Kaspersky NEXT XDR Expert RFX Tender Requirements 0724 en
Kaspersky Next XDR Expert
RFx/Tender requirements
Kaspersky
03.07.2024
Changelog
27.06.2024 Version 1.0 has been created for the following applications:
Vendor requirements
8. The vendor must offer a premium technical support proposition for its ATP and EDR solutions.
10. The proposed solution must support the operating systems below:
    Windows 7 Home / Professional / Ultimate / Enterprise Service Pack 1 or later
    Windows 8 Professional / Enterprise
    Windows 8.1 Professional / Enterprise
    Windows 10 Home / Pro / Pro for Workstations / Education / Enterprise / Enterprise multi-session
    Windows 11 Home / Pro / Pro for Workstations / Education / Enterprise
  Servers
    Windows Small Business Server 2011 Essentials / Standard (64-bit)
    Windows MultiPoint Server 2011 (64-bit)
    Windows Server 2008 R2 Foundation / Standard / Enterprise / Datacenter Service Pack 1 or later
    Windows Web Server 2008 R2 Service Pack 1 or later
    Windows Server 2012 Foundation / Essentials / Standard / Datacenter (including Core Mode)
    Windows Server 2012 R2 Foundation / Essentials / Standard / Datacenter (including Core Mode)
    Windows Server 2016 Essentials / Standard / Datacenter (including Core Mode)
    Windows Server 2019 Essentials / Standard / Datacenter (including Core Mode)
    Windows Server 2022 Standard / Datacenter / Datacenter: Azure Edition (including Core Mode)
  Microsoft Terminal Servers
    Microsoft Remote Desktop Services based on Windows Server 2008 R2 SP1
    Microsoft Remote Desktop Services based on Windows Server 2012
    Microsoft Remote Desktop Services based on Windows Server 2012 R2
    Microsoft Remote Desktop Services based on Windows Server 2016
    Microsoft Remote Desktop Services based on Windows Server 2019
    Microsoft Remote Desktop Services based on Windows Server 2022
  32-bit Linux operating systems:
    CentOS 6.7 and later
    Debian GNU/Linux 11.0 and later
    Debian GNU/Linux 12.0 and later
    Mageia 4
    Red Hat Enterprise Linux 6.7 and later
    ALT 8 SP Workstation
    ALT 8 SP Server
    ALT Workstation 10
    ALT SP Workstation release 10
  64-bit Linux operating systems:
    AlmaLinux OS 8 and later
    AlmaLinux OS 9 and later
    AlterOS 7.5 and later
    Amazon Linux 2
    Astra Linux Common Edition 2.12
    Astra Linux Special Edition RUSB.10015-01 (operational update 1.5)
    Astra Linux Special Edition RUSB.10015-01 (operational update 1.6)
    Astra Linux Special Edition RUSB.10015-01 (operational update 1.7)
    Astra Linux Special Edition RUSB.10015-16 (release 1) (operational update 1.6)
    CentOS 6.7 and later
    CentOS 7.2 and later
    CentOS Stream 8
    CentOS Stream 9
    Debian GNU/Linux 11.0 and later
    Debian GNU/Linux 12.0 and later
    EMIAS 1.0 and later
    EulerOS 2.0 SP5
    Kylin 10
    Linux Mint 20.3 and later
    Linux Mint 21.1 and later
    openSUSE Leap 15.0 and later
    Oracle Linux 7.3 and later
    Oracle Linux 8.0 and later
    Oracle Linux 9.0 and later
    Red Hat Enterprise Linux 6.7 and later
    Red Hat Enterprise Linux 7.2 and later
    Red Hat Enterprise Linux 8.0 and later
    Red Hat Enterprise Linux 9.0 and later
    Rocky Linux 8.5 and later
    Rocky Linux 9.1
    SberLinux 8.8 (Dykhtau)
    SUSE Linux Enterprise Server 12.5 or later
    SUSE Linux Enterprise Server 15 or later
    Ubuntu 20.04 LTS
    Ubuntu 22.04 LTS
    ALT 8 SP Workstation
    ALT 8 SP Server
    ALT Workstation 10
    ALT Server 10
    ALT SP Workstation release 10
    ALT SP Server release 10
    Atlant, Alcyone build, version 2022.02
    GosLinux 7.17
    GosLinux 7.2
    MSVSPHERE 9.2 SERVER
    MSVSPHERE 9.2 ARM
    RED OS 7.3
    ROSA Cobalt 7.9
    ROSA Chrome 12
    SynthesisM Client 8.6
    SynthesisM Server 8.6
  64-bit Arm operating systems:
    Astra Linux Special Edition RUSB.10152-02 (operational update 4.7)
    CentOS Stream 9
    EulerOS 2.0 SP8
    SUSE Linux Enterprise Server 15
    Ubuntu 22.04 LTS
    ALT Workstation 10
    ALT Server 10
    ALT SP Workstation release 10
