Distribution kit contents

This section describes the contents of the Kaspersky CyberTrace distribution kit.

Distribution kit types

Kaspersky CyberTrace is distributed in the following types of distribution kits:

About the integration files

All distribution kits of Kaspersky CyberTrace are customized for integration with a particular SIEM solution or for standalone integration. Each distribution kit contains a number of files that can be used for integration with this SIEM solution. In addition, the configuration files of Feed Service and other utilities contained in the distribution kit are also customized for easy integration with the SIEM solution.

For example, a distribution kit for Splunk contains all the Kaspersky CyberTrace components, and, in addition, has customized configuration files for Feed Service and Feed Utility that work with Splunk. The integration directory inside the distribution kit contains applications for all variants of Splunk integration schemes. These applications can be deployed and used in the Splunk infrastructure.

RPM and DEB distribution kits

This type of distribution kit contains the following files and directories.

Distribution kit contents (RPM and DEB package)

Item

Description

Doc_data/*

Documentation files.

Kaspersky_CyberTrace.html

Offline version of documentation.

Kaspersky_CyberTrace-Linux-%architecture%-%version%.rpm (RPM package)

Kaspersky_CyberTrace-Linux-%architecture%-%version%.deb (DEB package)

Kaspersky CyberTrace installation package.

For a list of files inside this package, see subsection "Files contained in archives and packages (Linux)" below.

legal_notices.txt

Legal notices.

run.sh

Installation script.

ReleaseNotes.pdf

Release notes.

Executable installer distribution kit

This type of distribution kit contains the following file.

Distribution kit contents (executable installer)

Item

Description

Kaspersky_CyberTrace-Windows-%architecture-version%-Release.exe

Executable installer.

For a list of files inside this package, see subsection "Files contained in archives and packages (Windows)" below.

Files contained in archives and packages (Linux)

RPM and DEB packages and TGZ archives contain the following set of files.

Files contained in archives and packages (Linux)

Item

Description

bin/.need_run_wizard

Initial Setup Wizard. This file is deleted after the initial setup is done.

bin/configure

Configurator utility binary file.

bin/en_US

English localization files.

bin/kl_feed_service

Feed Service binary file.

bin/kl_balancer_log.conf

Balancer logging configuration file.

bin/kl_feed_service_log.conf

Feed Service logging configuration file.

bin/kl_balancer

Balancer binary file.

bin/kl_balancer.conf

Balancer configuration file

bin/libssp.so.0

Auxiliary library.

db/package/config/elasticsearch.yml

Elasticsearch database configuration file.

dmz/cron_dmz.sh

Script for updating feeds from a separate computer.

dmz/demofeeds.pem

Certificate needed for getting access to demo feeds.

dmz/feeds.pem

Certificate needed for getting access to demo feeds. It is replaced with the certificate specified during the installation of Kaspersky CyberTrace.

dmz/kl_feed_compiler

Binary file used by Feed Utility to compile feeds.

dmz/kl_feed_util

Feed Utility binary file.

dmz/kl_feed_util.conf

Feed Utility configuration file.

dmz/libssp.so.0

Auxiliary library.

doc/Kaspersky_CyberTrace_Online_Documentation.html

HTML page that redirects to the online documentation for Kaspersky CyberTrace.

doc/legal_notices.txt

Legal notices.

doc/license.txt

End User License Agreement (EULA).

etc/systemd/system/cybertrace.service

Systemd unit file for Feed Service.

etc/systemd/system/cybertrace_balancer.service

Systemd unit file for Balancer.

etc/systemd/system/cybertrace_db.service

Systemd unit file for Elasticsearch database service.

etc/kl_feed_service.conf

Feed Service configuration file.

etc/kl_feed_service_templates.conf

Configuration file template.

etc/kl_feed_util.conf

Feed Utility configuration file.

etc/kl_feed_util_diff.conf

Feed Utility configuration file for using with diff feeds.

feeds/APT_URL_Data_Feed.json.url.bin/*

feeds/Botnet_CnC_URL_Data_Feed.json.url.bin/*

feeds/Demo_Botnet_CnC_URL_Data_Feed.json.url.bin/*

feeds/IoT_URL_Data_Feed.json.url.bin/*

feeds/Malicious_URL_Data_Feed.json.url.bin/*

feeds/Mobile_Botnet_CnC_URL_Data_Feed.json.url.bin/*

feeds/Phishing_URL_Data_Feed.json.url.bin/*

feeds/Ransomware_URL_Data_Feed.json.url.bin/*

Compiled URL masks for feeds.

