Upgrading Kaspersky CyberTrace integration (LogRhythm)

This section describes how to finish the integration of Kaspersky CyberTrace with LogRhythm after the upgrade of the Kaspersky CyberTrace files.

Finishing the integration of Kaspersky CyberTrace with LogRhythm consists of the following steps:

• Adding new events to LogRhythm
• Removing obsolete events from LogRhythm

Step 1. Adding new events

To add new events to LogRhythm:

Add the following categories and alert events automatically or manually (as described in sections "Step 3 (optional). Adding Kaspersky CyberTrace events" and "Step 4 (optional). Adding Kaspersky CyberTrace rules"):

• KL_ICS_Hash_MD5
• KL_ICS_Hash_SHA1
• KL_ICS_Hash_SHA256
• KL_APT_Hash_SHA1
• KL_APT_Hash_SHA256
• KL_ALERT_RetroScanError
• KL_ALERT_RetroScanCompleted
• KL_ALERT_RetroScanStorageExceeded
• KL_ALERT_IndicatorsStoreLimitExceeded
• KL_ALERT_IndicatorsStoreHardLimit
• KL_ALERT_FreeSpaceEnds
• KL_InternalTI_URL
• KL_InternalTI_IP
• KL_InternalTI_Hash_MD5
• KL_InternalTI_Hash_SHA1
• KL_InternalTI_Hash_SHA256

Step 2. Removing obsolete events

To remove obsolete events from LogRhythm:

1. Run LogRhythm Console.
2. Select Deployment Manager > Tools > Knowledge > MPE Rule Builder.

   The Rule Builder form opens.

3. Click the Open rule library () button.
4. Double-click the rule you want to retire.

   A preview window for the rule opens.

   Rules for the following events must be retired:

   • KL_BlackList_URL
   • KL_BlackList_IP
   • KL_BlackList_Hash_MD5
   • KL_BlackList_Hash_SHA1
   • KL_BlackList_Hash_SHA256
   • KL_ALERT_FeedLoadedPartially
5. Click the Retire rule () button.
6. In the Verify Retire window, click Yes.

   

   Verify Retire window

Page top