This section provides a description of the components of Kaspersky XDR Expert and their interaction.
Kaspersky XDR Expert architecture
Kaspersky XDR Expert comprises the following main components:
Kaspersky Single Management Platform (KSMP). The technology basis on which Kaspersky XDR Expert is built. KSMP integrates all of the solution components and provides interaction between the components. KSMP is scalable and supports integration with both Kaspersky applications and third-party solutions.
KSMP Console. Provides a web interface for KSMP.
KUMA Console. Provides a web interface for Kaspersky Unified Monitoring and Analysis Platform (KUMA).
KUMA Core. The central component of KUMA. KUMA receives, processes, and stores information security events and then analyzes the events by using correlation rules. As a result of the analysis, if the conditions of a correlation rule are met, KUMA creates an alert and sends it to Incident Response Platform.
Incident Response Platform. A Kaspersky XDR Expert component that allows you to create incidents automatically or manually, manage the alert and incident life cycle, assign alerts and incidents to SOC analysts, and respond to incidents automatically or manually, including responses through playbooks.
Administration Server (also referred to as Server). The key component of endpoint protection for a client organization. Administration Server provides centralized deployment and management of endpoint protection through EPP applications, and allows you to monitor the endpoint protection status.
Data sources. Information security hardware and software that generate events. After you integrate Kaspersky XDR Expert with the required data sources, KUMA receives the events to store and analyze them.
Integrations. Kaspersky applications and third-party solutions integrated with KSMP. Through integrated solutions, an SOC analyst can enrich the data required for incident investigation, and then respond to incidents.
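The event flow described for KUMA Core and Incident Response Platform (events are matched against a correlation rule, an alert is raised when the rule's conditions are met, and alerts are turned into incidents) can be illustrated with a small threshold-correlation pipeline. This is an added, constructed example, not code from Kaspersky XDR Expert; the event fields, the rule structure and the alert and incident shapes are assumptions and are not KUMA's or IRP's own formats.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (assumed fields: epoch seconds, source host, event type).
EVENTS = [
    {"ts": 100, "src": "10.0.0.5", "type": "auth_failure"},
    {"ts": 120, "src": "10.0.0.5", "type": "auth_failure"},
    {"ts": 130, "src": "10.0.0.7", "type": "auth_failure"},
    {"ts": 150, "src": "10.0.0.5", "type": "auth_failure"},
    {"ts": 900, "src": "10.0.0.5", "type": "auth_failure"},
]

@dataclass
class Rule:            # assumed rule structure, not KUMA's rule format
    name: str
    event_type: str
    threshold: int     # events of event_type from one source ...
    window: int        # ... within this many seconds

@dataclass
class Alert:           # assumed alert shape
    rule: str
    src: str
    count: int
    first_ts: int
    last_ts: int

def correlate(events, rule):
    """Sliding-window threshold rule: raise one alert per source each time
    `threshold` matching events from that source fall within `window` seconds."""
    alerts, buckets = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != rule.event_type:
            continue
        q = buckets[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > rule.window:   # drop events outside the window
            q.pop(0)
        if len(q) >= rule.threshold:
            alerts.append(Alert(rule.name, ev["src"], len(q), q[0], ev["ts"]))
            q.clear()                                 # start a fresh window after firing
    return alerts

def open_incidents(alerts):
    """Group alerts by source into incidents, as the IRP step would before assignment."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a.src].append(a.rule)
    return [{"src": src, "alerts": rules} for src, rules in grouped.items()]
```

With the sample events, a rule of three `auth_failure` events from one source within 60 seconds raises a single alert for 10.0.0.5 covering timestamps 100 to 150; the lone event at 900 and the single event from 10.0.0.7 do not meet the threshold.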