Deployment and initial setup of Kaspersky Next XDR Expert

Following this scenario, you can deploy Open Single Management Platform with all the components necessary for operation of the Kaspersky Next XDR Expert solution, and then perform the required preliminary configurations and integrations.

Prerequisites

Before you start, make sure that:

• You have a license key for Kaspersky Next XDR Expert and the compatible EPP applications.
• Your infrastructure meets the hardware and software requirements.

Stages

The main installation and initial setup scenario proceeds in stages:

1. Deployment

   Prepare your infrastructure for the deployment of Open Single Management Platform and all the required components for Kaspersky Next XDR Expert, and then deploy the solution by using the Kaspersky Deployment Toolkit utility.

2. Activation

   Activate the Kaspersky Next XDR Expert solution under your license.

3. Configuring multitenancy

   If necessary, you can use the multitenancy features:

   1. Plan and create the required hierarchy of tenants.
   2. Create the matching hierarchy of Administration Servers in Open Single Management Platform.
   3. Bind tenants to the corresponding Administration Servers.
   4. Create user accounts for all Kaspersky Next XDR Expert users, and then assign roles.
4. Adding assets

   The devices in your infrastructure that must be protected are represented as assets in Kaspersky Next XDR Expert. Open Single Management Platform allows you to discover the devices in your network and manage their protection. You will also be able to add assets manually or import them from other sources during stage 8.

   User accounts are also represented as assets in Kaspersky Next XDR Expert. Make sure to configure the integration with Active Directory during stage 9, to enable the display of affected user accounts in the related events, alerts, and incidents.

5. Adding users and assigning roles

   Assign roles to the user accounts, to define their access rights to various Kaspersky Next XDR Expert features depending on their tasks.

6. Connecting to an SMTP server

   Configure the connection to an SMTP server for email notifications about events occurring in Kaspersky Next XDR Expert.

7. Installing endpoint protection applications and solutions

   Kaspersky Next XDR Expert works with events received from security applications installed on your assets. Check the list of compatible Kaspersky applications and solutions. You can use Open Single Management Platform to deploy Kaspersky applications on the devices in your infrastructure.

   Ensure that endpoint protection applications are integrated with Kaspersky Anti Targeted Attack Platform. For example, if you use Kaspersky Endpoint Security on your assets, refer to one of the following Help documentations to learn how to configure integration with KATA:

   • Kaspersky Endpoint Security for Windows
   • Kaspersky Endpoint Security for Linux
   • Kaspersky Endpoint Security for Mac
8. Configuring event sources, storage, and correlation

   Specify where the events must be received from, and how they must be stored and processed:

   1. Log in to the KUMA Console.
   2. Set up integration of Kaspersky Unified Monitoring and Analysis Platform and Open Single Management Platform.
   3. Import assets from Open Single Management Platform.
   4. Add assets manually or import them from other sources (optional action).
   5. Configure the event sources to specify where you want to receive the events from.
   6. Create a storage for events.
   7. Create collectors for receiving, processing (normalizing), and transmitting the events.
   8. Create correlators for initial analysis of normalized events and their further processing.

      During the collector creation, you can create correlation rules to define the rules of processing and responding to the events.You can also import the previously saved correlation rules or use the ready-made set of correlation rules provided with the Kaspersky Next XDR Expert solution. After the correlator is created, you can link correlation rules to the correlator, if needed.

      We strongly recommended configuring the exclusions on this stage, to avoid false positives and irrelevant data.

9. Configuring the integrations

   Configure the integration of Kaspersky Next XDR Expert with Active Directory and with other Kaspersky solutions, to extend its possibilities and to enrich data available for incident investigation.

   1. Integration with Active Directory (strongly recommended).
   2. Integration with KATA/EDR (license is required).
   3. Integration with Kaspersky CyberTrace (optional integration; license is required).
   4. Integration with Kaspersky TIP (optional integration; license is required) or Kaspersky Open TIP.
   5. Integration with Kaspersky Automated Security Awareness Platform (optional integration; license is required).
10. Configuring updates

    Create the Download updates to the Administration Server repository task.

11. Verify correctness of configuration

    Use the EICAR test file on one of the assets. If the initial setup was performed correctly and the necessary correlation rules were configured, this event will trigger creation of an alert in the alerts list.

After the initial setup is complete, events from the protected assets will be received and processed by Kaspersky Next XDR Expert, and an alert will be created in the event a correlation rule is triggered.

See also: Verifying correctness of the Kaspersky Next XDR Expert configuration Using the threat monitoring, detection and hunting features Example of incident investigation with Kaspersky Next XDR Expert

Page top