About Kaspersky CyberTrace

Welcome to Kaspersky CyberTrace documentation.

What is Kaspersky CyberTrace

Kaspersky CyberTrace is a threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions so that users can immediately leverage threat intelligence for security monitoring and IR activities in their existing security operations workflow.

Kaspersky CyberTrace uses continuously updated threat data feeds to identify existing breaches or newly launched attacks, and to inform your business or clients about the risks and implications associated with the threat.

Kaspersky CyberTrace integrates with threat intelligence sources (threat intelligence feeds from Kaspersky, other vendors, OSINT, or even custom sources), SIEM solutions, and log sources. As indicators of compromise (IoC) from the threat intelligence feeds are found in your environment, Kaspersky CyberTrace automatically sends alerts to SIEM solutions for ongoing monitoring, validation, and discovery of additional contextual evidence for ongoing security incidents. Kaspersky CyberTrace provides analysts with a set of instruments for conducting alert triage and response through categorization and assessment of identified matches.

Kaspersky CyberTrace inside a corporate network

Features of Kaspersky CyberTrace:

• Automatic high-performance matching of incoming logs and events with Kaspersky Threat Data Feeds, OSINT feeds, or any other custom feeds in the most popular formats (JSON, STIX, XML, CSV, MISP). Demo feeds from Kaspersky and OSINT are available out of the box.
• Internalized process of parsing and matching incoming data significantly reduces SIEM solution load. Kaspersky CyberTrace parses incoming logs and events, matches the resulting data to feeds, and generates its own alerts on threat detection. Consequently, a SIEM solution has to process less data.
• Generates feed usage statistics for measuring the effectiveness of feeds.
• In-depth threat investigation by using on-demand search of indicators (hashes, IP addresses, domains, URLs). Bulk scanning of logs and files is also supported.
• Universal approach to integration of threat matching capabilities with SIEM solutions and other security controls. SIEM connectors for a wide range of SIEM solutions can be used to visualize and manage data about threat detections.
• IoC and related context are efficiently stored in RAM for rapid access and filtering.
• Kaspersky CyberTrace Web, a web user interface for Kaspersky CyberTrace, provides data visualization, on-demand IoC search functionality, and access to Kaspersky CyberTrace configuration. Kaspersky CyberTrace Web also supports the management of feeds, log parsing rules, Internal TI and false positives lists, and event sources.
• Command-line interface for Windows and Linux® platforms.
• Advanced filtering for feeds and log events. Feeds can be converted and filtered based on a broad set of criteria such as time, popularity, geographical location, and threat type. Log events can be filtered based on custom conditions.
• DMZ integration support. The computer on which event data is matched against feeds can be located in DMZ and isolated from the Internet.
• In standalone mode, where Kaspersky CyberTrace is not integrated with a SIEM solution, Kaspersky CyberTrace receives logs from various sources such as networking devices, processes these logs according to the defined normalizing rules, and parses the logs according to the defined regular expressions.
• Export lookup results that match feeds to CSV format for integration with other systems (firewalls, network and host IDS, custom tools).
• Exposes obfuscation techniques used by some threats to hide malicious activities in logs.

The main parts of Kaspersky CyberTrace are Feed Service, Feed Utility, Log Scanner, and Kaspersky CyberTrace Web.

Main components of Kaspersky CyberTrace

For more information about how Kaspersky CyberTrace works, watch the video below:

Documentation contents

This documentation is divided into several chapters:

• Installation and integration guides

  This chapter provides guides about installing Kaspersky CyberTrace, integrating it with SIEM solutions and event sources, and configuring Kaspersky CyberTrace after the integration is completed.

  For a starting point of the installation and integration process, see section "Getting started".

• User guides

  This chapter provides information about Kaspersky CyberTrace Web, which is a web interface of Kaspersky CyberTrace, and about apps and dashboards that provide access to Kaspersky CyberTrace from a SIEM solution.

• Administrator guides

  This chapter provides information about managing Kaspersky CyberTrace and covers advanced topics of Kaspersky CyberTrace usage. Descriptions of Kaspersky CyberTrace components and workflow of these components can also be found in this chapter.

• Troubleshooting

  This section provides solutions to common problems encountered while using Kaspersky CyberTrace.

• Risk mitigation

  This section provides guidelines for mitigating potential security risks when working with Kaspersky CyberTrace.

In this section What's new About feeds and certificates

Page top