or credentials for establishing a connection with the other application, or other data necessary for the basic functionality of KUMA, for example, email. The user enters this data in the KUMA Console

• Information about sources from which event receipt is configured.

  It can include the source name, host name, IP address, the monitoring policy assigned to the source. The monitoring policy specifies the email address of the person responsible, to whom a notification will be sent if the policy is violated.

• User accounts: name, username, email address. The user can view their profile data in the KUMA Console.
• User profile settings:
  • User role in KUMA. A user can see their assigned roles.
  • Localization language, notification settings, display of non-printable characters.

    The user enters this data in the KUMA interface.

  • List of asset categories in the Assets section, default dashboard, TV mode flag for the dashboard, SQL query for default events, default preset.

    The user specifies these settings in the corresponding sections of the KUMA Console.

• Data for domain authentication of users in KUMA:
  • Active Directory: root DN for searching access groups in the Active Directory directory service, URL of the domain controller, certificate (the root public key that the AD certificate is signed with), full path to the access group of users in AD (distinguished name).
  • Active Directory Federation Services: trusted party ID (KUMA ID in ADFS), URI for getting Connect metadata, URL for redirection from ADFS, and the ADFS server certificate.
  • FreeIPA: Base DN, URL, certificate (the public root key that was used to signed the FreeIPA certificate), custom integration credentials, connection credentials.
• Audit events

  KUMA automatically records audit events.

• KUMA log

  The user can enable extended logging in the KUMA Console. Log entries are stored on the user's device, no data is transmitted automatically.

• Information about the user accepting the terms and conditions of legal agreements with Kaspersky.
• Any information that the user enters in the KUMA interface.

The information listed above can find its way into KUMA in the following ways:

• The user enters information in the KUMA Console.
• KUMA services (agent or collector) receive data if the user has configured a connection to event sources.
• Through the KUMA REST API.
• Device information can be obtained using the utility from MaxPatrol.

The listed information is stored in the KUMA database (MongoDB, ClickHouse, SQLite). Passwords are stored in an encrypted form (the hash of the password is stored).

All of the information listed above can be transmitted to Kaspersky only in dump files, trace files, or log files of KUMA components, including log files created by the installer and utilities.

Dump files, trace files, and log files of KUMA components may contain personal and confidential information. Dump files, trace files, and log files are stored on the device in unencrypted form. Dump files, trace files, and log files are not automatically submitted to Kaspersky, but the administrator can manually submit this information to Kaspersky at the request of Technical Support to help troubleshoot KUMA problems.

Kaspersky uses the received data in anonymized form and only for general statistical purposes. Summary statistics are generated from the received raw data automatically and does not contain any personal or other confidential information. When new data accumulates, older data is erased (once a year). Summary statistics are stored indefinitely.

Kaspersky protects all received data in accordance with applicable law and Kaspersky policies. Data is transmitted over secure communication channels.

[Topic 264017]

Quick start guide

The following scenarios are step-by-step walkthroughs from the purchase of Kaspersky Next XDR Expert to incident investigation and threat hunting.

Start with installation and initial setup of Kaspersky Next XDR Expert, then explore Kaspersky Next XDR Expert threat detection and hunting features, and then check out an example of an incident investigation workflow.

[Topic 263892]

Deployment and initial setup of Kaspersky Next XDR Expert

Following this scenario, you can deploy Open Single Management Platform with all the components necessary for operation of the Kaspersky Next XDR Expert solution, and then perform the required preliminary configurations and integrations.

Prerequisites

Before you start, make sure that:

• You have a license key for Kaspersky Next XDR Expert and the compatible EPP applications.
• Your infrastructure meets the hardware and software requirements.

Stages

The main installation and initial setup scenario proceeds in stages:

1. Deployment

   Prepare your infrastructure for the deployment of Open Single Management Platform and all the required components for Kaspersky Next XDR Expert, and then deploy the solution by using the Kaspersky Deployment Toolkit utility.

2. Activation

   Activate the Kaspersky Next XDR Expert solution under your license.

3. Configuring multitenancy

   If necessary, you can use the multitenancy features:

   1. Plan and create the required hierarchy of tenants.
   2. Create the matching hierarchy of Administration Servers in Open Single Management Platform.
   3. Bind tenants to the corresponding Administration Servers.
   4. Create user accounts for all Kaspersky Next XDR Expert users, and then assign roles.
4. Adding assets

   The devices in your infrastructure that must be protected are represented as assets in Kaspersky Next XDR Expert. Open Single Management Platform allows you to discover the devices in your network and manage their protection. You will also be able to add assets manually or import them from other sources during stage 8.

   User accounts are also represented as assets in Kaspersky Next XDR Expert. Make sure to configure the integration with Active Directory during stage 9, to enable the display of affected user accounts in the related events, alerts, and incidents.

5. Adding users and assigning roles

   Assign roles to the user accounts, to define their access rights to various Kaspersky Next XDR Expert features depending on their tasks.

6. Connecting to an SMTP server

   Configure the connection to an SMTP server for email notifications about events occurring in Kaspersky Next XDR Expert.

7. Installing endpoint protection applications and solutions

   Kaspersky Next XDR Expert works with events received from security applications installed on your assets. Check the list of compatible Kaspersky applications and solutions. You can use Open Single Management Platform to deploy Kaspersky applications on the devices in your infrastructure.

   Ensure that endpoint protection applications are integrated with Kaspersky Anti Targeted Attack Platform. For example, if you use Kaspersky Endpoint Security on your assets, refer to one of the following Help documentations to learn how to configure integration with KATA:

   • Kaspersky Endpoint Security for Windows
   • Kaspersky Endpoint Security for Linux
   • Kaspersky Endpoint Security for Mac
8. Configuring event sources, storage, and correlation

   Specify where the events must be received from, and how they must be stored and processed:

   1. Log in to the KUMA Console.
   2. Set up integration of Kaspersky Unified Monitoring and Analysis Platform and Open Single Management Platform.
   3. Import assets from Open Single Management Platform.
   4. Add assets manually or import them from other sources (optional action).
   5. Configure the event sources to specify where you want to receive the events from.
   6. Create a storage for events.
   7. Create collectors for receiving, processing (normalizing), and transmitting the events.
   8. Create correlators for initial analysis of normalized events and their further processing.

      During the collector creation, you can create correlation rules to define the rules of processing and responding to the events.You can also import the previously saved correlation rules or use the ready-made set of correlation rules provided with the Kaspersky Next XDR Expert solution. After the correlator is created, you can link correlation rules to the correlator, if needed.

      We strongly recommended configuring the exclusions on this stage, to avoid false positives and irrelevant data.

9. Configuring the integrations

   Configure the integration of Kaspersky Next XDR Expert with Active Directory and with other Kaspersky solutions, to extend its possibilities and to enrich data available for incident investigation.

   1. Integration with Active Directory (strongly recommended).
   2. Integration with KATA/EDR (license is required).
   3. Integration with Kaspersky CyberTrace (optional integration; license is required).
   4. Integration with Kaspersky TIP (optional integration; license is required) or Kaspersky Open TIP.
   5. Integration with Kaspersky Automated Security Awareness Platform (optional integration; license is required).
10. Configuring updates

    Create the Download updates to the Administration Server repository task.

11. Verify correctness of configuration

    Use the EICAR test file on one of the assets. If the initial setup was performed correctly and the necessary correlation rules were configured, this event will trigger creation of an alert in the alerts list.

After the initial setup is complete, events from the protected assets will be received and processed by Kaspersky Next XDR Expert, and an alert will be created in the event a correlation rule is triggered.

[Topic 274392]

Verifying correctness of the Kaspersky Next XDR Expert configuration

You can use the EICAR test virus on one of the assets, to ensure that Kaspersky Next XDR Expert is deployed and configured correctly. If the initial setup was performed correctly and the necessary correlation rules were configured, the correlation event will trigger the creation of an alert in the alerts list.

To verify correctness of the Kaspersky Next XDR Expert configuration:

1. Create a new correlator in KUMA Console.

   When creating the correlator, do not specify parameters in the Correlation section.

2. Import correlation rules from the SOC Content package to obtain the predefined correlation rules used to detect the EICAR test virus.
3. Specify the correlation rule for the created correlator.

   You can use one of the following methods to specify the correlation rule:

   • Link the predefined correlation rule to the created correlator:
     1. Go to Resources, click Correlation rules, and then select the tenant to which the correlation rule will be applied.
     2. In the list of the predefined correlation rules, select the R077_02_KSC.Malware detected rule to detect events from Kaspersky Security Center.
     3. Click Link to correlator, and then select the created correlator to link the selected correlation rule to the correlator.
   • Create the correlation rule with the predefined filters manually:
     1. Open the created correlator settings, go to the Correlation section, and then click Add.
     2. In the Create correlation rule window, on the General tab, set the following parameters, as well as other rule parameters:
        • Kind: simple.
        • Propagated fields: DestinationAddress, DestinationHostName, DestinationAccountID, DestinationAssetID, DestinationNtDomain, DestinationProcessName, DestinationUserName, DestinationUserID, SourceAccountID, SourceUserName.
     3. Go to Selectors → Settings, and then specify the expression to filter the required events:
        • In builder mode, add the f: KSC events, f: KSC virus found, and f: Base events filters with the AND operator.
        • Alternatively, you can specify this expression in the source code mode as follows:

          filter='b308fc22-fa79-4324-8fc6-291d94ef2999'

          AND filter='a1bf2e45-75f4-45c1-920d-55f5e1b8843f'

          AND filter='1ffa756c-e8d9-466a-a44b-ed8007ca80ca'

     4. In the Actions section of the correlation rule settings, select only the Output check box (the Loop to correlator and No alert check boxes must be cleared). In this case, when the EICAR test virus is detected, a correlation event will be created and an alert will be created in the alert list of Kaspersky Next XDR Expert.
     5. Click Create new to save the correlation rule settings linked to the correlator.
4. Create, and then configure, a collector in KUMA Console for receiving information about Administration Server events from an MS SQL database.

   Alternatively, you can use the predefined [OOTB] KSC SQL collector.

5. In the Routing section of the collector settings, set Type to correlator, and then specify the created correlator in the URL field, to forward the processed events to it.
6. Install Network Agent and the endpoint protection application (for example, Kaspersky Endpoint Security) on an asset of your organization network. Ensure that the asset is connected to Administration Server.
7. Place the EICAR test file on the asset, and then detect the test virus by using the endpoint protection application.

After that, Administration Server will be notified about the event on the asset. This event will be forwarded to the KUMA component, transformed to the correlation event, and then this event will trigger creation of an alert in the alerts list in Kaspersky Next XDR Expert. If the alert has been created, it means that Kaspersky Next XDR Expert is working correctly.