    ALT SP Server release 10
    RED OS 7.3
  macOS operating systems:
    macOS 12 – 14
  macOS virtualization tools:
    Parallels Desktop 16 for Mac Business Edition
    VMware Fusion 11.5 Professional
    VMware Fusion 12 Professional
11. The proposed solution must support the following virtual platforms:
    Oracle Linux 8.6 and later
    Ubuntu Server 22.04 and later
13. The proposed solution must support protection of the latest operating system versions across all platforms (Windows, Linux, macOS, iOS, Android).
1. The solution must provide a single web-based user interface for central management, incident investigation and response, so that administrators and analysts can monitor the entire infrastructure at a glance.
6. The solution must provide the ability to export reports to HTML, PDF, CSV, Split CSV and Excel.
7. The solution must provide the ability to export event search results into at least one of the following formats: CSV, TXT, TSV.
9. The proposed solution must have the ability to integrate with Windows Defender Security Center.
11. The proposed solution must provide next-generation protection technologies, for example:
    protection against fileless threats
    provision of multi-layered Machine Learning (ML) based protection and behavioral analysis during different stages of the kill chain
12. The proposed solution must provide Memory Scanning for Windows workstations.
13. The proposed solution must provide Kernel Memory Scanning for Linux workstations.
14. The proposed solution must provide the ability to switch to cloud mode for threat protection, decreasing RAM and hard disk drive usage on resource-limited machines.
17. The proposed solution must provide behavioral analysis based on ML.
18. The proposed solution must provide the ability to integrate with the vendor’s own Endpoint Detection and Response (EDR) and Anti-APT solutions, for active threat hunting and automated incident response.
20. The proposed solution must include the ability to configure and manage the firewall settings built into the Windows Server and Linux operating systems, through its management console.
22. The proposed solution must provide Application and Device Controls for Windows workstations.
23. The proposed solution must include Application Launch/Start Control for the Windows Server operating system.
24. The proposed solution’s protection for servers and workstations must include a dedicated component for protection against ransomware/crypto virus activity on shared resources.
25. The proposed solution must, on detecting ransomware/cryptor-like activity, automatically block the attacking computer for a specified interval and record information about the attacking computer (IP address and timestamp) and the threat type.
26. The proposed solution must provide a pre-defined list of scan exclusions for Microsoft applications and services.
28. The proposed solution must enable the following for endpoints:
    Manual Scanning
    On-Access Scanning
    On-Demand Scanning
    Compressed File Scanning
    Scan Individual File, Folder and Drive
    Script Blocking and Scanning
    Registry Guard
    Buffer Overflow Protection
    Background/Idle Scanning
    Removable Drive Scanning on connection to the system
    The ability to detect and block untrusted hosts on detection of encryption-like activities on server shared resources
30. The proposed solution must have both local and global reputation databases.
31. The proposed solution must be able to scan HTTPS, HTTP and FTP traffic for viruses, spyware and any other malware.
34. The proposed solution must be able to block network attacks and report the source of the infection.
35. The proposed solution must have local storage on endpoints to keep copies of files that have been deleted or modified during disinfection. These files must be stored in a specific format that ensures they cannot pose any threat.
36. The proposed solution must have a proactive approach to preventing malware from exploiting existing vulnerabilities on servers and workstations.
