This section describes how to finish the integration of Kaspersky CyberTrace with ArcSight after the files of Kaspersky Threat Feed Service for ArcSight are upgraded to the files of Kaspersky CyberTrace.
If you have added some other objects and made them dependent on the objects from the old ARB package, remove these dependencies before proceeding to step 2 of the instructions below. Otherwise, your objects will be removed.
To integrate Kaspersky CyberTrace with ArcSight after Kaspersky Threat Feed Service for ArcSight files are upgraded to Kaspersky CyberTrace files:
/All Packages/Public/Kaspersky Threat Feed Connector package.
If a warning message is displayed (for example, saying that some changes are made to the objects in the ARB package), click Skip to skip any additional actions.
integration directory of the distribution kit.
FwdCyberTrace user for forwarding events.
To use the FwdCyberTrace user account for forwarding events:
%ForwardingConnector%/current/bin/runagentsetup.sh script.
Here %ForwardingConnector% is the directory in which ArcSight Forwarding Connector is installed.
FwdCyberTrace as the user name.
KasperskyLab!1 as the password.
By default, Kaspersky CyberTrace listens on port 9999 for incoming events. Make sure that ArcSight Forwarding Connector sends events from ArcSight ESM to the IP address and port that are specified in the InputSettings > ConnectionString element of the Feed Service configuration file. If you need to change the IP address and port to which ArcSight Forwarding Connector sends events, in the Connector Setup Wizard select Modify Connector > Add, Modify, or remove destinations and follow the Wizard instructions.
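One way to check the connector destination against the listener address, as an added example that is not part of the original documentation. It assumes the Feed Service configuration file is XML in which InputSettings > ConnectionString holds ip:port; the root element name, the sample addresses and the function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: only InputSettings > ConnectionString comes from the page;
# the root element name and the address are assumptions for illustration.
SAMPLE_CONF = """<Configuration>
  <InputSettings>
    <ConnectionString>127.0.0.1:9999</ConnectionString>
  </InputSettings>
</Configuration>"""


def read_listen_endpoint(conf_xml):
    """Return (ip_address, port) parsed from InputSettings > ConnectionString."""
    node = ET.fromstring(conf_xml).find(".//InputSettings/ConnectionString")
    text = (node.text or "").strip() if node is not None else ""
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("expected ip:port in ConnectionString, got %r" % text)
    # ip_address() raises ValueError for anything that is not a literal IP.
    return ipaddress.ip_address(host.strip("[]")), int(port)


def check_destination(conf_xml, dest_ip, dest_port, same_host):
    """Return the reasons events sent to dest_ip:dest_port would not arrive."""
    listen_ip, listen_port = read_listen_endpoint(conf_xml)
    problems = []
    if dest_port != listen_port:
        problems.append("port mismatch: connector sends to %d, listener uses %d"
                        % (dest_port, listen_port))
    # A wildcard listen address accepts any local IP, so only a specific
    # address has to match the connector destination exactly.
    if not listen_ip.is_unspecified and ipaddress.ip_address(dest_ip) != listen_ip:
        problems.append("address mismatch: connector sends to %s, listener is on %s"
                        % (dest_ip, listen_ip))
    if listen_ip.is_loopback and not same_host:
        problems.append("listener is on loopback, unreachable from another host")
    return problems


if __name__ == "__main__":
    # Constructed destination values, as entered in the Connector Setup Wizard.
    for problem in check_destination(SAMPLE_CONF, "10.0.0.5", 514, same_host=False):
        print("WARNING:", problem)
```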
When you integrated Kaspersky Threat Feed Service for ArcSight with ArcSight, you added the ktfs_events.subagent.sdkrfilereader.properties file to ArcSight SmartConnector. When you upgrade Kaspersky Threat Feed Service for ArcSight to Kaspersky CyberTrace, you do not have to do anything with this file; leave it as it is.