This section explains the installation and integration process for Kaspersky CyberTrace.
Introduction
Kaspersky CyberTrace can integrate with many different event sources. Because of this, the procedure for installation and integration is split into two parts:
We recommend installing Kaspersky CyberTrace by using one of the installer packages for your operating system. On Linux, you can install DEB and RPM packages. On Windows, you can use an executable installer.
Another way to install Kaspersky CyberTrace is to extract the TAR archive, and then perform several additional configuration steps manually.
After Kaspersky CyberTrace is installed, you can perform the post-installation configuration by using a wizard in the web interface of Kaspersky CyberTrace. During this process, you select an event source, such as a SIEM solution, provide connection parameters for it, and configure feed updates.
If you want to use diff versions of Kaspersky Threat Data Feeds, you need to enable them before you perform the post-installation configuration of Kaspersky CyberTrace.
After the post-installation configuration is completed, Kaspersky CyberTrace uses the default parameters for the chosen event source. For example, Kaspersky CyberTrace parses the incoming events by using the default regular expressions, and uses the default format for alert and detection events.
In the second part, you configure the event source so that it can send its events to Kaspersky CyberTrace and receive detection events from Kaspersky CyberTrace. Depending on the chosen event source, you can also install specific applications and tools that work with Kaspersky CyberTrace events. For example, Kaspersky CyberTrace provides applications for Splunk and QRadar, and a preconfigured dashboard for RSA NetWitness. In addition to applications for specific event sources, you can use the LogScanner application to send log files, URLs, and hashes to Kaspersky CyberTrace for checking.
Before you begin
Make sure that the computer you plan to use for running Kaspersky CyberTrace meets the hardware and software requirements.
Make sure the date and time settings are correct on the server where you are installing Kaspersky CyberTrace. You can use an NTP server to get the correct date and time.
For ArcSight products, ArcSight SmartConnector must be installed before the installation of Kaspersky CyberTrace. For more information, see sections "Before you begin (ArcSight)" and "Integration guide (ArcSight)".
Part 1. Installing Kaspersky CyberTrace
When you install Kaspersky CyberTrace, all of the components required for working with feeds, such as Feed Service and Feed Utility, are installed and configured.
Kaspersky CyberTrace can be installed on any computer that can receive events from your chosen event source, such as a SIEM solution, a firewall, or a proxy server. By configuring Kaspersky CyberTrace during its installation, you specify how it will receive and send events.
Make sure to install Kaspersky CyberTrace according to your chosen integration scheme. For example, if you must install Kaspersky CyberTrace and a SIEM solution on separate computers, check the available integration schemes for your SIEM solution and decide where to install Kaspersky CyberTrace.
Depending on your operating system, install Kaspersky CyberTrace as described in the following sections:
After you install Kaspersky CyberTrace, perform the following:
Part 2. Integrating Kaspersky CyberTrace with an event source
Kaspersky CyberTrace must be integrated with an event source. This event source can either be a standalone event source (for example, a firewall or a proxy server) or a SIEM solution. The event source then sends events to Kaspersky CyberTrace, and Kaspersky CyberTrace sends its own events to a SIEM or other application, as configured.
Kaspersky CyberTrace supports integration with the following SIEM solutions: