About Kaspersky CyberTrace

Welcome to Kaspersky CyberTrace documentation.

What is Kaspersky CyberTrace

Kaspersky CyberTrace is a threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions so that users can immediately leverage threat intelligence for security monitoring and IR activities in their existing security operations workflow.

Kaspersky CyberTrace uses continuously updated threat data feeds to identify existing breaches or newly launched attacks, and to inform your business or clients about the risks and implications associated with the threat.

Kaspersky CyberTrace integrates with threat intelligence sources (threat intelligence feeds from Kaspersky, other vendors, OSINT, or even custom sources), SIEM solutions, and log sources. As indicators of compromise (IoC) from the threat intelligence feeds are found in your environment, Kaspersky CyberTrace automatically sends alerts to SIEM solutions for ongoing monitoring, validation, and discovery of additional contextual evidence for ongoing security incidents. Kaspersky CyberTrace provides analysts with a set of instruments for conducting alert triage and response through categorization and assessment of identified matches.

Kaspersky CyberTrace inside a corporate network

Features of Kaspersky CyberTrace:

• Automatic high-performance matching of incoming logs and events with Kaspersky Threat Data Feeds, OSINT feeds, or any other custom feeds in the most popular formats (JSON, STIX, XML, CSV, MISP). Demo feeds from Kaspersky and OSINT are available out of the box.
• Internalized process of parsing and matching incoming data significantly reduces SIEM solution load. Kaspersky CyberTrace parses incoming logs and events, matches the resulting data to feeds, and generates its own alerts on threat detection. Consequently, a SIEM solution has to process less data.
• Generates feed usage statistics for measuring the effectiveness of feeds.
• In-depth threat investigation by using on-demand search of indicators (hashes, IP addresses, domains, URLs). Bulk scanning of logs and files is also supported.
• Universal approach to integration of threat matching capabilities with SIEM solutions and other security controls. SIEM connectors for a wide range of SIEM solutions can be used to visualize and manage data about threat detections.
• IoC and related context are efficiently stored in RAM for rapid access and filtering.
• Kaspersky CyberTrace Web, a web user interface for Kaspersky CyberTrace, provides data visualization, on-demand IoC search functionality, and access to Kaspersky CyberTrace configuration. Kaspersky CyberTrace Web also supports the management of feeds, log parsing rules, Internal TI and false positives lists, and event sources.
• Command-line interface for Windows and Linux platforms.
• Advanced filtering for feeds and log events. Feeds can be converted and filtered based on a broad set of criteria such as time, popularity, geographical location, and threat type. Log events can be filtered based on custom conditions.
• DMZ integration support. The computer on which event data is matched against feeds can be located in DMZ and isolated from the Internet.
• In standalone mode, where Kaspersky CyberTrace is not integrated with a SIEM solution, Kaspersky CyberTrace receives logs from various sources such as networking devices, processes these logs according to the defined normalizing rules, and parses the logs according to the defined regular expressions.
• Export lookup results that match feeds to CSV format for integration with other systems (firewalls, network and host IDS, custom tools).
• Exposes obfuscation techniques used by some threats to hide malicious activities in logs.

The main parts of Kaspersky CyberTrace are Feed Service, Feed Utility, Log Scanner, and Kaspersky CyberTrace Web.

Main components of Kaspersky CyberTrace

Documentation contents

This documentation is divided into several chapters:

• Installation and integration guides

  This chapter provides guides about installing Kaspersky CyberTrace, integrating it with SIEM solutions and event sources, and configuring Kaspersky CyberTrace after the integration is completed.

  For a starting point of the installation and integration process, see Getting started.

• User guides

  This chapter provides information about Kaspersky CyberTrace Web, which is a web interface of Kaspersky CyberTrace, and about apps and dashboards that provide access to Kaspersky CyberTrace from a SIEM solution.

• Administrator guides

  This chapter provides information about managing Kaspersky CyberTrace and covers advanced topics of Kaspersky CyberTrace usage. Descriptions of Kaspersky CyberTrace components and workflow of these components can also be found in this chapter.

• Troubleshooting

  This section provides solutions to common problems encountered while using Kaspersky CyberTrace.

• Risk mitigation

  This section provides guidelines for mitigating potential security risks when working with Kaspersky CyberTrace.

What's new

Kaspersky CyberTrace offers the following new features and improvements:

What's new in version 4.0

• A database of indicators with full text search capability and the ability to search by using advanced search queries was added to enable complex searches across all indicator fields, including the context fields. The ability to filter results by Intelligence supplier simplifies the process of analyzing threat intelligence data.
• Pages with detailed information about each indicator were added for deeper analysis. Each page presents all information about an indicator from all threat intelligence suppliers (deduplication) and allows analysts to discuss threats in comments, as well as add internal threat intelligence about the indicator. If the indicator was detected, information about detection dates and links to the detections list will be available.
• Storage for detections was added to simplify the security monitoring and alerts triage processes. The raw event from the source and full information about the detection are saved to the database, for future analysis. The detection list supports searching saved data, to find all detections by threat, source IP address, user name, or any other field.
• An indicators export feature was added to support exporting indicator sets to security controls such as policies lists (block lists) and to support the sharing of threat data between Kaspersky CyberTrace instances or with other TI Platforms.
• A historical correlation feature (retroscan) was added to allow analyzing observables from previously checked events by using the latest feeds to find previously uncovered threats. All historical detections will be included in the report, for future investigations.
• Filter for sending detection events to SIEM solutions was added to reduce the load on the solutions and on the Analyst (fighting with alerts fatigue). It allows sending SIEM solutions only the most dangerous and confident detections that must be treated as incidents. All other detections will be saved to the internal database, and can be used during root cause analysis or in threat hunting.
• Multitenancy feature was added to support MSSP or Large Enterprise use cases when a service provider (central office) needs to handle events from different branches (tenants) separately. The feature allows connecting a single Kaspersky CyberTrace instance with different SIEM solutions from different tenants and configuring what feeds must be used for each tenant.
• HTTP REST API for looking up and managing threat intelligence was added. By using the REST API, Kaspersky CyberTrace can be easily integrated into complex environments for automation and orchestration. The API supports observables lookup, as well as TI indicators and TI suppliers managing scenarios.
• Integration with Kaspersky Unified Monitoring and Analysis Platform (KUMA) was added, including Web UI integration (single UI).
• New components were added to the Dashboard:
  • Table with last feed update statuses was added to inform the user about the updating of statistics for feeds.
  • Graph with checked events count was added to inform the user about the current and historical load on the system (in Event Per Second – EPS).
  • Feeds intersection matrix was added to help with choosing the most valuable threat intelligence suppliers.
• Scenario for auto-updatable dashboard on TV was added, to allow displaying key metrics on a TV screen in the user's office.
• Authentication with LDAP (MS Active Directory) was added.
• Ability to load feeds from Kaspersky as custom feeds was added, to simplify the process of adding new Kaspersky feeds to Kaspersky CyberTrace.
• UI style was updated in accordance with the Kaspersky rebranding guidelines.
• Process of creating format strings for events that will be sent to SIEM solutions was simplified. A wizard that automatically composes event format strings based on the selected set of event fields has been added.
• Installers for Windows and Linux were updated:
  • Kaspersky CyberTrace will be delivered as a single package for all SIEM solutions. The LogRhythm SIEM solution is supported out of the box.
  • Initial configuration was moved from installers to CyberTrace Web and must be performed after the first launch in Web UI.
• In Linux packages, init.d management scripts were replaced with systemd unit files.
• URL normalization for third-party intelligence sources was added to simplify the process of integrating third-party intelligence into Kaspersky CyberTrace.
• New X-KF-SaveStatistic flag was added to support saving detection statistics when X-KF-ReplyBack mode is used.
• Integration with RSA was updated (“:rfc3164” mode for forwarding from SIEM solutions is recommended instead of using EventDelimiter on the Kaspersky CyberTrace side).
• Windows Server 2019 is now supported; and support for Windows Server 2008 and Desktop versions of Windows was limited.
• Feed Service can send alerts to a specific IP address or hostname separately from detection events. The connection settings for alert events can be specified in Kaspersky CyberTrace Web.
• If an error occurs while sending a detection event, Feed Service will try to resend it after a specific period of time. The number of attempts and the time interval between them is specified in the configuration file of Feed Service.
• When adding a custom or third-party feed, the level of confidence is specified.This information is further included in detection events.
• When adding a custom or third-party feed, the vendor name must be specified. Such feeds and suppliers are listed separately from OSINT feeds.
• Kaspersky Threat Data Feeds now include ICS Hash Data Feed for protection against malicious applications that are aimed at Industrial Control Systems.
• Adding custom feeds in the MISP format is supported. Such feeds can be loaded from a local folder or via HTTP(S).
• The basic authentication scheme is available for each custom feed that is loaded via HTTP(S) or FTP(S).
• Information about the running and finished tasks is now available on the Tasks tab.
• The following OSINT feeds are no longer supported:
  • Abuse.ch_Ransomware_Common
  • Abuse.ch_Ransomware_BlockUrl
  • Abuse.ch_Ransomware_BlockDomain
  • Abuse.ch_Ransomware_BlockIP
  • Abuse.ch_Feodo_MalwareHash

About feeds and certificates

This chapter describes feeds and certificates used with Kaspersky CyberTrace.

About Kaspersky Threat Data Feeds

This section describes Kaspersky Threat Data Feeds available for Kaspersky CyberTrace.

Basics of Kaspersky Threat Data Feeds

First-tier security vendors and enterprises use time-tested and authoritative Kaspersky Threat Data Feeds to produce premium security solutions or to protect their business.

Cyber attacks happen every day. Cyber threats are constantly growing in frequency, complexity, and obfuscation, as they try to compromise your defenses. Adversaries currently use complicated intrusion kill chains, campaigns, and customized Tactics, Techniques, and Procedures (TTPs) to disrupt business or damage clients.

Kaspersky offers continuously updated Threat Data Feeds to inform your business or clients about risks and implications associated with cyber threats, helping you to mitigate threats more effectively and defend against attacks even before they are launched.

Information contained in Kaspersky Threat Data Feeds

Kaspersky Threat Data Feeds contain thoroughly vetted threat indicator data sourced from the real world in real time.

Every record in each feed is enriched with actionable context (threat names, time stamps, geolocation, resolved IPs, addresses of infected web resources, hashes, popularity, and so on). Contextual data helps to reveal the "big picture", further validating and supporting wide-ranging use of the data.

Set in context, the data can more readily be used to answer the who, what, where, and when questions that lead to the identification of adversaries, helping you make timely decisions and actions specific to your organization.

Available feed groups

Kaspersky Threat Data Feeds available for Kaspersky CyberTrace can be divided into the following major groups:

• Commercial feeds

  This group contains regular commercial feeds that can be accessed with a commercial certificate. Feeds from this group cover a wide variety of cyberthreats.

• APT feeds

  APT feeds are commercial feeds that contain information about cyber threats related to advanced persistent threat (APT) campaigns.

• Demo feeds

  Demo feeds can be used for evaluation purposes. These feeds do not require a commercial certificate. Demo feeds provide lower detection rates in comparison with their corresponding commercial versions.

Commercial feeds

The following feeds are available in this group:

• Botnet CnC URL Data Feed

  A set of URLs and hashes with context that cover desktop botnet C&C servers and related malicious objects. Masked and non-masked records are available.

• IP Reputation Data Feed

  A set of IP addresses with context that cover different categories of suspicious and malicious hosts.

• Malicious Hash Data Feed

  A set of file hashes with context that cover the most dangerous, prevalent, or emerging malware.

• Malicious URL Data Feed

  A set of URLs with context that cover malicious websites and web pages. Masked and non-masked records are available.

• Mobile Botnet CnC URL Data Feed

  A set of URLs with context that cover mobile botnet C&C servers.

• Mobile Malicious Hash Data Feed

  A set of file hashes with context for detecting malicious objects that infect mobile Google Android and Apple iPhone devices.

• Phishing URL Data Feed

  A set of URLs with context that cover phishing websites and web pages. Masked and non-masked records are available.

• Ransomware URL Data Feed

  A set of URLs, domains, and hosts with context that cover ransomware links and websites.

• Vulnerability Data Feed

  A set of file hashes with context that cover vulnerabilities in applications and cover exploits that use those vulnerabilities.

  Kaspersky CyberTrace does not support the cpes field of the Vulnerability Data Feed.

• IoT URL Data Feed

  A set of URLs with context that cover malicious links used to download malware targeting Internet of Things-enabled devices.

• ICS Hash Data Feed

  A set of hashes of malicious applications that are used to attack the ICS (Industrial Control Systems) infrastructure.

APT Feeds

The following demo feeds are available in this group:

• APT Hash Data Feed

  A set of hashes that cover malicious artifacts used by APT actors to conduct APT campaigns.

• APT IP Data Feed

  A set of IP addresses that belong to the infrastructure used in APT campaigns.

• APT URL Data Feed

  A set of domains that belong to the infrastructure used in APT campaigns.

Demo feeds

The following demo feeds are available in this group:

• Demo Botnet CnC URL Data Feed

  Provides lower detection rates in comparison with Botnet CnC URL Data Feed.

• Demo IP Reputation Data Feed

  Provides lower detection rates in comparison with IP Reputation Data Feed.

• Demo Malicious Hash Data Feed

  Provides lower detection rates in comparison with Malicious Hash Data Feed.

Sorting order for records in feeds

Feed records are sorted as follows:

• Records in IP Reputation Data Feed are sorted by threat score in descending order.
• Records in all other feeds are sorted by popularity in descending order.

About OSINT feeds

This section describes OSINT feeds supported by Kaspersky CyberTrace.

OSINT feeds are publicly available threat intelligence data sources provided by organizations and individuals.

OSINT feeds supported by Kaspersky CyberTrace

Kaspersky Feed Utility supports OSINT feeds from the following sources:

• Abuse.ch

  This source has several associated sources of information:

  • Feodo Tracker is an abuse.ch project that has the goal of sharing botnet C&C servers associated with the Feodo malware family (Dridex, Emotet/Heodo).
  • SSLBL is an abuse.ch project that has the goal of detecting malicious SSL connections by identifying the SSL certificates used by botnet C&C servers and adding them to a denylist.
• Proofpoint ET intelligence

  This source provides information about emerging threats.

• BlockList.de

  This is a free and voluntary service provided by a Fraud/Abuse specialist, whose servers are often attacked on SSH, Mail Login, FTP, Webserver, and other services.

  BlockList.de has reported more than 70,000 attacks in twelve hours in real time and uses the Whois (abuse-mailbox, abuse@, security@, email, remarks), the RIPE Abuse Finder, and the contact-database from abusix.org to find the abuse address assigned to the attacking host.

• Cyber Crime Tracker

  Cyber Crime Tracker monitors and tracks various malware families that are used to perpetrate cyber crimes, such as banking trojans and ransomware. It lists mainly malware C&Cs, and file hashes of Zeus and Zeus-originated malware families.

The following table lists supported OSINT feeds:

OSINT feeds

The OSINT feeds in the table above are maintained by third parties only. Some URLs in the table may, for various reasons, become obsolete over time.

About the certificates

Kaspersky CyberTrace uses a certificate to download feeds. The certificate determines which feeds can be downloaded from the update servers.

Certificate types

Kaspersky CyberTrace can use two types of certificates:

• Demo certificate

  This certificate is shipped in the distribution kit. It allows access to the demo Kaspersky Threat Data Feeds.

• Commercial certificate

  This certificate allows access to one or more Kaspersky Threat Data Feeds.

  To obtain a commercial certificate, contact Kaspersky Cybersecurity Service team at intelligence@kaspersky.com.

Certificates and security

When Kaspersky CyberTrace establishes a connection with Kaspersky servers, it passes the certificate in encrypted form to Kaspersky. The connection between Kaspersky CyberTrace and Kaspersky servers is encrypted to ensure that all data is protected.

Installation and integration guides

This chapter describes how to install Kaspersky CyberTrace, configure it, and integrate it with different SIEM solutions.

Installation and integration overview

This section explains the installation and integration process for Kaspersky CyberTrace.

Introduction

Kaspersky CyberTrace can integrate with many different event sources. Because of this, the procedure for installation and integration is split into two parts:

1. Installing Kaspersky CyberTrace

   We recommend installing Kaspersky CyberTrace by using one of the installer packages for your operating system. On Linux, you can install DEB and RPM packages. On Windows, you can use an executable installer.

   Another way to install Kaspersky CyberTrace is to extract the TAR archive, and then perform several additional configuration steps manually.

   After Kaspersky CyberTrace is installed, you can perform the post-installation configuration by using a wizard in the web interface of Kaspersky CyberTrace. During this process, you select an event source, such as a SIEM solution, provide connection parameters for it, and configure feed updates.

   After the post-installation configuration is completed, Kaspersky CyberTrace uses the default parameters for a chosen event source. For example, Kaspersky CyberTrace parses the incoming events by using the default regular expressions, and uses the default format for alert and detection events.

2. Integrating Kaspersky CyberTrace with an event source

   In this part, you configure the event source so that it can send its events to Kaspersky CyberTrace and receive detection events from Kaspersky CyberTrace. Depending on the chosen event source, you can also install specific applications and tools that work with Kaspersky CyberTrace events. For example, Kaspersky CyberTrace provides applications for Splunk and QRadar, and a preconfigured dashboard for RSA NetWitness. In addition to applications for specific event sources, you can use the LogScanner application to send log files, URLs, and hashes for checking to Kaspersky CyberTrace.

Before you begin

Make sure that the computer you plan to use for running Kaspersky CyberTrace meets the hardware and software requirements.

For ArcSight products, ArcSight SmartConnector must be installed before the installation of Kaspersky CyberTrace. For more information, see Before you begin (ArcSight) and Integration guide (ArcSight).

Part 1. Installing Kaspersky CyberTrace

When you install Kaspersky CyberTrace, all of the components required for working with feeds, such as Feed Service and Feed Utility, are installed and configured.

Kaspersky CyberTrace can be installed on any computer that can receive events from your chosen event source, such as a SIEM solution, a firewall, or a proxy server. By configuring Kaspersky CyberTrace during its installation, you specify how it will receive and send events.

