This section describes how to finish the integration of Kaspersky CyberTrace with QRadar after the upgrade of the Kaspersky CyberTrace files.
The upgrade process described in this section applies to Kaspersky CyberTrace versions 3.1.0 and above. If you have an older version of Kaspersky CyberTrace or Kaspersky Threat Feed Service, contact your Technical Account Manager (TAM).
Upgrading from Kaspersky CyberTrace 3.1
When upgrading from version 3.1, finishing the integration of Kaspersky CyberTrace with QRadar consists of the following:
Starting from Kaspersky CyberTrace version 4.0, these categories are used instead of the following:
If QRadar receives configuration updates (including configuration file changes, vulnerabilities, QID maps, supportability scripts, and security threat information updates), the following features will be delivered automatically:
If QRadar does not receive configuration updates automatically, add the following categories manually:
For information on how to add categories and alert events manually, see subsection "Upgrading the integration of Kaspersky CyberTrace with QRadar manually" below.
Upgrading from Kaspersky CyberTrace 4.0
When upgrading from version 4.0, finishing the integration of Kaspersky CyberTrace with QRadar consists of adding support of the KL_ALERT_DetectsStorageExceeded alert event.
If QRadar receives configuration updates (including configuration file changes, vulnerabilities, QID maps, supportability scripts, and security threat information updates), support of the KL_ALERT_DetectsStorageExceeded alert event will be delivered automatically.
If QRadar does not receive configuration updates automatically, add the KL_ALERT_DetectsStorageExceeded alert event manually.
For information on how to add alert events manually, see subsection "Upgrading the integration of Kaspersky CyberTrace with QRadar manually" below.
Upgrading the integration of Kaspersky CyberTrace with QRadar manually
To upgrade the integration of Kaspersky CyberTrace with QRadar manually:
Perform the actions described in sections "Importing QIDs to QRadar", "Sending a set of events to QRadar", and "Mapping events to QIDs" for the categories and alert events listed above. You can use the sample_initiallog.txt and sample_qid.txt files included in the distribution kit of Kaspersky CyberTrace.
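The manual upgrade above depends on the sample event set actually containing the alert events QRadar must map. The following is an added example, not Kaspersky's or the CyberTrace distribution's own code: it checks that a sample log covers the required event names (here the KL_ALERT_DetectsStorageExceeded event named on this page) before forwarding the lines to QRadar over TCP syslog. It assumes one event per line and that the event name appears verbatim in the line; the sample lines and the QRADAR_HOST placeholder are constructed.

```python
"""Pre-check and send a CyberTrace sample log to QRadar (added example)."""
import socket

# Event names the upgrade from version 4.0 requires QRadar to map (from this page).
REQUIRED_EVENTS = ("KL_ALERT_DetectsStorageExceeded",)


def missing_events(lines, required=REQUIRED_EVENTS):
    """Return the required event names that appear in none of the sample lines."""
    return [name for name in required if not any(name in ln for ln in lines)]


def load_sample_log(path):
    """Read sample_initiallog.txt-style input: one event per non-empty line (assumption)."""
    with open(path, encoding="utf-8") as f:
        return [ln.rstrip("\n") for ln in f if ln.strip()]


def send_events(lines, host, port=514):
    """Forward each line as one newline-terminated syslog message over TCP.

    Returns the number of lines sent so the caller can compare it with the
    number of events QRadar shows in the Log Activity tab.
    """
    sent = 0
    with socket.create_connection((host, port), timeout=10) as s:
        for ln in lines:
            s.sendall((ln + "\n").encode("utf-8"))
            sent += 1
    return sent


# Constructed stand-ins for sample_initiallog.txt lines; the real file's format
# is defined by the Kaspersky CyberTrace distribution kit, not by this example.
SAMPLE_LINES = [
    "<14>Jan 01 00:00:00 cybertrace KL_ALERT_DetectsStorageExceeded sample event",
    "<14>Jan 01 00:00:01 cybertrace KL_EXAMPLE_OtherEvent sample event",
]

if __name__ == "__main__":
    missing = missing_events(SAMPLE_LINES)
    if missing:
        raise SystemExit(f"sample log lacks required alert events: {missing}")
    # QRADAR_HOST is a placeholder for your QRadar event collector address.
    # print(send_events(SAMPLE_LINES, "QRADAR_HOST"))
```

Run the check against the real sample_initiallog.txt with `missing_events(load_sample_log(path))`; an empty list means every required event is present and the mapping step can proceed.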