Step 4. Performing the verification test (ArcSight)

After you install Kaspersky CyberTrace and the necessary ArcSight software, you can test their performance.

Please make sure you perform the verification test before editing any filtering rules in the Feed Utility configuration file.

To check whether Kaspersky CyberTrace is correctly integrated with ArcSight:

  1. Configure Log Scanner to send events to ArcSight SmartConnector.

    For this purpose, set the host and port of ArcSight SmartConnector in the Connection element of the Log Scanner configuration file.

  2. Send the %service_dir%/verification/kl_verification_test.txt file to ArcSight SmartConnector.

    For this purpose, run the following command (in Linux):

    ./log_scanner -p ../verification/kl_verification_test.txt

    For this purpose, run the following command (in Windows):

    log_scanner.exe -p ../verification/kl_verification_test.txt

    Do not specify the -r flag in this command: send the test results to the SIEM solution by means of the OutputSettings > ConnectionString settings specified in the Feed Service configuration file.

  3. Make sure that the test result you receive matches the result listed below.

    You can view the test result in the CyberTrace all matches active channel. For this purpose, set the following inline filter for the Source Service Name field: Kaspersky Lab|CyberTrace Verification Kit.

Verification test result

The verification test result depends on the feeds you use. The verification test results are listed in the following table.

| Feed used | Detected objects |
|---|---|
| Malicious URL Data Feed | http://fakess123.nu; http://badb86360457963b90faac9ae17578ed.com; and many others, such as kaspersky.com/test/wmuf |
| Phishing URL Data Feed | http://fakess123ap.nu; http://e77716a952f640b42e4371759a661663.com |
| Botnet CnC URL Data Feed | http://fakess123bn.nu; http://a7396d61caffe18a4cffbb3b428c9b60.com |
| IP Reputation Data Feed | 192.0.2.0; 192.0.2.3 |
| Malicious Hash Data Feed | FEAF2058298C1E174C2B79AFFC7CF4DF; 44D88612FEA8A8F36DE82E1278ABB02F (EICAR Standard Anti-Virus Test File); C912705B4BBB14EC7E78FA8B370532C9 |
| Mobile Malicious Hash Data Feed | 60300A92E1D0A55C7FDD360EE40A9DC1 |
| Mobile Botnet CnC URL Data Feed | 001F6251169E6916C455495050A3FB8D (MD5 hash); sdfed7233dsfg93acvbhl.su/steallallsms.php (URL mask) |
| P-SMS Trojan Data Feed | FFAD85C453F0F29404491D8DAF0C646E (MD5 hash) |
| Ransomware URL Data Feed | http://fakess123r.nu; http://fa7830b4811fbef1b187913665e6733c.com |
| Vulnerability Data Feed | D8C1F5B4AD32296649FF46027177C594 |
| APT URL Data Feed | http://b046f5b25458638f6705d53539c79f62.com |
| APT Hash Data Feed | 7A2E65A0F70EE0615EC0CA34240CF082 |
| APT IP Data Feed | 192.0.2.4 |
| IoT URL Data Feed | http://e593461621ee0f9134c632d00bf108fd.com/.i |
| Demo Botnet CnC URL Data Feed | http://5a015004f9fc05290d87e86d69c4b237.com; http://fakess123bn.nu |
| Demo IP Reputation Data Feed | 192.0.2.1; 192.0.2.3 |
| Demo Malicious Hash Data Feed | 776735A8CA96DB15B422879DA599F474; FEAF2058298C1E174C2B79AFFC7CF4DF; 44D88612FEA8A8F36DE82E1278ABB02F |
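
Step 3 can be checked mechanically. The following is an added example, not part of the original page or of Kaspersky CyberTrace: it reports which expected demo-feed detections from the table above are absent from event text copied out of the active channel. The function names and the layout of the sample event lines are assumptions; only the indicator strings come from this page.

```python
import re

# Expected detections for the demo feeds, copied from the table on this page.
EXPECTED = {
    "Demo Botnet CnC URL Data Feed": [
        "http://5a015004f9fc05290d87e86d69c4b237.com",
        "http://fakess123bn.nu",
    ],
    "Demo IP Reputation Data Feed": ["192.0.2.1", "192.0.2.3"],
    "Demo Malicious Hash Data Feed": [
        "776735A8CA96DB15B422879DA599F474",
        "FEAF2058298C1E174C2B79AFFC7CF4DF",
        "44D88612FEA8A8F36DE82E1278ABB02F",
    ],
}

def _pattern(indicator):
    # Drop the URL scheme (an event may carry the URL without it) and match the
    # indicator only as a whole token, so 192.0.2.1 is not found in 192.0.2.10.
    core = re.sub(r"^[a-z]+://", "", indicator, flags=re.I)
    return re.compile(
        r"(?<![0-9A-Za-z.])" + re.escape(core) + r"(?![0-9A-Za-z])", re.I)

def missing_detections(enabled_feeds, event_lines):
    """Return {feed: [expected indicators not seen in any event line]}."""
    text = "\n".join(event_lines)
    report = {}
    for feed in enabled_feeds:
        absent = [i for i in EXPECTED[feed] if not _pattern(i).search(text)]
        if absent:
            report[feed] = absent
    return report

# Constructed sample events. The field layout is an assumption made for this
# example; the checker relies only on the indicator strings themselves.
SRC = "Kaspersky Lab|CyberTrace Verification Kit "
SAMPLE_EVENTS = [
    SRC + "request=http://fakess123bn.nu",
    SRC + "request=5a015004f9fc05290d87e86d69c4b237.com",
    SRC + "src=192.0.2.10",  # must NOT count as a detection of 192.0.2.1
    SRC + "src=192.0.2.3",
    SRC + "fileHash=feaf2058298c1e174c2b79affc7cf4df",
    SRC + "fileHash=44D88612FEA8A8F36DE82E1278ABB02F",
]

if __name__ == "__main__":
    for feed, absent in missing_detections(EXPECTED, SAMPLE_EVENTS).items():
        print(f"{feed}: missing {', '.join(absent)}")
```

An empty result means every expected indicator for the selected feeds was seen; a feed listed in the result points to a feed that is not loaded or to events that did not reach ArcSight.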