feeds/Demo_Botnet_CnC_URL_Data_Feed.json

feeds/Demo_IP_Reputation_Data_Feed.json

feeds/Demo_Malicious_Hash_Data_Feed.json

Demo feeds.

feeds/APT_Hash_Data_Feed.json

feeds/APT_IP_Data_Feed.json

feeds/APT_URL_Data_Feed.json

feeds/Botnet_CnC_URL_Data_Feed.json

feeds/IoT_URL_Data_Feed.json

feeds/IP_Reputation_Data_Feed.json

feeds/Malicious_Hash_Data_Feed.json

feeds/Malicious_URL_Data_Feed.json

feeds/Mobile_Botnet_CnC_URL_Data_Feed.json

feeds/Mobile_Malicious_Hash_Data_Feed.json

feeds/Phishing_URL_Data_Feed.json

feeds/Ransomware_URL_Data_Feed.json

feeds/Vulnerability_Data_Feed.json

feeds/ICS_Hash_Data_Feed.json

Files for performing verification test for commercial feeds. These files are replaced by actual commercial feeds when updated.

httpsrv/etc/kl_feed_info.conf

File that contains information about Kaspersky Threat Data Feeds.

httpsrv/etc/kl_feed_info_diff.conf

File that contains information about Kaspersky Threat Data Feeds that have diff versions available.

httpsrv/etc/ktfsaccess

File that contains information about CyberTrace accounts.

httpsrv/etc/ktfsstatistics.kvdb

Auxiliary file for Kaspersky CyberTrace Web.

This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace.

httpsrv/etc/ktfsstorage.kvdb

File that contains information about open sessions and tasks in progress.

This file is not contained in the distribution kit, but is created later during the work of Kaspersky CyberTrace.

httpsrv/etc/osint_feed_list.conf

File that contains the list of the supported OSINT feeds.

httpsrv/templates/*

Directory that contains templates for Kaspersky CyberTrace Web.

httpsrv/templates_kuma

Directory that contains Kaspersky CyberTrace Web templates for the KUMA integration.

integration/*

Files for integration with a particular SIEM solution.

For a list of these files, see "Integration files" subsections below.

log_scanner/libssp.so.0

Auxiliary library.

log_scanner/log_scanner

Log Scanner binary file.

log_scanner/log_scanner.conf

Log Scanner configuration file.

scripts/cron_cybertrace.sh

Script for updating feeds when Feed Service and Feed Utility are installed on different computers.

tools/kl_access_util

Password Utility.

tools/kl_feed_compiler

Binary file used by Feed Utility to compile feeds.

tools/kl_feed_util

Feed Utility binary file.

tools/libssp.so.0

Auxiliary library.

tools/openssl

OpenSSL binary file.

tools/openssl.cnf

OpenSSL configuration file.

tools/output/feeds.info

Auxiliary file.

verification/kl_verification_test_leef.txt

Events for the verification test, in LEEF format.

verification/kl_verification_test_cef.txt

Events for the verification test in, CEF format.

gcc-version

Version of GCC.

platform

Version of the GLIBC library.

ReleaseNotes.pdf

Release notes.

version

Version info.

Files contained in archives and packages (Windows)

Executable installers contain the following set of files.

Files contained in archives and packages (Windows)

Item

Description

bin\.need_run_wizard

Initial Setup Wizard. This file is deleted after the initial setup is done.

bin\en_US

English localization files.

bin\kl_control.bat

Script for managing Feed Service.

bin\kl_feed_service.conf

Feed Service configuration file.

bin\kl_feed_service.exe

Feed Service binary file.

bin\kl_balancer_log.conf

Balancer logging configuration file.

bin\kl_feed_service_log.conf

Feed Service logging configuration file.

bin\kl_feed_service_templates.conf

Feed Service configuration file template.

bin\kl_feed_util.conf

Feed Utility configuration file.

bin\kl_balancer.exe

Balancer binary file.

bin\kl_balancer_control.bat

Script for managing Balancer.

bin\kl_balancer.conf

Balancer configuration file.

