Kaspersky CyberTrace

Removing Kaspersky CyberTrace objects (RSA NetWitness)

This section describes how to remove objects related to Kaspersky CyberTrace from RSA NetWitness after Kaspersky CyberTrace is uninstalled. Note that after you have removed these objects, events from Kaspersky CyberTrace persist in RSA NetWitness.

To remove objects related to Kaspersky CyberTrace from RSA NetWitness:

  1. Remove the /etc/netwitness/ng/envision/etc/devices/cybertrace directory from the computer on which Log Decoder runs.
  2. From the Log Decoder settings, remove the cybertrace forwarding rule similarly to the way that it was added.
  3. If you will not forward events in the future, disable event forwarding by setting the /decoder/config/logs.forwarding.enabled parameter to false.
  4. Remove the Kaspersky CyberTrace dashboard similarly to the way that a dashboard can be created.
  5. Remove the Kaspersky CyberTrace charts similarly to the way that you enabled them.
  6. Remove the CyberTrace Report report similarly to the way that a report can be created.
  7. Remove the Feed Service rules similarly to the way that they were imported.
  8. If you added fields to the index-concentrator-custom.xml or table-map-custom.xml files, remove them from there.
  9. Restart Concentrator if you have changed index-concentrator-custom.xml.
  10. Restart Log Decoder.
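
A check for the file-level steps (1 and 8) that can be run on the Log Decoder or Concentrator host after the procedure. This is an added example, not part of the Kaspersky documentation. Assumptions: the function name is hypothetical, the two custom XML files are expected somewhere under /etc/netwitness, and the field names are whatever you added yourself (this page does not list them).

```shell
#!/bin/sh
# Added example: report CyberTrace leftovers after steps 1 and 8.
# Usage: cybertrace_leftovers ROOT_PREFIX [FIELD_NAME ...]
#   ROOT_PREFIX  "/" on a real host, or a scratch directory for a dry run
#   FIELD_NAME   custom fields you added for CyberTrace (operator-supplied;
#                none are defined on this page)
# Returns 0 when nothing is left, 1 otherwise.
cybertrace_leftovers() {
    root=${1%/}; shift
    found=0

    # Step 1: the device parser directory must no longer exist.
    parser_dir="$root/etc/netwitness/ng/envision/etc/devices/cybertrace"
    if [ -d "$parser_dir" ]; then
        echo "LEFTOVER directory: $parser_dir"
        found=$((found + 1))
    fi

    # Step 8: look for each field name in the two custom files. The files
    # are located by name under /etc/netwitness (assumed location) instead
    # of hard-coding their full paths.
    for field in "$@"; do
        hits=$(find "$root/etc/netwitness" -type f \
            \( -name index-concentrator-custom.xml \
               -o -name table-map-custom.xml \) \
            -exec grep -lF -e "$field" {} + 2>/dev/null) || true
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while IFS= read -r file; do
                echo "LEFTOVER field '$field' in: $file"
            done
            found=$((found + 1))
        fi
    done

    [ "$found" -eq 0 ]
}
```

A non-zero return means a listed item still has to be removed before the restarts in steps 9 and 10.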