Verifying correctness of the Kaspersky Next XDR Expert configuration
You can use the EICAR test virus on one of the assets, to ensure that Kaspersky Next XDR Expert is deployed and configured correctly. If the initial setup was performed correctly and the necessary correlation rules were configured, the correlation event will trigger the creation of an alert in the alerts list.
To verify correctness of the Kaspersky Next XDR Expert configuration:
In builder mode, add the f: KSC events, f: KSC virus found, and f: Base events filters with the AND operator.
Alternatively, you can specify this expression in the source code mode as follows:
filter='b308fc22-fa79-4324-8fc6-291d94ef2999'
AND filter='a1bf2e45-75f4-45c1-920d-55f5e1b8843f'
AND filter='1ffa756c-e8d9-466a-a44b-ed8007ca80ca'
In the Actions section of the correlation rule settings, select only the Output check box (the Loop to correlator and No alert check boxes must be cleared). In this case, when the EICAR test virus is detected, a correlation event will be created and an alert will be created in the alert list of Kaspersky Next XDR Expert.
Click Create new to save the correlation rule settings linked to the correlator.
Alternatively, you can use the predefined [OOTB] KSC SQL collector.
In the Routing section of the collector settings, set Type to correlator, and then specify the created correlator in the URL field, to forward the processed events to it.
Install Network Agent and the endpoint protection application (for example, Kaspersky Endpoint Security) on an asset of your organization network. Ensure that the asset is connected to Administration Server.
Place the EICAR test file on the asset, and then detect the test virus by using the endpoint protection application.
After that, Administration Server will be notified about the event on the asset. This event will be forwarded to the KUMA component, transformed to the correlation event, and then this event will trigger creation of an alert in the alerts list in Kaspersky Next XDR Expert. If the alert has been created, it means that Kaspersky Next XDR Expert is working correctly.