38. The proposed solution must include protection against attacks that exploit vulnerabilities in the ARP protocol to spoof the device MAC address.
39. The proposed solution must include a control component able to learn to recognize typical user behavior on a specific protected computer or group of protected computers, then identify and block anomalous and potentially harmful actions made by that endpoint or user.
42. The proposed solution must be able to decrypt and scan network traffic transmitted over encrypted connections.
43. The proposed solution must have the ability to automatically exclude web resources when a scan error occurs while performing an encrypted connection scan. This exclusion must be unique to the host and must not be shared with other endpoints.
44. The proposed solution must include functionality to remotely wipe data on the endpoint (for workstations).
47. The proposed solution should have the ability to raise an alert on, clean, and delete a detected threat.
48. The proposed solution should have the ability to accelerate scanning tasks by skipping those objects that have not changed since the previous scan.
49. The proposed solution should have the ability to prioritize custom and on-demand scanning tasks for Linux workstations.
50. The proposed solution must allow the administrator to exclude specified files/folders/applications/digital certificates from being scanned, either on-access (real-time protection) or during on-demand scans.
51. The proposed solution should include the functionality to isolate infected computers.
52. The proposed solution must automatically scan removable drives for malware when they are attached to any endpoint. Scan control should be based on drive size.
53. The proposed solution must be able to block the use of USB storage devices or allow access only to permitted devices, and allow read/write access only by domain users, to reduce data theft and enforce lock policies.
55. The proposed solution must be able to log file operations (Write and Delete) on USB storage devices. This should not require any additional license or component to be installed on the endpoint.
56. The proposed solution must have the ability to block the execution of any executable from a USB storage device.
57. The proposed solution must have the ability to block/allow user access to web resources based on website, content type, user and time of day.
58. The proposed solution must have a specific detection category to block website banners.
59. The proposed solution must provide the ability to configure Wi-Fi networks based on Network Name, Authentication Type and Encryption Type, so these can later be used to block or allow Wi-Fi connections.
60. The proposed solution must support user-based policies for Device, Web, and Application Control.
61. The proposed solution should specifically allow the blocking of the following devices:
    Bluetooth
    Mobile devices
    External modems
    CD/DVDs
    Cameras and Scanners
    MTPs
    and the transfer of data to mobile devices
62. The proposed solution should feature cloud integration, to provide the fastest possible updates on malware and potential threats.
63. The proposed solution must have the ability to manage user access rights for Read and Write operations on CDs/DVDs, removable storage devices and MTP devices.
64. The proposed solution must feature firewall filtering by local address, physical interface, and packet Time-To-Live (TTL).
65. The proposed solution must allow the administrator to monitor an application’s use of custom/random ports after it has launched.
66. The proposed solution must support the blocking of prohibited (Deny-List) applications from being launched on the endpoint, and the blocking of all applications other than those included in Allow-Lists.
69. The proposed solution must include traffic malware filtering, web link verification and web-resource control based on cloud categories.
71. The proposed solution must have the ability to allow applications based on their digital signature certificates, MD5, SHA256, metadata, file path, and pre-defined security categories.
72. The proposed solution must have controls for the download of DLLs and drivers.
74. The proposed solution must support the control of PowerShell scripts.
75. The proposed solution must support a Test Mode with report generation on the launch of blocked applications.
76. The proposed solution must have the ability to restrict application activities within the system according to the trust level assigned to the application, and to limit the rights of applications to access certain resources, including system and user files (HIPS functionality).
77. The proposed solution must have the ability to control system/user application access to audio and video recording devices.
78. The proposed solution must provide a facility to check the applications listed in each cloud-based category.
79. The proposed solution must have the ability to integrate with a vendor-specific Advanced Threat Protection system.
80. The proposed solution must have the ability to automatically regulate the activity of running programs, including access to the file system and registry as well as interaction with other programs.
81. The proposed solution must have the ability to automatically delete Application Control rules if an application is not launched during a specified interval. The interval must be configurable.