Make sure to install Kaspersky CyberTrace according to your chosen integration scheme. For example, if you must install Kaspersky CyberTrace and a SIEM solution on separate computers, check the available integration schemes for your SIEM solution and decide where to install Kaspersky CyberTrace.

Depending on your operating system, install Kaspersky CyberTrace as described in the following sections:

• Installation on Linux systems
• Installation on Windows systems

After you install Kaspersky CyberTrace, configure it from Kaspersky CyberTrace Web by using the Initial Setup Wizard.

Part 2. Integrating Kaspersky CyberTrace with an event source

Kaspersky CyberTrace must be integrated with an event source. This event source can either be a standalone event source (for example, a firewall or a proxy server) or a SIEM solution. The event source then sends events to Kaspersky CyberTrace, and Kaspersky CyberTrace sends its own events to a SIEM or other application, as configured.

Kaspersky CyberTrace supports integration with the following SIEM solutions:

• Splunk
• ArcSight
• QRadar
• RSA NetWitness
• LogRhythm
• Other SIEM and non-SIEM solutions

Hardware and software requirements

This section lists the system requirements of Kaspersky CyberTrace.

Supported operating systems

Kaspersky CyberTrace can run on the following operating systems:

• Linux x64
• Microsoft Windows Server 2019
• Microsoft Windows Server 2012 x64
• Microsoft Windows Server 2012 R2 x64

Dependencies for Linux

In Linux, Kaspersky CyberTrace has the following dependencies:

• The more utility must be installed.

Software requirements for integrations with SIEM solutions

When integrating with SIEM solutions, Kaspersky CyberTrace has the following software requirements.

Software requirements for integrations with SIEM solutions

Integrations with other SIEM solutions are available. For more information, see https://support.kaspersky.com/datafeeds.

Supported browsers

Kaspersky CyberTrace Web can be used by using the following web browsers:

• Microsoft Edge 42 or later
• Microsoft Internet Explorer 11 or later
• Mozilla Firefox 61 or later
• Safari 11 or later
• Google Chrome 68 or later

CPU requirements

Kaspersky CyberTrace has the following CPU requirements:

• Support of x86-64 instruction set.

It is recommended to use Kaspersky CyberTrace on high-end servers.

RAM and hard disk space requirements

System requirements depend on your use case and the feeds that you use. For more detail about the system requirements, contact your technical account manager (TAM).

The actual amount of hard disk space for each feed depends on the size of the original feed file. This size changes when feeds are updated. Over time, the size of the feed files may change significantly, which can change the required amount of hard disk and memory space.

The RAM and hard disk space requirements listed in the two tables below apply only to Kaspersky Threat Data Feeds. Using third-party feeds requires additional disk and memory resources.

The table below lists the RAM and hard-disk space requirements for using only demo feeds and for using all commercial feeds on Linux-based systems.

Hardware requirements for using different feeds on Linux

The table below lists the RAM and hard disk space requirements for using only demo feeds and for using all commercial feeds on Windows-based systems.

Hardware requirements for using different feeds on Windows

Network requirements

The computer on which Feed Utility runs must have access to the website https://wlinfo.kaspersky.com/.

The computer on which Kaspersky CyberTrace runs must have access to the computer with the SIEM solution.

The computers of users who want to gain access to Kaspersky CyberTrace Web must have access to the address and port that Kaspersky CyberTrace uses for the web UI.

Distribution kit contents

This section describes the contents of the Kaspersky CyberTrace distribution kit.

Distribution kit types

Kaspersky CyberTrace is distributed in the following types of distribution kits:

• As an RPM package and a set of additional files

  This type of distribution kit is intended for installation on Linux systems.

• As a DEB package and a set of additional files

  This type of distribution kit is intended for installation on Linux systems.

• As an executable installer and a set of additional files

  This type of distribution kit is intended for installation on Windows systems.

• As a .tgz archive

  This type of distribution kit can be used on Linux systems instead of the RPM or DEB package.

About the integration files

All distribution kits of Kaspersky CyberTrace are customized for integration with a particular SIEM solution or for standalone integration. Each distribution kit contains a number of files that can be used for integration with this SIEM solution. In addition, the configuration files of Feed Service and other utilities contained in the distribution kit are also customized for easy integration with the SIEM solution.

For example, a distribution kit for Splunk contains all the Kaspersky CyberTrace components, and, in addition, has customized configuration files for Feed Service and Feed Utility that work with Splunk. The integration directory inside the distribution kit contains applications for all variants of Splunk integration schemes. These applications can be deployed and used in the Splunk infrastructure.

RPM and DEB distribution kits

This type of distribution kit contains the following files and directories.

Distribution kit contents (RPM and DEB package)

Executable installer distribution kit

This type of distribution kit contains the following files and directories.

Distribution kit contents (executable installer)

Files contained in archives and packages (Linux)

RPM and DEB packages and TGZ archives contain the following set of files.

Files contained in archives and packages (Linux)

Files contained in archives and packages (Windows)

Executable installers contain the following set of files.

Files contained in archives and packages (Windows)

Integration files (Splunk)

Integration files for Splunk are described in the following table.

Integration files (Splunk)

Integration files (ArcSight)

Integration files for ArcSight are described in the following table.

Integration files (ArcSight)

Integration files (QRadar)

Integration files for QRadar are described in the following table.

Integration files (QRadar)

Integration files (RSA NetWitness)

Integration files for RSA NetWitness are described in the following table.

Integration files (RSA NetWitness)

Integration files (LogRhythm)

Integration files for LogRhythm are described in the following table.

Integration files (LogRhythm)

Part 1: Installing Kaspersky CyberTrace

These sections describe how to install Kaspersky CyberTrace on Linux or Windows systems.

Installation on Linux systems

This section describes the process of installing Kaspersky CyberTrace on Linux systems.

After installation, make sure that only users with administrator rights have access to the folder where Kaspersky CyberTrace is installed.

We also recommend that you install and run anti-virus software before installing Kaspersky CyberTrace.

Installation methods

On Linux systems, you can install Kaspersky CyberTrace by three methods:

• RPM installation

  In this type of installation, you run the installation script, run.sh. The installation script installs the RPM package and runs the configurator. The configurator generates certificates for Kaspersky CyberTrace Web and configures the Elasticsearch indicator database.

• DEB installation

  The same as RPM installation.

• TGZ installation

  In this type of installation, you manually unpack the TGZ archive to the /opt/kaspersky/ktfs directory and create symbolic links for configuration files and startup scripts. You must then manually run the configurator binary file and accept the End User License Agreement.

  If you do not run the configurator after performing the TGZ installation, Kaspersky CyberTrace will not work. You must accept the End User License Agreement.

RPM installation

Kaspersky CyberTrace is installed in the /opt/kaspersky/ktfs directory. This directory is called %service_dir% in this document.

The user account that performs the RPM installation must have root privileges.

To perform the RPM installation of Kaspersky CyberTrace:

1. Unpack the distribution kit contents to any directory on your system. In the following command, substitute %temp_dir% with this directory and %VERSION% with the version of the installation package.

   tar -C %temp_dir% -xvzf Kaspersky_CyberTrace-Linux-x86_64-%VERSION%-Release-RPM.tar.gz --no-same-owner

   The RPM package, installation script, and documentation will be unpacked to this directory.

   The archive can have a different name, for example, %SIEM%-rpm.tar.gz. You can either use the existing name or rename the archive by using the mv command.

2. Run the installation script:

   ./run.sh install

   The installation script will install the RPM package and add Feed Service to the list of services by using chkconfig. Feed Service will start automatically on system boot.

   After the RPM package is installed, the installation script automatically runs the configurator.

3. In the configurator, accept the End User License Agreement.

   For more information about using the configurator, see the section "Interactive setup with the configurator" below.

   If you interrupt the configuration process, you can resume it by running the following command: /opt/kaspersky/ktfs/bin/configure –i.

4. Perform the post-installation configuration by using the Initial Setup Wizard.

DEB installation

Kaspersky CyberTrace is installed in the /opt/kaspersky/ktfs directory. This directory is called %service_dir% in this document.

The user account that performs the DEB installation must have root privileges.

To perform the DEB installation of Kaspersky CyberTrace:

1. Unpack the distribution kit contents to any directory on your system. In the following command, substitute %temp_dir% with this directory and %VERSION% with the version of the installation package.

   tar -C %temp_dir% -xvzf Kaspersky_CyberTrace-Linux-x86_64-%VERSION%-Release-DEB.tar.gz --no-same-owner

   The DEB package, installation script, and documentation will be unpacked to this directory.

   The archive can have a different name, for example, %SIEM%-deb.tar.gz. You can either use the existing name or rename the archive by using the mv command.

2. Run the installation script:

   ./run.sh install

   The installation script will install the DEB package and add Feed Service to the list of services started on boot by systemd. Feed Service will start automatically on system boot.

3. After the DEB package is installed, the installation script automatically runs the configurator.
4. In the configurator, accept the End User License Agreement.

   For more information about using the configurator, see the section "Interactive setup with the configurator" below.

   If you interrupt the configuration process, you can resume it by running the following command: /opt/kaspersky/ktfs/bin/configure –i.

5. Perform the post-installation configuration by using the Initial Setup Wizard.

TGZ installation

To perform the TGZ installation of Kaspersky CyberTrace:

1. Unpack the archive. The directory to which you unpack the archive is called %service_dir% in this document. To do this, run the following command:

   tar -C %service_dir% -xvzf Kaspersky_CyberTrace-Linux-x86_64-%VERSION%-Release.tar.gz --strip-components=1

2. Create the cybertrace_db account for the database service and set its login shell to /bin/nologin:

   id -u cybertrace_db > /dev/null 2>&1 || useradd -M cybertrace_db -d %service_dir%/db -s /sbin/nologin

3. Make cybertrace_db the owner of the database directory:

   chown -R cybertrace_db %service_dir%/db

4. Increase the system limit on the maximum number of memory regions allocated to a process:

   echo 'vm.max_map_count=262144' > /etc/sysctl.d/98-elasticsearch.conf && sysctl --system

5. Increase the limit on the maximum number of open files:

   echo -e "cybertrace_db\t-\tnofile\t65535" > /etc/security/limits.d/10-cybertrace.conf

6. Create a symlink for the database service:

   ln -s $%service_dir%/etc/systemd/system/cybertrace_db.service /etc/systemd/system/cybertrace_db.service

7. Create a symlink for the Kaspersky CyberTrace service:

   ln -s $%service_dir%/etc/systemd/system/cybertrace.service /etc/systemd/system/cybertrace.service

8. Reload the systemd daemon to make it reread the list of services:

   systemctl daemon-reload

9. Allow Kaspersky CyberTrace databases and services in systemd:

   systemctl enable cybertrace_db.service && systemctl enable cybertrace.service

10. Run the configurator:

    %service_dir%/bin/configure -i

11. Launch Kaspersky CyberTrace service:

    systemctl start cybertrace

12. Perform the post-installation configuration by using the Initial Setup Wizard.

Interactive setup with the configurator

To perform the interactive setup with the configurator:

1. In the configurator, accept the End User License Agreement:

   Use the PAGE UP and PAGE DOWN keys to navigate. Type q to quit.

   To accept the End User License Agreement, print Yes.

2. If the configurator does not automatically determine ports for Kaspersky CyberTrace Web and the Elastic database, specify this information.
3. After that, Kaspersky CyberTrace will be launched. Two links will be displayed:
   • Link to the Kaspersky CyberTrace web user interface.
   • Link to the Kaspersky CyberTrace documentation, where you can find the credentials for logging into Kaspersky CyberTrace Web.

Configurator command-line parameters

The configurator is a binary file that configures and runs Kaspersky CyberTrace.

The file has the following command-line syntax:

configure [options]

The following options are available:

• -h [ --help ]

  Display a help message and exit.

• -i [ --install ]

  Perform the initial configuration of Kaspersky CyberTrace.

• -c [ --change ]

  Update the certificate used for Kaspersky CyberTrace Web.

Installation on Windows systems

This section describes the process of installing Kaspersky CyberTrace on Windows systems.

After installation, make sure that only users with administrator rights have access to the folder where Kaspersky CyberTrace is installed.

We also recommend that you install and run anti-virus software before installing Kaspersky CyberTrace.

Installation methods

On Windows systems, you can install Kaspersky CyberTrace by running an executable installer. During the installation process, the installer generates certificates for Kaspersky CyberTrace Web and configures the Elasticsearch indicator database.

To install Kaspersky CyberTrace by using an executable installer:

1. Make sure that the computer you plan to use for running Feed Service meets the hardware and software requirements.
2. Make sure that the computer can send events to the computer on which a SIEM solution is installed and can receive events from the SIEM computer.
3. Run the .exe file of the executable installer.

   You must run the executable installer from the Administrator account.

   As an option, you can specify the /accepteula parameter when you run the .exe file. In this case, the installer performs the installation without requiring any input. You can use this option only if you have read and accepted the End User License Agreement (EULA). A document with the End User License Agreement (EULA) is provided in the Distribution kit. We recommend installing Kaspersky CyberTrace without using this option.

4. Accept the End User License Agreement (EULA).

   If you continue the installation, Kaspersky CyberTrace is installed to C:\Program Files\Kaspersky Lab\Kaspersky CyberTrace. This folder is called %service_dir% in this document.

5. Kaspersky CyberTrace Web will be launched. The check box and the link to Kaspersky CyberTrace Web will be displayed:
   • By default, you will be directed to the Kaspersky CyberTrace Web page after installation. Clear this check box if you do not want to go to the web user interface.
   • Click the Kaspersky CyberTrace documentation link to find the credentials that are used to log on to Kaspersky CyberTrace Web.

To configure Kaspersky CyberTrace after it is installed:

1. Perform the post-installation configuration by using the Initial Setup Wizard.
2. Verify that everything is in working order. See subsection "Checking that the components of Kaspersky CyberTrace are running" below.

Perform the following procedure only if you cannot configure Kaspersky CyberTrace using Kaspersky CyberTrace Web.

To configure Kaspersky CyberTrace by editing its configuration files:

1. Select the feeds that must be downloaded and processed by Feed Utility:
   1. In the %service_dir%\bin\kl_feed_util.conf file, find the feeds that you want to download and process.
   2. For each of the feeds, find the following attribute:

      enabled="false"

   3. For each of the feeds, change the value of the attribute to true:

      enabled="true"

2. Specify the feeds that must not be processed by Feed Service:
   1. In the %service_dir%\bin\kl_feed_service.conf file, find the feeds that you will not use.
   2. For each of the feeds, find the following attribute:

      enabled="true"

   3. For each of the feeds, change the value of the attribute to false:

      enabled="false"

   The lists of the enabled feeds in the Feed Utility configuration file and the Feed Service configuration file must be the same.

3. Specify the IP address and port (or the Windows-named pipe) to which Feed Service will send outgoing events in the OutputSettings > ConnectionString element of the Feed Service configuration file.
4. Specify the IP address and port (or the Windows-named pipe) that Feed Service will listen on for incoming events in the InputSettings > ConnectionString element of the Feed Service configuration file.
5. If you want to use Log Scanner, specify the IP address and port (or the Windows-named pipe) that the utility will use to interact with Feed Service in the Connection element of the Log Scanner configuration file.

   The Log Scanner configuration file is located at %service_dir%\log_scanner\log_scanner.conf.

6. If you have a commercial certificate for downloading feeds, replace the %service_dir%\dmz\feeds.pem demo certificate with your commercial certificate.
7. If you want Feed Utility to access Kaspersky servers through a proxy server, specify the proxy setting by running the utility with the --set-proxy option:

   kl_feed_util --set-proxy 'user:pass@proxy.example.com:3128' -c ..\bin\kl_feed_util.conf

8. If you have a commercial license key, you can add it to Kaspersky CyberTrace by copying it to the %service_dir%\httpsrv\lic directory.
9. If you want to use normalizing rules to process the events sent by various sources or if you want to use custom regular expressions to parse the events, add the <Source> elements with normalizing rules and custom regular expressions to the Feed Service configuration file.
10. Restart Feed Service by running the %service_dir%\bin\kl_control.bat file as Administrator.

Checking that the components of Kaspersky CyberTrace are running

To check whether the components of Kaspersky CyberTrace are running:

Run the kl_control.bat script with the status option as Administrator. The result displayed in the console must be similar to that depicted in the figure below.

kl_control.bat output

If the result of these commands is not similar to the information displayed in the figures, contact your technical account manager (ТАМ) for assistance.

Post-installation configuration (Initial Setup Wizard)

This section explains how to configure Kaspersky CyberTrace by using the Initial Setup Wizard.

The Initial Setup Wizard is a sequence of web interface pages where you configure Kaspersky CyberTrace after it is installed. Once the wizard is completed, other pages of the web interface become available.

The wizard has the following pages:

• SIEM selection

  On this page, you must select your SIEM. The choice of a SIEM solution at this step affects the format of the Kaspersky CyberTrace configuration files, since these files are customized for integration with a particular SIEM solution.

  For the full list of supported SIEMs, see the subsection "Supported SIEM solutions" of the "Tenants settings" section.

• Connection settings

  On this page, you must specify connection parameters for your SIEM.

• Proxy server configuration

  On this page, you can specify proxy settings. This step is optional.

• Licensing configuration

  On this page, you can specify paths to the license key file and the certificate file. This step is optional.

• Feeds selection

  On this page, you must specify the required feeds.

Navigating to the Initial Setup Wizard

To navigate to the Initial Setup Wizard:

1. Open Kaspersky CyberTrace Web in your browser at https://127.0.0.1.
2. Log in to Kaspersky CyberTrace Web by using the default credentials.

Selecting a SIEM

To select your SIEM:

1. Choose a SIEM.

   The default parameters for this SIEM will be displayed on the page.

2. Click Next to proceed to the next page.

Configuring connection parameters

To specify connection parameters for your SIEM:

1. Specify the connection parameters that Kaspersky CyberTrace will use for incoming events:
   • Select what type of connection you want to use.
   • In the IP address and Port fields, specify an IP address and port.
   • In the UNIX socket field, specify a UNIX socket.
2. Specify an IP address and port that Kaspersky CyberTrace will use for outgoing events.
3. Specify an IP address or hostname to be used in Kaspersky CyberTrace events as the external address of the web interface.
4. Click Next to proceed to the next page.

