Yandex Cloud Detection and Response overview

Yandex Cloud Detection and Response is a service that monitors and responds to Yandex Cloud infrastructure incidents. YCDR is developed based on Yandex Cloud's in-house Security Operations Center (SOC). It collects data from the cloud infrastructure to detect anomalies. When YCDR detects an anomaly, it creates alerts indicating a potential incident.

The Yandex Cloud SIEM system analyzes the collected data. Events are sent to the SIEM system via a collector. The collector is installed in a Managed Service for Kubernetes cluster, which ensures its scalability and fault-tolerance.

The collector must have access to the external network to send events to the Yandex Cloud SIEM. Yet, since events are sent over the TLS protocol and SIEM is physically located in the Yandex Cloud infrastructure, the data remains inside the data center.

The collector works at the cloud level. Each cloud must have a dedicated collector for sending events.

The collector architecture comprises two modules:

1. Vector-based component for collecting and sending events. It enables receiving events from osquery agents and random events over HTTP.
2. syslog event collection component which collects events and sends them to the Vector-based component for further processing.

In Yandex Cloud Detection and Response, you can access a list of detected incidents and select one to get troubleshooting recommendations with additional context and view the incident details and category. To see the statistics on detected incidents, refer to the dashboard on the service's home page.