[Topic 264024]

Using the threat monitoring, detection and hunting features

After you have installed and configured Kaspersky Next XDR Expert, you can use Kaspersky Next XDR Expert features for monitoring the security of your infrastructure, investigating security incidents, automating workflows and proactive searching for threats:

• Using dashboard and customizing widgets

  The Detection and response tab of the dashboard can contain widgets that display information about detected and registered alerts and incidents, and response actions to them. You can use and customize the preconfigured layouts of widgets for your dashboard or create new layouts and widgets.

  Open Single Management Platform also provides various security monitoring and reporting tools.

• Using reports

  You can configure the generation of reports in Kaspersky Unified Monitoring and Analysis Platform to receive the required summary data according to the specified schedule.

• Using threat hunting

  You can use threat hunting tools to analyze events to search for threats and vulnerabilities that have not been detected automatically. Threat hunting can be used both for alert and incident investigation and for proactive search for threats.

• Using playbooks

  You can use playbooks to automate response to alerts and incidents according to the specified algorithm. There are a number of predefined playbooks that you can launch in various operation modes. You can create custom playbooks.

[Topic 264018]

Example of incident investigation with Kaspersky Next XDR Expert

This scenario represents a sample workflow of an incident investigation.

Incident investigation proceeds in stages:

1. Assigning an alert to a user

   You can assign an alert to yourself or to another user.

2. Checking if the triggered correlation rule matches the data of the alert events

   View the information about the alert and make sure that the alert event data matches the triggered correlation rule.

3. Analyzing alert information

   Analyze the information about the alert to determine what data is required for further analysis of the alert.

4. Manual enrichment

   Launch the available solutions for additional enrichment of an event (for example, Kaspersky TIP).

5. False positive check

   Make sure that the activity that triggered the correlation rule is abnormal for the organization IT infrastructure.

6. Incident creation

   If steps from 3 to 5 reveal that the alert requires investigation, you can create an incident or link the alert to an existing incident.

   You can also merge incidents.

7. Investigation

   This step includes viewing information about the assets, user accounts, and alerts related to the incident. You can use the investigation graph and threat hunting tools to get additional information.

8. Searching for related assets

   You can view the alerts that occurred on the assets related to the incident.

9. Searching for related events

   You can expand your investigation scope by searching for events of related alerts.

10. Recording the causes of the incident

    You can record the information necessary for the investigation in the incident change log.

11. Response

    You can perform response actions manually.

12. Closing the incident

    After taking measures to clean up the traces of the attacker's presence from the organization's IT infrastructure, you can close the incident.

[Topic 249211]

Deployment of Kaspersky Next XDR Expert

Expand all | Collapse all

Following this scenario, you can prepare your infrastructure for the deployment of Open Single Management Platform and all the required components for Kaspersky Next XDR Expert, prepare the configuration file containing the installation parameters, and deploy the solution by using the Kaspersky Deployment Toolkit utility (hereinafter referred to as KDT).

Before you deploy Open Single Management Platform and Kaspersky Next XDR Expert components, we recommend reading the Hardening Guide.

The deployment scenario proceeds in stages:

1. Selecting the option for deploying Kaspersky Next XDR Expert

   Select the configuration of Kaspersky Next XDR Expert that best suits your organization. You can use the sizing guide that describes the hardware requirements and the recommended deployment option in relation to the number of devices in the organization.

   Depending on the deployment option you choose, you may need the following hosts for the function of Kaspersky Next XDR Expert:

   • Administrator host

     The administrator host is a physical or virtual machine that is used to deploy and manage the Kubernetes cluster and Kaspersky Next XDR Expert. The administrator host is not included in the Kubernetes cluster.

     Since KDT runs on the administrator host, this host must meet the requirements for KDT.

   • Target hosts

     The target hosts are the physical or virtual machines that are used to deploy Kaspersky Next XDR Expert. The following target hosts are used:

     • Target hosts for installing the Kaspersky Next XDR Expert components

       The hosts that are included in the Kubernetes cluster and between which the workload is distributed.

       The target hosts must meet the requirements for the selected deployment option (the distributed or single node deployment).

     • KUMA target hosts for installing the KUMA services

       The target hosts that are not included in the Kubernetes cluster and that are used to install the KUMA services (collectors, correlators, and storages). The number of the KUMA target hosts depends on the amount of events that Kaspersky Next XDR Expert has to process.

       The KUMA target hosts must meet the hardware, software, and installation requirements that are necessary for installing the KUMA services.

   • DBMS host (only for the distributed deployment)

     The host for installing the DBMS is recommended to be a separate server that is located outside the Kubernetes cluster. The DBMS host can be included in the cluster only for evaluation and demonstration purposes.

     The DBMS host requirements are the same regardless of whether it is included in the cluster or not.

   • KATA/KEDR host (optional)

     If you want to receive telemetry from Kaspersky Anti Targeted Attack Platform and manage threat response actions on assets connected to Kaspersky Endpoint Detection and Response servers, you can install and configure Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Detection and Response. Kaspersky Anti Targeted Attack Platform is a standalone solution that must be installed on a separate server that is not included in the Kubernetes cluster. For details about KATA deployment scenarios, refer to the KATA documentation.

   The distributed and single node deployment schemes are available:

   • Distributed deployment

     The recommended option for deploying Kaspersky Next XDR Expert. In the distributed deployment, the Kaspersky Next XDR Expert components are installed on several worker nodes of the Kubernetes cluster and if one node fails, the cluster can restore the operation of components on another node.