Configuring a proxy server

To specify proxy server parameters:

1. Select Use proxy server.
2. In the IP address or hostname field, specify a proxy server IP address or host.
3. In the Proxy port field, specify a proxy server port.
4. If needed, select Use proxy credentials.
5. If you choose to use proxy credentials, specify the following:
   • In the User name field, specify a user name to access the proxy server
   • In the Password field, specify a password to access the proxy server
6. Click Next to proceed to the next page.

Configuring licensing

To import the license key and the certificate:

1. In the Kaspersky CyberTrace license key field, specify a path to the license key file.

   This field is optional.

2. In the Kaspersky Threat Data Feeds certificate field, specify a path to the certificate file.

   This field is optional.

3. Click Next to proceed to the next page.

Selecting feeds

To specify the required feeds:

1. Select the feeds that you want to use.
2. Click Next.

When the initial setup is complete, you will be asked to refer to the Kaspersky CyberTrace documentation. The displayed links are intended to be used for the following actions:

• Integrate Kaspersky CyberTrace with your SIEM solution
• Configure additional tenants
• Explore the Administrator guides section

To finish the initial setup wizard, click Close.

Part 2: Integrating Kaspersky CyberTrace with an event source

At this step, you must integrate Kaspersky CyberTrace with an event source. An event source can be either one of the SIEM solutions or a standalone event source.

Kaspersky CyberTrace supports integration with the following SIEM solutions:

• Integration steps (Splunk)
• Integration steps (ArcSight)
• Integration steps (QRadar)
• Integration steps (RSA NetWitness)
• Integration steps (LogRhythm)
• KUMA

Integrations with other SIEM solutions are available. For more information, see https://support.kaspersky.com/datafeeds.

Integration with Splunk

This chapter describes how to integrate Kaspersky CyberTrace with Splunk.

Integration steps (Splunk)

This chapter describes how to integrate Kaspersky CyberTrace with Splunk.

About the integration schemes

Kaspersky CyberTrace can be integrated with Splunk in two integration schemes:

• Single-instance integration scheme

  In the single-instance integration scheme, Feed Service and the Splunk instance are configured to work on the same computer or on different computers.

• Distributed integration scheme

  In the distributed integration scheme, you install Feed Service, Search Head App, and Forwarder App in your distributed Splunk environment and configure the service and the apps to interact with each other.

How to integrate Kaspersky CyberTrace with Splunk in the single-instance integration mode

To integrate Kaspersky CyberTrace with Splunk in the single-instance integration mode:

• Make sure that you have installed Kaspersky CyberTrace.

  In the single-instance integration scheme, Kaspersky CyberTrace and the Splunk instance are installed on the same computer or on different computers. By default, Kaspersky CyberTrace App for Splunk is configured to be installed on the same computer with Kaspersky CyberTrace. However, we recommend that you install Kaspersky CyberTrace on a separate computer; in this case, Feed Service must be configured during the installation, and Kaspersky CyberTrace App for Splunk must be configured in step 2 (below).

• Step 1. Install Kaspersky CyberTrace App for Splunk.
• Step 2 (optional). Configure Kaspersky CyberTrace App for Splunk.

  This step is optional. If you skip this step, Kaspersky CyberTrace App for Splunk will use the default configuration. Email alerts will not be sent in this case.

  By default, Kaspersky CyberTrace App for Splunk uses port 9999 to send events to Kaspersky CyberTrace and port 9998 to receive events from Kaspersky CyberTrace. If these ports are used by another application, you must configure either Kaspersky CyberTrace App for Splunk or the other application to use different ports.

• Step 3 (optional). Configure the lookup script.

  This step is optional. If you skip this step, the lookup script will use the default configuration.

• Step 4. Perform the verification test.

  Please make sure you perform the verification test before editing any matching process settings.

How to integrate with Splunk in the distributed integration mode

To integrate Kaspersky CyberTrace with Splunk in the distributed integration mode:

• Make sure that you have installed Kaspersky CyberTrace.

  In the distributed deployment scheme, you can install Kaspersky CyberTrace on one of the computers that has Forwarder or Indexer already installed, or on a separate computer.

  In the distributed deployment scheme, you must configure Feed Service during the installation to receive events from other Splunk entities such as heavy forwarders and indexers, and send its own events to the indexer that stores the index used by Kaspersky CyberTrace App for Splunk.

• Step 1. Install Forwarder App and Search Head App.
• Step 2. Configure Forwarder App and Search Head App so that they can interact with each other and forward events to Kaspersky CyberTrace.
• Step 3 (optional). Configure the lookup script.

  This step is optional. If you skip this step, the lookup script will use the default configuration.

• Step 4. Perform the verification test.

  Please make sure you perform the verification test before editing any matching process settings.

Single-instance integration (Splunk)

This section contains instructions for integrating Kaspersky CyberTrace and Splunk in the single-instance integration scheme.

About the single-instance integration scheme

By default, both Feed Service and Kaspersky CyberTrace App use the following integration scheme. This scheme is the single-instance integration scheme.

About apps and services

The single instance integration scheme uses one app and one service:

• Feed Service

  This service matches Splunk events against Kaspersky Threat Data Feeds.

  Feed Service sends the resulting events to Splunk. Splunk stores the events from Feed Service in the main index.

• Kaspersky CyberTrace App

  This app contains Kaspersky CyberTrace App dashboards, alert templates, and a lookup script. The app also contains parsing rules for Feed Service events and rules for forwarding events from Splunk to Feed Service.

Single-instance integration scheme

In the single-instance integration scheme, Splunk Apps and Feed Service work on the same computer by default (IP address is 127.0.0.1). Kaspersky CyberTrace App receives input on port 3000 and forwards it to Feed Service on port 9999. Feed Service then returns matches to Kaspersky CyberTrace App on port 9998.

If you want to install Feed Service on a separate computer, you must specify addresses and ports used by Feed Service and Kaspersky CyberTrace App when installing Kaspersky CyberTrace.

Single-instance integration scheme

Event format

By default, Kaspersky CyberTrace App and Feed Service receive events in a certain format:

• Feed Service uses regular expressions from its configuration file to parse events. You can view and configure these regular expressions on the Settings > Matching tab in Kaspersky CyberTrace Web. These regular expressions parse a specific format of inbound data. For example, the default regular expression for URLs matches strings that contains a protocol (for example, http:// or https://). If URLs in the events that come from your devices do not contain protocols, you must change the regular expression.
• The lookup script that comes with Kaspersky CyberTrace App sends events to Feed Service in a format that matches the regular expressions used by Feed Service. When you change the regular expressions, edit the lookup script so that it uses a format that matches the new regular expressions.

Step 1. Installing Kaspersky CyberTrace App (single-instance deployment)

This section describes the process of installing Kaspersky CyberTrace App.

Kaspersky CyberTrace App is installed from the %service_dir%/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk.tar.gz file.

Installing the app

To install Kaspersky CyberTrace App:

1. In Splunk Web, go to the home page.
2. On the home page, click the Manage Apps button.

   

   Manage Apps button

3. On the Apps page, click the Install app from file button.

   

   Install app from file button

4. In the Upload an app window, click Choose File and select the Kaspersky CyberTrace App application file.

   

   Choose File button

5. In the Upload an app window, click the Upload button.

   

   Upload button

6. In the Restart required window, click the Restart Splunk button.

   This step can be skipped, depending on the Splunk version. If Splunk does not display the Restart required window, skip this step.

   

   Restart Splunk button

7. When Splunk starts again, the Apps page will open with information about the successful installation of Kaspersky CyberTrace App. Kaspersky CyberTrace App will appear in the list of apps on the Splunk home page.

   

   Kaspersky CyberTrace App for Splunk in the list of apps

Step 2 (optional). Configuring Kaspersky CyberTrace App (single-instance deployment)

Kaspersky CyberTrace App reads its parameters from the configuration files. These configuration files define input settings, output settings, and the event format used by Kaspersky CyberTrace App.

Restart Splunk after you have made changes to the Kaspersky CyberTrace App configuration files.

Edit only those Kaspersky CyberTrace App configuration files that are described in this section. Editing other Kaspersky CyberTrace App configuration files may result in unpredictable behavior.

About the configuration files

The following configuration files can be used to configure Kaspersky CyberTrace App ($SPLUNK_HOME is the Splunk installation directory):

• $SPLUNK_HOME/etc/apps/Kaspersky-CyberTrace-App-for-Splunk/default/commands.conf

  This configuration file specifies the command for the lookup script.

• $SPLUNK_HOME/etc/apps/Kaspersky-CyberTrace-App-for-Splunk/default/inputs.conf

  This configuration file specifies the Kaspersky CyberTrace App input settings. This includes ports and addresses for data from event sources and for incoming detection events from Feed Service.

• $SPLUNK_HOME/etc/apps/Kaspersky-CyberTrace-App-for-Splunk/default/outputs.conf

  This configuration file specifies the parameters for forwarding events to Feed Service.

• $SPLUNK_HOME/etc/apps/Kaspersky-CyberTrace-App-for-Splunk/default/props.conf

  This configuration file specifies the parameters for processing input data.

• $SPLUNK_HOME/etc/apps/Kaspersky-CyberTrace-App-for-Splunk/default/savedsearches.conf

  This configuration file specifies the parameters for alert templates.

Default commands.conf file

This file specifies the lookup script that Kaspersky CyberTrace App will use when the user runs the klsearch command.

Below, you can view the default contents of the commands.conf configuration file.

Default inputs.conf file

This file specifies input settings for Kaspersky CyberTrace App.

By default, Kaspersky CyberTrace App does the following:

• It receives detection events from Feed Service at address :9998.
• It receives data from sources at address :3000 (and then forwards it to address 127.0.0.1:9999, which is specified in outputs.conf).

Below, you can view the default contents of the inputs.conf configuration file.

Default outputs.conf file

This file specifies the output settings for Kaspersky CyberTrace App.

By default, Kaspersky CyberTrace App forwards data from the address :3000 to the Feed Service at the address 127.0.0.1:9999. The input port (:3000) is specified in inputs.conf.

Below, you can view the default contents of the outputs.conf configuration file.

Default props.conf file

This file specifies how Splunk processes incoming data.

By default, Kaspersky CyberTrace App does the following:

• It defines how time stamps are extracted from incoming data.
• It defines a delimiter (line breaker) between events for incoming data.

  For example, if the incoming data has the sequence "%data_1%\n\n%data_2%" and the line breaker is one or more \n symbols, Splunk splits this sequence into two events (%data_1% and %data_2%).

Below, you can view the default contents of the props.conf configuration file.

Managing event sources

You can change the port Kaspersky CyberTrace App listens on for incoming events from a source, or add new event sources.

To change the port Kaspersky CyberTrace App listens on for incoming events from a source:

1. In inputs.conf, change the default port number 3000 to the port number that you want.

   For example, if you want to change 3000 to 3010, the record in inputs.conf looks like the following:

   [tcp://:3010] _TCP_ROUTING = service9999

2. In props.conf, also change the default port number 3000 to the port number that you want.

   For example, if you want to change 3000 to 3010, the record in props.conf looks like the following:

   [source::tcp:3010] TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 17 TIME_FORMAT = %b %d %H:%M:%S LINE_BREAKER = ([\n]+) SHOULD_LINEMERGE = false

3. Restart Splunk.

To add a new event source:

1. In inputs.conf, specify a new event source that uses the service9999 TCP routing rule.

   All data from this input will be forwarded to Feed Service.

2. In props.conf, specify how data from this source must be processed.
3. Restart Splunk.

Make sure that data from the new event source matches the regular expressions used by Kaspersky CyberTrace.

Below is an example of adding the address :3001 as the event source; it specifies that data from :3001 must be processed as are other input data in the default integration scheme (in this scheme, the forwarder, indexer, and search head are installed on a single computer).

Changing the address and port for data from Feed Service

By default, Kaspersky CyberTrace App is configured to receive data from Feed Service at port 9998 at any available address. This is specified in the inputs.conf configuration file of Kaspersky CyberTrace App. If you want to receive data from Feed Service only at a specific address and port (for example, if Splunk has access to several network interfaces), edit the inputs.conf file accordingly.

Use the following rules to specify the address and port where data from Feed Service must be received by Kaspersky CyberTrace App:

• If Feed Service and Splunk are located on the same computer, use the following format to specify the port where data from Feed Service must be received by Kaspersky CyberTrace App:

  [tcp://127.0.0.1:<port>]

• If Feed Service and Splunk are located on different computers, use the following format to specify the address and port where data from Feed Service must be received by Kaspersky CyberTrace App:

  [tcp://<address>:<port>]

• To specify that Kaspersky CyberTrace App will receive data from Feed Service at any available address, use the following format:

  [tcp://:<port>]

  Note that this format can affect security, because Kaspersky CyberTrace App will receive information at the specified port of every available network interface.

In the format examples above, <address> and <port> are the IP address and port that Kaspersky CyberTrace App will listen on for incoming data from Feed Service.

You may also have to change the addresses and ports for outbound events used by Kaspersky CyberTrace.

Below are examples of specifying the address and port where data from Feed Service is to be received.

In the following example, Feed Service and Splunk are located on the same computer. Kaspersky CyberTrace App receives detection events at port 9998 port of that same computer.

In the following example, Feed Service and Splunk are located on different computers. Kaspersky CyberTrace App receives detection events from Feed Service at address 192.0.2.42:9997.

In the following example, Kaspersky CyberTrace App receives detection events from Feed Service at port 3000 of any available address.

Configuring alert templates

Kaspersky CyberTrace App comes with several alert templates that you can use and customize from the Alerts dashboard.

The following alert templates are available:

• Matches alert

  This alert is triggered if there were matches with Kaspersky Threat Data Feeds in the past 24 hours.

• No Matches alert

  This alert is triggered if there were no matches with Kaspersky Threat Data Feeds in the past 24 hours.

• Emergency alert

  This alert is triggered if there were 5000 matches with Kaspersky Threat Data Feeds in the course of one minute.

• Service Unavailable alert

  This alert is triggered if Feed Service is unavailable.

• Service Started alert

  This alert is triggered when Feed Service is started.

Following are the default Kaspersky CyberTrace App settings:

• All of the alerts included in Kaspersky CyberTrace App are turned on.

  To turn them off, use the Alerts dashboard.

• The "Add to Triggered Alerts" action is defined for all alerts.

  Splunk will display the alert in Triggered Alerts.

To enable email notifications for alerts:

1. In Kaspersky CyberTrace App, open Alerts.

   

2. Expand the parameters of an alert that you want to configure.

   

3. Locate the Actions field, and then click Edit.
4. Under Trigger Actions, click Add Actions.

   

5. From the list of options, select Send email.

   

6. Enter the email message parameters and save the changes.

   

Step 3 (optional). Configuring the lookup script (single-instance deployment)

The lookup script is used to match individual URLs, IP addresses, and hashes to Kaspersky Threat Data Feeds. It can be invoked from the Indicators lookup tab in Kaspersky CyberTrace App.

To configure the lookup script:

1. In Kaspersky CyberTrace App, go to the Indicators lookup tab.
2. Specify Kaspersky CyberTrace connection strings:
   • In the Kaspersky CyberTrace address field, specify the IP address of Kaspersky CyberTrace
   • In the Kaspersky CyberTrace port field, specify the port that Kaspersky CyberTrace uses

The script is ready for use.

Step 4. Performing the verification test (Splunk, single-instance integration)

This section explains how to check the capabilities of Kaspersky CyberTrace by performing the verification test.

Please make sure you perform the verification test before editing any matching process settings.

About the verification test

The verification test is a procedure that is used to check the capabilities of Kaspersky CyberTrace and to confirm the accuracy of the integration.

During this test you will check whether events from Splunk are received by Feed Service, whether events from Feed Service are received by Splunk, and whether events are correctly parsed by Feed Service using the regular expressions.

This section describes the verification scenario for the default integration scheme (in this scheme, the forwarder, indexer, and search head are installed on a single computer), but you can also use the verification test after changes were made to the configuration parameters to check that Kaspersky CyberTrace and the SIEM solution work correctly.

Verification test file

The %service_dir%/verification/kl_verification_test_cef.txt file is a verification test file. It contains a collection of events with URLs, IP addresses, and hashes.

Verification test scenario

To perform the verification test:

1. Specify the Feed Service address in the Log Scanner utility configuration file.
2. Send the verification file to Feed Service by using the Log Scanner utility.

   If you run the Log Scanner utility, you cannot erase test data from the index.

3. Compare the verification test results with the target numbers displayed on the Kaspersky CyberTrace Matches dashboard.
4. Perform the Self-test.

   The Self-test is an automatic feed test performed by Kaspersky CyberTrace App.

5. Optionally, clear Splunk of events that arrived when the verification test was being performed.

Verification test scenario

The verification test scenario proceeds in stages:

Stage 1. Specifying the Feed Service address in the Log Scanner configuration file

Specify the address and port that Feed Service listens on in the Connection element of the Log Scanner configuration file.

Stage 2. Sending the verification file to Feed Service

You must send the verification file to Feed Service by using the Log Scanner utility.

Before you send the file, make sure that Feed Service is running.

The following commands send the contents of the kl_verification_test_cef.txt file to Feed Service:

• In Linux: ./log_scanner -p ../verification/kl_verification_test_cef.txt
• In Windows: log_scanner.exe -p ..\verification\kl_verification_test_cef.txt

After receiving data from Log Scanner, Feed Service sends the test results to Splunk. The address of Splunk is specified in the Service settings of Kaspersky CyberTrace. Also, this address is specified during the installation or reconfiguration of Kaspersky CyberTrace.

Stage 3. Checking the verification test results

In this step, you must verify that URLs, IP addresses, and hashes are processed correctly by Kaspersky CyberTrace App.

To check the verification test results:

1. In Kaspersky CyberTrace App, on the navigation bar select Kaspersky CyberTrace Matches.

   The Kaspersky CyberTrace Matches Dashboard opens.

2. Compare numbers in the Matches by eventName panel to the numbers of the detected objects in the table shown below.

   The verification test results depends on the feeds you use. The following table summarizes target numbers for the verification test when all commercial feeds are used.

   Verification test results (commercial feeds)

   Feed used	eventName value	Detected objects
   Malicious URL Data Feed	KL_Malicious_URL	http://fakess123.nu http://badb86360457963b90faac9ae17578ed.com
   Phishing URL Data Feed	KL_Phishing_URL	http://fakess123ap.nu http://e77716a952f640b42e4371759a661663.com
   Botnet CnC URL Data Feed	KL_BotnetCnC_URL	http://fakess123bn.nu http://a7396d61caffe18a4cffbb3b428c9b60.com
   IP Reputation Data Feed	KL_IP_Reputation	192.0.2.0 192.0.2.3
   Malicious Hash Data Feed	KL_Malicious_Hash_MD5	FEAF2058298C1E174C2B79AFFC7CF4DF 44D88612FEA8A8F36DE82E1278ABB02F C912705B4BBB14EC7E78FA8B370532C9
   Mobile Malicious Hash Data Feed	KL_Mobile_Malicious_Hash_MD5	60300A92E1D0A55C7FDD360EE40A9DC1
   Mobile Botnet CnC URL Data Feed	KL_Mobile_BotnetCnC_Hash_MD5	001F6251169E6916C455495050A3FB8D
   Mobile Botnet CnC URL Data Feed	KL_Mobile_BotnetCnC_URL	http://sdfed7233dsfg93acvbhl.su/steallallsms.php
   Ransomware URL Data Feed	KL_Ransomware_URL	http://fakess123r.nu http://fa7830b4811fbef1b187913665e6733c.com
   Vulnerability Data Feed	KL_Vulnerable_File_Hash_MD5	D8C1F5B4AD32296649FF46027177C594
   APT URL Data Feed	KL_APT_URL	http://b046f5b25458638f6705d53539c79f62.com
   APT Hash Data Feed	KL_APT_Hash_MD5	7A2E65A0F70EE0615EC0CA34240CF082
   APT IP Data Feed	KL_APT_IP	192.0.2.4
   IoT URL Data Feed	KL_IoT_URL	http://e593461621ee0f9134c632d00bf108fd.com/.i
   ICS Hash Data Feed	KL_ICS_Hash_MD5	7A8F30B40C6564EFF95E678F7C43346C

The following table summarizes target numbers for the verification test when only demo feeds are used.

Verification test results (demo feeds)

Stage 4. Performing the Self-test

The Self-test is an automatic feed test performed by Kaspersky CyberTrace App using the lookup script. You must verify that results of this test are correct.

To perform a Self-test:

1. In Kaspersky CyberTrace App, on the navigation bar select Kaspersky CyberTrace Status.

   The Kaspersky CyberTrace Status dashboard opens.

2. For all the feeds that you use, check the status values in the Self-test panel:
   • If you use only demo feeds, the value for demo feeds must be OK and values for all other feeds must be FALSE.
   • If you use commercial feeds, the value for all feeds that you use must be OK. All other values including values for demo feeds must be FALSE.

The following figure shows an example of a Self-test results for commercial feeds. In this example, all commercial feeds are used, and demo feeds are not used. The value for demo feeds is FALSE, as expected.

Self-test results

Stage 5 (optional). Clearing Splunk of events received when the verification test was performed

To clear Splunk of events received from Kaspersky CyberTrace when the verification test was performed:

1. On the Search dashboard of the Splunk GUI, click the Search & Reporting button to run the Search & Reporting app.
2. Delete the events from Kaspersky CyberTrace:
   1. In the Search field, type the following command:

      index="main" sourcetype="kl_cybertrace_events" | delete

   2. Click the All time split button next to the Search field.

      If the split button has another name, click it and in the drop-down list select All time.

   3. Click Search ().

   

   Search & Reporting app

Distributed integration scheme (Splunk)

This section contains instructions for integrating Kaspersky CyberTrace and Splunk in the distributed integration scheme.

For a description of the integration process, see Integration guide (Splunk).

For a description of distributed integration scheme, see About the distributed integration scheme.

About the distributed integration scheme

Kaspersky CyberTrace supports distributed Splunk environments. The integration scheme for distributed Splunk environments is called the distributed integration scheme.

About the apps and services used in the distributed integration scheme

In the distributed integration scheme, Kaspersky CyberTrace is divided into two apps and one service:

• Feed Service

  This service matches Splunk events against Kaspersky Threat Data Feeds.

  Feed Service sends the resulting events to a single indexer that keeps the index with events from Kaspersky CyberTrace.

  This service can be installed on a separate computer.

• Kaspersky CyberTrace App Search Head (or Search Head App)

  This app contains Kaspersky CyberTrace App dashboards, alert templates, and the lookup script.

  This app is intended for installation on a Splunk instance that acts as a search head and sends search requests to the indexer that keeps the index with events from Kaspersky CyberTrace.

• Kaspersky CyberTrace App Forwarder (or Forwarder App)

  This app contains rules for forwarding events from Splunk to Feed Service. It also receives events from Feed Service.

  This app is intended for installation on Splunk instances that must forward events to Feed Service.

About the integration scheme variants

The following variants of the distributed integration scheme demonstrate a general approach to integrating Kaspersky CyberTrace with your distributed Splunk environment. Depending on how your distributed Splunk environment is organized, you may have to change or combine these variants.

One indexer, multiple forwarders variant

One indexer, multiple forwarders

In the one indexer, multiple forwarders variant, several heavy forwarders parse and send events directly to Feed Service. These forwarders must use Forwarder App. One of the forwarders receives matches from Feed Service. The forwarders send the matches to the indexers that store them in the index used by Kaspersky CyberTrace for Splunk Search Head App.

Multiple indexers, multiple forwarders variant

In the multiple indexers, multiple forwarders variant, several heavy forwarders parse and send events directly to Feed Service. These forwarders must use Forwarder App. One of the forwarders receives matches from Feed Service. The forwarders send the matches to the indexers that store them in the index used by Kaspersky CyberTrace App.

Default ports and addresses

By default, Forwarder App and Feed Service are configured to use certain addresses and ports for forwarding events and receiving matches. You must change these addresses and ports based on the organization of your distributed Splunk environment.

You must change the default addresses and ports that are used by Forwarder App and Feed Service.

By default, Forwarder App:

• Receives events at :3000 port.
• Receives events from Kaspersky CyberTrace at :9998 port. These events are stored in the main index.
• Forwards events to 127.0.0.1:9999.

By default, Feed Service does the following:

• Receives events at 127.0.0.1:9999.
• Sends its own events to 127.0.0.1:9998.

Event format

By default, Kaspersky CyberTrace App and Feed Service are configured to receive events in a certain format:

• Feed Service parses events with regular expressions defined in its configuration file (the regular expressions are also displayed in Kaspersky CyberTrace Web). These regular expressions are created for a specific format of inbound data. For example, the default regular expression for URLs will match a URL containing the protocol (for example, HTTP, HTTPS). If the URLs in the events generated by your devices do not contain the procotol, change the regular expression accordingly.
• The lookup script that comes with Kaspersky CyberTrace App (or Search Head App in the case of the distributed integration scheme) sends events to Feed Service in a format that matches the regular expressions used by Feed Service.

Step 1. Installing Forwarder and Search Head apps

In the distributed deployment scheme, you must install Forwarder App and Search Head App on the basis of the organization of your distributed Splunk environment. For more information about how to choose the computers where the apps must be installed, see the section about the distributed integration scheme.

Forwarder App is installed from the %service_dir%/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk_Forwarder.tar.gz file. Search Head App is installed from the %service_dir%/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk_Search-Head.tar.gz file.

Installing the apps

Forwarder App and Search Head App are installed from Splunk Web. The only difference in the installation process is the application file name.

To install Forwarder App or Search Head App:

1. Open Splunk Web for the Splunk instance where you want to install the app.
2. In Splunk Web, go to the home page.
3. On the home page, click the Manage Apps button.

   

   Manage Apps button

4. On the Apps page, click the Install app from file button.

   

   Install app from file button

5. In the Upload an app window, click Choose File and select the application file mentioned above in this section.

   

   Choose File button

6. In the Upload an app window, click the Upload button.

   

   Upload button

7. In the Restart required window, click the Restart Splunk button.

   This step can be skipped, depending on the Splunk version. If Splunk does not display the Restart required window, skip this step.

   

   Restart Splunk button

8. When Splunk starts again, the Forwarder App will be displayed in the list of installed apps. When Kaspersky Search Head App is installed, the Apps page will open with information about the successful installation of Kaspersky Search Head App. Kaspersky Search Head App will appear in the list of apps on the Splunk home page.

   

   Kaspersky Search Head App for Splunk in the list of apps

Step 2. Configuring Forwarder and Search Head apps (distributed deployment)

In the distributed deployment scheme, you must configure Forwarder App on the basis of the organization of your distributed Splunk environment. For example, the configuration changes may include changing the Feed Service address used by the apps, or adding new event sources for Forwarder App. For Search Head App, you may have to configure the email addresses for alerts.

Configuration actions for Forwarder App and Search Head App

For Forwarder App, you may have to do the following:

• Change the address and port for forwarding events to Feed Service. See subsection "Changing the address and port for forwarding data to Feed Service" below.
• Configure Forwarder App to send events to the Indexer (or multiple Indexers). By default, events that are sent from Forwarder App to Feed Service are not registered in the indexes. See subsection "Configuring Forwarder App to send events to indexes" below.
• If several Forwarder Apps are used, only one Forwarder App must receive events from Kaspersky CyberTrace at port 9998. For all other Forwarder Apps, disable this rule by specifying true in the disabled parameter for this rule in the Forwarder App configuration file. The IP address and port of the Forwarder App that will receive events from Kaspersky CyberTrace must be specified on the Settings > Service tab in Kaspersky CyberTrace Web.
• Add new event sources. See subsection "Adding new event sources" below.

For Search Head App, you may have to do the following:

• Add email addresses to alert templates. See "Adding email addresses to alert templates" below.

Restart Splunk after you make changes to the configuration files.

Edit only those Forwarder App and Search Head App configuration files that are described in this section. Editing other configuration files may result in unpredictable behavior.

Configuration files (distributed deployment)

The following table summarizes configuration files used by Forwarder App and Search Head App in the following distributed deployment scheme variants:

• One indexer, multiple forwarders
• Multiple indexers, multiple forwarders

  Configuration files of Forwarder App and Search Head App

  Application	Configuration file	Default rules
  Forwarder App	\default\inputs.conf	Receives data from sources at port 3000 and forwards it as configured in outputs.conf. Receives events from Kaspersky CyberTrace at :9998 port.
  Forwarder App	\default\outputs.conf	Forwards data to 127.0.0.1:9999 (Feed Service address).
  Forwarder App	\default\props.conf	Parse data received at :3000. For a description of default data parsing rules, see "Default data parsing rules" below.
  Search Head App	\default\savedsearches.conf	Rules for alert templates.

Default data parsing rules

The way in which Forwarder App parses incoming data is defined in the props.conf file. By default, Forwarder App does the following:

• Defines how time stamps are extracted from incoming data.
• Defines a delimiter (line breaker) between events for incoming data.

  For example, if the incoming data has the sequence "%data_1%\n\n%data_2%" and the line breaker is one or more \n symbols, Splunk splits this sequence into two events (%data_1% and %data_2%).

The following are the default rules used by Forwarder App to parse incoming data.

Changing the address and port for forwarding data to Feed Service

By default, Forwarder App is configured to forward data to Feed Service at 127.0.0.1:9999.

To change the address and port for forwarding data to Feed Service,

In the outputs.conf configuration file, in the [tcpout:service9999] section, specify the new address and port for the server parameter that will be used by Feed Service.

In the following example, 192.0.2.100:9999 is specified as the Feed Service address.

Adding new event sources

To add new event sources, edit the inputs.conf and props.conf configuration files of the app.

To add a new event source:

1. In inputs.conf, specify a new event source that uses the service9999 TCP routing rule.

   All data from this input will be forwarded to Feed Service.

2. In props.conf, specify how data from this source must be processed.
3. Restart Splunk.

Make sure that data from the new event source matches the regular expressions used by Kaspersky CyberTrace.

Below is an example of adding the address :3001 as the event source; it specifies that data from the address :3001 must be processed as other input data in the default integration scheme (in this scheme, the forwarder, indexer, and search head are installed on a single computer).

If Splunk Forwarder is already configured for receiving events from different event sources and you want to send events to Feed Service, perform the following procedure. This can be done if the server field of the outputs.conf configuration file of Forwarder App contains the IP address and port that are specified in the InputSettings > ConnectionString element of the Feed Service configuration file.

To forward events to Feed Service:

1. In the outputs.conf file that is used for forwarding events from Splunk (it can be either the outputs.conf file of a custom Splunk application or the %SPLUNK_DIR%/etc/system/local/inputs.conf file), in the defaultGroup field, add a comma and a string service9999.

   In this case, check the event forwarding logic and make sure that events that arrived from Feed Service are not sent again to Feed Service by Splunk.

   If the inputs.conf configuratioin file contains the _TCP_ROUTING parameter for those event sources, the events from which are sent to Feed Service, add a comma and the service9999 string to the _TCP_ROUTING parameter.

2. Restart Splunk.

Configuring Forwarder App to send events to indexes

By default, events that are sent from Forwarder App to Feed Service are not registered in the indexes. You can change this behavior by configuring Forwarder App.

To configure Forwarder App to send events to the main index:

1. Locate the Forwarder that you want to configure. This Forwarder is typically a machine with Forwarder App installed. You must configure all Forwarders that are used in your distributed integration scheme.
2. On the Forwarder, in the %SPLUNK_HOME%\etc\system\local\outputs.conf file, locate the name of the target group that is used for sending events to the Indexer (or multiple Indexers). Here %SPLUNK_HOME% is the Splunk installation directory.

   By default, the name of this group is default-autogroup-lb:

   [tcpout: default-autogroup-lb]

3. In the inputs.conf file used by the Forwarder App, locate the section with service9999 TCP routing rule:

   _TCP_ROUTING = service9999

4. Add the name of the target group to this rule.

   For example, if the name of the target group is default-autogroup-lb, the rule must be changed in the following way:

   _TCP_ROUTING=service9999, default-autogroup-lb

5. Restart Splunk on the Forwarder.

Configuring alert templates

For more information about configuring alert templates, see "Configuring alert templates" in Step 2 (optional). Configuring Kaspersky CyberTrace App.

Step 3 (optional). Configuring the lookup script (distributed deployment)

The lookup script is used to match individual URLs, IP addresses, and hashes to Kaspersky Threat Data Feeds. It can be invoked from the Indicators lookup tab in Kaspersky CyberTrace App for Search Head.

To configure the lookup script:

1. In Kaspersky CyberTrace App, go to the Indicators lookup tab.
2. Specify Kaspersky CyberTrace connection strings:
   • In the Kaspersky CyberTrace address field, specify the IP address of Kaspersky CyberTrace
   • In the Kaspersky CyberTrace port field, specify the port that Kaspersky CyberTrace uses

The script is ready for use.

Step 4. Performing the verification test (Splunk, distributed integration)

The verification test for the distributed integration of Kaspersky CyberTrace with Splunk is performed in the same way as the verification test for the single-instance integration.

Integration with ArcSight

This chapter describes how to integrate Kaspersky CyberTrace with ArcSight.

Integration steps (ArcSight)

This chapter describes how to integrate Kaspersky CyberTrace with ArcSight products.

About the integration schemes

Kaspersky CyberTrace can be integrated with ArcSight in several integration schemes. For more information about the integration schemes for ArcSight, see Integration schemes (ArcSight).

How to integrate with ArcSight

To integrate Kaspersky CyberTrace with ArcSight:

1. Before you install Kaspersky CyberTrace, make sure that ArcSight SmartConnector is installed.
2. Make sure that you have installed Kaspersky CyberTrace.
3. Import the Kaspersky_CyberTrace_Connector.arb package.
4. Install ArcSight Forwarding Connector using one of two options:
   • Install ArcSight Forwarding Connector using ArcSight interface.
   • Install ArcSight Forwarding Connector by using the console.
5. Configure Kaspersky CyberTrace for interaction with ArcSight.
6. Perform the verification test.

   Please make sure you perform the verification test before editing any matching process settings.

Before you begin (ArcSight)

ArcSight SmartConnector must be installed before you install Kaspersky CyberTrace. This section describes how to install ArcSight SmartConnector.

Installing ArcSight SmartConnector (Linux)

This section describes how to install ArcSight SmartConnector.

To install ArcSight SmartConnector:

1. Run the ArcSight SmartConnector installation application.

   This application is a component of HP ArcSight and is not included in Kaspersky CyberTrace.

2. Select the ArcSight SmartConnector installation directory (hereinafter referred to as %ARCSIGHT_HOME%).
3. Instruct the installer not to create links.
4. After the contents of the binary file are unpacked, select Add a Connector.

   

   Adding a connector

   If this window is not displayed, configure ArcSight SmartConnector manually. For this purpose, run the following command:

   %ARCSIGHT_HOME%/current/bin/runagentsetup.sh

5. Select Syslog Daemon as the connector type.
6. In the Enter the parameter details form, specify the following data:
   • Network Port—Port to which Feed Service will send detection events.

     It is the same port that is specified on the Settings > Service tab of Kaspersky CyberTrace Web (by default, it is 9998).

   • IP Address—IP address to which Feed Service will send detection events.

     It is the same IP address that is specified on the Settings > Service tab of Kaspersky CyberTrace Web (by default, it is 127.0.0.1).

     You can specify (ALL) if you want Arcsight SmartConnector to receive events from all network interfaces of the computer on which it runs. (Note that you cannot specify (ALL) in the Feed Service configuration file.)

   • Protocol—Specify Raw TCP.
   • Forwarder—Specify false.

   

   Parameters for sending detection events

   Click Next.

7. Specify ArcSight Manager (encrypted) as the type of destination.

   

   Type of destination

   Click Next.

8. Specify other destination settings:
   • Manager Hostname—Host where ArcSight Manager is running.
   • Manager Port—Port where ArcSight Manager is available.

     By default, it is 8443.

   • User—Name of the ArcSight ESM user that has rights for registering the connector.
   • Password—Password of the ArcSight ESM user.
   • AUP Master Destination—Specify false.
   • Filter Out All Events—Specify false.
   • Enable Demo CA—Specify false.

   

   Destination parameters

   Click Next.

9. Specify the connector details: the name (arbitrary value permitted), location (arbitrary value permitted), location of the device that will send events to the connector (arbitrary value permitted, can be empty), and comment about the connector (arbitrary value permitted, can be empty).

   

   Connector details

   Click Next.

10. If the ArcSight Manager parameters are valid, accept importing the certificate from the destination.
11. If the certificate is imported successfully, install the ArcSight SmartConnector service.
    • If you do not run the installation as root, a warning will be displayed.

    

    Warning about user privileges

    You can either run the Connector Setup Wizard as root, or run the following command as root:

    %ARCSIGHT_HOME%/current/bin/arcsight agentsvc -i -u $username -sn $service_name

    Here

    • $username is the name of the operating system user that will run the service.
    • $service_name is the service name.

      We recommend that you set the service name to be the same as the connector name.

    The %ARCSIGHT_HOME%/current/logs/agent.log log file will contain messages about the installation process.

    Skip the next step that describes how to specify the service parameters.

    • If you run the installation as root, select Install as a service.

    Click Next.

12. Specify the service parameters.

    We recommend that you set the service name to be the same as the connector name.

    

    Specifying service parameters

    Click Next.

13. Start ArcSight SmartConnector by calling the following command:

    /etc/init.d/arc_$service_name start

    In this command, $service_name is the service name.

After you have installed ArcSight SmartConnector, you can install Feed Service and integrate it with ArcSight. For more information, see Integration steps (ArcSight).

Installing ArcSight SmartConnector by using the console (Linux)

You can install ArcSight SmartConnector on Linux by using the console instead of the GUI installer.

To install ArcSight SmartConnector by using the console:

1. In the console, run the ArcSight SmartConnector installer.
2. Read the Introduction section and press Enter.
3. When prompted, select Choose Install Folder, and type the full path to the directory where ArcSight SmartConnector will be installed (%ARCSIGHT_HOME%).

   The default value of the installation directory is /root/ArcSightSmartConnectors.

4. When prompted, select Choose Link Location, and specify whether a link to the installation directory must be created.

   We recommend that you specify Don't create links.

5. Make sure that the Pre-Installation Summary section lists the correct values of the installation settings. Press Enter if the values are correct.

   After ArcSight SmartConnector is installed, the following information will be displayed in the console:

   Installation Complete

   ---------------------

   The core components of the ArcSight SmartConnector have been successfully installed to:

   %ARCSIGHT_HOME%

   To finish the configuration of the SmartAgent, please go to the folder:

   %ARCSIGHT_HOME%/current/bin/

   and execute the script:

   ./runagentsetup.sh

6. Run %ARCSIGHT_HOME%/current/bin/runagentsetup.sh.
7. Run Add a Connector.
8. Specify Syslog Daemon as the connector type.
9. Specify the following settings of the connector:
   • Network Port

     Specify the port to which Feed Service sends events. This port is specified on the Settings > Service tab of Kaspersky CyberTrace Web (by default, it is 9998).

   • IP Address

     Specify the IP address to which Feed Service sends events. This IP address is specified on the Settings > Service tab of Kaspersky CyberTrace Web (by default, it is 127.0.0.1).

     You can specify ALL if you want Arcsight SmartConnector to receive events from all network interfaces of the computer on which it runs. (Note that you cannot specify ALL in the Feed Service configuration file.)

   • Protocol

     Specify Raw TCP.

   • Forwarder

     Specify false.

10. Specify ArcSight Manager (encrypted) as the destination type.
11. Specify whether to mask passwords.

    It is recommended to specify yes.

12. Specify the following connection settings of ArcSight Manager:
    • Manager Hostname

      ArcSight Manager host.

    • Manager Port

      ArcSight Manager port. By default, it is 8443.

    • User

      Name of the user that has the right to register a connector in ArcSight.

    • Password

      Password of the specified user.

    • AUP Master Destination

      Specify False.

    • Filter Out All Events

      Specify False.

    • Enable Demo CA

      Specify False.

13. Specify the following connector settings:
    • Name

      Arbitrary value can be specified.

    • Location

      Arbitrary value can be specified.

    • DeviceLocation

      Arbitrary value can be specified.

    • Comment

      Arbitrary value can be specified.

    After this, the connector will be registered.

14. Specify the following action for importing the certificate: Import the certificate to connector from destination.
15. Make sure that the displayed data to check is correct.

    If correct data is displayed, type yes.

16. Specify how the connector must be installed: Install as a service.
17. Specify the service settings:
    • Service Internal Name
    • Service Display Name
    • Start the service automatically

      Indicates whether the service will start on the system startup. We recommend that you specify yes.

18. Check the specified data. If it is correct, press Enter.

    The connector will be installed as a service.

19. Start the connector by calling the following command:

    /etc/init.d/arc_$service_name start

    In this command, $service_name is the service internal name that you specified.

After you have installed ArcSight SmartConnector, you can install Kaspersky CyberTrace and integrate it with ArcSight.

Installing ArcSight SmartConnector (Windows)

This section describes how to install ArcSight SmartConnector on Windows.

To install ArcSight SmartConnector:

1. Run the ArcSight SmartConnector installation application.

   This application is a component of HP ArcSight and is not included in Kaspersky CyberTrace.

   

   SmartConnector installation: Introduction

2. Select the ArcSight SmartConnector installation folder (hereinafter referred to as %ARCSIGHT_HOME%).

   

   Choosing an installation folder

3. Set the installation type to Typical.
4. Select the location where a shortcut for the connector will be created.

   You can also choose not to create icons.

   

   Choosing a shortcut folder

5. After the contents of the binary file are unpacked, click Add a Connector.

   

   Adding a connector

   If this window is not displayed, configure ArcSight SmartConnector manually. For this purpose, run the following command:

   %ARCSIGHT_HOME%\current\bin\runagentsetup.bat

6. Select Syslog Daemon as the connector type.

   

   Selecting the connector type

   Click Next.

7. In the Enter the parameter details form, specify the following data:
   • Network Port—Port to which Feed Service will send detection events.

     It is the same port that is specified on the Settings > Service tab of Kaspersky CyberTrace Web (by default, it is 9998).

   • IP Address—IP address to which Feed Service will send detection events.

     It is the same IP address that is specified on the Settings > Service tab of Kaspersky CyberTrace Web (by default, it is 127.0.0.1).

     You can specify ALL if you want Arcsight SmartConnector to receive events from all network interfaces of the computer on which it runs. (Note that you cannot specify ALL in the Feed Service configuration file.)

   • Protocol—Specify Raw TCP.
   • Forwarder—Specify false.

   

   Parameters for sending detection events

   Click Next.

8. Specify ArcSight Manager (encrypted) as the type of destination.

   Click Next.

9. Specify other destination parameters:
   • Manager Hostname—Host where ArcSight Manager is running.
   • Manager Port—Port where ArcSight Manager is available.

     By default, it is 8443.

   • User—Name of the ArcSight ESM user that has rights for registering the connector.
   • Password—Password of the ArcSight ESM user.
   • AUP Master Destination—Specify false.
   • Filter Out All Events—Specify false.
   • Enable Demo CA—Specify false.

   

   Destination parameters

   Click Next.

10. Specify the connector details: the name (arbitrary value permitted), location (arbitrary value permitted), location of the device that will send events to the connector (arbitrary value permitted, can be empty), and comment about the connector (arbitrary value permitted, can be empty).

    

    Connector details

    Click Next.

11. If the ArcSight Manager parameters are valid, accept importing the certificate from the destination.
12. If the certificate is imported successfully, you will be asked to install ArcSight SmartConnector either as a service or as an application. We recommend that you install it as a service.

    

    Choosing installation mode

    Click Next.

13. Specify the service parameters.

    We recommend that you set the service name to be the same as the connector name.

    

    Specifying service parameters

    Click Next.

    The operation summary is displayed.

    

    SmartConnector installation: Operation summary

14. In the %ARCSIGHT_HOME%/current/user/agent/agent.properties configuration file, specify 30000 in the agents[0].tcppeerclosedchecktimeout parameter.
15. Make sure that the service named ArcSight %ServiceDisplayName% is running (%ServiceDisplayName% is the name that you specified in the Service Display Name box in the previous step).

    For this purpose, open Windows Task Manager and check the status of the service. The status must be Running. Using Windows Task Manager, you can stop or start the service.

Standard integration (ArcSight)

This section contains instructions for integrating Kaspersky CyberTrace with ArcSight in different integration schemes.

Integration schemes (ArcSight)

This section describes possible integration schemes of ArcSight products and Kaspersky CyberTrace.

About the components of the standard integration scheme

The following components are used in the integration schemes for ArcSight:

• ArcSight ESM

  This SIEM solution is used in this integration.

• Forwarding Connector

  This ArcSight component sends ArcSight events to Feed Service.

• Feed Service

  This service matches ArcSight events against Kaspersky Threat Data Feeds.

• SmartConnector

  This ArcSight component sends events generated by Feed Service to ArcSight.

• Security controls

  These are sources of events for ArcSight such as firewalls, proxies, intrusion detection systems, and other networking devices. Security controls can send events to ArcSight via any method supported by ArcSight.

ArcSight ESM, ArcSight Forwarding Connector, ArcSight SmartConnector, and Feed Service can be installed on the same computer or connect over a network. ArcSight ESM and ArcSight Forwarding Connector run on Linux, so they must be installed separately from Feed Service.

The figures in the following sections show some of the possible integration schemes.

Single-computer installation

The figure below depicts all four components installed on a single computer.

Single-computer installation

Two-computer installation (suggested integration)

The figure below depicts ArcSight ESM and Forwarding Connector installed on one computer, and Feed Service and SmartConnector installed on another.

Two-computer installation (suggested integration)

Two-computer installation (second suggested integration)

The figure below depicts ArcSight ESM installed on one computer, and Forwarding Connector, Feed Service, and SmartConnector installed on another.

Two-computer installation (second suggested integration)

Two-computer installation (third suggested integration)

The figure below depicts Feed Service installed on one computer, and SmartConnector, ArcSight ESM, and Forwarding Connector installed on another.

Two-computer installation (third suggested integration)

Three-computer installation

The figure below depicts ArcSight ESM installed on one computer, Forwarding Connector installed on another, and Feed Service and SmartConnector installed on still another.

Three-computer installation

Step 1. Importing the ARB package

This section describes how to import the ARB package to ArcSight.

The ARB package contains objects (active channels, dashboards, field sets, reports, rules, filters, users) that are necessary for integrating the service with ArcSight. When you import this file, these objects are created in ArcSight.

To import the ARB package:

1. Run ArcSight Console.
2. In the Navigator pane (tree view), select the Packages tab.
3. Click the Import button.

   

   ArcSight packages

4. In the Open window, select the Kaspersky_CyberTrace_Connector.arb file, located in the integration directory.

   

   ARB file selection

   The import process will be performed.

   

   ARB import complete

After all objects from the ARB file are imported to ArcSight, all the imported rules are real-time rules, that is, they will be applied in real time.

To browse and manage the list of real-time rules:

1. In the tree view, click the Resources tab.
2. Open the Active Channels drop-down list and select Rules.
3. In the tree, select Rules > Shared > All Rules > Real-time Rules.

   

   Real-time rules

4. Expand Real-time Rules and remove unnecessary nested items from it.

After the ARB package is imported, new objects are created in ArcSight.

• When the Active Channels item in the tree view is selected, the following objects will be at the Active Channels > Shared > All Active Channels > Public > Kaspersky CyberTrace Connector location:

  Object	Description	Default state
  CyberTrace alerts	Displays service events from Kaspersky CyberTrace in real time.	Turned on
  CyberTrace all matches	Displays detection events from Kaspersky CyberTrace in real time.	Turned on
  CyberTrace hash matches	Displays hash detection events from Kaspersky CyberTrace in real time.	Turned off
  CyberTrace URL matches	Displays URL detection events from Kaspersky CyberTrace in real time.	Turned off
  CyberTrace IP matches	Displays IP detection events from Kaspersky CyberTrace in real time.	Turned off

• When the Dashboards item in the tree view is selected, the following objects will be at the Dashboards > Shared > All Dashboards > Public > Kaspersky CyberTrace Connector location:

  Object	Description	Default state
  CyberTrace detection map	Displays all devices that sent events containing malicious URLs, IP addresses, or hashes. Displays all feeds that were involved in the detection process.	Turned off
  CyberTrace match statistics	Detection statistics: how many objects of a specific category were detected.	Turned on
  CyberTrace Top 10 matched indicators	Top 10 detected indicators.	Turned off

  The CyberTrace detection map and CyberTrace Top 10 matched indicators dashboards are turned off by default so as not to overload ArcSight. You can turn them on if you need these dashboards.

• When the Field Sets item in the tree view is selected, the following objects will be at the Field Sets > Shared > All Field Sets > Public > Kaspersky CyberTrace Connector location:

  Object	Description	Default state
  CyberTrace alerts	Displayed fields of service events from Kaspersky CyberTrace.	Static
  CyberTrace all matches	Displayed fields of detection events from Kaspersky CyberTrace.	Static
  CyberTrace matched hashes	Displayed fields of hash detection events from Kaspersky CyberTrace.	Static
  CyberTrace matched URLs	Displayed fields of URL detection events from Kaspersky CyberTrace.	Static
  CyberTrace matched IPs	Displayed fields of IP address detection events from Kaspersky CyberTrace.	Static

• When the Reports item in the tree view is selected, the following objects will be at the Reports > Shared > All Reports > Public > Kaspersky CyberTrace Connector location:

  Object	Description	Default state
  CyberTrace all matches	Report that contains detection events from Kaspersky CyberTrace.	Static

• When the Rules item in the tree view is selected, the following object will be at the Rules > Shared > All Rules > Public > Kaspersky CyberTrace Connector location:

  Object	Description	Default state
  CyberTrace_HighThreatScoreIP	Rule for assigning high severity level and storing high priority IP detection events from Kaspersky CyberTrace.	Turned on
  CyberTrace_MediumThreatScoreIP	Rule for assigning medium severity level and storing medium priority IP detection events from Kaspersky CyberTrace.	Turned on
  CyberTrace_LowThreatScoreIP	Rule for assigning low severity level and storing low priority IP detection events from Kaspersky CyberTrace.	Turned on

• When the Filters item in the tree view is selected, the following objects will be at the Filters > Shared > All Filters > Public > Kaspersky CyberTrace Connector location:

  Object	Description	Default state
  CyberTrace all matches	Filter for selecting detection events sent by Kaspersky CyberTrace.	Static
  CyberTrace forwarding events	Filter for forwarding to Kaspersky CyberTrace those events that contain URLs, IP addresses, or hashes.	Static
  CyberTrace matched hashes	Filter for selecting hash detection events sent by Kaspersky CyberTrace.	Static
  CyberTrace matched URLs	Filter for selecting URL detection events sent by Kaspersky CyberTrace.	Static
  CyberTrace matched IPs	Filter for selecting IP detection events sent by Kaspersky CyberTrace.	Static

• When the Users item in the tree view is selected, the following objects will be at the Users > Shared > Custom User Groups > Kaspersky CyberTrace Connector location:

  Object	Description	Default state
  FwdCyberTrace	Account that is used for configuring ArcSight event forwarding.	Static

After the import is finished, make sure that the FwdCyberTrace user is created. To check, navigate to Users > Shared > Custom User Groups > Kaspersky CyberTrace Connector in ArcSight Console. If there is no FwdCyberTrace user, create it manually.

Step 2. Installing ArcSight Forwarding Connector

This section describes how to install ArcSight Forwarding Connector.

ArcSight Forwarding Connector is a component of HP ArcSight and is not included in Kaspersky CyberTrace. You can receive this application in one of the following ways:

• Contact the HP support team to get ArcSight Forwarding Connector.
• Contact a Kaspersky technical account manager (TAM) to get ArcSight Forwarding Connector.

To install ArcSight Forwarding Connector:

1. Run the ArcSight Forwarding Connector installation application.
2. Select the ArcSight Forwarding Connector installation directory (hereinafter referred to as %ConnectorInstallDir%).
3. After the installation files are unpacked, select Add a Connector.

   

   Adding a connector

   Click Next.

4. In the Type drop-down list, select ArcSight Forwarding Connector (Enhanced).

   

   Selecting the connector type

   Click Next.

5. Specify the following connection parameters of ArcSight Source Manager:
   • Host Name

     ArcSight Source Manager host.

   • Port

     ArcSight Source Manager port (by default, it is 8443).

   • User Name

     User name of the account intended for use by ArcSight Forwarding Connector (by default, it is FwdCyberTrace).

     You can also specify a user other than FwdCyberTrace. To do so, specify а custom ArcSight user in the ArcSight Forwarding Connector settings.

   • Password

     Password for the account intended for use by ArcSight Forwarding Connector (by default, it is KasperskyLab!).

   

   ArcSight Source Manager parameters

   If an authentication error occurs (user name or password is incorrect), we recommend that you verify the FwdCyberTrace user is present in ArcSight Console. If not, create it manually.

   Click Next.

6. If valid connection parameters are specified, import the required certificate.

   

   Importing the certificate

   Click Next.

7. Specify CEF Syslog as the event format that will be used for events sent to Feed Service.

   

   Specifying event format

   Click Next.

8. Specify the IP address (or host) and port that Feed Service will listen on for events. Specify Raw TCP as the protocol.

   The IP address and port are the same as specified on the Settings > Service tab of Kaspersky CyberTrace Web. By default, 127.0.0.1:9999 is used as the IP address and port for receiving events from ArcSight.

   

   Specifying event destination

   Click Next.

9. Specify the details of the new ArcSight Forwarding Connector object: the name (arbitrary value permitted), location (arbitrary value permitted), location of the device that will send events to the connector (arbitrary value permitted, can be empty), and comment about the connector (arbitrary value permitted, can be empty).

   

   Connector details

   Click Next.

10. Install the ArcSight Forwarding Connector service.
    • If you do not run the Connector Setup Wizard as root, a warning will be displayed.

    

    Warning about user privileges

    You can either run the Connector Setup Wizard as root, or run the following command as root:

    %ConnectorInstallDir%/current/bin/arcsight agentsvc -i -u $username -sn $service_name

    Here

    • $username is the name of the operating system user that will run the service.
    • $service_name is the service name.

      We recommend that you set the service name to be the same as the connector name.

    Log file %ConnectorInstallDir%/current/logs/agent.log will contain messages about the installation process.

    Skip the next step, which describes how to specify the service parameters.

    • If you run the installation as root, select Install as a service.

    

    Choosing installation mode

    Click Next.

11. Specify the service parameters.

    We recommend that you set the service name to be the same as the connector name.

    

    Specifying service parameters

    Click Next.

    After this, the Connector Setup Wizard informs you that the new forwarding connector is installed.

12. Make sure that the connector is running (see the section about ArcSight troubleshooting on how you can do this). If it is not running, start it by using the following command:

    /etc/init.d/arc_%FORWARDING% start

    Here %FORWARDING% is the name of the connector.

If the forwarding connector sends a large amount of events (more than 1000 events per second) to Feed Service, we recommend that you do the following: in the %ConnectorInstallDir%/current/user/agentagent.wrapper.conf file, set the wrapper.java.maxmemory field to 512 and restart the forwarding connector.

Step 2 (alternative). Installing ArcSight Forwarding Connector by using the console

You can install ArcSight Forwarding Connector by using the console instead of the GUI installer.

To install ArcSight Forwarding Connector by using the console:

1. In the console, run the ArcSight Forwarding Connector installer.
2. Read the Introduction section and press Enter.
3. When prompted, select Choose Install Folder, and type the full path to the directory where ArcSight Forwarding Connector will be installed (%ConnectorInstallDir%).

   The default value of the installation directory is /root/ArcSightSmartConnectors

4. When prompted, select Choose Install Set, and type 1 (stands for Typical).
5. When prompted, select Choose Link Location, and specify whether a link to the installation directory must be created.

   We recommend that you specify Don't create links.

6. Make sure that the Pre-Installation Summary section lists the correct values of the installation settings. Press Enter if the values are correct.

   After ArcSight Forwarding Connector is installed, the following information will be displayed in the console:

   Installation Complete

   ---------------------

   The core components of the ArcSight SmartConnector have been successfully installed to:

   %ConnectorInstallDir%

   To finish the configuration of the SmartAgent, please go to the folder:

   %ConnectorInstallDir%/current/bin/

   and execute the script:

   ./runagentsetup.sh

7. Run %ConnectorInstallDir%/current/bin/runagentsetup.sh.
8. At the prompt, select Add a Connector.
9. Specify ArcSight Forwarding Connector as the connector type.
10. Specify whether to mask passwords.

    We recommend that you specify yes.

11. Specify the following connection parameters of ArcSight Source Manager:
    • Host Name

      ArcSight Source Manager host.

    • Port

      ArcSight Source Manager port (by default, it is 8443).

    • User

      Username of the account intended for use by ArcSight Forwarding Connector (by default, it is FwdCyberTrace).

      You can also specify a user other than FwdCyberTrace. To do so, specify а custom ArcSight user in the ArcSight Forwarding Connector settings.

    • Password

      Password for the account intended for use by ArcSight Forwarding Connector (by default, it is KasperskyLab!).

12. Specify the following action for importing the certificate: Import the certificate to connector from destination.
13. Specify the destination type: CEF Syslog.
14. Specify the following settings:
    • Ip/Host

      IP address that Feed Service listens on for events.

    • Port

      Port through which Feed Service receives events. By default, it is 9999.

    • Protocol

      Specify Raw TCP.

    The IP address and port are the same as specified in the Connection settings section of the Service tab of Kaspersky CyberTrace Web.

15. Specify the following connector settings:
    • Name

      Arbitrary value can be specified.

    • Location

      Arbitrary value can be specified.

    • DeviceLocation

      Arbitrary value can be specified.

    • Comment

      Arbitrary value can be specified.

    After this, the connector will be registered.

16. Specify the way in which the connector must be installed: Install as a service.
17. Specify the service settings:
    • Service Internal Name
    • Service Display Name
    • Start the service automatically

      Indicates whether the service will start on the system startup. We recommend that you specify yes.

18. Check the specified data. If it is correct, press Enter.

    The connector will be installed as a service.

19. Make sure that the connector is running (see the section about ArcSight troubleshooting on how you can do this). If it is not running, start it by using the following command:

    /etc/init.d/arc_%FORWARDING% start

    Here %FORWARDING% is the name of the connector.

If the forwarding connector sends a large amount of events (more than 1000 events per second) to Feed Service, we recommend that you do the following: in the %ConnectorInstallDir%/current/user/agentagent.wrapper.conf file, set the wrapper.java.maxmemory field to 512 and restart the forwarding connector.

Step 3. Configuring CyberTrace for interaction with ArcSight

This section describes how to configure CyberTrace for interaction with ArcSight during normal work.

To configure CyberTrace for interaction with ArcSight:

1. Open Kaspersky CyberTrace Web.
2. Select the Settings > Service tab.
3. In the Connection settings section, for Service listens on, select the IP address and port that Feed Service listens on for incoming events. The IP address and port are set when ArcSight Forwarding Connector is installed (its default value is 127.0.0.1:9999).
4. Select the Matching tab, and then select the Edit default rules link.

   The Default properties form opens.

5. On the Normalizing rules tab, do the following:
   • In the Regexp to replace field, enter the symbol sequence \=
   • In the Replace with field,enter the symbol =

   After you make the changes, the Normalizing rules tab must look like this:

   

   Normalizing rules tab

6. Select the Regular expressions tab. This tab contains universal regular expressions that match URLs (with protocol), hashes, IP addresses (src and dst), device name, vendor name, device IP address, user name, and event ID. Change these regular expressions to match the events.
7. Close the Default properties form.
8. On the Events format tab, in the Alert events format field, enter the following string:

   CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|1|CyberTrace Service Event|4| reason=%Alert% msg=%RecordContext%

9. In the Detection events format field, specify the following string:

   CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| reason=%Category% dst=%DST_IP% src=%DeviceIp% fileHash=%RE_HASH% request=%RE_URL% sourceServiceName=%Device% sproc=%Product% suser=%UserName% msg=CyberTrace detected %Category% externalId=%Id% %ActionableFields% cs5Label=MatchedIndicator cs5=%MatchedIndicator% cn3Label=Confidence cn3=%Confidence% cs6Label=Context cs6=%RecordContext%

ArcSight and actionable fields

The following actionable fields are used in Kaspersky Data Feeds. You can review the actionable fields on the Settings > Feeds tab. For more information, see section "Adding actionable fields to a feed".

• For Demo Botnet CnC URL Data Feed and Botnet CnC URL Data Feed:

  Field name	Output	CEF field
  mask	cs1	deviceCustomString1
  first_seen	flexString1	flexString1
  last_seen	flexString2	flexString2
  popularity	cn2	deviceCustomNumber2
  threat	cs3	deviceCustomString3
  urls/url	cs4	deviceCustomString4
  whois/domain	cs2	deviceCustomString2

• For Demo Malicious Hash Data Feed and Malicious Hash Data Feed:

  Field name	Output	CEF field
  first_seen	flexString1	flexString1
  last_seen	flexString2	flexString2
  popularity	cn2	deviceCustomNumber2
  threat	cs3	deviceCustomString3
  urls/url	cs4	deviceCustomString4
  file_size	fsize	file_size

• For Demo IP Reputation Feed and IP Reputation Data Feed:

  Field name	Output	CEF field
  first_seen	flexString1	flexString1
  last_seen	flexString2	flexString2
  popularity	cn2	deviceCustomNumber2
  threat_score	cn1	deviceCustomNumber1
  domains	cs2	deviceCustomString2
  urls/url	cs4	deviceCustomString4
  files/threat	cs3	deviceCustomString3

• For Malicious URL Data Feed:

  Field name	Output	CEF field
  mask	cs1	deviceCustomString1
  first_seen	flexString1	flexString1
  last_seen	flexString2	flexString2
  popularity	cn2	deviceCustomNumber2
  files/threat	cs3	deviceCustomString3
  category	cs4	deviceCustomString4
  whois/domain	cs2	deviceCustomString2

• For Mobile Malicious Hash Data Feed:

  Field name	Output	CEF field
  first_seen	flexString1	flexString1
  last_seen	flexString2	flexString2
  popularity	cn2	deviceCustomNumber2
  threat	cs3	deviceCustomString3
  file_size	fsize	file_size

• For Phishing URL Data Feed:

  Field name	Output	CEF field
  mask	cs1	deviceCustomString1
  first_seen	flexString1	flexString1
  last_seen	flexString2	flexString2
  popularity	cn2	deviceCustomNumber2
  industry	deviceFacility	deviceFacility
  whois/domain	cs2	deviceCustomString2

• For Mobile Botnet Data Feed:

  Field name	Output	CEF field
  threat	cs3	deviceCustomString3

• For Vulnerability Data Feed:

  Field name	Output	CEF field
  severity	cs3	deviceCustomString3
  detection_date	flexString1	flexString1

• For APT URL Data Feed:

  Field name	Output	CEF field
  detection_date	flexString1	flexString1
  publication_name	cs3	deviceCustomString3

• For APT IP Data Feed:

  Field name	Output	CEF field
  detection_date	flexString1	flexString1
  publication_name	cs3	deviceCustomString3

• For APT Hash Data Feed:

  Field name	Output	CEF field
  detection_date	flexString1	flexString1
  publication_name	cs3	deviceCustomString3

• For IoT URL Data Feed:

  Field name	Output	CEF field
  mask	cs1	deviceCustomString1
  first_seen	flexString1	flexString1
  last_seen	flexString2	flexString2
  popularity	cn2	deviceCustomNumber2
  files/threat	cs3	deviceCustomString3

Clearing ArcSight fields occupied by information from Kaspersky Data Feeds

If you want to use a CEF field for data other than information from Kaspersky Data Feeds, you must clear this field.

To clear a CEF field:

1. Select the Settings tab of Kaspersky CyberTrace Web.
2. Select the Feeds tab.
3. In the Filtering rules for feeds section, make sure the Kaspersky feeds tab is selected and then click the Kaspersky Threat Data Feed that contains the field that you want to clear.
4. In the Actionable fields section, find the Output field containing the name of the CEF field that you want to clear.
5. Click the Delete icon () next to the Output field that you found in the previous step.

Step 4. Performing the verification test (ArcSight)

After you install Kaspersky CyberTrace and the necessary ArcSight software, you can test their performance.

Please make sure you perform the verification test before editing any filtering rules in the Feed Utility configuration file.

To check whether Kaspersky CyberTrace is correctly integrated with ArcSight:

1. Configure Log Scanner to send events to ArcSight SmartConnector.

   For this purpose, set the host and port of ArcSight SmartConnector in the Connection element of the Log Scanner configuration file.

2. Send the %service_dir%/verification/kl_verification_test_cef.txt file to ArcSight SmartConnector.

   For this purpose, run the following command (in Linux):

   ./log_scanner -p ../verification/kl_verification_test_cef.txt

   For this purpose, run the following command (in Windows):

   log_scanner.exe -p ..\verification\kl_verification_test_cef.txt

   Do not specify the -r flag in this command: send the test results to the SIEM solution by using the parameters for outbound events specified in the Service settings of Kaspersky CyberTrace.

3. Make sure that you have the test results below.

   You can view the test results in the CyberTrace all matches active channel. For this purpose, set the following inline filter for the Source Service Name field: Kaspersky Lab|CyberTrace Verification Kit.

Verification test results

The verification test results depends on the feeds you use. The verification test results are listed in the following table.

Verification test results

Integration with QRadar

This chapter describes how to integrate Kaspersky CyberTrace with QRadar.

Integration steps (QRadar)

This chapter describes how to integrate Kaspersky CyberTrace with QRadar.

About the integration schemes

Kaspersky CyberTrace can be integrated with QRadar in two integration schemes:

• Standard integration

  Use this scenario if it is possible to get QRadar updates. For more information about the standard integration scheme, see About the standard integration scheme (QRadar).

• Integration when QRadar cannot get updates

  This is an additional scenario for a case when it is not possible to get QRadar updates. The procedure is outlined in Integration with QRadar when QRadar cannot get updates.

How to integrate Kaspersky CyberTrace with QRadar

Make sure that you have installed Kaspersky CyberTrace (see Part 1: Installing Kaspersky CyberTrace).

To integrate Kaspersky CyberTrace with QRadar in the standard integration scenario:

• Step 1. Configure QRadar to receive latest updates.
• Step 2. Send a set of events to QRadar so that QRadar will automatically add new log sources.
• Step 3. Forward events from QRadar to Feed Service.
• Step 4. Perform the verification test.

  Please make sure you perform the verification test before editing any matching process settings.

• Step 5. Configure QRadar to retrieve custom event properties.
• Step 6. Configure QRadar to create a search filter for CyberTrace events.
• Step 7 (optional). Configure QRadar to display events in a dashboard.

After you have successfully integrated Kaspersky CyberTrace with QRadar, install Kaspersky Threat Feed App:

• Step 8 (optional). Configure QRadar to notify about incoming service events.
• Step 9 (optional). Install Kaspersky Threat Feed App.
• Step 10 (optional). Enable the indexes of the added custom event properties.
• Step 11 (optional). Configure Kaspersky Threat Feed App.

Standard integration (QRadar)

This section contains instructions for integrating Kaspersky CyberTrace with QRadar in the standard integration scheme.

About the standard integration scheme (QRadar)

This section describes the standard integration scheme for QRadar and Kaspersky CyberTrace.

For the standard integration scheme to work properly, you must install the update DSM-KasperskyCyberTrace-%version%-20180802144954.noarch.rpm, where %version% is the version of QRadar. Usually, you receive these updates as part of the auto-update process, but you can also visit IBM Fix Central and download them manually.

About the components of the standard integration scheme

The following components are used in the standard integration scheme for QRadar:

• Feed Service

  This service matches QRadar events against Kaspersky Threat Data Feeds.

• QRadar

  The SIEM solution used in this integration.

• Security controls

  These are sources of events for QRadar such as firewalls, proxies, intrusion detection systems, and other networking devices.

  Security controls can send events to QRadar by any method supported by QRadar.

Standard integration scheme

In the standard integration scheme, Feed Service by default is configured to listen for incoming events from QRadar on 0.0.0.0:9999 (аll interfaces).

Feed Service sends detection events to port 514 of the interface defined in QRadar configuration. The address of this interface is specified when you install Kaspersky CyberTrace.

Security controls can send events to QRadar in any format that is supported by QRadar, for example, Syslog, JDBC, OPSEC, File, or SNMP.

Standard integration scheme for QRadar

Step 1. Configuring QRadar to receive latest updates

This section describes how you can receive the latest updates of QRadar.

To configure QRadar for getting latest updates:

1. In QRadar Console, select Admin > Auto-Update.

   The Update Configuration form opens.

2. On the Basic tab, in the Configuration Updates section, select Auto Integrate in the Update Type drop-down list.
3. In the DSM, Scanner, Protocol Updates section, select the Auto Install update type.

   

   Update configuration

4. Click Save.
5. Wait for installation of the updates.
6. In QRadar Console, select Admin > Log Sources > Add.

   The Add a log source form opens.

7. Make sure that Kaspersky CyberTrace appears in the Log Source Type drop-down list.

   

   Kaspersky CyberTrace log source type

As an alternative to auto-updating QRadar, you can visit IBM Fix Central to manually download and install the DSM package that is specified in section "About the standard integration scheme (QRadar)", and then configure QRadar, as described in section "Integration with QRadar when QRadar cannot get updates".

Step 2. Sending a set of events to QRadar

On this step, you must send two sets of events to QRadar so that QRadar will automatically add two new log sources—one for verification and the other for events from Feed Service.

To add new log sources:

1. Send the verification test log file.

   Send the verification/kl_verification_test_leef.txt file to QRadar, as described in the procedure in subsection "Sending a set of events" below.

   After you send the verification test file, QRadar will contain the KL_Verification_Tool log source.

2. Send the sample log file.

   For testing and final adjustments of integration with QRadar, send the integration/qradar/sample_initiallog.txt sample log file to QRadar, as described in the procedure in subsection "Sending a set of events" below.

   After you send the sample log file, QRadar will contain the KL_Feed_Service_v2 log source.

   Up to 25 events can be missed after a new log source is added, according to the QRadar documentation. So you may have to send sample_initiallog.txt several times. This ensures that some events will be displayed by QRadar and handled by Feed Service.

Sending a set of events

To send events to QRadar:

1. In the Connection element of the Log Scanner configuration file, specify the IPv4 address and port of your QRadar server (usually it is 514).
2. Invoke the following command from the Log Scanner directory.

   In Linux:

   ./log_scanner -p <log_file> [-p <log_file2> ...]

   In Windows:

   log_scanner.exe -p <log_file> [-p <log_file2> ...]

   <log_file>, <log_file2> are log files to send. Alternatively, you can specify a directory containing log files to send.

3. In QRadar Console (which is the web interface for QRadar), select Admin > Log Sources.

   A new log source of the Kaspersky CyberTrace type appears in the log sources list.

4. In the settings form of the new log source, clear the Coalescing Events check box and click Save.

   

   Editing a log source

5. If necessary, deploy the changes by selecting the Admin > Deploy Changes menu item in QRadar Console.

Step 3. Forwarding events from QRadar to Feed Service

To check events that arrive in QRadar by way of Feed Service, you must configure QRadar to forward the events to Feed Service.

To forward events from QRadar to Feed Service:

1. Select Admin > System Configuration > Forwarding Destinations > Add.
2. In the Forwarding Destination Properties window, type the identifier of the destination (for example, "KL_Threat_Feed_Service_v2").
3. Type the destination address (the host where Feed Service runs).
4. Select Payload as the events format and TCP as the protocol.

   The Payload format can contain less information, in comparison with the JSON format. For example, if event source names are used, QRadar may remove them from the event. You can specify the JSON format instead, but make sure to configure it properly. For the instructions on how to configure events in the JSON format to forward to Kaspersky CyberTrace, see subection "Recommendations on configuring events in JSON format" below.

5. Set the port according to the parameters for inbound events of Kaspersky CyberTrace. You can see this information on the Settings >Service tab of Kaspersky CyberTrace Web.

   

   Adding a forwarding destination

6. Click Save.
7. Select Admin > Routing rules > Add.
8. In the Routing Rule window, type the rule name (for example, KL_Threat_Feed_Service_v2_Rule).
9. Select Online as the mode.
10. Leave the default value in the Forwarding Event Collector drop-down list.
11. Select Events as the data source.
12. In the Event Filters group, set the event filter.

