Responding through Active Directory

May 15, 2024

ID 261323

You can integrate Kaspersky Next XDR Expert with the Active Directory services that are used in your organization. Active Directory is considered to be integrated with Kaspersky Next XDR Expert after the integration between Active Directory and KUMA is configured.

Configuring the integration between Kaspersky Next XDR Expert and Active Directory consists of configuring LDAP connections in KUMA. An LDAP connection must be configured separately for each tenant.

As a result, if an alert or an incident occurs, you will be able to perform response actions in relation to the associated users of that tenant.

You can perform a response action through Active Directory in one of the following ways:

  • From the alert or incident details
  • From a telemetry event (if you open it from alert details)
  • From an investigation graph

    This option is available if the investigation graph is built.

You can also configure a response action to run automatically when creating or editing a playbook.

To perform a response action through Active Directory, you must have one of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst.

To perform a response action through Active Directory:

  1. In the main menu, go to the Monitoring & reporting section, and then select the Alerts or Incidents section.

    If you want to respond from the telemetry event, select the Alerts section.

    If you respond from an investigation graph, select the Incidents section.

  2. Click the ID of the required alert or incident.
  3. In the window that opens, do one of the following:
    • If you want to respond through the alert or incident details, go to the Assets tab, and then click the name of the user.
    • If you want to respond through a telemetry event, go to the Details tab, and either click the name of the required event, and then select the user; or click the Find in Threat hunting button to go to the Threat Hunting section, and then select the required user.
    • If you want to respond through an investigation graph, click the View on graph button. In the investigation graph that opens, click the name of the user.

    The Account details window opens on the right side of the screen.

  4. In the Response through Active Directory drop-down list, select an action that you want to perform:
    • Lock account

      If the account is locked successfully, a confirmation message is displayed on the screen. Otherwise, an error message is displayed.

    • Reset password

      If the password is reset successfully, a confirmation message is displayed on the screen. Otherwise, an error message is displayed.

    • Add user to security group

      In the window that opens, in the mandatory Security group DN field, specify the full distinguished name of the security group to which you want to add the user, for example CN=HQ Team,OU=Groups,OU=ExchangeObjects,DC=avp,DC=ru. Then click the Add button. Only one group can be specified per operation.

      If the user is added to the security group successfully, a confirmation message is displayed on the screen. Otherwise, an error message is displayed.

    • Delete user from security group

      In the window that opens, in the mandatory Security group DN field, specify the full distinguished name of the security group from which you want to delete the user, for example CN=HQ Team,OU=Groups,OU=ExchangeObjects,DC=avp,DC=ru. Then click the Delete button. Only one group can be specified per operation.

      If the user is deleted from the security group successfully, a confirmation message is displayed on the screen. Otherwise, an error message is displayed.
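The group membership actions above take a free-text Security group DN, and each tenant has its own LDAP connection. The following is an added example, not code from Kaspersky Next XDR Expert or KUMA, of the checks a practitioner would run on that value before using it (or before scripting the same change outside the console): it normalizes the spacing shown in the sample DN, refuses a value that smuggles in a second group, confirms the DN names a group by CN and sits under the tenant's base DN, and emits the RFC 2849 change record for adding or removing the user's `member` value. The base DN `DC=avp,DC=ru` and the user DN are constructed for the example; no LDAP server is contacted.

```python
"""Check a 'Security group DN' value before it is used in an AD response action.

Added example, not part of Kaspersky Next XDR Expert or KUMA. Assumptions:
  - the tenant's LDAP connection is scoped to one base DN (constructed here
    as DC=avp,DC=ru, matching the sample DN on the page);
  - exactly one group DN is accepted per operation, as the procedure states.
The LDIF it produces follows RFC 2849 and is what ldapmodify would apply.
"""


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split s on sep, ignoring occurrences escaped with a backslash (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair verbatim
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _strip_unescaped_spaces(value: str) -> str:
    """Drop surrounding spaces, but keep a trailing space that is escaped ('\\ ')."""
    value = value.lstrip(" ")
    while value.endswith(" "):
        head = value[:-1]
        backslashes = len(head) - len(head.rstrip("\\"))
        if backslashes % 2 == 1:          # odd run of backslashes: space is escaped
            break
        value = head
    return value


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse a DN into (attributeType, value) pairs, most specific RDN first.

    Tolerates the spacing 'CN = HQ Team, OU = Groups, ...' and rejects
    empty or malformed RDNs.
    """
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        attr, eq, value = rdn.partition("=")
        attr, value = attr.strip().upper(), _strip_unescaped_spaces(value)
        if not eq or not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr, value))
    return rdns


def canonical_dn(rdns: list[tuple[str, str]]) -> str:
    """Serialise RDNs in the canonical 'CN=x,OU=y,DC=z' form."""
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def validate_group_dn(dn: str, tenant_base_dn: str) -> str:
    """Return the canonical group DN, or raise ValueError saying why it is rejected."""
    # An unescaped ';' or a newline would smuggle a second DN into the field;
    # the procedure allows exactly one group per operation.
    if len(_split_unescaped(dn, ";")) > 1 or "\n" in dn:
        raise ValueError("only one security group DN is allowed per operation")
    rdns = parse_dn(dn)
    if rdns[0][0] != "CN":
        raise ValueError("a security group DN must start with the group's CN")
    base = parse_dn(tenant_base_dn)

    def fold(pairs):                      # AD compares DN components case-insensitively
        return [(a, v.lower()) for a, v in pairs]

    # A DN outside the tenant's base cannot be resolved over this tenant's connection.
    if len(rdns) <= len(base) or fold(rdns[-len(base):]) != fold(base):
        raise ValueError(f"group DN is outside the tenant base {tenant_base_dn}")
    return canonical_dn(rdns)


def membership_ldif(user_dn: str, group_dn: str, tenant_base_dn: str, add: bool = True) -> str:
    """Build the RFC 2849 modify record that adds (or deletes) the user as a group member."""
    group = validate_group_dn(group_dn, tenant_base_dn)
    user = canonical_dn(parse_dn(user_dn))
    op = "add" if add else "delete"
    return f"dn: {group}\nchangetype: modify\n{op}: member\nmember: {user}\n-\n"


if __name__ == "__main__":
    BASE = "DC=avp,DC=ru"                          # constructed tenant base DN
    USER = "CN=J. Doe,OU=Users,DC=avp,DC=ru"       # constructed user DN
    print(membership_ldif(USER, "CN = HQ Team, OU = Groups, OU = ExchangeObjects, DC = avp, DC = ru", BASE))
    for bad in ("OU=Groups,DC=avp,DC=ru",
                "CN=HQ Team,DC=other,DC=com",
                "CN=A,DC=avp,DC=ru;CN=B,DC=avp,DC=ru"):
        try:
            validate_group_dn(bad, BASE)
        except ValueError as exc:
            print("rejected:", exc)
```

The rejection cases are the ones worth keeping in mind when the field is filled in by hand: an OU rather than a group, a group from another domain that this tenant's LDAP connection cannot reach, and two DNs joined with a separator. Escaped characters inside values (for example `CN=Smith\, John`) are preserved rather than decoded, so the canonical string can be passed straight to an LDAP client.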