     In this configuration, you need at least seven hosts:

     • 1 administrator host
     • 4 target hosts for installing the Kubernetes cluster and the Kaspersky Next XDR Expert components
     • 1 host for installing the DBMS
     • 1 KUMA target host for installing the KUMA services

     In this configuration, the DBMS can be installed on a host that is located outside or inside the Kubernetes cluster.

   • Single node deployment

     In the single node deployment, all Kaspersky Next XDR Expert components are installed on a single node of the Kubernetes cluster. You can perform the single node deployment of Kaspersky Next XDR Expert if you need a solution that requires fewer computing resources (for example, for demonstration purposes).

     In this configuration, you need at least three hosts:

     • 1 administrator host
     • 1 target host for installing the Kubernetes cluster, the Kaspersky Next XDR Expert components, and the DBMS
     • 1 KUMA target host for installing the KUMA services

     In this configuration, the DBMS does not require a separate node but should be installed manually on the primary node before the Kaspersky Next XDR Expert deployment. The DBMS host can be included in the cluster only for evaluation and demonstration purposes.

2. Downloading the distribution package with the Kaspersky Next XDR Expert components

   The distribution package contains the following components:

   • Transport archive with the Kaspersky Next XDR Expert components and End User License Agreements for Kaspersky Next XDR Expert and KDT
   • Archive with the KDT utility, and templates of the configuration file and KUMA inventory file
3. Installing a database management system (DBMS)

   Manually install the DBMS on the separated server outside the Kubernetes cluster, if needed.

   Skip this step if you want to install the DBMS inside the cluster. KDT will install the DBMS during the Kaspersky Next XDR Expert deployment. In this case, the Kaspersky Next XDR Expert components and the DBMS will use one target host.

4. Preparing the administrator and target hosts

   Based on the selected deployment scheme, define the number of target hosts on which you will deploy the Kubernetes cluster and the Kaspersky Next XDR Expert components included in this cluster. Prepare the selected administrator and target hosts for deployment of Kaspersky Next XDR Expert.

   How-to instructions:

   • Distributed deployment: Preparing the administrator and target hosts
   • Single node deployment: Preparing the administrator and target hosts
5. Preparing the KUMA hosts

   Prepare the KUMA target hosts for the installation of the KUMA services (collectors, correlators, and storages).

   How-to instruction: Preparing the hosts for installation of the KUMA services

6. Preparing the KUMA inventory file for installation of the KUMA services

   Prepare the KUMA inventory file in the YAML format. The KUMA inventory file contains parameters for installation of the KUMA services.

   How-to instruction: Preparing the KUMA inventory file

7. Preparing the configuration file

   Prepare the configuration file in the YAML format. The configuration file contains the list of target hosts for deployment and a set of installation parameters of the Kaspersky Next XDR Expert components.

   If you deploy Kaspersky Next XDR Expert on a single node, use the configuration file that contains the installation parameters specific for the single node deployment.

   How-to instructions:

   • Distributed deployment: Specifying the installation parameters
   • Single node deployment: Specifying the installation parameters

   You can fill out the configuration file template manually; or use the Configuration wizard to specify the installation parameters that are required for the Kaspersky Next XDR Expert deployment, and then generate the configuration file.

   How-to instruction: Specifying the installation parameters by using the Configuration wizard

8. Deployment of Kaspersky Next XDR Expert

   Deploy Kaspersky Next XDR Expert by using KDT. KDT automatically deploys the Kubernetes cluster within which the Kaspersky Next XDR Expert components and other infrastructure components are installed.

   How-to instruction: Installing Kaspersky Next XDR Expert

9. Installing the KUMA services

   Install the KUMA services (collectors, correlators, and storages) on the prepared KUMA target hosts that are located outside the Kubernetes cluster.

   How-to instruction: Installing KUMA services

10. Configuring integration with Kaspersky Anti Targeted Attack Platform

    Install Central Node to receive telemetry from Kaspersky Anti Targeted Attack Platform, and then configure integration between Kaspersky Next XDR Expert and KATA/KEDR to manage threat response actions on assets connected to Kaspersky Endpoint Detection and Response servers.

    If necessary, you can install multiple Central Node components to use them independently of each other or to combine them for centralized management in the distributed solution mode. To combine multiple Central Node components, you have to organize the servers with the components into a hierarchy.

    Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

    When configuring the Central Node servers, you have to specify the minimum possible value in the Storage field, to avoid duplication of data between the Kaspersky Next XDR Expert and KEDR databases.

[Topic 245736]

Hardening Guide

The Hardening Guide is intended for professionals who deploy and administer Kaspersky Next XDR Expert, as well as for those who provide technical support to organizations that use Kaspersky Next XDR Expert.

The Hardening Guide describes recommendations and features of configuring Kaspersky Next XDR Expert and its components, aimed to reduce the risks of its compromise.

The Hardening Guide contains the following information:

• Preparing the infrastructure for the Kaspersky Next XDR Expert deployment
• Configuring a secure connection to Kaspersky Next XDR Expert
• Configuring accounts to access Kaspersky Next XDR Expert
• Managing protection of Kaspersky Next XDR Expert
• Managing protection of client devices
• Configuring protection for managed applications
• Transferring information to third-party applications

Before you start to deploy Kaspersky Next XDR Expert, we recommend reading the Hardening Guide.