bin\kl_feed_util_diff.conf

Feed Utility configuration file for using with diff feeds.

bin\kl_watchdog_service.exe

Binary file of the Windows service that monitors the Feed Service process.

db\package\config\elasticsearch.yml

Elasticsearch database configuration file.

dmz\cron_dmz.cmd

Script for updating feeds from a separate computer.

dmz\demofeeds.pem

Certificate required for access to demo feeds.

dmz\feeds.pem

Certificate required for access to demo feeds. It is replaced with the certificate specified during installation of Kaspersky CyberTrace.

dmz\kl_feed_compiler.exe

Binary file used by Feed Utility to compile feeds.

dmz\kl_feed_util.conf

Feed Utility configuration file.

dmz\kl_feed_util.exe

Feed Utility binary file.

doc\Kaspersky_CyberTrace_Online_Documentation.html

HTML page that redirects to the online documentation for Kaspersky CyberTrace.

doc\legal_notices.txt

Legal notices.

doc\license.rtf

End User License Agreement (EULA).

feeds\APT_URL_Data_Feed.json.url.bin\*

feeds\Botnet_CnC_URL_Data_Feed.json.url.bin\*

feeds\Demo_Botnet_CnC_URL_Data_Feed.json.url.bin\*

feeds\IoT_URL_Data_Feed.json.url.bin\*

feeds\Malicious_URL_Data_Feed.json.url.bin\*

feeds\Mobile_Botnet_CnC_URL_Data_Feed.json.url.bin\*

feeds\Phishing_URL_Data_Feed.json.url.bin\*

feeds\Ransomware_URL_Data_Feed.json.url.bin\*

Compiled URL masks for feeds.

feeds\Demo_Botnet_CnC_URL_Data_Feed.json

feeds\Demo_IP_Reputation_Data_Feed.json

feeds\Demo_Malicious_Hash_Data_Feed.json

Demo feeds.

feeds\APT_Hash_Data_Feed.json

feeds\APT_IP_Data_Feed.json

feeds\APT_URL_Data_Feed.json

feeds\Botnet_CnC_URL_Data_Feed.json

feeds\IoT_URL_Data_Feed.json

feeds\IP_Reputation_Data_Feed.json

feeds\Malicious_Hash_Data_Feed.json

feeds\Malicious_URL_Data_Feed.json

feeds\Mobile_Botnet_CnC_URL_Data_Feed.json

feeds\Mobile_Malicious_Hash_Data_Feed.json

feeds\Phishing_URL_Data_Feed.json

feeds\Ransomware_URL_Data_Feed.json

feeds\Vulnerability_Data_Feed.json

feeds\ICS_Hash_Data_Feed.json

Files for performing verification test for commercial feeds. These files are replaced by actual commercial feeds when updated.

httpsrv\etc\kl_feed_info.conf

File that contains information about Kaspersky Threat Data Feeds.

httpsrv\etc\kl_feed_info_diff.conf

File that contains information about Kaspersky Threat Data Feeds that have diff versions available.

httpsrv\etc\ktfsaccess

File that contains information about CyberTrace accounts.

httpsrv\etc\ktfsstatistics.kvdb

Auxiliary file for Kaspersky CyberTrace Web.

This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace.

httpsrv\etc\ktfsstorage.kvdb

File that contains information about open sessions and tasks in progress.

This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace.

httpsrv\etc\osint_feed_list.conf

File that contains the list of the supported OSINT feeds.

httpsrv\templates\*

Folder that contains templates for Kaspersky CyberTrace Web.

httpsrv\templates_kuma

Folder that contains Kaspersky CyberTrace Web templates for the KUMA integration.

integration\*

Files for integration with a particular SIEM solution.

For a list of these files, see "Integration files" subsections below.

log_scanner\log_scanner.conf

Log Scanner configuration file.

log_scanner\log_scanner.exe

Log Scanner binary file.

scripts\cron_cybertrace.cmd

Script for updating feeds when Feed Service and Feed Utility are installed on different computers.

tools\kl_access_util.exe

Password Utility.

tools\kl_feed_compiler.exe

Binary file used by Feed Utility to compile feeds.

tools\kl_feed_util.exe

Feed Utility binary file.

tools\openssl.cnf

OpenSSL configuration file for generating a self-signed certificate.

tools\openssl.exe

OpenSSL binary file.

verification\kl_verification_test_leef.txt

Events for the verification test in LEEF format.

verification\kl_verification_test_cef.txt

Events for the verification test in CEF format.

install.bat

Batch script that installs Windows services for Kaspersky CyberTrace.

