Kaspersky CyberTrace supports distributed Splunk environments. The integration scheme for distributed Splunk environments is called the distributed integration scheme.
About the apps and services used in the distributed integration scheme
In the distributed integration scheme, Kaspersky CyberTrace is divided into two apps and one service:
Feed Service
This service matches Splunk events against Kaspersky Threat Data Feeds. Feed Service sends the resulting events to a single indexer that keeps the index with events from Kaspersky CyberTrace. This service can be installed on a separate computer.
Search Head App
This app contains Kaspersky CyberTrace App dashboards, alert templates, and the lookup script. This app is intended for installation on a Splunk instance that acts as a search head and sends search requests to the indexer that keeps the index with events from Kaspersky CyberTrace.
Forwarder App
This app contains rules for forwarding events from Splunk to Feed Service. It also receives events from Feed Service. This app is intended for installation on Splunk instances that must forward events to Feed Service.
Kaspersky CyberTrace App Forwarder is divided into two apps, depending on the type of Splunk forwarder (Heavy or Universal) used in your distributed integration scheme:
About the integration scheme variants
The following variants of the distributed integration scheme demonstrate a general approach to integrating Kaspersky CyberTrace with your distributed Splunk environment. Depending on how your distributed Splunk environment is organized, you may have to change or combine these variants.
One indexer, multiple forwarders variant
In the one indexer, multiple forwarders variant, several Heavy or Universal forwarders receive and forward events directly to Feed Service. These forwarders must use Forwarder App (for the respective forwarder type). One of the forwarders receives matches from Feed Service. The forwarder sends the matches to the indexer that stores them in the main index used by Kaspersky CyberTrace for Splunk Search Head App.
Multiple indexers, multiple forwarders variant
In the multiple indexers, multiple forwarders variant, several Heavy or Universal forwarders receive and forward events directly to Feed Service. These forwarders must use Forwarder App (for the respective forwarder type). One of the forwarders receives matches from Feed Service. The forwarder sends the matches to the indexers that store them in the main index used by Kaspersky CyberTrace App.
Default ports and addresses
By default, Forwarder App and Feed Service are configured to use certain addresses and ports for forwarding events and receiving matches. You must change these default addresses and ports to match the organization of your distributed Splunk environment.
By default, Forwarder App:
- Uses the :3000 port.
- Receives matches from Feed Service on the :9998 port. These events are stored in the main index.
- Sends events to Feed Service at 127.0.0.1:9999.
By default, Feed Service does the following:
- Receives events from Forwarder App at 127.0.0.1:9999.
- Sends matches to Forwarder App at 127.0.0.1:9998.
Event format
By default, Kaspersky CyberTrace App and Feed Service are configured to receive events in a certain format: