Glossary

May 15, 2024

ID 95897

Administrator host

A device that is used to deploy and manage the Kubernetes cluster and Kaspersky Next XDR Expert. The administrator host is not included in the Kubernetes cluster.

Agent

A KUMA service that is used to receive events on remote devices and forward them to KUMA collectors.

Alert

An event in the organization's IT infrastructure that was marked by Open Single Management Platform as unusual or suspicious, and that may pose a threat to the security of the organization's IT infrastructure.

Asset

A device or user of the infrastructure to be protected. If an alert or incident is detected on an asset, you can perform response actions for this asset.

Bootstrap

The basic execution environment that includes the Kubernetes cluster and the infrastructure components required to run Kaspersky Next XDR Expert. Bootstrap is included in the transport archive and is installed automatically during the deployment of Kaspersky Next XDR Expert.

Collector

A KUMA service that receives messages from event sources, processes them, and then transmits them to a storage, correlator, and/or third-party services to identify alerts.

Configuration file

A file in the YAML format that contains the list of target hosts for the Kaspersky Next XDR Expert deployment and a set of installation parameters of the Kaspersky Next XDR Expert components. The configuration file is used by KDT.

Context

A set of access parameters that define the Kubernetes cluster that the user can select to interact with. The context also includes data for connecting to the cluster by using KDT.

Correlation rule

A KUMA resource used to recognize the defined sequences of processed events and perform specific actions after recognition.

Correlator

A KUMA service that analyzes normalized events.

Custom actions

KDT commands that allow you to perform additional operations specific to the Kaspersky Next XDR Expert components (other than installation, update, and deletion).

Distribution package

An archive that contains the transport archive with Kaspersky Next XDR Expert components, the template of the configuration file, the template of the KUMA inventory file, the KDT utility for deploying Kaspersky Next XDR Expert, and End User License Agreements for Kaspersky Next XDR Expert and KDT.

Event

Information security events registered on the monitored elements of the organization's IT infrastructure. For example, events include login attempts, interactions with a database, and sensor information broadcasts. Each separate event may seem meaningless, but when considered together they form a bigger picture of network activities to help identify security threats.

Incident

A container of alerts that normally indicates a true positive issue in the organization's IT infrastructure. An incident may contain a single or several alerts. By using incidents, analysts can investigate multiple alerts as a single issue.

Investigation graph

A visual analysis tool that shows the relationships between events, alerts, incidents, observables, and assets (devices). Also, the investigation graph displays the details for an incident: the corresponding alerts, users, assets and their common properties.

Kaspersky Deployment Toolkit

A utility used to deploy and manage a Kubernetes cluster, Kaspersky Next XDR Expert components, and management web plug-ins.

Kubernetes cluster

A set of hosts combined by means of Kubernetes into one computing resource. The Kubernetes cluster is used to run the Kaspersky Next XDR Expert components (except for KUMA services). The Kubernetes cluster includes only the target hosts.

KUMA inventory file

A file in the YAML format that contains the parameters for installation of the KUMA services that are not included in the Kubernetes cluster. The path to the KUMA inventory file is included in the configuration file that is used by KDT for the Kaspersky Next XDR Expert deployment.

KUMA services

The main components of KUMA that help the system to manage events. Services allow you to receive events from event sources and subsequently bring them to a common form that is convenient for finding correlation, as well as for storage and manual analysis. KUMA services are agents, collectors, correlators, and storages that are installed on the hosts that are located outside the Kubernetes cluster.

Multitenancy

A mode that enables the main administrator to provide the Kaspersky Next XDR Expert functionality to multiple clients independently, or to separate assets, application settings, and objects for different offices. The multitenancy mode also allows you to copy and inherit tenant settings and objects from the parent tenant and to automatically apply a license key for Kaspersky Next XDR Expert to all of the tenants in the hierarchy.

Node

A physical or virtual machine on which Kaspersky Next XDR Expert is deployed. There are primary and worker nodes. The primary node is intended for managing the cluster, storing metadata, and distributing the workload. The worker nodes are intended for performing the workload of the Kaspersky Next XDR Expert components.

Normalized event

An event that is processed in accordance with the KUMA normalized event data model.

Observables

Objects related to an alert or incident, such as MD5 and SHA256 hashes, IP address, URL, Domain name, UserName, or HostName.

Playbook

An object that responds to alerts or incidents according to the specified algorithm (playbook algorithm). Playbooks allow you to automate workflows and reduce the time it takes to process alerts and incidents.

Playbook algorithm

An algorithm that includes a sequence of response actions that help analyze and handle alerts or incidents.

Registry

An infrastructure component that stores the application containers and is used for installing and storing the Kaspersky Next XDR Expert components.

Response actions

Actions that are launched within playbooks.

Segmentation rules

Rules that allow you to automatically split related alerts into different incidents based on specified conditions.

Storage

A KUMA service that is used to store normalized events so that they can be quickly and continually accessed from KUMA for the purpose of extracting analytical data.

Target hosts

Devices that are included in the Kubernetes cluster and perform the workload of the Kaspersky Next XDR Expert components.

Tenant

A logical entity that corresponds to an organization unit (a client or an office) to which the Kaspersky Next XDR Expert functionality is provided. Each tenant can include assets, users and their access rights, events, alerts, incidents, playbooks, and integrations with other Kaspersky applications, services, and third-party solutions. A tenant also defines the set of operations available on the included objects.

Threat development chain

A series of steps that trace the stages of a cyberattack. A threat development chain allows you to analyze the causes of the threat. To create a threat development chain, the managed application transfers data from the device to Administration Server through Network Agent.

Transport archive

An archive that contains Kaspersky Next XDR Expert components and management web plug-ins. The transport archive is included in the distribution package.
