This section describes the contents of the Kaspersky CyberTrace distribution kit.
Distribution kit types
Kaspersky CyberTrace is distributed in the following types of distribution kits:
This type of distribution kit is intended for installation on Linux systems.
This type of distribution kit is intended for installation on Linux systems.
This type of distribution kit is intended for installation on Windows systems.
This type of distribution kit can be used on Linux systems instead of the RPM or DEB package.
This type of distribution kit can be used on Windows systems instead of the Windows Installer package.
About the integration files
All distribution kits of Kaspersky CyberTrace are customized for integration with a particular SIEM solution or for standalone integration. Each distribution kit contains a number of files that can be used for integration with this SIEM solution. In addition, the configuration files of Feed Service and other utilities contained in the distribution kit are also customized for easy integration with the SIEM solution.
For example, a distribution kit for Splunk contains all the Kaspersky CyberTrace components, and, in addition, has customized configuration files for Feed Service and Feed Utility that work with Splunk. The integration directory inside the distribution kit contains applications for all variants of Splunk integration schemes. These applications can be deployed and used in the Splunk infrastructure.
RPM and DEB distribution kits
This type of distribution kit contains the following files and directories.
Distribution kit contents (RPM and DEB package)
Item |
Description |
Doc_data/* |
Documentation files. |
index.html |
Offline version of documentation. |
Kaspersky_CyberTrace_for_%SIEM%-Linux-%architecture-version%-Release.rpm (RPM package) Kaspersky_CyberTrace_for_%SIEM%-Linux-%architecture-version%-Release.deb (DEB package) |
Package for a specific SIEM solution and architecture. For a list of files inside this package, see subsection "Files contained in archives and packages (Linux)" below. |
legal_notices.txt |
Legal notices for the product. |
run.sh |
Installation script. |
ReleaseNotes.pdf |
Release notes. |
version_history.txt |
Changes made to the documentation. |
Windows Installer distribution kit
This type of distribution kit contains the following files and directories.
Distribution kit contents (Windows Installer package)
Item |
Description |
Doc_data/* |
Documentation files. |
index.html |
Offline version of documentation. |
Kaspersky_CyberTrace-Windows-%architecture-version%-Release_for_%SIEM%.msi |
Windows Installer package (.msi file) for a specific SIEM solution and architecture. For a list of files inside this package, see subsection "Files contained in archives and packages (Windows)" below. |
ReleaseNotes.pdf |
Release notes. |
legal_notices.txt |
Legal notices for the product. |
license.rtf |
End User License Agreement (EULA). |
version_history.txt |
Changes made to the documentation. |
Files contained in archives and packages (Linux)
RPM and DEB packages and TGZ archives contain the following set of files.
Files contained in archives and packages (Linux)
Item |
Description |
bin/configure |
Configurator utility binary file. |
bin/kl_feed_service |
Feed Service binary file. |
bin/kl_feed_service_log.conf |
Feed Service logging configuration file. |
bin/libssp.so.0 |
Auxiliary library. |
dmz/cron_dmz.sh |
Script for updating feeds from a separate computer. |
dmz/demofeeds.pem |
Certificate needed for getting access to demo feeds. |
dmz/feeds.pem |
Certificate needed for getting access to demo feeds. It is replaced with the certificate specified during the installation of Kaspersky CyberTrace. |
dmz/kl_feed_compiler |
Binary file used by Feed Utility to compile feeds. |
