Configuring Kaspersky CyberTrace instances

This section describes how to configure Kaspersky CyberTrace instances for using them in High Availability mode.

To use Kaspersky CyberTrace in High Availability mode, configure all instances of Kaspersky CyberTrace as follows:

1. Import the same certificate for Kaspersky Threat Data Feeds.
2. Enable the same Kaspersky Threat Data Feeds.
3. Enable the same OSINT feeds, and add and configure identical custom and third-party feeds, if required.

   Manually added context fields, as well as indicators in the FalsePositive and InternalTI suppliers that were added by using Kaspersky CyberTrace Web or REST API, must be identical in all Kaspersky CyberTrace instances.

4. Add the same license key or use Community Edition in all instances.
5. Add indicators export tasks with identical names and filtering rules.
6. Specify identical regular expressions for matching the incoming events from Balancer as follows:

   Regular expression for matching the incoming events from Balancer

   Indicator type	Rule name	Regular expression
   CONTEXT	REQ	^(\d+)\s

   You can use any allowed name for the regular expression, but make sure to use the same regular expression name in the configuration steps below.

   You can specify the regular expression in the default event source or create a new one.

7. Specify identical event format settings for detection and informational events.

   Each event must start with the value that was extracted from the incoming event by the REQ regular expression. For example: %REQ% category=%Category% %RecordContext%.

8. Configure the format of events that are generated by Kaspersky CyberTrace in response to each received event:
   1. Stop Feed Service by running the following command:
      • systemctl stop cybertrace.service (in Linux)
      • %service_dir%\bin\kl_control.bat stop (in Windows)
   2. In the OutputSettings > FinishedEventFormat element of the Feed Service configuration file, specify the format of informational events as follows:

      <FinishedEventFormat enabled="true">%REQ% LookupFinished</FinishedEventFormat>

      These events are for internal use only. They are not sent to a SIEM.

   3. Save the configuration file.
   4. Start Feed Service:
      • systemctl start cybertrace.service (in Linux)
      • %service_dir%\bin\kl_control.bat start (in Windows)

Optionally, specify the connection settings for sending alert events to Balancer in the Connection settings section of the Settings > Service tab. Use the following parameters from the kl_balancer.conf file:

• IP address specified in the Balancer element
• Port specified in the cybertrace_port parameter of the Balancer element

You can send alert events directly to the SIEM.

The settings for sending detection events are not used in High Availability mode, because Balancer receives results of events matching in ReplyBack mode.

Page top