Installation and initial setup of Kaspersky XDR Expert

Following this scenario, you can install Kaspersky Single Management Platform with all the components necessary for operation of the Kaspersky XDR Expert solution and then perform the required preliminary configurations and integrations.

Prerequisites

Before you start, make sure that:

Stages

The main installation and initial setup scenario proceeds in stages:

  1. Installation

    Use Kaspersky Deployment Toolkit to install Kaspersky Single Management Platform and all the required components for Kaspersky XDR Expert in your infrastructure.

  2. Activation

    Activate the Kaspersky XDR Expert solution under your license.

  3. Configuring multitenancy

    If necessary, you can use the multitenancy features:

    1. Plan and create the required hierarchy of tenants.
    2. Create the matching hierarchy of Administration Servers in Kaspersky Single Management Platform.
    3. Bind tenants to the corresponding Administration Servers.

  4. Adding assets

    The devices in your infrastructure that must be protected are represented as assets in Kaspersky XDR Expert. Kaspersky Single Management Platform allows you to discover the devices in your network and manage their protection. You will also be able to add assets manually or import them from other sources during stage 8.

    User accounts are also represented as assets in Kaspersky XDR Expert. Make sure to configure the integration with Active Directory during stage 9 to enable the display of affected user accounts in the related events, alerts and incidents.

  5. Adding users and assigning roles

    Create user accounts for all Kaspersky XDR Expert users. Assign roles to the user accounts to define their access rights to various Kaspersky XDR Expert features depending on their tasks.

  6. Connecting to an SMTP server

    Configure the connection to an SMTP server for email notifications about events occurring in Kaspersky XDR Expert.

  7. Installing endpoint protection applications and solutions

    Kaspersky XDR Expert works with events received from security applications installed on your assets. Check the list of compatible Kaspersky applications and solutions. You can use Kaspersky Single Management Platform to deploy Kaspersky applications on the devices in your infrastructure.

  8. Configuring event sources, storage and correlation

    Specify where the events must be received from and how they must be stored and processed:

    1. Log in to the web console of Kaspersky Unified Monitoring and Analysis Platform.
    2. Set up integration of Kaspersky Unified Monitoring and Analysis Platform and Kaspersky Single Management Platform.
    3. Import assets from Kaspersky Single Management Platform.
    4. [OPTIONAL] Add assets manually or import them from other sources.
    5. Configure the event sources to specify where you want to receive the events from.
    6. Create a storage for events.
    7. Create collectors for receiving, processing (normalizing) and transmitting the events.
    8. Create correlators for initial analysis of normalized events and their further processing.

      During the collector creation you can create correlation rules to define the rules for processing and responding to the events. You can also import previously saved correlation rules or use the ready-made set of correlation rules provided with the Kaspersky XDR Expert solution. After the correlator has been created, you can link correlation rules to the correlator if needed.

      It is strongly recommended to configure the exclusions at this stage to avoid false positives and irrelevant data.

  9. Configuring the integrations

    Configure the integration of Kaspersky XDR Expert with Active Directory and with other Kaspersky solutions to extend its possibilities and to enrich data available for incident investigation.

    1. Integration with Active Directory (strongly recommended).
    2. [OPTIONAL] Integration with KATA/EDR (license is required).
    3. [OPTIONAL] Integration with Kaspersky CyberTrace (license is required).
    4. [OPTIONAL] Integration with Kaspersky TIP (license is required) or Kaspersky Open TIP.
    5. [OPTIONAL] Integration with Kaspersky Automated Security Awareness Platform (license is required).

  10. Verifying the correctness of the configuration

    Use the EICAR test file on one of the assets. If the initial setup was performed correctly and the necessary correlation rules were configured, this event triggers the creation of an alert in the alerts list.

After the initial setup is complete, events from the protected assets are received and processed by Kaspersky XDR Expert, and if a correlation rule is triggered, an alert is created.

See also:

Using the threat monitoring, detection and hunting features

Example of incident investigation with Kaspersky XDR Expert
