About the standard integration scheme (QRadar)

This section describes the standard integration scheme for QRadar and Kaspersky CyberTrace.

For the standard integration scheme to work properly, you must install the update DSM-KasperskyCyberTrace-%version%-20180802144954.noarch.rpm, where %version% is the version of QRadar. Usually, you receive these updates as part of the auto-update process, but you can also visit IBM Fix Central and download them manually.

About the components of the standard integration scheme

The following components are used in the standard integration scheme for QRadar:

Standard integration scheme

In the standard integration scheme, Feed Service is configured by default to listen for incoming events from QRadar on 0.0.0.0:9999 (all interfaces).

Feed Service sends detection events to port 514 of the interface defined in the QRadar configuration. The address of this interface is specified when you install Kaspersky CyberTrace.

Security controls can send events to QRadar in any format that is supported by QRadar, for example, Syslog, JDBC, OPSEC, File, or SNMP.
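Because the default listen address above is 0.0.0.0:9999, it is worth confirming on the Feed Service host how that port is actually bound. The following check is an added example, not part of the Kaspersky documentation; it assumes the listener is TCP and parses the output of `ss -H -ltn`, with a constructed sample embedded so that it runs offline.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:9999 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

def bind_scope(addr):
    """Classify a local listen address as 'all-interfaces', 'loopback' or 'specific'."""
    addr = addr.split("%")[0].strip("[]")  # drop %iface suffix and IPv6 brackets
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                  # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific"

def listeners_on_port(ss_output, port):
    """Return [(address, scope)] for every LISTEN socket on the given TCP port."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, local_port = fields[3].rpartition(":")
        if local_port == str(port):
            found.append((addr, bind_scope(addr)))
    return found

def audit(ss_output, port=9999):
    """Return findings for the Feed Service port; an empty list means nothing to report."""
    listeners = listeners_on_port(ss_output, port)
    if not listeners:
        return [f"nothing is listening on TCP {port}; events from QRadar will not be received"]
    return [f"port {port} is bound to {addr} ({scope}); confirm that only QRadar can reach it"
            for addr, scope in listeners if scope == "all-interfaces"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print(finding)
```

On a live host, pass the real output of `ss -H -ltn` to `audit()` in place of `SAMPLE_SS`.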

Standard integration scheme for QRadar