[Topic 270657]

Managing infrastructure of Kaspersky Next XDR Expert

This section describes the general principle of using the minimum required number of applications for the function of the operating system and Kaspersky Next XDR Expert. This section also describes the principle of least privilege, which boils down to the concept of Zero Trust.

Managing operating system accounts

To work with a Kubernetes cluster by using KDT, we recommend creating a separate user with minimal privileges. The optimal way is to implement management of user accounts of the operating system by using LDAP, with the ability to revoke user rights through LDAP. For the specific implementation of user revocation and blocking, see the user/administrator guide in your LDAP solution. We recommend using a password of at least 18 characters or a physical means of authentication (for example, token) to authenticate the operating system user.

We also recommend protecting the user home directory and all nested directories in such a way that only the user has access to them. Other users and the user group must not have rights to the home directory.

We recommend not granting the execute permission for the .ssh, .kube, .config, and .kdt directories, and all the contained files in these directories in the user's home directory.

Package management of the operating system

We recommend using the minimum set of applications required for the function of KDT and Kaspersky Next XDR Expert. For example, you do not need to use a graphical user interface for working in the Kubernetes cluster, so we recommend not installing graphical packages. If packages are installed, we recommend removing these packages, including graphical servers such as Xorg or Wayland.

We recommend regularly installing security updates for the system software and the Linux kernel. We also recommend enabling automatic updates as follows:

• For operating systems with the atp package manager:

  /etc/apt/apt.conf.d/50unattended-upgrades

  Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; "${distro_id}ESMApps:${distro_codename}-apps-security"; "${distro_id}ESM:${distro_codename}-infra-security"; };
• For operating systems with the rp, dnf, and yum package managers:

  /etc/dnf/automatic.conf

  [commands] # What kind of upgrade to perform: # default = all available upgrades # security = only the security upgrades upgrade_type = default # Whether updates should be downloaded when they are available, by # dnf-automatic.timer. notifyonly.timer, download.timer and # install.timer override this setting. download_updates = yes # Whether updates should be applied when they are available, by # dnf-automatic.timer. notifyonly.timer, download.timer and # install.timer override this setting. apply_updates = no

Operating system security settings

The Linux kernel security settings can be enabled in the /etc/sysctl.conf file or by using the sysctl command. The recommended Linux kernel security settings are listed in the /etc/sysctl.conf file snippet:

/etc/sysctl.conf

We recommend restricting access to the PID. This will reduce the possibility of one user tracking the processes of another user. You can restrict access to the PID while mounting the /proc file system, for example, by adding the following line to the /etc/fstab file:

If the operating system processes are managed by using the systemd system, the systemd-logind service can still monitor the processes of other users. In order for user sessions to work correctly in the systemd system, you need to create the /etc/systemd/system/systemd-logind.service.d/hidepid.conf file, and then add the following lines to it:

Since some systems may not have the proc group, we recommend adding the proc group in advance.

We recommend turning off the ctrl+alt+del key combination, to prevent an unexpected reboot of the operating system by using the systemctl mask ctrl-alt-del.target command.

We recommend prohibiting authentication of privileged users (root users) to establish a remote user connection.

We recommend using a firewall to limit network activity. For more information about the ports and protocols used, refer to Ports used by Kaspersky Next XDR Expert.

We recommend enabling auditd, to simplify the investigation of security incidents. For more information about enabling telemetry redirection, refer to Setting up receiving Auditd events.

We recommend regularly backing up the following configurations and data directories:

• Administration host: ~/kdt
• Target hosts: /etc/k0s/, /var/lib/k0s

Also we recommend encrypting these backups.

Hardening guides for various operating systems and for DBMS

If you need to configure the security settings of your operating system and software, you can use the recommendations provided by Center for Internet Security (CIS).

If you use the Astra Linux operating system, refer to the security recommendations that can be applied to your Astra Linux version.

If you need to configure security settings of PostgreSQL, use the server administration recommendations from the official PostgreSQL documentation.

[Topic 245773]

Connection safety

Strict TLS settings

We recommend using TLS protocol version 1.2 and later, and restricting or prohibiting insecure encryption algorithms.

You can configure encryption protocols (TLS) used by Administration Server. Please note that at the time of the release of a version of Kaspersky Next XDR Expert, the encryption protocol settings are configured by default to ensure secure data transfer.

Restricting access to the Kaspersky Next XDR Expert database

We recommend restricting access to the Kaspersky Next XDR Expert database. For example, grant access only from devices with Kaspersky Next XDR Expert deployed. This reduces the likelihood of the Kaspersky Next XDR Expert database being compromised due to known vulnerabilities.

You can configure the parameters according to the operating instructions of the used database, as well as provide closed ports on firewalls.

[Topic 245774]

Accounts and authentication

Using two-step verification with Kaspersky Next XDR Expert

Kaspersky Next XDR Expert provides two-step verification for users, based on the RFC 6238 standard (TOTP: Time-Based One-Time Password algorithm).

When two-step verification is enabled for your own account, every time you log in to Kaspersky Next XDR Expert through a browser, you enter your user name, password, and an additional single-use security code. To receive a single-use security code, you must install an authenticator app on your computer or your mobile device.

There are both software and hardware authenticators (tokens) that support the RFC 6238 standard. For example, software authenticators include Google Authenticator, Microsoft Authenticator, FreeOTP.

We strongly do not recommend installing the authenticator app on the same device from which the connection to Kaspersky Next XDR Expert is established. You can install an authenticator app on your mobile device.

