Upgrading Kaspersky CyberTrace integration (QRadar)

This section describes how to finish the integration of Kaspersky CyberTrace with QRadar after the upgrade of the Kaspersky CyberTrace files.

Finishing the integration of Kaspersky CyberTrace with QRadar consists of the actions listed below.

If QRadar receives configuration updates automatically (including configuration file changes, vulnerabilities, QID maps, supportability scripts, and security threat information updates), the features below are already included and no manual action is required. Otherwise, add them as described in the following subsections:

Adding support of Vulnerability Data Feed

Add the KL_Vulnerable_File_Hash_MD5, KL_Vulnerable_File_Hash_SHA1, KL_Vulnerable_File_Hash_SHA256, KL_Exploit_Hash_MD5, KL_Exploit_Hash_SHA1, and KL_Exploit_Hash_SHA256 categories to QRadar manually only if it does not receive configuration updates automatically. To add these categories to QRadar, perform the actions described in sections "Importing QIDs to QRadar", "Sending a set of events to QRadar", and "Mapping events to QIDs". The categories listed above are included in the sample_initiallog.txt and sample_qid.txt files of the latest distribution kit of CyberTrace.

Adding support of IoT URL Data Feed

Add the KL_IoT_URL, KL_IoT_Hash_MD5, KL_IoT_Hash_SHA1, and KL_IoT_Hash_SHA256 categories to QRadar manually only if it does not receive configuration updates automatically. Do this as described in subsection "Adding support of Vulnerability Data Feed" above.

Adding support of new Mobile Botnet CnC URL Data Feed

Add the KL_Mobile_BotnetCnC_Hash_SHA1 and KL_Mobile_BotnetCnC_Hash_SHA256 categories to QRadar manually only if it does not receive configuration updates automatically. Do this as described in subsection "Adding support of Vulnerability Data Feed" above.

Adding support of new alert events

Add the KL_ALERT_LicenseExpires, KL_ALERT_LicenseExpired, KL_ALERT_EPSLimitExceeded, KL_ALERT_EPSHardLimit, KL_ALERT_FeedLoadedPartially, KL_ALERT_LicenseChanged, KL_ALERT_FeedBecameUnavailable, KL_ALERT_FeedBecameAvailable, and KL_ALERT_ConfigurationUpdated categories to QRadar manually only if it does not receive configuration updates automatically. Do this as described in subsection "Adding support of Vulnerability Data Feed" above.

Adding new categories for OSINT feeds

Add the AbuseCh_Feodo_Malware_Hash_MD5, AbuseCh_SSL_Certificate_Block_IP, AbuseCh_SSL_Certificate_Hash_SHA1, BlocklistDe_Block_IP, CyberCrime_Tracker_Block_URL, AbuseCh_Ransomware_Common_URL, AbuseCh_Ransomware_Block_URL, AbuseCh_Ransomware_Block_Domain, AbuseCh_Ransomware_Block_IP, AbuseCh_Feodo_Block_IP, EmergingThreats_Block_IP, and EmergingThreats_Compromised_IP categories to QRadar manually only if it does not receive configuration updates automatically. Do this as described in subsection "Adding support of Vulnerability Data Feed" above.
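Before importing QIDs and sending the initial event set, it is worth confirming that the distribution kit you are about to use actually carries every category this section expects. The following script is an added example, not part of the Kaspersky CyberTrace kit or of QRadar; it assumes only that sample_qid.txt and sample_initiallog.txt are plain-text files in which each category name appears as a whole token (the files' exact line layout is not reproduced here), and it reports, per feed, any category missing from either file. The sample content it runs on is constructed inline.

```python
import re
import sys
from pathlib import Path

# Categories this section expects after the upgrade, grouped by the page's subsections.
EXPECTED_CATEGORIES = {
    "Vulnerability Data Feed": [
        "KL_Vulnerable_File_Hash_MD5", "KL_Vulnerable_File_Hash_SHA1",
        "KL_Vulnerable_File_Hash_SHA256", "KL_Exploit_Hash_MD5",
        "KL_Exploit_Hash_SHA1", "KL_Exploit_Hash_SHA256",
    ],
    "IoT URL Data Feed": [
        "KL_IoT_URL", "KL_IoT_Hash_MD5", "KL_IoT_Hash_SHA1", "KL_IoT_Hash_SHA256",
    ],
    "Mobile Botnet CnC URL Data Feed": [
        "KL_Mobile_BotnetCnC_Hash_SHA1", "KL_Mobile_BotnetCnC_Hash_SHA256",
    ],
    "Alert events": [
        "KL_ALERT_LicenseExpires", "KL_ALERT_LicenseExpired",
        "KL_ALERT_EPSLimitExceeded", "KL_ALERT_EPSHardLimit",
        "KL_ALERT_FeedLoadedPartially", "KL_ALERT_LicenseChanged",
        "KL_ALERT_FeedBecameUnavailable", "KL_ALERT_FeedBecameAvailable",
        "KL_ALERT_ConfigurationUpdated",
    ],
    "OSINT feeds": [
        "AbuseCh_Feodo_Malware_Hash_MD5", "AbuseCh_SSL_Certificate_Block_IP",
        "AbuseCh_SSL_Certificate_Hash_SHA1", "BlocklistDe_Block_IP",
        "CyberCrime_Tracker_Block_URL", "AbuseCh_Ransomware_Common_URL",
        "AbuseCh_Ransomware_Block_URL", "AbuseCh_Ransomware_Block_Domain",
        "AbuseCh_Ransomware_Block_IP", "AbuseCh_Feodo_Block_IP",
        "EmergingThreats_Block_IP", "EmergingThreats_Compromised_IP",
    ],
}


def present_categories(text):
    """Return every whole word-token in text (letters, digits, underscore).

    Category names contain only those characters, so a name counts as present
    when it occurs as a complete token, e.g. inside 'category=KL_IoT_URL'.
    """
    return set(re.findall(r"\b\w+\b", text))


def missing_categories(sample_qid_text, sample_initiallog_text):
    """Map feed name -> expected categories absent from either file's text."""
    in_qid = present_categories(sample_qid_text)
    in_log = present_categories(sample_initiallog_text)
    report = {}
    for feed, cats in EXPECTED_CATEGORIES.items():
        missing = [c for c in cats if c not in in_qid or c not in in_log]
        if missing:
            report[feed] = missing
    return report


def check_files(qid_path, initiallog_path):
    """Run the check against real files from the distribution kit."""
    return missing_categories(Path(qid_path).read_text(encoding="utf-8"),
                              Path(initiallog_path).read_text(encoding="utf-8"))


def build_sample(exclude=()):
    """Constructed stand-in for a kit file: one 'category=<name>' token per line.

    This is NOT the real sample_qid.txt / sample_initiallog.txt layout; it only
    gives the check some text to run against offline.
    """
    names = [c for cats in EXPECTED_CATEGORIES.values() for c in cats if c not in exclude]
    return "\n".join(f"category={name}" for name in names) + "\n"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        result = check_files(sys.argv[1], sys.argv[2])
    else:
        # Offline demo on constructed content, with one name dropped from each file.
        result = missing_categories(build_sample(exclude={"KL_IoT_Hash_SHA256"}),
                                    build_sample(exclude={"KL_ALERT_EPSHardLimit"}))
    if not result:
        print("All expected categories are present in both files.")
    for feed, cats in result.items():
        print(f"{feed}: missing {', '.join(cats)}")
```

Run it with the two file paths (`python check_categories.py sample_qid.txt sample_initiallog.txt`) against the unpacked kit; an empty report means the QID import and initial event set will cover every category listed in this section, while any name in the report points at a category that would have to be added by hand.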
