This section describes the contents of the Kaspersky CyberTrace distribution kit.
Distribution kit types
Kaspersky CyberTrace is distributed in the following types of distribution kits:
This type of distribution kit is intended for installation on Linux systems.
This type of distribution kit is intended for installation on Linux systems.
This type of distribution kit is intended for installation on Windows systems.
This type of distribution kit can be used on Linux systems instead of the RPM or DEB package.
About the integration files
All distribution kits of Kaspersky CyberTrace are customized for integration with a particular SIEM solution or for standalone integration. Each distribution kit contains a number of files that can be used for integration with this SIEM solution. In addition, the configuration files of Feed Service and other utilities contained in the distribution kit are also customized for easy integration with the SIEM solution.
For example, a distribution kit for Splunk contains all the Kaspersky CyberTrace components, and, in addition, has customized configuration files for Feed Service and Feed Utility that work with Splunk. The integration directory inside the distribution kit contains applications for all variants of Splunk integration schemes. These applications can be deployed and used in the Splunk infrastructure.
RPM and DEB distribution kits
This type of distribution kit contains the following files and directories.
Distribution kit contents (RPM and DEB package)
Item |
Description |
Doc_data/* |
Documentation files. |
Kaspersky_CyberTrace.html |
Offline version of documentation. |
Kaspersky_CyberTrace-Linux-%architecture%-%version%.rpm (RPM package) Kaspersky_CyberTrace-Linux-%architecture%-%version%.deb (DEB package) |
Kaspersky CyberTrace installation package. For a list of files inside this package, see subsection "Files contained in archives and packages (Linux)" below. |
legal_notices.txt |
Legal notices. |
run.sh |
Installation script. |
ReleaseNotes.pdf |
Release notes. |
Executable installer distribution kit
This type of distribution kit contains the following file.
Distribution kit contents (executable installer)
Item |
Description |
Kaspersky_CyberTrace-Windows-%architecture-version%-Release.exe |
Executable installer. For a list of files inside this package, see subsection "Files contained in archives and packages (Windows)" below. |
Files contained in archives and packages (Linux)
RPM and DEB packages and TGZ archives contain the following set of files.
Files contained in archives and packages (Linux)
Item |
Description |
bin/.need_run_wizard |
Initial Setup Wizard. This file is deleted after the initial setup is done. |
bin/configure |
Configurator utility binary file. |
bin/en_US |
English localization files. |
bin/kl_feed_service |
Feed Service binary file. |
bin/kl_balancer_log.conf |
Balancer logging configuration file. |
bin/kl_feed_service_log.conf |
Feed Service logging configuration file. |
bin/kl_balancer |
Balancer binary file. |
bin/kl_balancer.conf |
Balancer configuration file |
bin/libssp.so.0 |
Auxiliary library. |
db/package/config/elasticsearch.yml |
Elasticsearch database configuration file. |
dmz/cron_dmz.sh |
Script for updating feeds from a separate computer. |
dmz/demofeeds.pem |
Certificate needed for getting access to demo feeds. |
dmz/feeds.pem |
Certificate needed for getting access to demo feeds. It is replaced with the certificate specified during the installation of Kaspersky CyberTrace. |
dmz/kl_feed_compiler |
Binary file used by Feed Utility to compile feeds. |
dmz/kl_feed_util |
Feed Utility binary file. |
dmz/kl_feed_util.conf |
Feed Utility configuration file. |
dmz/libssp.so.0 |
Auxiliary library. |
doc/Kaspersky_CyberTrace_Online_Documentation.html |
HTML page that redirects to the online documentation for Kaspersky CyberTrace. |
doc/legal_notices.txt |
Legal notices. |
doc/license.txt |