83. The proposed solution must have endpoint mail threat protection with:
    Attachment filter and the ability to rename attachments
    Scanning of mail messages when receiving, reading, and sending
84. The proposed solution must have the ability to scan multiple redirects, shortened URLs, hijacked URLs, and time-based delays.
85. The proposed solution must enable the user of the computer to check a file’s reputation from the file context menu.
86. The proposed solution must include the scanning of all scripts, including those developed for Microsoft Internet Explorer, as well as any WSH scripts (JavaScript, Visual Basic Script, etc.), launched when the user works on the computer, including on the internet.
87. The proposed solution must provide protection against as yet unknown malware based on the analysis of its behavior and examination of changes in the system registry, together with a strong remediation engine to automatically restore any system changes made by the malware.
88. The proposed solution must provide protection against hacker attacks by using a firewall with an intrusion detection and prevention system (IDS/IPS) and network activity rules for the most popular applications when working in computer networks of any type, including wireless networks.
90. The proposed solution must offer scanning of critical sections of the computer as a standalone task.
92. The proposed solution must offer the ability to choose which threat protection components to install.
93. The proposed solution must include the antivirus checking and disinfection of files that have been packed using programs like PKLITE, LZEXE, DIET, EXEPACK, etc.
94. The proposed solution must include the anti-malware checking and disinfection of files in archives using the RAR, ARJ, ZIP, CAB, LHA, JAR and ICE formats, including password-protected files.
95. The proposed solution must protect against as yet unknown malware belonging to registered families, based on heuristic analysis.
96. The proposed solution must include multiple ways to notify the administrator about important events which have taken place (mail notification, audible announcement, pop-up window, log entry).
97. The proposed solution must allow the administrator to create a single installer with the required configuration, for use by non-IT-literate users.
98. The proposed solution must allow the use of cloud services on managed Windows devices to be monitored.
100. The proposed solution must support usage in Light Agent mode to protect virtual environments, or in standalone mode.
6. The proposed solution must have the ability to block malicious sites designed to spread malicious code, and phishing websites designed to steal confidential user data and access the user's financial information.
10. The proposed solution must have the functionality to detect the location of the mobile device via GPS and show it on Google Maps.
11. The proposed solution must enable the administrator to take a picture (Mugshot) with the front camera of the mobile device when it is locked.
13. The proposed solution must have the functionality to remotely wipe the following from Android devices:
    containerized data
    corporate email accounts
    settings for connecting to the corporate Wi-Fi network and VPN
    Access Point Name (APN)
    Android for Work profile
    KNOX container
    KNOX License Manager key
14. The proposed solution must have the functionality to remotely wipe the following from iOS devices:
    All installed configuration profiles
    All provisioning profiles
    The iOS MDM profile
    Applications for which the Remove and iOS MDM profile check box has been selected
15. The proposed solution must allow the encryption of all data on the device (including user account data, removable drives, and apps, as well as email messages, SMS messages, contacts, photos, and other files). Access to encrypted data should only be possible on an unlocked device through a special key or device unlock password.
16. The proposed solution must offer controls to ensure that all devices comply with corporate security requirements. Compliance Control should be based on a set of rules which should include the following components:
    Device check criteria
    Time period allocated for the user to fix the non-compliance
    Action that will be taken on the device if the user does not fix the non-compliance within the set period
    Ability to remediate non-compliant devices
17. The proposed solution must have the functionality to detect and notify the administrator about device hacks (e.g., rooting, jailbreaking).
20. The proposed solution must support all the deployment methods below for the mobile agent:
    Google Play, Huawei AppGallery and Apple App Store
    KNOX Mobile Enrollment portal
    Standalone preconfigured installation packages
21. The proposed solution must allow the configuration of Access Point Names (APN) to connect a mobile device to data transfer services on a mobile network.
22. The proposed solution must allow the PIN on a mobile device to be reset remotely.
23. The proposed solution must include the option to enroll Android devices using third-party EMM systems:
    VMware AirWatch 9.3 or later
    MobileIron 10.0 or later
    IBM MaaS360 10.68 or later
    Microsoft Intune 1908 or later
    SOTI MobiControl 14.1.4 (1693) or later
24. The proposed solution must have the functionality to enforce the installation of a mandatory app on the device.
26. The proposed solution must be able to scan files opened on the device.
27. The proposed solution must be able to scan programs installed from the device interface.
28. The proposed solution must be able to scan file system objects on the device or on connected memory extension cards on request of the user or according to a schedule.