dmz/kl_feed_util |
Feed Utility binary file. |
dmz/kl_feed_util.conf |
Feed Utility configuration file. |
dmz/libssp.so.0 |
Auxiliary library. |
doc/Kaspersky_CyberTrace_Online_Documentation.html |
HTML page that redirects to the online documentation for Kaspersky CyberTrace. |
doc/legal_notices.txt |
Legal notices for the product. |
doc/license.txt |
End User License Agreement (EULA). |
etc/init.d/kl_feed_service |
Script for managing Feed Service. |
etc/kl_feed_service.conf |
Feed Service configuration file. |
etc/kl_feed_util.conf |
Feed Utility configuration file. |
feeds/APT_URL_Data_Feed.json.url.bin/* feeds/Black_List.json.url.bin/* feeds/Botnet_CnC_URL_Data_Feed.json.url.bin/* feeds/Demo_Botnet_CnC_URL_Data_Feed.json.url.bin/* feeds/IoT_URL_Data_Feed.json.url.bin/* feeds/Malicious_URL_Data_Feed.json.url.bin/* feeds/Mobile_Botnet_CnC_URL_Data_Feed.json.url.bin/* feeds/Phishing_URL_Data_Feed.json.url.bin/* feeds/Ransomware_URL_Data_Feed.json.url.bin/* feeds/White_List.json.url.bin/* |
Compiled URL masks for feeds. |
feeds/Demo_Botnet_CnC_URL_Data_Feed.json feeds/Demo_IP_Reputation_Data_Feed.json feeds/Demo_Malicious_Hash_Data_Feed.json |
Demo feeds. |
feeds/APT_Hash_Data_Feed.json feeds/APT_IP_Data_Feed.json feeds/APT_URL_Data_Feed.json feeds/Botnet_CnC_URL_Data_Feed.json feeds/IoT_URL_Data_Feed.json feeds/IP_Reputation_Data_Feed.json feeds/Malicious_Hash_Data_Feed.json feeds/Malicious_URL_Data_Feed.json feeds/Mobile_Botnet_CnC_URL_Data_Feed.json feeds/Mobile_Malicious_Hash_Data_Feed.json feeds/P-SMS_Trojan_Data_Feed.json feeds/Phishing_URL_Data_Feed.json feeds/Ransomware_URL_Data_Feed.json feeds/Vulnerability_Data_Feed.json |
Files for performing verification test for commercial feeds. These files are replaced by actual commercial feeds when updated. |
feeds/Black_List.json |
File with black list records. |
feeds/White_List.json |
File with white list records. |
httpsrv/etc/kl_feed_info.conf |
File that contains information about Kaspersky Threat Data Feeds. |
httpsrv/etc/ktfsaccess |
File that contains information about CyberTrace accounts. |
httpsrv/etc/ktfsstatistics.kvdb |
Auxiliary file for Kaspersky CyberTrace Web. This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace. |
httpsrv/etc/ktfsstorage.kvdb |
File that contains information about open sessions and tasks in progress. This file is not contained in the distribution kit, but is created later during the work of Kaspersky CyberTrace. |
httpsrv/etc/osint_list.conf |
File that contains the list of the supported OSINT feeds. |
httpsrv/templates/* |
Directory that contains templates for Kaspersky CyberTrace Web. |
integration/* |
Files for integration with a particular SIEM solution. For a list of these files, see "Integration files" subsections below. |
log_scanner/libssp.so.0 |
Auxiliary library. |
log_scanner/log_scanner |
Log Scanner binary file. |
log_scanner/log_scanner.conf |
Log Scanner configuration file. |
scripts/cron_cybertrace.sh |
Script for updating feeds when Feed Service and Feed Utility are installed on different computers. |
tools/kl_access_util |
Password Utility. |
tools/kl_feed_compiler |
Binary file used by Feed Utility to compile feeds. |
tools/kl_feed_util |
Feed Utility binary file. |
tools/libssp.so.0 |
Auxiliary library. |
tools/openssl |
OpenSSL binary file. |
tools/openssl.cnf |
OpenSSL configuration file. |
tools/output/feeds.info |
Auxiliary file. |
verification/kl_verification_test.txt |
Events for the verification test. |
gcc-version |
Version of GCC. |
platform |
Version of the GLIBC library. |
ReleaseNotes.pdf |
Release notes. |
version |
Product version. |
Files contained in archives and packages (Windows)
Windows Installer packages and ZIP archives contain the following set of files.
Files contained in archives and packages (Windows)
Item |
Description |
bin\kl_control.bat |
Script for managing Feed Service. |
bin\kl_feed_service.conf |
Feed Service configuration file. |
bin\kl_feed_service.exe |
Feed Service binary file. |
bin\kl_feed_service_log.conf |
Logging configuration file. |
bin\kl_feed_util.conf |
Feed Utility configuration file. |
bin\kl_watchdog_service.exe |
Binary file of the Windows service that monitors the Feed Service process. |
dmz\cron_dmz.cmd |
Script for updating feeds from a separate computer. |
dmz\demofeeds.pem |
Certificate required for access to demo feeds. |
dmz\feeds.pem |
Certificate required for access to demo feeds. It is replaced with the certificate specified during installation of Kaspersky CyberTrace. |
dmz\kl_feed_compiler.exe |
Binary file used by Feed Utility to compile feeds. |
dmz\kl_feed_util.conf |
Feed Utility configuration file. |
dmz\kl_feed_util.exe |
Feed Utility binary file. |
doc\Kaspersky_CyberTrace_Online_Documentation.html |
HTML page that redirects to the online documentation for Kaspersky CyberTrace. |
doc\legal_notices.txt |
Legal notices for the product. |
doc\license.rtf |
End User License Agreement (EULA). |
feeds\APT_URL_Data_Feed.json.url.bin\* feeds\Black_List.json.url.bin\* feeds\Botnet_CnC_URL_Data_Feed.json.url.bin\* feeds\Demo_Botnet_CnC_URL_Data_Feed.json.url.bin\* feeds\IoT_URL_Data_Feed.json.url.bin\* feeds\Malicious_URL_Data_Feed.json.url.bin\* feeds\Mobile_Botnet_CnC_URL_Data_Feed.json.url.bin\* feeds\Phishing_URL_Data_Feed.json.url.bin\* feeds\Ransomware_URL_Data_Feed.json.url.bin\* feeds\White_List.json.url.bin\* |
Compiled URL masks for feeds. |
feeds\Demo_Botnet_CnC_URL_Data_Feed.json feeds\Demo_IP_Reputation_Data_Feed.json feeds\Demo_Malicious_Hash_Data_Feed.json |
Demo feeds. |
feeds\APT_Hash_Data_Feed.json feeds\APT_IP_Data_Feed.json feeds\APT_URL_Data_Feed.json feeds\Botnet_CnC_URL_Data_Feed.json feeds\IoT_URL_Data_Feed.json feeds\IP_Reputation_Data_Feed.json feeds\Malicious_Hash_Data_Feed.json feeds\Malicious_URL_Data_Feed.json feeds\Mobile_Botnet_CnC_URL_Data_Feed.json feeds\Mobile_Malicious_Hash_Data_Feed.json feeds\P-SMS_Trojan_Data_Feed.json feeds\Phishing_URL_Data_Feed.json feeds\Ransomware_URL_Data_Feed.json feeds\Vulnerability_Data_Feed.json |
Files for performing verification test for commercial feeds. These files are replaced by actual commercial feeds when updated. |
feeds\Black_List.json |
File with black list records. |
feeds\White_List.json |
File with white list records. |
httpsrv\etc\kl_feed_info.conf |
File that contains information about Kaspersky Threat Data Feeds. |
httpsrv\etc\ktfsaccess |
File that contains information about CyberTrace accounts. |
httpsrv\etc\ktfsstatistics.kvdb |
Auxiliary file for Kaspersky CyberTrace Web. This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace. |
httpsrv\etc\ktfsstorage.kvdb |
File that contains information about open sessions and tasks in progress. This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace. |
httpsrv\etc\osint_list.conf |
File that contains the list of the supported OSINT feeds. |
httpsrv\templates\* |
Folder that contains templates for Kaspersky CyberTrace Web. |
integration\* |
Files for integration with a particular SIEM solution. For a list of these files, see "Integration files" subsections below. |
log_scanner\log_scanner.conf |
Log Scanner configuration file. |
log_scanner\log_scanner.exe |
Log Scanner binary file. |
scripts\cron_cybertrace.cmd |
Script for updating feeds when Feed Service and Feed Utility are installed on different computers. |
tools\kl_access_util.exe |
Password Utility. |
tools\kl_feed_compiler.exe |
Binary file used by Feed Utility to compile feeds. |
tools\kl_feed_util.exe |
Feed Utility binary file. |
tools\openssl.cnf |
OpenSSL configuration file for generating a self-signed certificate. |
tools\openssl.exe |
OpenSSL binary file. |
verification\kl_verification_test.txt |
File that contains events for the verification test. |
install.bat |
Batch script that installs Windows services for Kaspersky CyberTrace. |
ReleaseNotes.pdf |
Release notes. |
uninstall.bat |
Batch script that uninstalls Windows services for Kaspersky CyberTrace. |
version |
A text file containing the product version. |
Integration files (Splunk)
Integration files for Splunk are described in the following table.