End User License Agreement (EULA). |
etc/systemd/system/cybertrace.service |
Systemd unit file for Feed Service. |
etc/systemd/system/cybertrace_balancer.service |
Systemd unit file for Balancer. |
etc/systemd/system/cybertrace_db.service |
Systemd unit file for Elasticsearch database service. |
etc/kl_feed_service.conf |
Feed Service configuration file. |
etc/kl_feed_service_templates.conf |
Configuration file template. |
etc/kl_feed_util.conf |
Feed Utility configuration file. |
etc/kl_feed_util_diff.conf |
Feed Utility configuration file for using with diff feeds. |
feeds/APT_URL_Data_Feed.json.url.bin/* feeds/Botnet_CnC_URL_Data_Feed.json.url.bin/* feeds/Demo_Botnet_CnC_URL_Data_Feed.json.url.bin/* feeds/IoT_URL_Data_Feed.json.url.bin/* feeds/Malicious_URL_Data_Feed.json.url.bin/* feeds/Mobile_Botnet_CnC_URL_Data_Feed.json.url.bin/* feeds/Phishing_URL_Data_Feed.json.url.bin/* feeds/Ransomware_URL_Data_Feed.json.url.bin/* |
Compiled URL masks for feeds. |
feeds/Demo_Botnet_CnC_URL_Data_Feed.json feeds/Demo_IP_Reputation_Data_Feed.json feeds/Demo_Malicious_Hash_Data_Feed.json |
Demo feeds. |
feeds/APT_Hash_Data_Feed.json feeds/APT_IP_Data_Feed.json feeds/APT_URL_Data_Feed.json feeds/Botnet_CnC_URL_Data_Feed.json feeds/IoT_URL_Data_Feed.json feeds/IP_Reputation_Data_Feed.json feeds/Malicious_Hash_Data_Feed.json feeds/Malicious_URL_Data_Feed.json feeds/Mobile_Botnet_CnC_URL_Data_Feed.json feeds/Mobile_Malicious_Hash_Data_Feed.json feeds/Phishing_URL_Data_Feed.json feeds/Ransomware_URL_Data_Feed.json feeds/Vulnerability_Data_Feed.json feeds/ICS_Hash_Data_Feed.json |
Files for performing verification test for commercial feeds. These files are replaced by actual commercial feeds when updated. |
httpsrv/etc/kl_feed_info.conf |
File that contains information about Kaspersky Threat Data Feeds. |
httpsrv/etc/kl_feed_info_diff.conf |
File that contains information about Kaspersky Threat Data Feeds that have diff versions available. |
httpsrv/etc/ktfsaccess |
File that contains information about CyberTrace accounts. |
httpsrv/etc/ktfsstatistics.kvdb |
Auxiliary file for Kaspersky CyberTrace Web. This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace. |
httpsrv/etc/ktfsstorage.kvdb |
File that contains information about open sessions and tasks in progress. This file is not contained in the distribution kit, but is created later during the work of Kaspersky CyberTrace. |
httpsrv/etc/osint_feed_list.conf |
File that contains the list of the supported OSINT feeds. |
httpsrv/templates/* |
Directory that contains templates for Kaspersky CyberTrace Web. |
httpsrv/templates_kuma |
Directory that contains Kaspersky CyberTrace Web templates for the KUMA integration. |
integration/* |
Files for integration with a particular SIEM solution. For a list of these files, see "Integration files" subsections below. |
log_scanner/libssp.so.0 |
Auxiliary library. |
log_scanner/log_scanner |
Log Scanner binary file. |
log_scanner/log_scanner.conf |
Log Scanner configuration file. |
scripts/cron_cybertrace.sh |
Script for updating feeds when Feed Service and Feed Utility are installed on different computers. |
tools/kl_access_util |
Password Utility. |
tools/kl_feed_compiler |
Binary file used by Feed Utility to compile feeds. |
tools/kl_feed_util |
Feed Utility binary file. |
tools/libssp.so.0 |
Auxiliary library. |
tools/openssl |
OpenSSL binary file. |
tools/openssl.cnf |
OpenSSL configuration file. |
tools/output/feeds.info |
Auxiliary file. |
verification/kl_verification_test_leef.txt |
Events for the verification test, in LEEF format. |
verification/kl_verification_test_cef.txt |
Events for the verification test in, CEF format. |
gcc-version |
Version of GCC. |
platform |
Version of the GLIBC library. |
ReleaseNotes.pdf |
Release notes. |
version |
Version info. |
Files contained in archives and packages (Windows)
Executable installers contain the following set of files.
