Verifying correctness of the Kaspersky Next XDR Expert configuration

17 June 2024

ID 274392

You can use the EICAR test virus on one of the assets, to ensure that Kaspersky Next XDR Expert is deployed and configured correctly. If the initial setup was performed correctly and the necessary correlation rules were configured, the correlation event will trigger the creation of an alert in the alerts list.

To verify correctness of the Kaspersky Next XDR Expert configuration:

  1. Create a new correlator in KUMA Console.

    When creating the correlator, do not specify parameters in the Correlation section.

  2. Import correlation rules from the SOC Content package to obtain the predefined correlation rules used to detect the EICAR test virus.
  3. Specify the correlation rule for the created correlator.

    You can use one of the following methods to specify the correlation rule:

    • Link the predefined correlation rule to the created correlator:
      1. Go to Resources, click Correlation rules, and then select the tenant to which the correlation rule will be applied.
      2. In the list of the predefined correlation rules, select the R077_02_KSC.Malware detected rule to detect events from Kaspersky Security Center.
      3. Click Link to correlator, and then select the created correlator to link the selected correlation rule to the correlator.
    • Create the correlation rule with the predefined filters manually:
      1. Open the created correlator settings, go to the Correlation section, and then click Add.
      2. In the Create correlation rule window, on the General tab, set the following parameters, as well as other rule parameters:
        • Kind: simple.
        • Propagated fields: DestinationAddress, DestinationHostName, DestinationAccountID, DestinationAssetID, DestinationNtDomain, DestinationProcessName, DestinationUserName, DestinationUserID, SourceAccountID, SourceUserName.
      3. Go to Selectors, open Settings, and then specify the expression to filter the required events:
        • In builder mode, add the f: KSC events, f: KSC virus found, and f: Base events filters with the AND operator.
        • Alternatively, you can specify this expression in the source code mode as follows:

          filter='b308fc22-fa79-4324-8fc6-291d94ef2999'
          AND filter='a1bf2e45-75f4-45c1-920d-55f5e1b8843f'
          AND filter='1ffa756c-e8d9-466a-a44b-ed8007ca80ca'

      4. In the Actions section of the correlation rule settings, select only the Output check box (the Loop to correlator and No alert check boxes must be cleared). In this case, when the EICAR test virus is detected, a correlation event will be created and an alert will be created in the alert list of Kaspersky Next XDR Expert.
      5. Click Create new to save the correlation rule settings linked to the correlator.
  4. Create and configure a collector in KUMA Console for receiving information about Administration Server events from an MS SQL database.

    Alternatively, you can use the predefined [OOTB] KSC SQL collector.

  5. In the Routing section of the collector settings, set Type to correlator, and then specify the created correlator in the URL field, to forward the processed events to it.
  6. Install Network Agent and the endpoint protection application (for example, Kaspersky Endpoint Security) on an asset of your organization network. Ensure that the asset is connected to Administration Server.
  7. Place the EICAR test file on the asset, and then detect the test virus by using the endpoint protection application.

After that, Administration Server will be notified about the event on the asset. This event will be forwarded to the KUMA component, transformed into a correlation event, and that correlation event will trigger the creation of an alert in the alerts list in Kaspersky Next XDR Expert. If the alert has been created, Kaspersky Next XDR Expert is working correctly.
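The following Python script is an added example and not Kaspersky code: it is a toy model of the simple correlation rule configured in step 3, useful for reasoning about why the rule needs the three AND-ed filters, what the Propagated fields setting copies into the correlation event, and how the Output, Loop to correlator and No alert check boxes decide whether an alert appears. The filter predicates, the field values, the sample EICAR detection event and the shape of the correlation event are all constructed assumptions; the real predefined filters are referenced by UUID and their exact conditions are not shown on this page.

```python
"""Toy model of the R077_02_KSC.Malware detected simple correlation rule.

Added example (not KUMA's implementation). It models:
  * the selector: three filters combined with AND,
  * propagated fields copied from the base event into the correlation event,
  * the Actions check boxes and their effect on alert creation, following
    the page's description (alert only when Output is set and No alert is
    cleared).
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

RULE_NAME = "R077_02_KSC.Malware detected"

# Propagated fields exactly as listed in the rule settings on the page.
PROPAGATED_FIELDS = (
    "DestinationAddress", "DestinationHostName", "DestinationAccountID",
    "DestinationAssetID", "DestinationNtDomain", "DestinationProcessName",
    "DestinationUserName", "DestinationUserID", "SourceAccountID",
    "SourceUserName",
)

# Constructed stand-ins for the predefined filters (assumed conditions).
# "f: Base events" is modelled as Type == 1; the assumed convention here is
# 1 = base event, 3 = correlation event.
FILTERS: Dict[str, Callable[[dict], bool]] = {
    "f: KSC events": lambda e: e.get("DeviceProduct") == "Kaspersky Security Center",
    "f: KSC virus found": lambda e: e.get("DeviceEventClassID") == "VIRUS_FOUND",
    "f: Base events": lambda e: e.get("Type") == 1,
}


@dataclass
class Actions:
    """The three check boxes in the Actions section of the rule."""
    output: bool = True
    loop_to_correlator: bool = False
    no_alert: bool = False


@dataclass
class Outcome:
    correlation_event: Optional[dict]  # None when the selector did not match
    alert_created: bool
    looped_back: bool


def selector_matches(event: dict) -> bool:
    """AND of all three filters, as in the builder/source-code expression."""
    return all(pred(event) for pred in FILTERS.values())


def run_rule(event: dict, actions: Actions) -> Outcome:
    """Evaluate one incoming event against the rule and its actions."""
    if not selector_matches(event):
        return Outcome(None, False, False)
    # Assumed shape of the correlation event: a Type-3 event named after the rule
    # carrying only the propagated fields that were present on the base event.
    corr = {"Type": 3, "Name": RULE_NAME}
    for name in PROPAGATED_FIELDS:
        if name in event:
            corr[name] = event[name]
    alert = actions.output and not actions.no_alert
    return Outcome(corr, alert, actions.loop_to_correlator)


# Constructed sample: what a KSC "malicious object detected" base event for the
# EICAR test file might look like after normalisation (values are invented).
EICAR_EVENT = {
    "Type": 1,
    "DeviceProduct": "Kaspersky Security Center",
    "DeviceEventClassID": "VIRUS_FOUND",
    "DestinationHostName": "ws-test-01.example.local",
    "DestinationAddress": "10.0.0.25",
    "DestinationProcessName": "C:\\Users\\tester\\eicar.com",
    "DestinationUserName": "tester",
    "Message": "EICAR-Test-File detected",  # not a propagated field
}

if __name__ == "__main__":
    first = run_rule(EICAR_EVENT, Actions())
    print("alert created:", first.alert_created)
    print("correlation event:", first.correlation_event)
    # The "f: Base events" filter keeps a looped-back correlation event
    # (Type 3) from matching the rule a second time.
    again = run_rule(first.correlation_event, Actions(loop_to_correlator=True))
    print("re-triggered on its own output:", again.correlation_event is not None)
```

Running the script with the default Actions (Output only, as step 3 prescribes) produces a correlation event that carries the host, address, process and user fields but not Message, and an alert; setting No alert or clearing Output suppresses the alert even though the selector still matches, which is the misconfiguration this verification step is meant to catch.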