    Choose the log sources together with KL_Verification_Tool, and use the Equals any of operator in the filter. Also, to achieve maximum performance of the service, you are advised to select only those events that contain indicators to look up in the feeds (such as URLs, hashes (MD5, SHA1, SHA256), and IP addresses).

    Clear the Match all incoming events check box or leave it cleared so that the detection events received from Feed Service will not be sent back to Feed Service.

13. Select the Forward check box. In the table, next to the Name column, select the check box next to the item added in step 1 (in this case, it is KL_Threat_Feed_Service_v2).

    

    Adding a routing rule

14. Click Save.

Recommendations for configuring events in the JSON format

A number of QRadar versions (such as, 7.3.2 Patch 6 and 7.4.0) can drop some forwarded events in the JSON format, which may lead to incorrect results. To prevent this, we recommend that you exclude some fields from the event in JSON (for an exact list of such fields, contact IBM's QRadar Support team or try to determine this list manually). You must specify additional normalizing rules in Kaspersky CyberTrace Web (see below).

Therefore, use the JSON format instead of the Payload format if the event in the Payload format does not contain the necessary fields. In this case, make sure that the following conditions are met:

• In the Forwarding Destination Properties window, only fields that you need are selected. QRadar does not drop forwarded events. To enable or disable fields that will be forwarded within an event, open the Forwarding Profile Properties window by clicking the button near the Profile field.

  

  Configuring events in JSON format

• On the Settings > Matching tab of Kaspersky CyberTrace Web, the following normalizing rules are specified:

  

  Configuring additional normalizing rules

Step 4. Performing the verification test (QRadar)

This section explains how to check the capabilities of Kaspersky CyberTrace by performing the verification test.

Please make sure you perform the verification test before editing any matching process settings.

What is the verification test

The verification test is a procedure that is used to check the capabilities of Kaspersky CyberTrace and to confirm the accuracy of the integration.

During this test you will check whether events from QRadar are received by Feed Service, whether events from Feed Service are received by QRadar, and whether events are correctly parsed by Feed Service using the regular expressions.

About the verification test file

The verification test file is a file that contains a collection of events with URLs, IP addresses, and hashes. This file is located in the ./verification directory in the distribution kit. The name of this file is kl_verification_test_leef.txt.

Verification procedure

To verify the installation:

1. Make sure that the "KL_Verification_Tool" log source is added to QRadar and routing rules are set in such a way that events from "KL_Verification_Tool" are sent to Feed Service.
2. Open QRadar Console and select the Log Activity tab.
3. Add a filter:
   1. Click the Add Filter button.
   2. In the Parameter drop-down list, select Log Source.
   3. In the Operator drop-down list, select Equals.
   4. In the Value group, in the Log Source drop-down list select the required service name.

   

   Adding a filter for browsing events

   1. Click the Add Filter button.

   The Log Source is KL_Threat_Feed_Service_v2 string will be displayed under Current Filters.

4. In the View drop-down list, select Real Time to clear the event area.

   You now can browse information about the service events.

   

   Browsing filtered information

5. Send the kl_verification_test_leef.txt file to QRadar by using Log Scanner, by running the following command:

   For Linux: ./log_scanner -p ../verification/kl_verification_test_leef.txt

   For Windows: log_scanner.exe -p ..\verification\kl_verification_test_leef.txt

   If you specify the -r flag in this command, the test results are written to the Log Scanner report file. If you do not specify the -r flag, the test results are sent to the SIEM solution by using the settings for outbound events specified for Feed Service.

   The expected results to be displayed by QRadar depend on the feeds you use. The verification test results are listed in the following table.

   Verification test results

   Feed used	Detected objects
   Malicious URL Data Feed	http://fakess123.nu http://badb86360457963b90faac9ae17578ed.com
   Phishing URL Data Feed	http://fakess123ap.nu http://e77716a952f640b42e4371759a661663.com
   Botnet CnC URL Data Feed	http://fakess123bn.nu http://a7396d61caffe18a4cffbb3b428c9b60.com
   IP Reputation Data Feed	192.0.2.0 192.0.2.3
   Malicious Hash Data Feed	FEAF2058298C1E174C2B79AFFC7CF4DF 44D88612FEA8A8F36DE82E1278ABB02F (stands for EICAR Standard Anti-Virus Test File) C912705B4BBB14EC7E78FA8B370532C9
   Mobile Malicious Hash Data Feed	60300A92E1D0A55C7FDD360EE40A9DC1
   Mobile Botnet CnC URL Data Feed	001F6251169E6916C455495050A3FB8D (MD5 hash) http://sdfed7233dsfg93acvbhl.su/steallallsms.php (URL mask)
   Ransomware URL Data Feed	http://fakess123r.nu http://fa7830b4811fbef1b187913665e6733c.com
   Vulnerability Data Feed	D8C1F5B4AD32296649FF46027177C594
   APT URL Data Feed	http://b046f5b25458638f6705d53539c79f62.com
   APT Hash Data Feed	7A2E65A0F70EE0615EC0CA34240CF082
   APT IP Data Feed	192.0.2.4
   IoT URL Data Feed	http://e593461621ee0f9134c632d00bf108fd.com/.i
   Demo Botnet CnC URL Data Feed	http://5a015004f9fc05290d87e86d69c4b237.com http://fakess123bn.nu
   Demo IP Reputation Data Feed	192.0.2.1 192.0.2.3
   Demo Malicious Hash Data Feed	776735A8CA96DB15B422879DA599F474 FEAF2058298C1E174C2B79AFFC7CF4DF 44D88612FEA8A8F36DE82E1278ABB02F
   ICS Hash Data Feed	7A8F30B40C6564EFF95E678F7C43346C

   

   Browsing events from Feed Service

If the actual results of the test are the same as those expected, the integration of Feed Service with QRadar is correct.

Step 5. Retrieving custom event properties

This section describes how to configure retrieval of custom event properties from Kaspersky CyberTrace outgoing events, in addition to standard fields. As a result of this setting, the MD5, SHA1, and SHA256 hashes will be extracted and the extraction rule of the Source IP field will be redefined.

To configure retrieval of custom event properties:

1. Select the Log Activity tab, and then click Add Filter.

   The Add Filter form opens.

2. Fill in the form:
   1. In the Parameter drop-down list, select Log Source [Indexed].
   2. In the Operator drop-down list, select Equals.
   3. In the Log Source list, select KL_Threat_Feed_Service_v2.

      The selection KL_Threat_Feed_Service_v2 is the log source name that is set in the OutputSettings > EventFormat element and the OutputSettings > AlertFormat element of the Feed Service configuration file (you can also set them by using Kaspersky CyberTrace Web).

   

   Adding a filter

3. Click Add Filter.
4. Run the verification test, and then stop the events flow by clicking Pause () in the upper-right area of the window.
5. Press Ctrl (or Shift) to select several records, and then select Actions > DSM editor.

   

   The Log Activity window

   The DSM Editor window opens.

   

   The DSM Editor window

6. In the DSM Editor window, click the + button near the Filters text box.

   The Choose a Custom Property Definition to Express form opens.

   

   Choosing a custom property

7. Click Create new.

   The Create a new Custom Property Definition form opens.

8. Fill in the form:
   1. In the Name field, enter MD5.
   2. In the Field Type drop-down list, select Text.
   3. In the Description field, enter a description of the property.
   4. Select the Enable this Property for Use in Rules and Search Indexing checkbox.
   5. Click Save.

   

   Creating a new custom property definition

9. Add the SHA1 and SHA256 properties similarly.
10. In the Choose a Custom Property Definition to Express window, select the created properties, add URL and Source IP, and then click Select.
11. In the Log Activity Preview section, click Configure and then select the following properties:
    • Event Name
    • IP (custom)
    • MD5 (custom)
    • SHA1 (custom)
    • SHA256 (custom)
    • Source IP
    • URL (custom)
    • Username

    Click Update.

    

    Configuring preview columns

12. On the Properties tab, configure regular expressions as described in the table below:

    Custom property	Regular expression
    MD5	md5=([\da-fA-F]{32})
    SHA1	sha1=([\da-fA-F]{40})
    SHA256	sha256=([\da-fA-F]{64})
    URL	url=([-a-zA-Z0-9()@:%_\+.~#?&\/\/=]{2,})
    Source IP	src=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

    If necessary, type 1 in the Capture Group field.

13. For the Source IP property, select the Override system behavior checkbox.

    

    Source IP configuration

    When changing the format for outgoing detection events in Kaspersky CyberTrace, the regular expressions that are specified above may require corresponding changes.

    If all of the settings above are specified correctly, you will find the configured Custom properties in the Log Activity Preview section.

14. Click Save and close the window.
15. On the Log Activity tab, perform the new verification test.

    After that, if you open the event received from KL_Threat_Feed_Service_v2, the configured custom properties will be displayed.

    

    Event information

Step 6. Creating a search filter for CyberTrace events

This section describes how to create an event search.

To create an event search:

1. Stop the events flow by clicking Pause () in the upper-right area of the window.
2. In QRadar Console, select the Log Activity tab.
3. Select Search > New Search.

   

   New search

4. In the Column Definition form, add MD5 (custom), SHA1 (custom), SHA256 (custom), URL (custom), IP (custom) from the Available Columns to the Columns list.

   

   Defining columns

5. Scroll down the page and in the Search Parameters form, set KL_Threat_Feed_Service_v2 as the log source:
   1. In the Parameter drop-down list, select Log Source [Indexed].
   2. In the Operator drop-down list, select Equals.
   3. In the Log Source list, select KL_Threat_Feed_Service_v2.

      The selection KL_Threat_Feed_Service_v2 is the log source name that is set in the OutputSettings > EventFormat element and the OutputSettings > AlertFormat element of the Feed Service configuration file (you can also set them by using Kaspersky CyberTrace Web).

   4. Click the Add Filter button.

      The Log Source is KL_Threat_Feed_Service_v2 string will be added to the Current Filters list.

   

   Setting the log source

6. Click either the Search button to display the search result.
7. Click the Save Criteria button.

   

   Save Criteria button

8. In the Save Criteria form, type the name of the search in the Search Name text box, select the Include in my Quick Searches checkbox and then specify the analyzed interval for created search (for example, Real Time).
9. Click OK.

   

   Saving criteria

Step 7 (optional). Displaying events in a dashboard

A QRadar dashboard presents detection results in visual format. For example, a chart displays the ratio of the number of events of different types.

QRadar 7.2.6 Patch 3 or later is required. Using an earlier version can lead to incorrect results.

Adding a chart that displays the detection results of Feed Service in visual format involves three procedures:

1. Create an event search.
2. Add a chart to a dashboard.
3. Adjust the added chart.

Creating an event search

The following procedure describes how to create an event search.

To create an event search:

1. In QRadar Console, select the Log Activity tab.
2. Select Search > New Search.
3. In the Column Definition form, delete Event Name from the Available Columns list and add Event Name to the Group By list.

   

   Defining columns

4. Scroll down the page and in the Search Parameters form, set KL_Threat_Feed_Service_v2 as the log source:
   1. In the Parameter drop-down list, select Log Source [Indexed].
   2. In the Operator drop-down list, select Equals.
   3. In the Log Source list, select KL_Threat_Feed_Service_v2.

      The selection KL_Threat_Feed_Service_v2 is the log source name that is set in the detection events format and alert events format parameters on the Events format tab of Kaspersky CyberTrace Web.

   4. Click the Add Filter button.

      The Log Source is KL_Threat_Feed_Service_v2 string will be added to the Current Filters list.

   

   Setting the log source

5. Click either the Filter button or the Save button to display the search result.
6. Click the Save Criteria button.

   

   Save Criteria button

7. In the Save Criteria form, select the Include in my Dashboard check box, type the name of the search in the Search Name text box, and then click OK.

   

   Saving criteria

Adding a diagram to a dashboard

The following procedure describes how to add a diagram to a dashboard.

To add a diagram to a dashboard:

1. In QRadar Console, select the Dashboard tab.
2. Select Add Item > Log Activity > Event Searches > KL_Events.

   Here, KL_Events is the name of the search that you set.

   

   Adding an item to the dashboard

   A chart will appear on the dashboard.

   

   New chart

Adjusting the added chart

The following procedure describes how to adjust the chart that has been added to the dashboard.

To adjust the added chart:

1. Click the Settings button () in the upper-right corner of the chart box.
2. Specify the settings of the chart.

   

   Chart settings

   If you select the Capture Time Series Data check box, the chart will display all incoming data received after this check box is selected; the item selected in the Time Range drop-down list will be ignored. If you clear the Capture Time Series Data check box, only the information received during the time range selected in the Time Range drop-down box will be displayed.

After events arrive, the chart displays them.

Bar chart

In the Chart Type drop-down list you can select the type of chart in which the data will be displayed.

Pie chart

You can also get information about charts, which are based on the search results, from QRadar Help (section "Dashboard management" > "Adding search-based dashboard items to the Add Items list").

Step 8 (optional). Creating notifications about incoming service events

You can create notifications about issues with Kaspersky CyberTrace by configuring alert rules.

To create notifications about service events from Kaspersky CyberTrace in QRadar:

1. Run QRadar Console.
2. Select any of the Offenses, Log Activity or Network Activity tabs, and then select Rules.
3. In the Actions drop-down list, select New Event Rule.

   

   The Rules page

   The Rule Wizard page opens.

4. On the Rule Wizard page, click Next to select the source from which you want the rule to be generated.

   

   The Rules Wizard window

5. Select Events, and then click Next.
6. On the Rule Test Stack Editor page, perform the following actions:
   • Add the following test conditions for a new rule:
     • when the event(s) were detected by one or more of these log sources
     • when the event matches this search filter
   • For each specified condition, set a logical and operator.
   • For the when the event(s) were detected by one or more of these log sources condition, specify Log Source that is equal to KL_Threat_Feed_Service_v2. If this event source is absent, add Feed Service as a log source.
   • For the when the event matches this search filter condition, specify a filter for comparing Event Name with the value of the event source name by performing the following actions:
     1. In the list of the event fields, select Event Name.
     2. In the list of conditions, select Equals.
     3. Click Browse to choose the name of the service event for which the rule is created.

        

     4. Click Add+, and then Submit.

        If the necessary event is absent, add it to the QRadar Identifiers (QID) list.

   • Enter the name of the rule and select the way in which this rule will be applied to the incoming events (Local or Global). For more information about the Local and Global rules, see IBM documentation.
   • Select the group that you need for the rule.
   • Add a description for the rule.

   

   The Rule Editor window

   • Click Next.
7. On the Rule Response page, perform the following actions:
   • Select Notify.
   • If necessary, specify a limit on a rule triggering in the Response Limiter section.
   • Check the Enable Rule section.

   

   The Rule Editor page

   • Click Next
8. On the Rule Summary page, make sure that all settings are specified correctly, and click Finish.

   

   The Rule Summary page

   The rule will now be added to the Rules list.

   

   The Rules list

The added rule generates a notification about an incoming service event. You can browse these notifications by clicking the Messages drop-down list. Also, notifications are displayed in QRadar Console as a pop-up message.

The Messages drop-down list

You can configure displaying of notifications on the Dashboard tab.

System notifications on the Dashboard tab

To configure displaying of notifications on the Dashboard tab:

1. Select the Dashboard tab.
2. In the Add Item drop-down list, select System Notifications.

   

   Adding system notifications on the Dashboard tab

Step 9 (optional). Installing Kaspersky Threat Feed App

This section describes how to install Kaspersky Threat Feed App.

Only a user account that has the System Administrator role can manage Kaspersky Threat Feed App.

Getting Kaspersky Threat Feed App

You can get the Kaspersky Threat Feed App installation package from IBM Security App Exchange.

Installing Kaspersky Threat Feed App

To install Kaspersky Threat Feed App:

1. In QRadar, select Admin and then Extensions Management.
2. In the Extensions Management form, click the Add button.

   

   Extensions Management form

3. Select the application file archive.
4. Select the Install immediately check box.
5. Click Add.
6. Click Install.

   A list of changes to be made is displayed. In particular, the custom event properties that will be added are displayed.

   

   Custom event properties to be added

   The following custom event properties are added when the app is installed:

   • urls
   • feed
   • geo
   • hash
   • files
   • first_seen
   • last_seen
   • mask
   • popularity
   • threat
   • whois
   • URL
   • SHA1 Hash
   • SHA256 Hash
   • MD5 Hash
   • ip
   • records_count

   You will use these properties to enable the indexes of the added custom event properties and to specify the log source type.

7. Click Install again.

   Kaspersky Threat Feed App appears in the Extensions Management form after it is installed.

8. Refresh the browser window before you use the app.

   After Kaspersky Threat Feed Service App is installed, its name will appear as a tab—Kaspersky Data Feeds—in QRadar Console.

   

   Kaspersky Data Feeds tab

9. In QRadar Console, select Kaspersky Data Feeds tab.

   The Configuration required form will appear.

   

   Configuration required form

10. In the Configuration required form:
    1. In the QRadar authentication token field, specify an authentication token to access QRadar REST API.

       You can specify an existing token or create a new token.

       If the specified token expires, the Configuration required form will appear again the next time you select Kaspersky Data Feeds. In this case, you must specify a new token.

    2. In the Feed Service connection string field, specify the IP address and port that Feed Service listens on for incoming events.

       You cannot specify the 127.0.0.1 IP address, even if Kaspersky Threat Feed App is installed on the QRadar computer. Instead, specify the external IP address of the QRadar computer.

    3. In the Feed Service log source name field, specify the log source name of Feed Service as it is registered in QRadar.

       This name is displayed in the Name column of the window that opens after Admin > Log Sources is selected in QRadar Console. For example, KL_Threat_Feed_Service_v2.

       For more information about specifying log sources, see the section about configuring Kaspersky Threat Feed App.

Step 10 (optional). Enabling the indexes of the added custom event properties

We recommend that you enable the indexes of the added custom event properties. This will increase the performance of Kaspersky Threat Feed App.

To enable the indexes of the added custom event properties:

1. In QRadar, select Admin and under System Configuration select Index Management.

   

   Admin tab of QRadar Console (system configuration tools)

   The Index Management window opens.

2. Optionally, specify the filter to find the added properties.
3. Select one or several table rows, and click Enable Index.
4. Click Save.