29. The proposed solution must provide the reliable isolation of infected objects in a quarantine storage location.
30. The proposed solution must feature the updating of the antivirus databases used to detect malicious programs and delete dangerous objects.
31. The proposed solution must be able to scan mobile devices for malware and other unwanted objects on demand and on schedule, and deal with them automatically.
32. The proposed solution must be able to manage and monitor mobile devices from the same console as that used to manage computers and servers.
33. The proposed solution must provide Anti-Theft functionality, so that lost and/or misplaced devices can be located, locked and wiped remotely.
34. The proposed solution must provide the facility to block forbidden applications from being launched on the mobile device.
35. The proposed solution must be able to enforce security settings, such as password restrictions and encryption, on mobile devices.
36. The proposed solution must have the ability to push applications recommended/required by the administrator to the mobile phone.
37. The proposed solution must have Application Control with Forbidden/Allowed application modes.
39. The proposed solution must protect against online threats on iOS devices.
Centralized administration, monitoring, and update software requirements (SMP and SMP agents)
8. The proposed solution must have the ability to read information from Active Directory to obtain data about computer accounts in the organization.
9. The proposed solution must include a built-in web console for the management of the endpoints, which should not require any additional installation.
12. The proposed solution must provide for the centralized installation, update and removal of anti-malware software, together with centralized configuration, administration, and the viewing of reports and statistical information about its operation.
13. The proposed solution must feature the centralized removal (manual and automatic) of incompatible applications from the administration center.
14. The proposed solution must provide flexible methods for anti-malware agent installation: RPC, GPO, an administration agent for remote installation, and the option to create a standalone installation package for local installation.
15. The proposed solution must enable the remote installation of anti-malware software with the latest anti-malware databases.
16. The proposed solution must enable the automatic update of anti-malware software and anti-malware databases.
17. The proposed solution must have automatic search facilities for vulnerabilities in applications and in the operating system on protected machines.
21. The proposed solution must allow for the testing of downloaded updates by means of the centralized administration software prior to distributing them to client machines, and the delivery of updates to user workplaces immediately after receiving them.
24. The proposed solution must support Managed Services Mode for administration servers, so that logically isolated administration server instances can be set up for different users and user groups.
25. The proposed solution must give access to the anti-malware security vendor’s cloud services via the administration server.
29. The proposed solution must enable the centralized installation of third-party applications on all or selected computers.
30. The proposed solution must have the ability to specify any computer in the organization as a center for relaying updates and installation packages, in order to reduce the network load on the main administration server system.
31. The proposed solution must have the ability to specify any computer in the organization as a center for forwarding anti-malware agent events from the selected group of client computers to the centralized administration server, in order to reduce the network load on the main administration server system.
32. The proposed solution must be able to generate graphical reports for anti-malware software events, and data about the hardware and software inventory, licensing, etc.
33. The proposed solution must be able to export reports to PDF and XML files.
35. The proposed solution must provide the creation of internal accounts to authenticate administrators on the administration server.
39. The proposed solution must include some form of system to control virus epidemics.
40. The proposed solution must include Role Based Access Control (RBAC), and this must allow restrictions to be replicated throughout the management servers in the hierarchy.
42. The proposed solution must have the ability to manage mobile devices through remote commands.
43. The proposed solution must have the ability to delete downloaded updates.
45. The proposed solution must enable the selection of an update agent for client computers based on a network analysis.
46. The proposed solution must clearly show information about the distribution of vulnerabilities across managed computers.
47. The proposed solution’s management server interface must support the Arabic language.
51. The proposed solution must have the ability to define an IP address range, to limit client traffic towards the management server based on time and speed.