ReleaseNotes.pdf

Release notes.

uninstall.bat

Batch script that uninstalls Windows services for Kaspersky CyberTrace.

version

A text file containing the version info.

Integration files (Splunk)

Integration files for Splunk are described in the following table.

Integration files (Splunk)

Item

Description

/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk.tar.gz

Kaspersky CyberTrace App for Splunk application file for the single-instance integration scheme.

/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk_Forwarder.tar.gz

Kaspersky CyberTrace App for Splunk Forwarder application file for the distributed integration scheme.

/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk_Search-Head.tar.gz

Kaspersky CyberTrace App for Splunk Search Head application file for the distributed integration scheme.

Integration files (ArcSight)

Integration files for ArcSight are described in the following table.

Integration files (ArcSight)

Item

Description

integration/arcsight/Kaspersky_CyberTrace_Connector.arb

Kaspersky CyberTrace Connector ARB file for ArcSight.

Integration files (QRadar)

Integration files for QRadar are described in the following table.

Integration files (QRadar)

Item

Description

integration/qradar/sample_initiallog.txt

A log example for the first transmission of events to QRadar.

integration/qradar/sample_qid.txt

An example list of QIDs for importing to QRadar.

Integration files (RSA NetWitness)

Integration files for RSA NetWitness are described in the following table.

Integration files (RSA NetWitness)

Item

Description

integration/rsa/additional_elements/CyberTrace_Charts.zip

File that contains preconfigured charts.

integration/rsa/additional_elements/CyberTrace_Reports.zip

File that contains a preconfigured report.

integration/rsa/additional_elements/CyberTrace_Rules.zip

File that contains rules to operate the events from Feed Service.

integration/rsa/additional_elements/index-concentrator-custom.xml

Example of data that can be added to the index-concentrator-custom.xml file. This data example contains only a description of the kl actionable fields.

integration/rsa/additional_elements/Kaspersky CyberTrace.zip

File for creating the Kaspersky CyberTrace dashboard in RSA NetWitness 11.0.

integration/rsa/additional_elements/Kaspersky+CyberTrace.cfg

File for creating the Kaspersky CyberTrace dashboard in RSA NetWitness 10.6.

integration/rsa/additional_elements/MetaGroups.jsn

File that contains a meta group that is used for browsing fields in RSA NetWitness that are filled by Feed Service.

integration/rsa/additional_elements/MetaGroups_without_kl_fields.jsn

Metagroup for the Navigate tab. This metagroup does not contain the kl actionable fields.

integration/rsa/additional_elements/table-map-custom.xml

Example of data that can be added to the table-map-custom.xml file. This data example contains only a description of the kl actionable fields.

integration/rsa/cybertrace/cybertrace.ini

File used for integrating Kaspersky CyberTrace with RSA NetWitness.

integration/rsa/cybertrace/v20_cybertracemsg.xml

File used for integrating Kaspersky CyberTrace with RSA NetWitness

Integration files (LogRhythm)

Integration files for LogRhythm are described in the following table.

Integration files (LogRhythm)

Item

Description

integration/logrhythm/events/*

Files that contain KasperskyCyberTrace rules for importing to LogRhythm:

