Upgrading Kaspersky CyberTrace integration (LogRhythm)
This section describes how to finish the integration of Kaspersky CyberTrace with LogRhythm after the upgrade of the Kaspersky CyberTrace files.
Finishing the integration of Kaspersky CyberTrace with LogRhythm consists of the following steps:
- Adding new events to LogRhythm
- Removing obsolete events from LogRhythm
Upgrading from Kaspersky CyberTrace 3.1
When upgrading from Kaspersky CyberTrace version 3.1, you must add the following categories and alert events to LogRhythm:
- KL_ICS_Hash_MD5
- KL_ICS_Hash_SHA1
- KL_ICS_Hash_SHA256
- KL_APT_Hash_SHA1
- KL_APT_Hash_SHA256
- KL_ALERT_RetroScanError
- KL_ALERT_RetroScanCompleted
- KL_ALERT_RetroScanStorageExceeded
- KL_ALERT_IndicatorsStoreLimitExceeded
- KL_ALERT_IndicatorsStoreHardLimit
- KL_ALERT_FreeSpaceEnds
- KL_ALERT_DetectsStorageExceeded
- KL_InternalTI_URL
- KL_InternalTI_IP
- KL_InternalTI_Hash_MD5
- KL_InternalTI_Hash_SHA1
- KL_InternalTI_Hash_SHA256
For more information on how to add categories and alert events to LogRhythm, see subsection "Adding new events" below.
You must also remove the following obsolete events:
- KL_BlackList_URL
- KL_BlackList_IP
- KL_BlackList_Hash_MD5
- KL_BlackList_Hash_SHA1
- KL_BlackList_Hash_SHA256
- KL_psms_Hash_MD5
- KL_ALERT_FeedLoadedPartially
For more information on how to remove obsolete events from LogRhythm, see subsection "Removing obsolete events" below.
Upgrading from Kaspersky CyberTrace 4.0
When upgrading from Kaspersky CyberTrace version 4.0, you must add the KL_ALERT_DetectsStorageExceeded alert event to LogRhythm.
For more information on how to add categories and alert events to LogRhythm, see subsection "Adding new events" below.
You must also remove the KL_psms_Hash_MD5 event, which is obsolete.
For more information on how to remove obsolete events from LogRhythm, see subsection "Removing obsolete events" below.
Adding new events
To add new events to LogRhythm:
Add the required categories and alert events automatically or manually (as described in sections "Step 3 (optional). Adding Kaspersky CyberTrace events" and "Step 4 (optional). Adding Kaspersky CyberTrace rules").
Removing obsolete events
To remove obsolete events from LogRhythm:
- Run LogRhythm Console.
- Select Deployment Manager > Tools > Knowledge > MPE Rule Builder.
The Rule Builder form opens.
- Click the Open rule library (
) button. - For each obsolete event, perform the following:
- Double-click the rule you want to retire.
A preview window for the rule opens.
- Click the Retire rule (
) button. - In the Verify Retire window, click Yes.
Verify Retire window
- Double-click the rule you want to retire.