52. The proposed solution must have the ability to perform an inventory of scripts and .dll files.
53. The proposed solution must have the ability to tag/mark computers based on:
    Network Attributes
      o Name
      o Domain and/or Domain Suffix
      o IP address
      o IP address to management server
    Location in Active Directory
      o Organizational Unit
      o Group
    Operating System
      o Type and Version
      o Architecture
      o Service Pack number
    Virtual Architecture
    Application registry
      o Application name
      o Application version
      o Manufacturer
54. The proposed solution must have the ability to create/define settings based on a computer’s location in the network, rather than the group to which it belongs in the management server.
56. The proposed solution must allow the administrator to define restricted settings in policy/profile settings, so that a virus scan task can be triggered automatically when a certain number of viruses are detected over a defined amount of time. The values for the number of viruses and the timescale must be configurable.
59. The proposed solution must have the functionality to detect non-persistent virtual machines and automatically delete them and their related data from the management server when they are powered off.
60. The proposed solution must enable the administrator to set a period after which a computer that has not connected to the management server, and its related data, are automatically deleted from the server.
62. The proposed solution must allow the administrator to define different status change conditions for groups of endpoints in the management server.
63. The proposed solution must allow the administrator to add custom/third-party endpoint management tools into the management server.
68. The proposed solution must be able to retrieve information about the equipment detected during a network poll. The resulting inventory should cover all equipment connected to the organization's network. Information about the equipment should update after each new network poll. The list of detected equipment should cover the following:
    devices
    mobile devices
    network devices
    virtual devices
    OEM components
    computer peripherals
    connected devices
    VoIP phones
    network repositories
  The administrator must be able to add new devices to the equipment list manually or edit information about equipment that already exists on the network.
  ‘Device is Written Off’ functionality must be available, so that such devices are not displayed in the equipment list.
71. The proposed solution must support the download of differential files rather than full update packages.
72. The proposed solution must support an open API and include guidelines for integration with third-party external systems.
73. The proposed solution must include a built-in tool to perform remote diagnostics and collect troubleshooting logs without requiring physical access to the computer.
74. The proposed solution must include Role Based Access Control (RBAC) with customizable predefined roles.
76. The proposed solution’s reports must include information about each threat and the technology that detected it.
77. The proposed solution’s reports must include details about which endpoint protection components are, or are not, installed on client devices, regardless of the protection profile applied/existing for these devices.
79. The proposed solution must include the option for the customer to either deploy an on-premises management console or use the vendor-provided cloud-based management console.
80. The proposed solution must be able to integrate with the vendor’s cloud-based management console for endpoint management at no additional cost.
81. The proposed solution must enable swift migration from the on-premises management console to the vendor’s cloud-based management console.
82. The proposed solution’s agent must include support for cloud-based deployment via:
    Amazon Web Services
    Microsoft Azure
84. The proposed solution must support Single Sign-On (SSO) using NTLM and Kerberos.
85. The proposed solution must allow vulnerabilities that exist on managed devices to be monitored.
86. The proposed solution should allow advanced attacks to be detected and rooted out, perform root cause analysis with a visualized threat development chain graph, and drill down to details for further review.
2. Integration with different log formats, with the ability to create custom user normalizers (parsers).
11. Multitenancy.
16. The solution must support the ability to write the log of the installation process to a file.
18. Integration with different log formats, with the ability to create custom user normalizers (parsers).
2. The solution must support both active and passive log collection mechanisms from different types of equipment and systems.
4. The solution must support the following log formats (i.e., normalizers, parsers) ‘out-of-the-box’:
    JSON
    CEF (Common Event Format)
    Regexp (Regular Expression)
    Syslog (as per RFC 3164 and RFC 5424)
    CSV (with custom delimiter)
    Key-value
    XML
    NetFlow v5
    NetFlow v9
    sFlow5
    IPFIX
    SQL
5. The solution must support the following log transport mechanisms (i.e., connectors) ‘out-of-the-box’:
    Internal
    TCP
    UDP
    NetFlow
    sFlow
    NATS-jetstream
    Kafka
    HTTP
    SQL (MSSQL, MySQL, PostgreSQL, CockroachDB, SQLite3, Oracle, Firebird)
    File
    1C-log
    1C-xml
    Diode
    FTP
    NFS
    WMI (remote Windows Event Log collection)
    WEC (local Windows Event Log collection)
    SNMP
    SNMP-trap
    KATA/KEDR
    VMware
6. The solution must support custom parser creation and modification via a graphical web interface. The creation and modification of custom parsers should not require any programming skills, or the mandatory involvement of the solution vendor.
