Integration with other solutions
Integration with other solutions allows you to enrich the functionality of Kaspersky Next XDR Expert.
Kaspersky Next XDR Expert supports integration with the following Kaspersky and third-party solutions:
- Kaspersky Automated Security Awareness Platform
- Kaspersky Threat Intelligence Portal
- Kaspersky Anti-Targeted Attack Platform / Kaspersky Endpoint Detection and Response
- Active Directory
- UserGate
- Ideco NGFW
- Ideco UTM
- Redmine
- Check Point NGFW
- Sophos Firewall
- Continent 4
- SKDPU NT
Kaspersky Next XDR Expert also supports more than 100 event sources. For the full list of supported event sources, refer to the Supported event sources section.
Integration settings can be specified for a tenant of any level. Parent integration settings are copied to a child tenant. You can edit the copied child integration settings, since child and parent settings are not related and changes in child settings do not affect the settings in the parent tenant.
For the shared tenant, you do not need to configure the integration settings.
If you need to disable integration, you can do it manually in Settings → Tenants.
Integration with a Kaspersky solution is removed automatically when the tenant for which the integration was specified is removed. The delay when removing data is up to 24 hours. Restoring integration settings is not available.
Integration with Kaspersky Automated Security Awareness Platform
Kaspersky Automated Security Awareness Platform (hereinafter also referred to as KASAP) is an online learning platform that allows users to learn the rules of information security and related threats in their daily work, as well as to practice with real examples.
After configuring integration, you can perform the following tasks in Kaspersky Next XDR Expert:
- Assign learning courses to users who are associated with alerts and incidents.
- Change user learning groups.
- View information about the courses taken by the users and the certificates they received.
KASAP is considered to be integrated with Kaspersky Next XDR Expert after the integration between KASAP and KUMA is configured.
Before configuring integration between KASAP and KUMA, you need to create an authorization token and obtain a URL for API requests in KASAP.
Creating a token in KASAP and getting a URL for API requests
Creating a token
To authorize API requests from KUMA to KASAP, the requests must be signed with a token created in KASAP.
Only the company's administrator can create a token.
To create a token:
- Sign in to the KASAP web interface.
- In the Dashboard section, select the Import and sync section, and then open the OpenAPI tab.
- Click the New token button.
- In the window that opens, select the token rights available during integration:
- GET /openapi/v1/groups
- POST /openapi/v1/report
- PATCH /openapi/v1/user/:userid
- Click the Generate token button.
The generated token is displayed on the screen.
- Copy the token and save it in any convenient way. This token is required to configure integration between KASAP and KUMA.
The token is not stored in the KASAP system in the open form. After you close the Create token window, the token is unavailable for viewing. If you close the window without copying the token, you will need to click the Reissue token button for the system to generate a new token.
The issued token is valid for 12 months.
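The token rights selected in the KASAP dialog define the whole surface the integration can reach, and the token's 12-month lifetime bounds how long a leaked copy stays usable. The following added example (not KASAP or KUMA code; it does not reproduce the KASAP OpenAPI or its request-signing format, and the `IssuedToken` model and matching rules are assumptions) shows how a client-side guard can refuse any request that falls outside the three granted rights or is made after the token has expired:

```python
"""Check that a KASAP-style API token is used only within the rights it was
issued with and only while it is valid. Added example with constructed data;
it does not reproduce the KASAP OpenAPI or its request-signing format."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The three rights offered in the KASAP "New token" dialog (taken from the page).
KASAP_INTEGRATION_RIGHTS = (
    "GET /openapi/v1/groups",
    "POST /openapi/v1/report",
    "PATCH /openapi/v1/user/:userid",
)

TOKEN_LIFETIME = timedelta(days=365)  # page: the issued token is valid for 12 months


@dataclass
class IssuedToken:
    """Assumed model: what a verifier records about a token (rights, issue time)."""
    rights: tuple
    issued_at: datetime

    def expired(self, now):
        return now >= self.issued_at + TOKEN_LIFETIME


def path_matches(template, path):
    """Match '/openapi/v1/user/:userid' against '/openapi/v1/user/42'.
    A ':name' segment matches exactly one non-empty path segment; the
    segment count must be identical, so '/user/42/roles' is not covered."""
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return False
    for t, p in zip(t_parts, p_parts):
        if t.startswith(":"):
            if not p:
                return False
        elif t != p:
            return False
    return True


def is_permitted(token, method, path, now=None):
    """True only if the token is unexpired and a granted right covers method + path."""
    now = now or datetime.now(timezone.utc)
    if token.expired(now):
        return False
    bare_path = path.split("?", 1)[0]  # query string never widens a right
    for right in token.rights:
        r_method, r_template = right.split(" ", 1)
        if r_method == method.upper() and path_matches(r_template, bare_path):
            return True
    return False


if __name__ == "__main__":
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    token = IssuedToken(KASAP_INTEGRATION_RIGHTS, issued)
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for method, path in [("GET", "/openapi/v1/groups"),
                         ("PATCH", "/openapi/v1/user/42"),
                         ("DELETE", "/openapi/v1/user/42"),
                         ("PATCH", "/openapi/v1/user/42/roles")]:
        print(method, path, "->", "allowed" if is_permitted(token, method, path, now) else "denied")
```

Because the rights are method-plus-path templates, a request that reuses a granted path with a different verb (such as `DELETE` on a user) or adds a trailing segment is denied, which is the behaviour you want a long-lived integration token to have.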
Getting a URL for API requests
The URL is used for interacting with KASAP via OpenAPI. You have to specify this URL when configuring integration between KASAP and KUMA.
To get the URL used in KASAP for API requests:
- Sign in to the KASAP web interface.
- In the Dashboard section, select the Import and sync section, and then open the OpenAPI tab.
- In the OpenAPI URL field, copy the URL, and then save it in any convenient way.
Integration with Kaspersky Threat Intelligence Portal
You must configure integration with Kaspersky Threat Intelligence Portal (hereinafter also referred to as Kaspersky TIP) to obtain information about the reputation of the observable objects.
Before configuring the settings, you have to create an authorization token for API requests on Kaspersky TIP or Kaspersky OpenTIP.
To configure integration between Kaspersky Next XDR Expert and Kaspersky TIP:
- In the main menu, go to Settings → Tenants.
The list of tenants is displayed on the screen.
- Click the name of the required tenant.
The tenant's properties window opens.
- Go to the Settings tab, and then select the Kaspersky TIP section.
You can edit the Kaspersky TIP section if you are assigned one of the following XDR roles: Main administrator, Tenant administrator, or SOC administrator.
- If at step 2 you selected the Root tenant, you can turn on the Proxy toggle button to use a proxy server for interaction with Kaspersky TIP.
The proxy server is configured in the root Administration Server properties.
- In the Cache TTL field, specify the period of cache storage and the units: days or hours.
By default, 7 days is set. If you do not specify any value, the period of cache storage is unlimited.
You set the period of cache storage for all connections.
- Turn on the Integration toggle button for one of the following services:
- Kaspersky TIP (General access)
After you add an authorization token, you will be able to obtain information from Kaspersky TIP about the following types of observables listed on the Observables tab in the alert or incident details: domain, URL, IP, MD5, SHA256. The information is updated in the Enrichment column. Quota is consumed when you request data.
- Kaspersky TIP (Premium access)
After you add an authorization token, you will be able to do the following:
- Obtain information from Kaspersky TIP about the following types of observables listed on the Observables tab in the alert or incident details: domain, URL, IP, MD5, SHA256. The information is updated in the Enrichment column. Quota is consumed when you request data.
- Obtain information from Kaspersky TIP about the following types of observables listed on the Observables tab in the alert or incident details: domain, URL, IP, MD5, SHA256. The information is updated in the Status update column. Quota is not consumed when you request data.
- Click the Add token button.
- In the window that opens, enter the authorization token, and then click the Add button.
For details about generating an authorization token for API requests, refer to the Kaspersky TIP or Kaspersky OpenTIP help.
After you add the token, you can change it by clicking the Replace button, and then entering a new token in the window that opens. This may be necessary if the token is expired.
- Click the Save button.
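The Cache TTL setting and the quota note above interact: every request that misses the cache spends quota, so a short TTL trades quota for freshness and an unset TTL keeps verdicts forever. The following added example (not Kaspersky TIP client code; the `lookup` callback, the verdict strings and the clock are constructed stand-ins) implements exactly those rules: a TTL given in days or hours, "no value means unlimited", quota charged only on a real lookup, and a classifier for the five observable types the page lists:

```python
"""Reputation-lookup cache with the TTL semantics described on this page.
Added example with a constructed lookup function; it is not Kaspersky TIP
client code and the verdict format is invented for the demonstration."""
import re
import time

# Observable types the page lists for Kaspersky TIP enrichment, most specific first.
_PATTERNS = (
    ("MD5", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("SHA256", re.compile(r"^[0-9a-fA-F]{64}$")),
    ("IP", re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")),
    ("URL", re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://\S+$")),
    ("domain", re.compile(r"^(?!-)([a-zA-Z0-9-]{1,63}\.)+[a-zA-Z]{2,63}$")),
)


def observable_type(value):
    """Return one of MD5/SHA256/IP/URL/domain, or None for anything else."""
    for name, pattern in _PATTERNS:
        if pattern.match(value):
            return name
    return None


def ttl_seconds(value=None, unit="days"):
    """Cache TTL in seconds; None reproduces the page's 'no value -> unlimited' rule."""
    if value is None:
        return None
    if unit not in ("days", "hours"):
        raise ValueError("unit must be 'days' or 'hours'")
    return value * (86400 if unit == "days" else 3600)


class ReputationCache:
    """Caches verdicts per (type, value); quota_used counts real portal requests."""

    def __init__(self, lookup, ttl=ttl_seconds(7, "days"), clock=time.time):
        self._lookup = lookup   # callable(otype, value) -> verdict; each call costs quota
        self._ttl = ttl         # seconds, or None for unlimited retention
        self._clock = clock     # injectable so expiry can be tested deterministically
        self._store = {}
        self.quota_used = 0

    def get(self, value):
        otype = observable_type(value)
        if otype is None:
            raise ValueError(f"unsupported observable: {value!r}")
        key = (otype, value.lower())
        now = self._clock()
        hit = self._store.get(key)
        if hit is not None:
            verdict, stored_at = hit
            if self._ttl is None or now - stored_at < self._ttl:
                return verdict          # fresh enough: no quota spent
        verdict = self._lookup(otype, value)
        self.quota_used += 1
        self._store[key] = (verdict, now)
        return verdict


if __name__ == "__main__":
    # Constructed lookup: pretend the portal answered with a verdict string.
    fake_portal = lambda otype, value: f"{otype}:clean"
    cache = ReputationCache(fake_portal, ttl=ttl_seconds(24, "hours"))
    for observable in ("example.com", "example.com", "10.0.0.1", "d41d8cd98f00b204e9800998ecf8427e"):
        print(observable, "->", cache.get(observable))
    print("quota used:", cache.quota_used)  # 3: the repeated domain was served from cache
```

Injecting the clock is what lets the TTL rule be tested: advance it past the TTL and the next request for the same observable hits the portal again, while a cache built with `ttl_seconds()` (unlimited) never does.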
Integration with KATA/KEDR
Kaspersky Endpoint Detection and Response (hereinafter also referred to as KEDR) is a functional block of Kaspersky Anti Targeted Attack Platform (hereinafter also referred to as KATA) that protects assets in an enterprise LAN.
You can configure integration between Kaspersky Next XDR Expert and KATA/KEDR to manage threat response actions on assets connected to Kaspersky Endpoint Detection and Response servers. Commands to perform operations are received by the Kaspersky Endpoint Detection and Response server, which then relays those commands to Kaspersky Endpoint Agent installed on assets.
To configure integration between Kaspersky Next XDR Expert and KATA/KEDR:
- In the main menu, go to Settings → Tenants.
The list of tenants is displayed on the screen.
- Click the name of the required tenant.
The tenant's properties window opens.
- Go to the Settings tab, and then select the KATA/KEDR section.
You can edit the KATA/KEDR section if you are assigned one of the following XDR roles: Main administrator, Tenant administrator, or SOC administrator.
- Turn on the KATA integration toggle button.
- Click the Add connection button, and then in the window that opens do the following:
- In the IP address or host name field, enter one of the following:
- hostname
- IPv4
- IPv6
- In the Port field, set a port.
- Click the Save button.
The window is closed.
If the connection is not added, an error message is displayed.
If the connection is added successfully, an appropriate message is displayed on the screen. An XDR ID, certificate, and private key are generated and displayed in the corresponding fields. If necessary, you can generate a new certificate and private key by clicking the Generate button.
To ensure that the connection is established successfully, click the Check connection button. The result is displayed in the Connection status parameter.
- Click the Save button to save the settings.
After you add the connection, you can edit or delete it by clicking the corresponding icons. You can also add another connection by performing steps 1–6.
If you want to receive information about Kaspersky Endpoint Detection and Response alerts, you need to configure integration between the KUMA component and KATA/KEDR.
Configuring custom integrations
You can respond to alerts and incidents via external systems by launching third-party scripts on remote client devices. To enable this option, you have to configure the environment and integration between Kaspersky Next XDR Expert and the script launch service.
To configure the environment for launching third-party custom scripts, you must:
- Set a device on which the third-party custom script is launched.
- Configure integration between Kaspersky Next XDR Expert and the script launch service.
- Create a playbook that will be used to launch the script.
It is the customer who provides access to third-party custom scripts and updates the scripts.
To configure integration between Kaspersky Next XDR Expert and the script launch service:
- In the main menu, go to Settings → Tenants.
The list of tenants is displayed on the screen.
- Click the name of the required tenant.
The tenant's properties window opens.
- Go to the Settings tab, and then in the Custom integration section:
- Turn on the Custom integration toggle button.
- In the Remote host verification section, turn on the Verify the host before connecting toggle button, and then fill in the Public key field to enable verification of a client device in Kaspersky Next XDR Expert.
- In the Remote host connection section, do the following:
- Fill in the IP address or host name and Ports fields.
- Select an SSH authentication method that will be used to establish a secure connection with a remote device:
- User name and password. If you select this authentication method, at the next step you must enter the user name and password.
- SSH key. If you select this authentication method, at the next step you must enter the user name and SSH key.
- Click the Add data button.
- In the window that opens, enter the required data, and then click the Save button.
If you want to edit the data you saved, click the Replace button, enter new data in the window that opens, and then save the edits.
To ensure that the connection is established successfully, click the Check connection button. The result is displayed in the Connection status parameter.
- Click the Save button to save the settings.
Integration between Kaspersky Next XDR Expert and the script launch service is configured. You can perform response actions on remote devices by launching playbooks.
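The Verify the host before connecting toggle with its Public key field pins the SSH host key of the script-launch device, so that a connection to a host presenting a different key is refused rather than silently accepted. The following added example (not the product's own verification code; it does not speak SSH itself, and the sample key is constructed from 32 fixed bytes) shows the pinning check: parse an OpenSSH public-key line, reject a line whose declared type and encoded blob disagree, compute the familiar `SHA256:` fingerprint for display in logs, and compare the presented key against the pinned one in constant time:

```python
"""Host-key pinning check. Added example with a constructed ssh-ed25519 key;
it is not the product's own verification code and does not perform SSH."""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32, comment="constructed"):
    """Build an OpenSSH public-key line from 32 raw key bytes (test data only)."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line):
    """Return (key_type, blob); reject lines whose declared type differs from the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode():
        raise ValueError("key type prefix does not match the encoded blob")
    return key_type, blob


def fingerprint_sha256(line):
    """OpenSSH-style 'SHA256:<base64 without padding>' fingerprint of the key blob."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(pinned_line, presented_line):
    """True only if the presented key is byte-for-byte the pinned one."""
    pinned_type, pinned_blob = parse_pubkey_line(pinned_line)
    presented_type, presented_blob = parse_pubkey_line(presented_line)
    # compare_digest avoids leaking where the two blobs first differ.
    return pinned_type == presented_type and hmac.compare_digest(pinned_blob, presented_blob)


if __name__ == "__main__":
    pinned = make_ed25519_pubkey_line(bytes(range(32)))        # constructed pinned key
    presented = make_ed25519_pubkey_line(bytes(range(1, 33)))  # constructed rogue key
    print("pinned   ", fingerprint_sha256(pinned))
    print("presented", fingerprint_sha256(presented))
    print("connect allowed:", host_key_matches(pinned, presented))  # False: refuse to connect
```

Comparing the decoded blobs rather than the text lines means a comment change or extra whitespace in the Public key field does not cause a spurious mismatch, while any change to the key material itself does.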