   A message box appears that asks you whether you want to save the changes you made.

   

   Saving changes to the indexes

5. Click OK to save changes to the properties.

Step 11 (optional). Configuring Kaspersky Threat Feed App

You can configure Kaspersky Threat Feed App by selecting the Settings link in QRadar Console.

Settings link

You specify the settings in a form that appears after you select the Settings link.

Settings form

The following settings fields are available:

• QRadar authentication token

  The authentication token to access QRadar RestApi.

  You can specify an existing token or create a new token.

• Feed Service connection string

  The IP address and port that Feed Service listens on for incoming events.

  If you have installed Kaspersky CyberTrace on the same computer on which QRadar is installed, Kaspersky Threat Feed App will not be able to connect to QRadar because the iptables rules forbid the communication of a Docker container, in which Kaspersky Threat Feed App is running, and the QRadar computer.

  To make Kaspersky Threat Feed App work on the QRadar computer, connect to the QRadar computer using the SSH protocol and run the following command:

  iptables -I INPUT -i <D_interface> -p tcp --destination-port <FS_port> -j ACCEPT

  This command includes:

  • <D_interface>—Interface of the Docker container that contains Kaspersky Threat Feed App for QRadar.

    To find the <D_interface> name, perform the following:

    1. Find the identifier of Kaspersky Threat Feed App by running the following command:

       psql -U qradar -c "select id, name from installed_application;"

       A table appears. Find the value for the identifier of Kaspersky Threat Feed App (hereinafter <app_id>) from the id column.

    2. Find the identifier of the Docker container in which Kaspersky Threat Feed App is contained by running the following command:

       docker ps

       In the output result, find the image with the .../qapp/<app_id>:x.x.x name, where x.x.x is the installed version of Kaspersky Threat Feed App, and find its CONTAINER ID value (hereinafter <container_id>).

    3. Find the interface name for the Docker image that contains Kaspersky Threat Feed App, by running the following command:

       docker inspect <container_id> | grep NetworkMode

       The output result appears, in the format "NetworkMode": "<D_interface>". Substitute this result for <D_interface> in the command above.

  • <FS_port>—Port that Feed Service listens on for incoming events.

  If you run the above command, the added rule will be present in iptables only until iptables is restarted, or the QRadar computer is restarted. To add this rule permanently, add it to the /etc/sysconfig/iptables file (the path to the iptables file depends on the environment configuration).

  Also note that you cannot specify the 127.0.0.1 IP address even if Kaspersky Threat Feed App is installed on the QRadar computer. Specify the external IP address of the QRadar computer instead.

• Feed Service log source name

  The log source name of Feed Service as it is registered in QRadar. This name is displayed in the Name column of the window that opens after Admin > Log Sources is selected in QRadar Console.

  If the Feed Service log source was added automatically when you sent the initial set of Feed Service events to QRadar, the log source name is Kaspersky Threat Feed Service @ [id], where [id] is the identifier of Feed Service events. (By default, [id] is KL_Threat_Feed_Service_v2). If you had to add Feed Service to QRadar as a log source manually because you did not have the latest QRadar updates, the log source name is [id]; that is, KL_Threat_Feed_Service_v2 by default.

  It takes some time to visualize the requested data after you have changed the log source name or the installed Kaspersky Threat Feed App. While the data is being loaded, a progress bar is displayed. The time required for getting all the data depends on the selected period over which the data is visualized.

After you configure Kaspersky Threat Feed App, you can run the verification test by clicking the Run self-test button.

Self-test results

A test result of Failed for any feed means that a tested object is assigned to an incorrect category. The error can originate, for example, in an incorrect configuration file.

Integration with RSA NetWitness

This chapter describes how to integrate Kaspersky CyberTrace with RSA NetWitness.

Integration steps (RSA NetWitness)

This chapter describes how to integrate Kaspersky CyberTrace with RSA NetWitness.

About the integration schemes

The recommended integration scheme for integrating Kaspersky CyberTrace with RSA NetWitness is the standard integration scheme.

How to integrate with RSA NetWitness

Before you start to integrate Kaspersky CyberTrace with RSA NetWitness:

• Before you install Kaspersky CyberTrace, make sure that the RSA NetWitness services meet the software requirements.
• Make sure that you have installed Kaspersky CyberTrace.

To integrate Kaspersky CyberTrace with RSA NetWitness:

• Step 1. Configure RSA NetWitness so that it will forward the received events to Feed Service.
• Step 2. Configure RSA NetWitness to receive events from Feed Service.
• Step 3 (optional). Import a meta group for browsing all fields in RSA NetWitness that are filled by Feed Service.
• Step 4 (optional). Import the Feed Service rules to RSA NetWitness.
• Step 5 (optional). Import a preconfigured report to RSA NetWitness.

  This step requires importing Feed Service rules (Step 4).

• Step 6 (optional). Import preconfigured charts and a dashboard to RSA NetWitness.

  This step requires importing Feed Service rules (Step 4).

• Step 7. Perform the verification test.

  Please make sure you perform the verification test before editing any matching process settings.

Before you begin (RSA NetWitness)

This section describes additional requirements that must be met before you integrate Kaspersky CyberTrace with RSA NetWitness.

Checking software settings (RSA NetWitness)

This section describes the requirements that the RSA NetWitness services must meet.

Check that the following conditions are met:

• The index file (index-concentrator-custom.xml) of the Concentrator which receives Feed Service events must contain the following metafields:
  • virusname

    This and other metafields (except for msg) must have the IndexValues level. Also, set the defaultAction value of these metafields to Open.

  • user.src
  • ip.src
  • action
  • msg

    This metafield must have the IndexKeys (the presence of the metafield in an event is indexed) or IndexNone (the metafield is not indexed) level in the index-concentrator-custom.xml file. If you set the IndexValues level for this metafield, the hard disk space will be consumed rapidly.

  • event.source
  • device.ip
  • ip.dst
  • url
  • checksum

  If any of these fields are absent from the index file, add them there and restart the Concentrator, as described in the section about RSA NetWitness troubleshooting.

  If you do not have a Concentrator but you use a Log Decoder for storing data from Feed Service, change the index-logdecoder-custom.xml file and restart the Log Decoder as described above.

  Update only the index file of a Concentrator (index-concentrator-custom.xml) if the Concentrator receives data from a Log Decoder. For more information, refer to https://community.rsa.com/docs/DOC-41760. Also, update the index file of a Log Decoder (index-logdecoder-custom.xml) if you use the Log Decoder as the source of data in which you search for events or if you use the Log Decoder to create reports or dashboards.

• The table-map-custom.xml configuration file (the configuration file of a Log Decoder) must contain the following metafields:
  • virusname
  • c_username
  • saddr
  • daddr
  • url
  • checksum
  • msg
  • event_source
  • hostip
  • action

  The value of the flags attribute must be None for each of these metafields.

  If any of these fields are absent from the index files, refer to the section about RSA NetWitness troubleshooting.

Detection events sent by Feed Service contain the context from the feeds in separate fields. You can display and use these fields in RSA NetWitness. (In RSA NetWitness, the names of these fields will have the kl. prefix.)

To display the context fields:

1. Add the contents of %service_dir%/integration/rsa/additional_elements/table-map-custom.xml to the table-map-custom.xml file of the log decoder to which Feed Service will send detection events.
2. Add the contents %service_dir%/integration/rsa/additional_elements/index-concentrator-custom.xml to the index-concentrator-custom.xml file of the Concentrator that will store the events from Feed Service.

You can specify all the settings described above by using the RSA NetWitness web user interface in the Services (Log Decoder and Concentrator) > Config view.

Restart the log decoder and Concentrator after you have edited the table-map-custom.xml and index-concentrator-custom.xml files.

Standard integration (RSA NetWitness)

This section contains instructions for integrating Kaspersky CyberTrace and RSA NetWitness in the standard integration scheme.

About the standard integration scheme (RSA NetWitness)

This section describes the standard integration scheme for RSA NetWitness and Kaspersky CyberTrace.

About the components of the standard integration scheme

The following components are used in the standard integration scheme for RSA NetWitness:

• Feed Service

  This service matches RSA NetWitness events against Kaspersky Threat Data Feeds.

• RSA NetWitness

  The SIEM solution used in this integration.

• Security controls

  These are sources of events for RSA NetWitness such as firewalls, proxies, intrusion detection systems, and other networking devices.

  Security controls can send events to RSA NetWitness by any method supported by RSA NetWitness.

Standard integration scheme

In the standard integration scheme, Feed Service by default is configured to listen for incoming events from RSA NetWitness on 127.0.0.1:9999.

Feed Service sends detection events to IP address 127.0.0.1 and port 514 of the interface defined in RSA configuration. The address of this interface is specified when you install Kaspersky CyberTrace. Security controls also send events to port 514 of the interface defined in the RSA NetWitness configuration.

Standard integration scheme for RSA NetWitness

Step 1. Forwarding events from RSA NetWitness

This section describes how to configure RSA NetWitness so that it will forward the received events to Feed Service.

To forward events from RSA NetWitness to Feed Service:

1. In the RSA NetWitness main window, select Administration > Services.
2. In the Services table, below, select the relevant Log Decoder (the Log Decoder that receives events containing a URL, hash, or IP address).

   

   Selecting a Log Decoder

   If more than one Log Decoder is used for receiving events, repeat the following steps for each Log Decoder.

3. For the selected Log Decoder, in the Actions column, select the Settings split button () and in the drop-down list select View > Config.
4. Select the App Rules tab and click the Add button ().

   The Rule Editor window opens.

5. Specify the following data:
   • Rule Name: cybertrace
   • Condition: device.type='%DEVICE_NAME_1%'

     This is an example of a condition, in which the %DEVICE_NAME_1% string represents the name of the device whose events must be sent to Feed Service. Following is another example of a condition, according to which events from Cisco ASA and Check Point Firewall must be sent to Feed Service:

     device.type='ciscoasa' || device.type='checkpointfw1'

     If an event meets the condition specified here, it will be sent to Feed Service.

   • Alert: Selected
   • Forward: Selected

   

   Rule Editor window

   For information on how to create rules, refer to https://community.rsa.com/t5/rsa-netwitness-platform-online/configure-application-rules/ta-p/592148.

6. Click OK.
7. Click Apply.
8. Next to the Log Decoder name, select Config > Explore.
9. Specify the destination:
   • For RSA NetWitness versions 11.2 and above:

     For the /decoder/config/logs.forwarding.destination parameter, specify the following destination:

     cybertrace=tcp:[IP]:[port]:rfc3164

     Here, [IP] is the IP address of the computer on which Feed Service is installed, and [port] is the port that Feed Service listens on for events (by default, the port 9999 is used). The IP address and port are the same as specified on the Settings > Service tab of Kaspersky CyberTrace Web.

   • For RSA NetWitness versions below 11.2:
     1. For the /decoder/config/logs.forwarding.destination parameter, specify the following destination:

        cybertrace=tcp:[IP]:[port]

        Here, [IP] is the IP address of the computer on which Feed Service is installed, and [port] is the port that Feed Service listens on for events (by default, the port 9999 is used). The IP address and port are the same as specified on the Settings > Service tab of Kaspersky CyberTrace Web.

     2. In the EventDelimeter parameter, in the Feed Service configuration file, specify the (\<\d+\>) value.

   

   Log events forwarding settings

10. In the /decoder/config/logs.forwarding.enabled parameter, specify true.

After these actions are performed, RSA NetWitness will forward the events that satisfy the cybertrace rule to the address that you specified in the logs.forwarding.destination parameter.

For more information on event forwarding, refer to https://community.rsa.com/t5/rsa-netwitness-platform-online/decoder-configure-syslog-forwarding-to-destination/ta-p/572084.

Step 2. Sending events from Feed Service to RSA NetWitness

This section describes the actions to take so that Feed Service will send events to RSA NetWitness.

Note that Feed Service sends events to a Log Decoder service.

To send events from Feed Service to RSA NetWitness:

1. In Kaspersky CyberTrace Web, on the Settings > Service tab, specify the following value for the Service sends events to text box:

   [IP]:514

   Here [IP] is the IP address of the Log Decoder service to which Feed Service will send events.

   If there are several Log Decoder services, perform the integration with only one of the Log Decoders.

2. In /etc/netwitness/ng/envision/etc/devices directory of the computer on which Log Decoder runs, create a cybertrace subdirectory and copy to the subdirectory the following files from the %service_dir%/integration/rsa/cybertrace directory:
   • cybertrace.ini

     This is a configuration file that contains declaration of Feed Service for RSA NetWitness.

   • v20_cybertracemsg.xml

     This is a configuration file that contains parsing rules for events that are sent from Feed Service to RSA NetWitness. See below in this section for a description of the contents.

   You can find these files in the integration/cybertrace directory of the distribution kit.

3. Restart Log Decoder.

   For this purpose, in the Services view, for the selected Log Decoder click the Settings split button () and from the drop-down list select Restart.

4. Make sure that the cybertrace service parser is turned on in RSA NetWitness.

   You can do this as follows:

   1. In the RSA NetWitness menu, select Administration > Services.
   2. In the Services grid, select the Log Decoder, and from the Actions menu, choose View > Config.
   3. In the Service Parsers Configuration panel, search for cybertrace, and ensure that the Config Value field in this row is selected.

   

   Service Parsers Configuration grid

5. Restart Feed Service.

   You can restart Feed Service by running the kl_feed_service script as follows:

   systemctl restart cybertrace.service

   You can do this by using Kaspersky CyberTrace Web too.

Contents of integration files

The v20_cybertracemsg.xml file contains the following rule for parsing service events from Feed Service:

The v20_cybertracemsg.xml file contains several rules for parsing detection events from Feed Service:

• MATCH_EVENT:01—For parsing detection events when Botnet CnC URL Data Feed is involved in the detection process.
• MATCH_EVENT:02—For parsing detection events when Malicious URL Data Feed is involved in the detection process.
• MATCH_EVENT:03—For parsing detection events when Mobile Botnet CnC URL Data Feed is involved in the detection process.
• MATCH_EVENT:04—For parsing detection events when Malicious Hash Data Feed is involved in the detection process.
• MATCH_EVENT:05—For parsing detection events when Phishing URL Data Feed is involved in the detection process.
• MATCH_EVENT:06—For parsing detection events when Ransomware URL Data Feed or IoT URL Data Feed are involved in the detection process.
• MATCH_EVENT:07—For parsing detection events when IP Reputation Data Feed is involved in the detection process.
• MATCH_EVENT:08—For parsing detection events when Vulnerability Data Feed is involved in the detection process.
• MATCH_EVENT:09—For parsing detection events when Mobile Malicious Hash Data Feed is involved in the detection process.
• MATCH_EVENT:10—For parsing detection events when APT IP and URL feeds are involved in the detection process.
• MATCH_EVENT:11—For parsing detection events when Industrial Control Systems Data Feed is involved in the detection process.
• MATCH_EVENT:12—For parsing detection events when APT Hash feeds are involved in the detection process.
• MATCH_EVENT—For parsing detection events when other feeds are involved in the detection process.

The fields of the cybertrace.ini file and the v20_cybertracemsg.xml file correspond to the following format of service events and detection events from Feed Service:

In the v20_cybertracemsg.xml file, the format of events from Feed Service is provided in the HEADER/content element and in the MESSAGE/content element. Make sure that the following fields are present in the index files of Log Decoder and Concentrator: virusname, url, checksum, and ip.src, ip.dst. As for the fields other than virusname, url, checksum, and ip.src, ip.dst in the MESSAGE/content element, you may or may not use them in the index files of Log Decoder and Concentrator. Also, make sure that the value of the flags attribute is None for each of these fields in the table-map-custom.xml file. If any of these conditions are not met, refer to the section about RSA NetWitness troubleshooting.

The following tables describe the fields used in the v20_cybertracemsg.xml and kl_feed_service.conf files, and describe how fields in one file correspond to fields in the other. If you want to constantly use some new field in detection events, contant your technical account manager (TAM).

• Fields of service events

  Field in kl_feed_service.conf	Field in v20_cybertracemsg.xml	Description
  <232>	-	Service string for RSA NetWitness.
  %CyberTrace:	%CyberTrace:	Informs RSA NetWitness that an event is sent from Feed Service.
  ALERT_EVENT	&lt;messageid&gt;	The event type.
  -	&lt;!payload&gt;	Notifies RSA NetWitness that the event has additional information, the format of which is provided in the MESSAGE/content element.
  %Alert%	&lt;action&gt;	The service event (for example, KL_ALERT_ServiceStarted).
  %RecordContext%	&lt;msg&gt;	Context information about the service event.

• Fields of detection events

  Field in kl_feed_service.conf	Field in v20_cybertracemsg.xml	Description
  <232>	-	Service string for RSA NetWitness.
  %CyberTrace:	%CyberTrace:	Informs RSA NetWitness that an event is sent from Feed Service.
  MATCH_EVENT	&lt;messageid&gt;	The event type.
  -	&lt;!payload&gt;	Notifies RSA NetWitness that the event has additional information, the format of which is provided in the MESSAGE/content element.
  %Category%	&lt;virusname&gt;	Category of the detected object.
  %MatchedIndicator%	&lt;kl_detected_indicator%gt;	The detected indicator.
  %RE_URL%	&lt;url&gt;	The URL specified in the event from RSA NetWitness.
  %RE_HASH%	&lt;checksum&gt;	The hash specified in the event from RSA NetWitness.
  %DST_IP%	&lt;daddr&gt;	The IP address to which the request is sent.
  %SRC_IP%	&lt;saddr&gt;	The IP address from which the request is sent.
  %DeviceIp%	&lt;hostip&gt;	The IP address from which the event is sent.
  %Device%	&lt;event_source&gt;	The name of the device that has sent the event.
  %DeviceAction%	&lt;action&gt;	The action that the device has performed.
  %UserName%	&lt;c_username&gt;	The name of the user on whose account the action described in the event is performed.
  %ActionableFields%	The fields' names are discussed below in this section.	Fields of the feed record involved in the detection process that are displayed apart from the context.
  %RecordContext%	&lt;fld1&gt;	Context of the feed record that was involved in the detection process. To view the contents of this field, open the event in RSA NetWitness and select the View Log tab.
  %Confidence%	&lt;kl_confidence&gt;	The level of confidence in the indicators of the feed, in percent.