7. Custom parser creation must include highlighting of the log example (at least for regex parsers) and field mapping.
10. All parsers and connectors provided by the vendor, and those created by the user, must be editable and open to modification.
12. The solution must operate for an unlimited number of data sources.
13. The solution must support data source monitoring, and notification in the case of low EPS (Events Per Second).
14. The solution must support automatic updating of normalizers via the Internet and via an update mirror.
15. The solution must support the ability to convert hex, base64 and base64url binary values at the event collection stage.
16. The solution must support the selection of several conditions for switching between different levels of parsers.
17. The solution must support the ability to send events to third-party systems in CEF format.
18. The solution must support sending all raw events for additional normalization.
19. The solution must support the ability to collect events of different formats with a single collector.
20. The solution must support the ability to create custom fields in normalizers.
21. The solution must support the ability to send test events to the system.
23. The solution must support restoring the configuration from a backup and importing/exporting the configuration parameters.
2. The XDR solution must have a unified console for administrators and analysts.
12. The solution must provide a web interface for management and analytics (incident-related data, system status and health check data, settings, etc.).
13. The solution must provide an API for at least the following purposes:
    API to execute remediation/response actions on endpoints
    API for tagged endpoint telemetry retrieval by third-party systems
    API for application alert information retrieval by third-party systems
14. The solution must provide an option to store endpoint telemetry data for the necessary period (30 days or more). Local storage must be extendable if required to accommodate the data.
9. The solution must provide visibility into where else in the organization particular threats (objects) may exist.
10. The solution must be able to detect advanced malware; it must also discover zero-day malware that signature-based solutions miss.
11. The solution should support delivery of alert data and monitoring information via syslog.
13. The solution’s Automated Malware Analysis subsystem must use multiple virtual client operating systems of x64 and x86 architectures. The list must contain at least the following: Windows 10, Windows 7 64-bit, Windows XP 32-bit, CentOS 7.8 64-bit.
23. The EDR solution agent must have self-defense functionality to protect it from removal.
24. The solution must have the capability to run IOC scans inside the centrally collected endpoint telemetry database.
25. The solution must have the capability to force an IOC scan across all hosts with installed agents.
26. The EDR solution should provide the ability to execute YARA scans on endpoints.
27. The EDR solution must provide a search interface with rich functionality for analysts to build sophisticated lookup requests against the telemetry database.
28. The EDR solution must provide means of isolating a machine from the rest of the network in case of emergency, while preserving controlled communication with the agents’ administration and control server.
29. The EDR solution must provide means of remote remediation via the agent (file deletion and quarantine, process kill, preventing files from running/opening, etc.).
30. The solution must have integration with a Threat Intelligence analytical portal which contains not only reputation data, but also connections between internet resources, objects, etc.
33. The solution should provide the ability to tag critical resources so that they can be protected using different rules.
38. Alerts and events from endpoint sensors should be matched to TTPs from the MITRE ATT&CK Matrix.
39. The solution must be able to take inputs for custom indicators of compromise (IOC) and indicators of attack (IOA) for classifying and analyzing events.
4. The solution must have the ability to create daily, weekly, and monthly executive reports and allow report export.
10. The solution must allow the synchronization of time with an NTP server.
11. The solution must allow the creation of accounts with different roles used to administer the solution, process the alerts, audit other actions, or review changes.
12. An Analysis Centre upgrade must not require installation from scratch or the loss of settings, the incident database, etc.
18. Actions of solution users must be logged both in a local activity log and remotely.
Licensing requirement
2. The solution must calculate the EPS licensing limit based on the daily average EPS, not a peak EPS rate.
6. Technical support must include custom parsers (at least 10 types) for data sources not supported by the solution ‘out-of-the-box’.