Files contained in archives and packages (Windows)
Item |
Description |
bin\.need_run_wizard |
Initial Setup Wizard. This file is deleted after the initial setup is done. |
bin\en_US |
English localization files. |
bin\kl_control.bat |
Script for managing Feed Service. |
bin\kl_feed_service.conf |
Feed Service configuration file. |
bin\kl_feed_service.exe |
Feed Service binary file. |
bin\kl_balancer_log.conf |
Balancer logging configuration file. |
bin\kl_feed_service_log.conf |
Feed Service logging configuration file. |
bin\kl_feed_service_templates.conf |
Feed Service configuration file template. |
bin\kl_feed_util.conf |
Feed Utility configuration file. |
bin\kl_balancer.exe |
Balancer binary file. |
bin\kl_balancer_control.bat |
Script for managing Balancer. |
bin\kl_balancer.conf |
Balancer configuration file. |
bin\kl_feed_util_diff.conf |
Feed Utility configuration file for using with diff feeds. |
bin\kl_watchdog_service.exe |
Binary file of the Windows service that monitors the Feed Service process. |
db\package\config\elasticsearch.yml |
Elasticsearch database configuration file. |
dmz\cron_dmz.cmd |
Script for updating feeds from a separate computer. |
dmz\demofeeds.pem |
Certificate required for access to demo feeds. |
dmz\feeds.pem |
Certificate required for access to demo feeds. It is replaced with the certificate specified during installation of Kaspersky CyberTrace. |
dmz\kl_feed_compiler.exe |
Binary file used by Feed Utility to compile feeds. |
dmz\kl_feed_util.conf |
Feed Utility configuration file. |
dmz\kl_feed_util.exe |
Feed Utility binary file. |
doc\Kaspersky_CyberTrace_Online_Documentation.html |
HTML page that redirects to the online documentation for Kaspersky CyberTrace. |
doc\legal_notices.txt |
Legal notices. |
doc\license.rtf |
End User License Agreement (EULA). |
feeds\APT_URL_Data_Feed.json.url.bin\* feeds\Botnet_CnC_URL_Data_Feed.json.url.bin\* feeds\Demo_Botnet_CnC_URL_Data_Feed.json.url.bin\* feeds\IoT_URL_Data_Feed.json.url.bin\* feeds\Malicious_URL_Data_Feed.json.url.bin\* feeds\Mobile_Botnet_CnC_URL_Data_Feed.json.url.bin\* feeds\Phishing_URL_Data_Feed.json.url.bin\* feeds\Ransomware_URL_Data_Feed.json.url.bin\* |
Compiled URL masks for feeds. |
feeds\Demo_Botnet_CnC_URL_Data_Feed.json feeds\Demo_IP_Reputation_Data_Feed.json feeds\Demo_Malicious_Hash_Data_Feed.json |
Demo feeds. |
feeds\APT_Hash_Data_Feed.json feeds\APT_IP_Data_Feed.json feeds\APT_URL_Data_Feed.json feeds\Botnet_CnC_URL_Data_Feed.json feeds\IoT_URL_Data_Feed.json feeds\IP_Reputation_Data_Feed.json feeds\Malicious_Hash_Data_Feed.json feeds\Malicious_URL_Data_Feed.json feeds\Mobile_Botnet_CnC_URL_Data_Feed.json feeds\Mobile_Malicious_Hash_Data_Feed.json feeds\Phishing_URL_Data_Feed.json feeds\Ransomware_URL_Data_Feed.json feeds\Vulnerability_Data_Feed.json feeds\ICS_Hash_Data_Feed.json |
Files for performing verification test for commercial feeds. These files are replaced by actual commercial feeds when updated. |
httpsrv\etc\kl_feed_info.conf |
File that contains information about Kaspersky Threat Data Feeds. |
httpsrv\etc\kl_feed_info_diff.conf |
File that contains information about Kaspersky Threat Data Feeds that have diff versions available. |
httpsrv\etc\ktfsaccess |
File that contains information about CyberTrace accounts. |
httpsrv\etc\ktfsstatistics.kvdb |
Auxiliary file for Kaspersky CyberTrace Web. This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace. |
httpsrv\etc\ktfsstorage.kvdb |
File that contains information about open sessions and tasks in progress. This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace. |
httpsrv\etc\osint_feed_list.conf |
File that contains the list of the supported OSINT feeds. |
httpsrv\templates\* |
Folder that contains templates for Kaspersky CyberTrace Web. |
httpsrv\templates_kuma |
Folder that contains Kaspersky CyberTrace Web templates for the KUMA integration. |
integration\* |
Files for integration with a particular SIEM solution. For a list of these files, see "Integration files" subsections below. |
log_scanner\log_scanner.conf |
Log Scanner configuration file. |
log_scanner\log_scanner.exe |
Log Scanner binary file. |
scripts\cron_cybertrace.cmd |
Script for updating feeds when Feed Service and Feed Utility are installed on different computers. |
tools\kl_access_util.exe |
Password Utility. |
tools\kl_feed_compiler.exe |
Binary file used by Feed Utility to compile feeds. |
tools\kl_feed_util.exe |
Feed Utility binary file. |
tools\openssl.cnf |
OpenSSL configuration file for generating a self-signed certificate. |
tools\openssl.exe |
OpenSSL binary file. |
verification\kl_verification_test_leef.txt |
Events for the verification test in LEEF format. |
verification\kl_verification_test_cef.txt |
Events for the verification test in CEF format. |
install.bat |
Batch script that installs Windows services for Kaspersky CyberTrace. |
ReleaseNotes.pdf |
Release notes. |
uninstall.bat |
Batch script that uninstalls Windows services for Kaspersky CyberTrace. |
version |
A text file containing the version info. |
Integration files (Splunk)
Integration files for Splunk are described in the following table.
