Kaspersky CyberTrace
Administrator guides > Upgrading and managing the installation > Upgrading Kaspersky CyberTrace from a previous version > Upgrading Kaspersky CyberTrace integration (QRadar)

Upgrading Kaspersky CyberTrace integration (QRadar)

This section describes how to finish the integration of Kaspersky CyberTrace with QRadar after the upgrade of the Kaspersky CyberTrace files.

The upgrade process described in this section applies to Kaspersky CyberTrace versions 3.1.0 and above. If you have an older version of Kaspersky CyberTrace or Kaspersky Threat Feed Service, contact your Technical Account Manager (TAM).

Finishing the integration of Kaspersky CyberTrace with QRadar consists of the following actions:

  • Adding support of ICS Hash Data Feed
  • Adding support of new alert events
  • Adding events that correspond to new categories for APT feeds
  • Adding events that correspond to new categories for the Internal TI list

    In Kaspersky CyberTrace version 4.0, these categories are used instead of the following:

    • KL_BlackList_URL
    • KL_BlackList_IP
    • KL_BlackList_Hash_MD5
    • KL_BlackList_Hash_SHA1
    • KL_BlackList_Hash_SHA256

If QRadar automatically receives configuration updates (including configuration file changes, vulnerabilities, QID maps, supportability scripts, and security threat information updates), the following features are included:

  • Support of ICS Hash Data Feed
  • Support of new alert events
  • New categories of APT feeds
  • New categories of the Internal TI list

Perform the procedure above manually only if it does not receive configuration updates automatically. To add these categories to QRadar, perform the actions described in sections "Importing QIDs to QRadar", "Sending a set of events to QRadar", and "Mapping events to QIDs". The categories mentioned above are included in the sample_initiallog.txt and sample_qid.txt files of the latest distribution kit of CyberTrace.

To finish the integration of Kaspersky CyberTrace with QRadar:

  1. Add the following categories to support ICS Hash Data Feed:
    • KL_ICS_Hash_MD5
    • KL_ICS_Hash_SHA1
    • KL_ICS_Hash_SHA256
  2. Add new alert events:
    • KL_ALERT_RetroScanError
    • KL_ALERT_RetroScanCompleted
    • KL_ALERT_RetroScanStorageExceeded
    • KL_ALERT_IndicatorsStoreLimitExceeded
    • KL_ALERT_IndicatorsStoreHardLimit
    • KL_ALERT_FreeSpaceEnds
  3. Add new categories to support APT feeds:
    • KL_APT_Hash_SHA1
    • KL_APT_Hash_SHA256
  4. Add new categories to support the Internal TI list:
    • KL_InternalTI_URL
    • KL_InternalTI_IP
    • KL_InternalTI_Hash_MD5
    • KL_InternalTI_Hash_SHA1
    • KL_InternalTI_Hash_SHA256
Article ID: 190003, Last review: Apr 14, 2021
Page top