Integration steps (QRadar)
This chapter describes how to integrate Kaspersky CyberTrace with QRadar.
About the integration schemes
Kaspersky CyberTrace can be integrated with QRadar in two integration schemes:
- Standard integration
Use this scenario if it is possible to get QRadar updates. For more information about the standard integration scheme, see About the standard integration scheme (QRadar).
- Integration when QRadar cannot get updates
Use this scenario if it is not possible to get QRadar updates. The procedure is described in Integration with QRadar when QRadar cannot get updates.
How to integrate Kaspersky CyberTrace with QRadar
Make sure that you have installed Kaspersky CyberTrace (see Part 1: Installing Kaspersky CyberTrace).
To integrate Kaspersky CyberTrace with QRadar in the standard integration scenario:
- Step 1. Configure QRadar to receive the latest updates.
- Step 2. Send a set of events to QRadar so that QRadar automatically adds the new log sources.
- Step 3. Forward events from QRadar to Feed Service.
- Step 4. Perform the verification test.
Make sure that you perform the verification test before editing any matching process settings.
- Step 5. Configure QRadar to retrieve custom event properties.
- Step 6. Configure QRadar to create a search filter for CyberTrace events.
- Step 7 (optional). Configure QRadar to display events in a dashboard.
After you have successfully integrated Kaspersky CyberTrace with QRadar, install Kaspersky Threat Feed App:
- Step 8 (optional). Configure QRadar to notify about incoming service events.
- Step 9 (optional). Install Kaspersky Threat Feed App.
- Step 10 (optional). Enable the indexes of the added custom event properties.
- Step 11 (optional). Configure Kaspersky Threat Feed App.