Using two-factor authentication for an operating system

We recommend using multi-factor authentication (MFA) on devices with Kaspersky Next XDR Expert deployed, by using a token, a smart card, or other method (if possible).

Prohibition on saving the administrator password

If you use Kaspersky Next XDR Expert through a browser, we do not recommend saving the administrator password in the browser installed on the user device.

Authentication of an internal user account

By default, the password of an internal user account of Kaspersky Next XDR Expert must comply with the following rules:

• The password must be 8 to 16 characters long.

• The password must contain characters from at least three of the groups listed below:

  • Uppercase letters (A-Z)

  • Lowercase letters (a-z)

  • Numbers (0-9)

  • Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)

• The password must not contain any whitespaces, Unicode characters, or the combination of "." and "@", when "." is placed before "@".

By default, the maximum number of allowed attempts to enter a password is 10. You can change the number of allowed password entry attempts.

The user can enter an invalid password a limited number of times. After the limit is reached, the user account is blocked for one hour.

Restricting the assignment of the Main Administrator role

The user is assigned the Main Administrator role in the access control list (ACL) of Kaspersky Next XDR Expert. We do not recommend assigning the Main Administrator role to a large number of users.

Configuring access rights to application features

We recommend using flexible configuration of access rights to the features of Kaspersky Next XDR Expert for each user or group of users.

Role-based access control allows the creation of standard user roles with a predefined set of rights and the assignment of those roles to users depending on their scope of duties.

The main advantages of the role-based access control model:

• Ease of administration
• Role hierarchy
• Least privilege approach
• Segregation of duties

You can assign built-in roles to certain employees based on their positions, or create completely new roles.

While configuring roles, pay attention to the privileges associated with changing the protection state of the device with Kaspersky Next XDR Expert and remote installation of third-party software:

• Managing administration groups.
• Operations with Administration Server.
• Remote installation.
• Changing the parameters for storing events and sending notifications.

  This privilege allows you to set notifications that run a script or an executable module on the device with OSMP when an event occurs.

Separate account for remote installation of applications

In addition to the basic differentiation of access rights, we recommend restricting the remote installation of applications for all accounts (except for the Main Administrator or another specialized account).

We recommend using a separate account for remote installation of applications. You can assign a role or permissions to the separate account.

Regular audit of all users

We recommend conducting a regular audit of all users on devices with Kaspersky Next XDR Expert deployed. This allows you to respond to certain types of security threats associated with the possible compromise of a device.

[Topic 245776]

Managing protection of Kaspersky Next XDR Expert

Selecting protection software of Kaspersky Next XDR Expert

Depending on the type of the Kaspersky Next XDR Expert deployment and the general protection strategy, select the application to protect devices with Kaspersky Next XDR Expert deployed and the administrator host.

If you deploy Kaspersky Next XDR Expert on dedicated devices, we recommend selecting the Kaspersky Endpoint Security application to protect devices with Kaspersky Next XDR Expert deployed and the administrator host. This allows applying all available technologies to protect these devices, including behavioral analysis modules.

If Kaspersky Next XDR Expert is deployed on devices that exists in the infrastructure and has previously been used for other tasks, we recommend considering the following protection software:

• Kaspersky Industrial CyberSecurity for Nodes. We recommend installing this application on devices that are included in an industrial network. Kaspersky Industrial CyberSecurity for Nodes is an application that has certificates of compatibility with various manufacturers of industrial software.
• Recommended security applications. If Kaspersky Next XDR Expert is deployed on devices with other software, we recommend taking into account the recommendations from that software vendor on the compatibility of security applications (there may already be recommendations for selecting a security solution, and you may need to configure the trusted zone).

Protection modules

If there are no special recommendations from the vendor of the third-party software installed on the same devices as Kaspersky Next XDR Expert, we recommend activating and configuring all available protection modules (after checking the operation of these protection modules for a certain time).

Configuring the firewall of devices with Kaspersky Next XDR Expert

On devices with Kaspersky Next XDR Expert deployed, we recommend configuring the firewall to restrict the number of devices from which administrators can connect to Kaspersky Next XDR Expert through a browser.

By default,

Kaspersky Next XDR Expert uses port 443 to log in through a browser. We recommend restricting the number of devices from which Kaspersky Next XDR Expert can be managed by using this port.

[Topic 245787]

Managing protection of client devices

Restricting of adding license keys to installation packages

Installation packages can be published through Web Server, which is included in Kaspersky Next XDR Expert. If you add a license key to the installation package that is published on Web Server, the license key will be available for all users to read.

To avoid compromising the license key, we do not recommend adding license keys to installation packages.

We recommend using automatic distribution of license keys to managed devices, deployment through the Add license key task for a managed application, and adding an activation code or a key file manually to the devices.

Automatic rules for moving devices between administration groups

We recommend restricting the use of automatic rules for moving devices between administration groups.

If you use automatic rules for moving devices, this may lead to propagation of policies that provide more privileges to the moved device than the device has before relocation.

Also, moving a client device to another administration group may lead to propagation of policy settings. These policy settings may be undesirable for distribution to guest and untrusted devices.

This recommendation does not apply for one-time initial allocation of devices to administration groups.

Security requirements for distribution points and connection gateways

Devices with Network Agent installed can act as a distribution point and perform the following functions:

• Distribute updates and installation packages received from Kaspersky Next XDR Expert to client devices within the group.
• Perform remote installation of third-party software and Kaspersky applications on client devices.
• Poll the network to detect new devices and update information about existing ones. The distribution point can use the same methods of device detection as Kaspersky Next XDR Expert.