Integration files (Splunk)
Item |
Description |
/integration/Kaspersky-CyberTrace-App-for-Splunk.tar.gz |
Kaspersky CyberTrace App for Splunk application file for the single-instance integration scheme. |
/integration/Kaspersky-CyberTrace-App-for-Splunk_Forwarder.tar.gz |
Kaspersky CyberTrace App for Splunk Forwarder application file for the distributed integration scheme. |
/integration/Kaspersky-CyberTrace-App-for-Splunk_Search-Head.tar.gz |
Kaspersky CyberTrace App for Splunk Search Head application file for the distributed integration scheme. |
Integration files (ArcSight)
Integration files for ArcSight are described in the following table.
Integration files (ArcSight)
Item |
Description |
integration/Kaspersky_CyberTrace_Connector.arb |
Kaspersky CyberTrace Connector ARB file for ArcSight. |
Integration files (QRadar)
Integration files for QRadar are described in the following table.
Integration files (QRadar)
Item |
Description |
integration/sample_initiallog.txt |
A log example for the first transmission of events to QRadar. |
integration/sample_qid.txt |
An example list of QIDs for importing to QRadar. |
Integration files (RSA NetWitness)
Integration files for RSA NetWitness are described in the following table.
Integration files (RSA NetWitness)
Item |
Description |
integration/additional_elements/CyberTrace_Charts.zip |
File that contains preconfigured charts. |
integration/additional_elements/CyberTrace_Reports.zip |
File that contains a preconfigured report. |
integration/additional_elements/CyberTrace_Rules.zip |
File that contains rules to operate the events from Feed Service. |
integration/additional_elements/index-concentrator-custom.xml |
Example of data that can be added to the index-concentrator-custom.xml file. This data example contains only a description of the kl actionable fields. |
integration/additional_elements/Kaspersky CyberTrace.zip |
File for creating the Kaspersky CyberTrace dashboard in RSA NetWitness 11.0. |
integration/additional_elements/Kaspersky+CyberTrace.cfg |
File for creating the Kaspersky CyberTrace dashboard in RSA NetWitness 10.6. |
integration/additional_elements/MetaGroups.jsn |
File that contains a meta group that is used for browsing fields in RSA NetWitness that are filled by Feed Service. |
integration/additional_elements/MetaGroups_without_kl_fields.jsn |
Metagroup for the Navigate tab. This metagroup does not contain the |
integration/additional_elements/table-map-custom.xml |
Example of data that can be added to the table-map-custom.xml file. This data example contains only a description of the |
integration/cybertrace/cybertrace.ini |
File used for integrating Kaspersky CyberTrace with RSA NetWitness. |
integration/cybertrace/v20_cybertracemsg.xml |
File used for integrating Kaspersky CyberTrace with RSA NetWitness. |
Integration files (LogRhythm)
Integration files for LogRhythm are described in the following table.
Integration files (LogRhythm)
Item |
Description |
integration/events/* |
Files that contain KasperskyCyberTrace rules for importing to LogRhythm:
|