Integration files (Splunk)
Item |
Description |
/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk.tar.gz |
Kaspersky CyberTrace App for Splunk application file for the single-instance integration scheme. |
/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk_Forwarder.tar.gz |
Kaspersky CyberTrace App for Splunk Forwarder application file for the distributed integration scheme. |
/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk_Search-Head.tar.gz |
Kaspersky CyberTrace App for Splunk Search Head application file for the distributed integration scheme. |
Integration files (ArcSight)
Integration files for ArcSight are described in the following table.
Integration files (ArcSight)
Item |
Description |
integration/arcsight/Kaspersky_CyberTrace_Connector.arb |
Kaspersky CyberTrace Connector ARB file for ArcSight. |
Integration files (QRadar)
Integration files for QRadar are described in the following table.
Integration files (QRadar)
Item |
Description |
integration/qradar/sample_initiallog.txt |
A log example for the first transmission of events to QRadar. |
integration/qradar/sample_qid.txt |
An example list of QIDs for importing to QRadar. |
Integration files (RSA NetWitness)
Integration files for RSA NetWitness are described in the following table.
Integration files (RSA NetWitness)
Item |
Description |
integration/rsa/additional_elements/CyberTrace_Charts.zip |
File that contains preconfigured charts. |
integration/rsa/additional_elements/CyberTrace_Reports.zip |
File that contains a preconfigured report. |
integration/rsa/additional_elements/CyberTrace_Rules.zip |
File that contains rules to operate the events from Feed Service. |
integration/rsa/additional_elements/index-concentrator-custom.xml |
Example of data that can be added to the index-concentrator-custom.xml file. This data example contains only a description of the kl actionable fields. |
integration/rsa/additional_elements/Kaspersky CyberTrace.zip |
File for creating the Kaspersky CyberTrace dashboard in RSA NetWitness 11.0. |
integration/rsa/additional_elements/Kaspersky+CyberTrace.cfg |
File for creating the Kaspersky CyberTrace dashboard in RSA NetWitness 10.6. |
integration/rsa/additional_elements/MetaGroups.jsn |
File that contains a meta group that is used for browsing fields in RSA NetWitness that are filled by Feed Service. |
integration/rsa/additional_elements/MetaGroups_without_kl_fields.jsn |
Metagroup for the Navigate tab. This metagroup does not contain the |
integration/rsa/additional_elements/table-map-custom.xml |
Example of data that can be added to the table-map-custom.xml file. This data example contains only a description of the |
integration/rsa/cybertrace/cybertrace.ini |
File used for integrating Kaspersky CyberTrace with RSA NetWitness. |
integration/rsa/cybertrace/v20_cybertracemsg.xml |
File used for integrating Kaspersky CyberTrace with RSA NetWitness |
Integration files (LogRhythm)
Integration files for LogRhythm are described in the following table.
Integration files (LogRhythm)
Item |
Description |
integration/logrhythm/events/* |
Files that contain KasperskyCyberTrace rules for importing to LogRhythm:
|