Quick start guide
The following scenarios are step-by-step walkthroughs from the purchase of Kaspersky Next XDR Expert to incident investigation and threat hunting.
Start with installation and initial setup of Kaspersky Next XDR Expert, then explore Kaspersky Next XDR Expert threat detection and hunting features, and then check out an example of an incident investigation workflow.
Deployment and initial setup of Kaspersky Next XDR Expert
Following this scenario, you can deploy Open Single Management Platform with all the components necessary for operation of the Kaspersky Next XDR Expert solution, and then perform the required preliminary configurations and integrations.
Prerequisites
Before you start, make sure that:
- You have a license key for Kaspersky Next XDR Expert and the compatible EPP applications.
- Your infrastructure meets the hardware and software requirements.
Stages
The main installation and initial setup scenario proceeds in stages:
- Deployment
Prepare your infrastructure for the deployment of Open Single Management Platform and all the required components for Kaspersky Next XDR Expert, and then deploy the solution by using the Kaspersky Deployment Toolkit utility.
- Activation
Activate the Kaspersky Next XDR Expert solution under your license.
- Configuring multitenancy
If necessary, you can use the multitenancy features:
- Plan and create the required hierarchy of tenants.
- Create the matching hierarchy of Administration Servers in Open Single Management Platform.
- Bind tenants to the corresponding Administration Servers.
- Create user accounts for all Kaspersky Next XDR Expert users, and then assign roles.
- Adding assets
The devices in your infrastructure that must be protected are represented as assets in Kaspersky Next XDR Expert. Open Single Management Platform allows you to discover the devices in your network and manage their protection. You will also be able to add assets manually or import them from other sources during stage 8 (Configuring event sources, storage, and correlation).
User accounts are also represented as assets in Kaspersky Next XDR Expert. Make sure to configure the integration with Active Directory during stage 9 (Configuring the integrations), to enable the display of affected user accounts in the related events, alerts, and incidents.
- Adding users and assigning roles
Assign roles to the user accounts, to define their access rights to various Kaspersky Next XDR Expert features depending on their tasks.
- Connecting to an SMTP server
Configure the connection to an SMTP server for email notifications about events occurring in Kaspersky Next XDR Expert.
- Installing endpoint protection applications and solutions
Kaspersky Next XDR Expert works with events received from security applications installed on your assets. Check the list of compatible Kaspersky applications and solutions. You can use Open Single Management Platform to deploy Kaspersky applications on the devices in your infrastructure.
Ensure that endpoint protection applications are integrated with Kaspersky Anti Targeted Attack Platform. For example, if you use Kaspersky Endpoint Security on your assets, refer to one of the following Help documents to learn how to configure integration with KATA:
- Configuring event sources, storage, and correlation
Specify where the events must be received from, and how they must be stored and processed:
- Log in to the KUMA Console.
- Set up integration of Kaspersky Unified Monitoring and Analysis Platform and Open Single Management Platform.
- Import assets from Open Single Management Platform.
- Add assets manually or import them from other sources (optional action).
- Configure the event sources to specify where you want to receive the events from.
- Create a storage for events.
- Create collectors for receiving, processing (normalizing), and transmitting the events.
- Create correlators for initial analysis of normalized events and their further processing.
During the collector creation, you can create correlation rules to define the rules for processing and responding to the events. You can also import previously saved correlation rules or use the ready-made set of correlation rules provided with the Kaspersky Next XDR Expert solution. After the correlator is created, you can link correlation rules to the correlator, if needed.
We strongly recommend configuring exclusions at this stage, to avoid false positives and irrelevant data.
- Configuring the integrations
Configure the integration of Kaspersky Next XDR Expert with Active Directory and with other Kaspersky solutions, to extend its possibilities and to enrich data available for incident investigation.
- Integration with Active Directory (strongly recommended).
- Integration with KATA/EDR (license is required).
- Integration with Kaspersky CyberTrace (optional integration; license is required).
- Integration with Kaspersky TIP (optional integration; license is required) or Kaspersky Open TIP.
- Integration with Kaspersky Automated Security Awareness Platform (optional integration; license is required).
- Configuring updates
Create the Download updates to the Administration Server repository task.
- Verify correctness of configuration
Use the EICAR test file on one of the assets. If the initial setup was performed correctly and the necessary correlation rules were configured, the detection event will trigger the creation of an alert in the alerts list.
After the initial setup is complete, events from the protected assets will be received and processed by Kaspersky Next XDR Expert, and an alert will be created in the event a correlation rule is triggered.
Verifying correctness of the Kaspersky Next XDR Expert configuration
You can use the EICAR test virus on one of the assets, to ensure that Kaspersky Next XDR Expert is deployed and configured correctly. If the initial setup was performed correctly and the necessary correlation rules were configured, the correlation event will trigger the creation of an alert in the alerts list.
To verify correctness of the Kaspersky Next XDR Expert configuration:
- Create a new correlator in KUMA Console.
When creating the correlator, do not specify parameters in the Correlation section.
- Import correlation rules from the SOC Content package to obtain the predefined correlation rules used to detect the EICAR test virus.
- Specify the correlation rule for the created correlator.
You can use one of the following methods to specify the correlation rule:
- Link the predefined correlation rule to the created correlator:
- Go to Resources, click Correlation rules, and then select the tenant to which the correlation rule will be applied.
- In the list of the predefined correlation rules, select the R077_02_KSC.Malware detected rule to detect events from Kaspersky Security Center.
- Click Link to correlator, and then select the created correlator to link the selected correlation rule to the correlator.
- Create the correlation rule with the predefined filters manually:
- Open the created correlator settings, go to the Correlation section, and then click Add.
- In the Create correlation rule window, on the General tab, set the following parameters, as well as other rule parameters:
- Kind: simple.
- Propagated fields: DestinationAddress, DestinationHostName, DestinationAccountID, DestinationAssetID, DestinationNtDomain, DestinationProcessName, DestinationUserName, DestinationUserID, SourceAccountID, SourceUserName.
- Go to Selectors → Settings, and then specify the expression to filter the required events:
- In builder mode, add the f: KSC events, f: KSC virus found, and f: Base events filters with the AND operator.
- Alternatively, you can specify this expression in the source code mode as follows:
filter='b308fc22-fa79-4324-8fc6-291d94ef2999'
AND filter='a1bf2e45-75f4-45c1-920d-55f5e1b8843f'
AND filter='1ffa756c-e8d9-466a-a44b-ed8007ca80ca'
- In the Actions section of the correlation rule settings, select only the Output check box (the Loop to correlator and No alert check boxes must be cleared). In this case, when the EICAR test virus is detected, a correlation event will be created and an alert will be created in the alert list of Kaspersky Next XDR Expert.
- Click Create new to save the correlation rule settings linked to the correlator.
- Create, and then configure, a collector in KUMA Console for receiving information about Administration Server events from an MS SQL database.
Alternatively, you can use the predefined [OOTB] KSC SQL collector.
- In the Routing section of the collector settings, set Type to correlator, and then specify the created correlator in the URL field, to forward the processed events to it.
- Install Network Agent and the endpoint protection application (for example, Kaspersky Endpoint Security) on an asset of your organization network. Ensure that the asset is connected to Administration Server.
- Place the EICAR test file on the asset, and then detect the test virus by using the endpoint protection application.
After that, Administration Server will be notified about the event on the asset. This event will be forwarded to the KUMA component, transformed into a correlation event, and that correlation event will trigger the creation of an alert in the alerts list in Kaspersky Next XDR Expert. If the alert has been created, Kaspersky Next XDR Expert is working correctly.
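As an added illustration (not KUMA's own code or part of this documentation), the following Python model shows what the "simple" rule configured above does: it parses the source-code-mode filter expression, requires all three filters to match a single normalized event, copies only the propagated fields into the correlation event, and derives whether an alert is created from the Output and No alert check boxes. The filter predicates, sample events and the creates_alert flag are assumptions standing in for KUMA's internals.

```python
from dataclasses import dataclass
from typing import List, Optional

# Filter IDs are the ones quoted in the walkthrough; the predicate bodies are assumed
# stand-ins for "f: KSC events", "f: KSC virus found" and "f: Base events", not KUMA's.
FILTERS = {
    "b308fc22-fa79-4324-8fc6-291d94ef2999": lambda e: e.get("DeviceProduct") == "KSC",
    "a1bf2e45-75f4-45c1-920d-55f5e1b8843f": lambda e: e.get("Name") == "Virus found",
    "1ffa756c-e8d9-466a-a44b-ed8007ca80ca": lambda e: e.get("Type") == 1,
}
PROPAGATED_FIELDS = [
    "DestinationAddress", "DestinationHostName", "DestinationAccountID", "DestinationAssetID",
    "DestinationNtDomain", "DestinationProcessName", "DestinationUserName", "DestinationUserID",
    "SourceAccountID", "SourceUserName"]

def parse_filter_expression(expr: str) -> List[str]:
    """Turn filter='<id>' AND filter='<id>' ... (source code mode) into a list of IDs."""
    ids = []
    for term in expr.split("AND"):
        term = term.strip()
        if not (term.startswith("filter='") and term.endswith("'")):
            raise ValueError(f"unsupported term: {term!r}")
        ids.append(term[len("filter='"):-1])
    return ids

@dataclass
class SimpleRule:
    filter_ids: List[str]
    output: bool = True      # the Output check box in the Actions section
    no_alert: bool = False   # the No alert check box (must stay cleared for the test)

    def evaluate(self, event: dict) -> Optional[dict]:
        """Return a correlation event when every filter matches, otherwise None."""
        if not all(FILTERS[fid](event) for fid in self.filter_ids):
            return None
        corr = {"Name": "R077_02_KSC.Malware detected"}
        for name in PROPAGATED_FIELDS:   # only propagated fields are copied over
            if name in event:
                corr[name] = event[name]
        corr["creates_alert"] = self.output and not self.no_alert
        return corr

EXPRESSION = ("filter='b308fc22-fa79-4324-8fc6-291d94ef2999' AND "
              "filter='a1bf2e45-75f4-45c1-920d-55f5e1b8843f' AND "
              "filter='1ffa756c-e8d9-466a-a44b-ed8007ca80ca'")
# Constructed sample events, not real telemetry.
EICAR_EVENT = {"Type": 1, "DeviceProduct": "KSC", "Name": "Virus found", "FileName": "eicar.com",
               "DestinationHostName": "ws-01.corp.example", "DestinationUserName": "jdoe"}
BENIGN_EVENT = {"Type": 1, "DeviceProduct": "KSC", "Name": "Update completed",
                "DestinationHostName": "ws-02.corp.example"}
```

Running `SimpleRule(parse_filter_expression(EXPRESSION)).evaluate(EICAR_EVENT)` yields a correlation event carrying only the propagated fields, while the benign event yields None; setting no_alert=True keeps the correlation event but suppresses the alert, which is why that check box must be cleared during the verification.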
Using the threat monitoring, detection and hunting features
After you have installed and configured Kaspersky Next XDR Expert, you can use its features for monitoring the security of your infrastructure, investigating security incidents, automating workflows, and proactively searching for threats:
- Using dashboard and customizing widgets
The Detection and response tab of the dashboard can contain widgets that display information about detected and registered alerts and incidents, and response actions to them. You can use and customize the preconfigured layouts of widgets for your dashboard or create new layouts and widgets.
Open Single Management Platform also provides various security monitoring and reporting tools.
- Using reports
You can configure the generation of reports in Kaspersky Unified Monitoring and Analysis Platform to receive the required summary data according to the specified schedule.
- Using threat hunting
You can use threat hunting tools to analyze events to search for threats and vulnerabilities that have not been detected automatically. Threat hunting can be used both for alert and incident investigation and for proactive search for threats.
- Using playbooks
You can use playbooks to automate response to alerts and incidents according to the specified algorithm. There are a number of predefined playbooks that you can launch in various operation modes. You can create custom playbooks.
Example of incident investigation with Kaspersky Next XDR Expert
This scenario represents a sample workflow of an incident investigation.
Incident investigation proceeds in stages:
- Assigning an alert to a user
You can assign an alert to yourself or to another user.
- Checking if the triggered correlation rule matches the data of the alert events
View the information about the alert and make sure that the alert event data matches the triggered correlation rule.
- Analyzing alert information
Analyze the information about the alert to determine what data is required for further analysis of the alert.
- Manual enrichment
Launch the available solutions for additional enrichment of an event (for example, Kaspersky TIP).
- False positive check
Make sure that the activity that triggered the correlation rule is abnormal for the organization IT infrastructure.
- Incident creation
If steps 3 to 5 reveal that the alert requires investigation, you can create an incident or link the alert to an existing incident.
You can also merge incidents.
- Investigation
This step includes viewing information about the assets, user accounts, and alerts related to the incident. You can use the investigation graph and threat hunting tools to get additional information.
- Searching for related assets
You can view the alerts that occurred on the assets related to the incident.
- Searching for related events
You can expand your investigation scope by searching for events of related alerts.
- Recording the causes of the incident
You can record the information necessary for the investigation in the incident change log.
- Response
You can perform response actions manually.
- Closing the incident
After taking measures to clean up the traces of the attacker's presence from the organization's IT infrastructure, you can close the incident.