Placing distribution points on the organization's network used for:

• Reducing the load on Kaspersky Next XDR Expert
• Traffic optimization
• Providing Kaspersky Next XDR Expert with access to devices in hard-to-reach parts of the network

Taking into account the available capabilities, we recommend protecting devices that act as distribution points from any type of unauthorized access (including physically).

Restricting automatic assignment of distribution points

To simplify administration and keep the network operability, we recommend using automatic assignment of distribution points. However, for industrial networks and small networks, we recommend that you avoid assigning distribution points automatically, since, for example, the private information of the accounts used for pushing remote installation tasks, can be transferred to distribution points by means of the operating system.

For industrial networks and small networks, you can manually assign devices to act as distribution points.

You can also view the Report on activity of distribution points.

[Topic 246284]

Configuring protection for managed applications

Managed application policies

We recommend creating a policy for each type of the used applications and for all components of Kaspersky Next XDR Expert (Network Agent, Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Agent, and others). This policy must be applied to all managed devices (the root administration group) or to a separate group to which new managed devices are automatically moved according to the configured movement rules.

Specifying the password for disabling protection and uninstalling the application

We strongly recommend enabling password protection to prevent intruders from disabling or uninstalling Kaspersky security applications. On platforms where password protection is supported, you can set the password, for example, for Kaspersky Endpoint Security, Network Agent, and other Kaspersky applications. After you enable password protection, we recommend locking the corresponding settings by closing the "lock."

Using Kaspersky Security Network

In all policies of managed applications and in the Kaspersky Next XDR Expert properties, we recommend enabling the use of Kaspersky Security Network (KSN) and accepting the KSN Statement. When you update Kaspersky Next XDR Expert, you can accept the updated KSN Statement. In some cases, when the use of cloud services is prohibited by law or other regulations, you can disable KSN.

Regular scan of managed devices

For all device groups, we recommend creating a task that periodically runs a full scan of devices.

Discovering new devices

We recommend properly configuring device discovery settings: set up integration with domain controllers and specify IP address ranges for discovering new devices.

For security purposes, you can use the default administration group that includes all new devices and the default policies affecting this group.

[Topic 245779]

Event transfer to third-party systems

This section describes the specifics of transferring security issues found on client devices to third-party systems.

Monitoring and reporting

For timely response to security issues, we recommend configuring the monitoring and reporting features.

Export of events to SIEM systems

For fast detection of security issues before significant damage occurs, we recommend using event export in a SIEM system.

Email notifications of audit events

For timely response to emergencies, we recommend configuring Administration Server to send notifications about the audit events, critical events, failure events, and warnings that it publishes.

Since these events are intra-system events, a small number of them can be expected, which is quite applicable for mailing.

[Topic 270598]

Deployment scheme: Distributed deployment

You have several options for deploying Kaspersky Next XDR Expert. Before you start, ensure that you are familiar with the different deployment schemes, and then choose the one that best meets your organization's requirements.

This section provides a description of the distributed deployment scheme.

Distributed deployment scheme of Kaspersky Next XDR Expert

The distributed deployment scheme of Kaspersky Next XDR Expert contains the following main components:

• Administrator host. On this host, an administrator uses Kaspersky Deployment Toolkit to deploy and manage the Kubernetes cluster and Kaspersky Next XDR Expert. The administrator host is not included in the Kubernetes cluster.
• Kubernetes cluster. A Kubernetes cluster includes the controller node (also referred to as primary node during the deployment procedure) and, at a minimum, three worker nodes. The number of worker nodes may vary. On the scheme, the distribution of Kaspersky Next XDR Expert components among the worker nodes is shown as an example. Actual component distribution may vary.
• DBMS server. A server with an installed database management system is required for the proper function of Kaspersky Next XDR Expert components. An administrator uses Kaspersky Deployment Toolkit to install the DBMS.
• Hosts with KUMA services. The KUMA services (collectors, correlators, and storages) are installed on the hosts that are located outside the Kubernetes cluster. The number of target hosts for KUMA services may vary.
• KATA with KEDR. Kaspersky Anti Targeted Attack Platform with the Kaspersky Endpoint Detection and Response functional block. For details about KATA deployment scenarios, refer to the KATA documentation.
• Kaspersky Next XDR Expert user host. A user device that is used to sign in to OSMP Console or KUMA Console.
• Secondary Administration Servers (optional). Secondary Administration Servers are used to create a Server hierarchy.
• Managed devices. Client devices protected by Kaspersky Next XDR Expert. Each managed device has Network Agent installed.

Ports

The scheme does not provide all of the ports required for successful deployment. For the full list of ports, refer to the Ports used by Kaspersky Next XDR Expert section.

Scheme legend:

On the scheme, the communication within the Kubernetes cluster between hosts and between Kaspersky Next XDR Expert components is not shown. For details, refer to the Ports used by Kaspersky Next XDR Expert section.

For the list of ports that must be opened on the managed devices, refer to the Ports used by Kaspersky Next XDR Expert section.

For details about integration with KATA, including KEDR functional block, refer to the Integration with KATA/KEDR section.

On the scheme, the KUMA services are deployed according to the distributed deployment scheme. The number of target hosts for KUMA services may vary. The list of ports to be opened depends on the selected deployment scheme. For the full list of ports, refer to the Ports used by Kaspersky Next XDR Expert section.