  • mperule_AbuseCh_Feodo_Block_IP.xml
  • mperule_AbuseCh_SSL_Certificate_Block_IP.xml
  • mperule_AbuseCh_SSL_Certificate_Hash_SHA1.xml
  • mperule_BlocklistDe_Block_IP.xml
  • mperule_CyberCrime_Tracker_Block_Url.xml
  • mperule_EmergingThreats_Block_IP.xml
  • mperule_EmergingThreats_Compromised_IP.xml
  • mperule_KL_ALERT_ConfigurationUpdated.xml
  • mperule_KL_ALERT_DetectsStorageExceeded.xml
  • mperule_KL_ALERT_EPSHardLimit.xml
  • mperule_KL_ALERT_EPSLimitExceeded.xml
  • mperule_KL_ALERT_FailedToUpdateFeed.xml
  • mperule_KL_ALERT_FeedBecameAvailable.xml
  • mperule_KL_ALERT_FeedBecameUnavailable.xml
  • mperule_KL_ALERT_FreeSpaceEnds.xml
  • mperule_KL_ALERT_IndicatorsStoreHardLimit.xml
  • mperule_KL_ALERT_IndicatorsStoreLimitExceeded.xml
  • mperule_KL_ALERT_LicenseChanged.xml
  • mperule_KL_ALERT_LicenseExpired.xml
  • mperule_KL_ALERT_LicenseExpires.xml
  • mperule_KL_ALERT_OutdatedFeed.xml
  • mperule_KL_ALERT_RetroScanCompleted.xml
  • mperule_KL_ALERT_RetroScanError.xml
  • mperule_KL_ALERT_RetroScanStorageExceeded.xml
  • mperule_KL_ALERT_ServiceStarted.xml
  • mperule_KL_ALERT_ServiceStopped.xml
  • mperule_KL_ALERT_ServiceUnavailable.xml
  • mperule_KL_ALERT_UpdatedFeed.xml
  • mperule_KL_APT_Hash_MD5.xml
  • mperule_KL_APT_Hash_SHA1.xml
  • mperule_KL_APT_Hash_SHA256.xml
  • mperule_KL_APT_IP.xml
  • mperule_KL_APT_URL.xml
  • mperule_KL_BotnetCnC_Hash_MD5.xml
  • mperule_KL_BotnetCnC_Hash_SHA1.xml
  • mperule_KL_BotnetCnC_Hash_SHA256.xml
  • mperule_KL_BotnetCnC_URL.xml
  • mperule_KL_Exploit_Hash_MD5.xml
  • mperule_KL_Exploit_Hash_SHA1.xml
  • mperule_KL_Exploit_Hash_SHA256.xml
  • mperule_KL_ICS_Hash_MD5.xml
  • mperule_KL_ICS_Hash_SHA1.xml
  • mperule_KL_ICS_Hash_SHA256.xml
  • mperule_KL_InternalTI_Hash_MD5.xml
  • mperule_KL_InternalTI_Hash_SHA1.xml
  • mperule_KL_InternalTI_Hash_SHA256.xml
  • mperule_KL_InternalTI_IP.xml
  • mperule_KL_InternalTI_URL.xml
  • mperule_KL_IoT_Hash_MD5.xml
  • mperule_KL_IoT_Hash_SHA1.xml
  • mperule_KL_IoT_Hash_SHA256.xml
  • mperule_KL_IoT_URL.xml
  • mperule_KL_IP_Reputation.xml
  • mperule_KL_IP_Reputation_Hash_MD5.xml
  • mperule_KL_IP_Reputation_Hash_SHA1.xml
  • mperule_KL_IP_Reputation_Hash_SHA256.xml
  • mperule_KL_Malicious_Hash_MD5.xml
  • mperule_KL_Malicious_Hash_SHA1.xml
  • mperule_KL_Malicious_Hash_SHA256.xml
  • mperule_KL_Malicious_URL.xml
  • mperule_KL_Malicious_URL_Hash_MD5.xml
  • mperule_KL_Malicious_URL_Hash_SHA1.xml
  • mperule_KL_Malicious_URL_Hash_SHA256.xml
  • mperule_KL_Mobile_BotnetCnC_Hash_MD5.xml
  • mperule_KL_Mobile_BotnetCnC_Hash_SHA1.xml
  • mperule_KL_Mobile_BotnetCnC_Hash_SHA256.xml
  • mperule_KL_Mobile_BotnetCnC_URL.xml
  • mperule_KL_Mobile_Malicious_Hash_MD5.xml
  • mperule_KL_Mobile_Malicious_Hash_SHA1.xml
  • mperule_KL_Mobile_Malicious_Hash_SHA256.xml
  • mperule_KL_Phishing_URL.xml
  • mperule_KL_Ransomware_URL.xml
  • mperule_KL_Ransomware_URL_Hash_MD5.xml
  • mperule_KL_Ransomware_URL_Hash_SHA1.xml
  • mperule_KL_Ransomware_URL_Hash_SHA256.xml
  • mperule_KL_Vulnerable_File_Hash_MD5.xml
  • mperule_KL_Vulnerable_File_Hash_SHA1.xml
  • mperule_KL_Vulnerable_File_Hash_SHA256.xml

Page top