Upgrading integration (RSA)

This section describes how to finish the integration of Kaspersky CyberTrace with RSA NetWitness after the files of Kaspersky Threat Feed Service for RSA NetWitness are upgraded to the files of Kaspersky CyberTrace.

To integrate Kaspersky CyberTrace with RSA NetWitness after the Kaspersky Threat Feed Service for NetWitness files are upgraded to Kaspersky CyberTrace files:

  1. Remove the /etc/netwitness/ng/envision/etc/devices/ktfs directory from the computer on which Log Decoder runs.
  2. Copy the integraton/cybertrace directory of the Kaspersky CyberTrace distribution kit to the /etc/netwitness/ng/envision/etc/devices directory.
  3. Make sure that all fields in the v20_cybertracemsg.xml file (except context) are present in the following files:

    If any fields are absent, refer to section "Troubleshooting".

  4. Restart Log Decoder.
  5. Remove the objects whose names start with "KTFS " in the following order:
    1. Dashboard
    2. Charts
    3. Reports
    4. Alerts
    5. Rules
  6. Import the Feed Service rules to RSA NetWitness.

    Figure: Importing rules

    In the Import Rule window, select Rule and List to overwrite the existing data and then click the Import button.

  7. Remove the KTFS_META_GROUP meta group, as follows:
    1. On the RSA NetWitness menu, select Investigation > Navigate.
    2. Select Meta > Manage Meta Groups.

      The Manage Meta Groups window opens.

    3. Select the KTFS_META_GROUP meta group and click the Delete button.
    4. Click the Save button or the Save and Apply button.

    Figure: Removing a meta group

  8. In the Manage Meta Groups window, import the CyberTrace_META_GROUP meta group.
  9. From the RSA NetWitness menu, select Dashboard > Reports (in RSA NetWitness 11, you select Monitor > Reports) and import the reports.
  10. In the Dashboard form, import the dashboards.