Port TCP 7221 and other ports to install services. You specify these ports as a value for --api.point <port>.

[Topic 271071]

Deployment scheme: Single node deployment

You have several options for deploying Kaspersky Next XDR Expert. Before you start, ensure that you are familiar with the different deployment schemes, and then choose the one that best meets your organization's requirements.

This section provides a description of the single node deployment scheme.

Single node deployment scheme of Kaspersky Next XDR Expert

The single node deployment scheme of Kaspersky Next XDR Expert contains the following main components:

• Administrator host. On this host, an administrator uses Kaspersky Deployment Toolkit to deploy and manage the Kubernetes cluster and Kaspersky Next XDR Expert. The administrator host is not included in the Kubernetes cluster.
• Kubernetes cluster. A Kubernetes cluster includes the host that acts both as a controller node (also referred to as primary node during the deployment procedure) and a worker node.
• DBMS server. A server with an installed database management system is required for the proper function of Kaspersky Next XDR Expert components. The DBMS server is not included in the Kubernetes cluster. An administrator installs the DBMS manually on the host that will act as a primary node before the Kaspersky Next XDR Expert deployment.
• Hosts with KUMA services. The KUMA services (collectors, correlators, and storages) are installed on the hosts that are located outside the Kubernetes cluster. The number of target hosts for KUMA services may vary.
• KATA with KEDR. Kaspersky Anti Targeted Attack Platform with the Kaspersky Endpoint Detection and Response functional block. For details about KATA deployment scenarios, refer to the KATA documentation.
• Kaspersky Next XDR Expert user host. A user device that is used to sign in to OSMP Console or KUMA Console.
• Secondary Administration Servers (optional). Secondary Administration Servers are used to create a Server hierarchy.
• Managed devices. Client devices protected by Kaspersky Next XDR Expert. Each managed device has Network Agent installed.

Ports

The scheme does not provide all of the ports required for successful deployment. For the full list of ports, refer to the Ports used by Kaspersky Next XDR Expert section.

Scheme legend:

For the list of ports that must be opened on the managed devices, refer to the Ports used by Kaspersky Next XDR Expert section.

For details about integration with KATA, including KEDR functional block, refer to the Integration with KATA/KEDR section.

On the scheme, the KUMA services are deployed according to the distributed deployment scheme. The number of target hosts for KUMA services may vary. The list of ports to be opened depends on the selected deployment scheme. For the full list of ports, refer to the Ports used by Kaspersky Next XDR Expert section.

Port TCP 7221 and other ports to install services. You specify these ports as a value for --api.point <port>.

[Topic 265794]

Ports used by Kaspersky Next XDR Expert

For correct interaction between the administrator host and target hosts, you must provide connection access from the administrator host to the target hosts by the ports listed in the table below. These ports cannot be changed.

For interaction between the administrator host and hosts that are used for the installation of the KUMA services and are located outside the Kubernetes cluster, you must provide access only by TCP 22 port.

Ports used for interaction between the administrator host and target hosts

For properly work of the Kaspersky Next XDR Expert components, the target hosts must be located in the same broadcast domain.

The table below contains the ports that must be opened on the firewalls of all target hosts of the cluster. These ports cannot be changed.

If you use the firewalld or UFW firewall on your target hosts, KDT opens the required ports on the firewalls automatically. Otherwise, you can open the listed ports manually before you deploy Kaspersky Next XDR Expert.

Required ports used by the Kaspersky Next XDR Expert components

The table below contains the ports that are not opened by default on the firewalls during the Kaspersky Next XDR Expert deployment. These ports cannot be changed.

If you need to perform actions listed in the Port purpose column of the table below, you can open the corresponding ports on the firewalls of all target hosts manually.

Optional ports on the firewall used by the Kaspersky Next XDR Expert components

The table below contains the ports that must be opened for functioning of the Kubernetes cluster and infrastructure components. These ports cannot be changed.

If you use the firewalld or UFW firewall on your target hosts, the KDT opens the required ports on the firewalls automatically. Otherwise, you can open the listed ports manually before you deploy Kaspersky Next XDR Expert.

Ports used by the Kubernetes cluster and infrastructure components

For correct work of the KUMA services that are not included in a Kubernetes cluster, you must open the ports listed in the table below. The table below shows the default network ports values. These ports automatically open during the KUMA installation.

Ports used for the interaction with the external KUMA services

If you create an additional KUMA service (collector, correlator or storage) on a server, you need to manually open a port that corresponds to the created service on the server. You can use port TCP 7221 or other port used for service installation.

If the out of the box example services are used, the following ports automatically open during the Kaspersky Next XDR Expert deployment:

• 7230 TCP
• 7231 TCP
• 7232 TCP
• 7233 TCP
• 7234 TCP
• 7235 TCP
• 5140 TCP
• 5140 UDP
• 5141 TCP
• 5144 UDP

[Topic 273808]

Preparation work and deployment

This section describes how to prepare the infrastructure for the Kaspersky Next XDR Expert deployment, set the installation parameters that are specific for the distributed or single node deployment, as well as how to use the Configuration wizard to generate the configuration file.

You will find out how to install Kaspersky Next XDR Expert according to the distributed and single node deployment schemes. Also, this section contains information on how to deploy multiple Kubernetes clusters with Kaspersky Next XDR Expert instances and switch between them by using KDT.

[Topic 249228]