Step 4. Performing the verification test (Splunk, single-instance integration)

This section explains how to check the capabilities of Kaspersky CyberTrace by performing the verification test.

Please make sure you perform the verification test before editing any matching process settings.

About the verification test

The verification test is a procedure that is used to check the capabilities of Kaspersky CyberTrace and to confirm the accuracy of the integration.

During this test you will check whether events from Splunk are received by Feed Service, whether events from Feed Service are received by Splunk, and whether events are correctly parsed by Feed Service using the regular expressions.

This section describes the verification scenario for the default integration scheme (in this scheme, the forwarder, indexer, and search head are installed on a single computer), but you can also use the verification test after changes were made to the configuration parameters to check that Kaspersky CyberTrace and the SIEM solution work correctly.

Verification test file

The %service_dir%/verification/kl_verification_test_cef.txt file is a verification test file. It contains a collection of events with URLs, IP addresses, and hashes.

Verification test scenario (in brief)

To perform the verification test:

  1. Specify the Splunk Forwarder address in the Log Scanner utility configuration file.
  2. Send the verification file to Feed Service by using the Log Scanner utility.
  3. Compare the verification test results with the target numbers displayed on the Kaspersky CyberTrace Matches dashboard.
  4. Perform the Self-test.

    The Self-test is an automatic feed test performed by Kaspersky CyberTrace App.

  5. Optionally, clear Splunk of events that arrived when the verification test was being performed.

Verification test scenario

The verification test scenario proceeds in stages:

Stage 1. Specifying the Splunk Forwarder address in the Log Scanner configuration file

Specify the address and port that Splunk Forwarder listens on in the Connection element of the Log Scanner configuration file.

Stage 2. Sending the verification file to Splunk Forwarder

You must send the verification file to Splunk Forwarder by using the Log Scanner utility.

Before you send the file, make sure that Feed Service is running.

The following commands send the contents of the kl_verification_test_cef.txt file to Feed Service:

After receiving data from Log Scanner, Splunk Forwarder sends the test results to CyberTrace. The detected indicators from the verification file will be sent back to Splunk Forwarder. The address of Splunk Forwarder is specified in the Service settings of Kaspersky CyberTrace. Also, this address is specified during the installation or reconfiguration of Kaspersky CyberTrace.

Stage 3. Checking the verification test results

In this step, you must verify that URLs, IP addresses, and hashes are processed correctly by Kaspersky CyberTrace App.

IP addresses from the test records used for verification are not displayed on the Location of matched IPs map. To check that the map works correctly, we recommend using other records from the Kaspersky CyberTrace database. You can get records containing IP addresses on the Indicators tab of Kaspersky CyberTrace web.

To check the verification test results:

  1. In Kaspersky CyberTrace App, on the navigation bar select Kaspersky CyberTrace Matches.

    The Kaspersky CyberTrace Matches Dashboard opens.

  2. Compare numbers in the Matches by eventName panel to the numbers of the detected objects in the table shown below.

    The verification test results depends on the feeds you use. The following table summarizes target numbers for the verification test when all commercial feeds are used.

    Verification test results (commercial feeds)

    Feed used

    eventName value

    Detected objects

    Malicious URL Data Feed

    KL_Malicious_URL

    http://fakess123.nu

    http://badb86360457963b90faac9ae17578ed.com

    Phishing URL Data Feed

    KL_Phishing_URL

    http://fakess123ap.nu

    http://e77716a952f640b42e4371759a661663.com

    Botnet CnC URL Data Feed

    KL_BotnetCnC_URL

    http://fakess123bn.nu

    http://a7396d61caffe18a4cffbb3b428c9b60.com

    IP Reputation Data Feed

    KL_IP_Reputation

    192.0.2.0

    192.0.2.3

    Malicious Hash Data Feed

    KL_Malicious_Hash_MD5

    FEAF2058298C1E174C2B79AFFC7CF4DF

    44D88612FEA8A8F36DE82E1278ABB02F

    C912705B4BBB14EC7E78FA8B370532C9

    Mobile Malicious Hash Data Feed

    KL_Mobile_Malicious_Hash_MD5

    60300A92E1D0A55C7FDD360EE40A9DC1

    Mobile Botnet CnC URL Data Feed

    KL_Mobile_BotnetCnC_Hash_MD5

    001F6251169E6916C455495050A3FB8D

    Mobile Botnet CnC URL Data Feed

    KL_Mobile_BotnetCnC_URL

    http://sdfed7233dsfg93acvbhl.su/steallallsms.php

    Ransomware URL Data Feed

    KL_Ransomware_URL

    http://fakess123r.nu

    http://fa7830b4811fbef1b187913665e6733c.com

    APT URL Data Feed

    KL_APT_URL

    http://b046f5b25458638f6705d53539c79f62.com

    APT Hash Data Feed

    KL_APT_Hash_MD5

    7A2E65A0F70EE0615EC0CA34240CF082

    APT IP Data Feed

    KL_APT_IP

    192.0.2.4

    IoT URL Data Feed

    KL_IoT_URL

    http://e593461621ee0f9134c632d00bf108fd.com/.i

    ICS Hash Data Feed

    KL_ICS_Hash_MD5

    7A8F30B40C6564EFF95E678F7C43346C

The following table summarizes target numbers for the verification test when only demo feeds are used.

Verification test results (demo feeds)

Feed used

eventName value

Detected objects

DEMO Botnet_CnC_URL_Data_Feed

KL_BotnetCnC_URL

http://5a015004f9fc05290d87e86d69c4b237.com

http://fakess123bn.nu

DEMO IP_Reputation_Data_Feed

KL_IP_Reputation

192.0.2.1

192.0.2.3

DEMO Malicious_Hash_Data_Feed

KL_Malicious_Hash_MD5

776735A8CA96DB15B422879DA599F474

FEAF2058298C1E174C2B79AFFC7CF4DF

44D88612FEA8A8F36DE82E1278ABB02F

Stage 4. Performing the Self-test

The Self-test is an automatic feed test performed by Kaspersky CyberTrace App using the lookup script. You must verify that results of this test are correct.

To perform a Self-test:

  1. In Kaspersky CyberTrace App, on the navigation bar select Kaspersky CyberTrace Status.

    The Kaspersky CyberTrace Status dashboard opens.

  2. For all the feeds that you use, check the status values in the Self-test panel:
    • If you use only demo feeds, the value for demo feeds must be OK and values for all other feeds must be FALSE.
    • If you use commercial feeds, the value for all feeds that you use must be OK. All other values including values for demo feeds must be FALSE.

The following figure shows an example of a Self-test results for commercial feeds. In this example, all commercial feeds are used, and demo feeds are not used. The value for demo feeds is FALSE, as expected.

Self-test results

Stage 5 (optional). Clearing Splunk of events received when the verification test was performed

To clear Splunk of events received from Kaspersky CyberTrace when the verification test was performed:

  1. On the Search dashboard of the Splunk Web, click the Search & Reporting button to run the Search & Reporting app.
  2. Delete the events from Kaspersky CyberTrace:

    Deleting events from the main index can be done only under the user account that has the can_delete role. You can add this role to a user account by selecting Settings > Roles in the Splunk main menu.

    1. In the Search field, type the following command:

      index="main" sourcetype="kl_cybertrace_events" | delete

    2. Click the All time split button next to the Search field.

      If the split button has another name, click it and in the drop-down list select All time.

    3. Click Search ().

    Search & Reporting app

Page top