After you install Kaspersky CyberTrace and the necessary ArcSight software, you can run a verification test to confirm that they work together.
Perform the verification test before editing any filtering rules in the Feed Utility configuration file.
To check whether Kaspersky CyberTrace is correctly integrated with ArcSight:

1. Set the host and port of ArcSight SmartConnector in the Connection element of the Log Scanner configuration file.

2. Send the %service_dir%/verification/kl_verification_test_cef.txt file to ArcSight SmartConnector. For this purpose, run the following command (in Linux):

   ./log_scanner -p ../verification/kl_verification_test_cef.txt

   or the following command (in Windows):

   log_scanner.exe -p ..\verification\kl_verification_test_cef.txt

   Do not specify the -r flag in this command; send the test results to the SIEM solution by using the parameters for outbound events specified in the Service settings of Kaspersky CyberTrace.

3. View the test results in the CyberTrace all matches active channel. For this purpose, set the following inline filter for the Source Service Name field: Kaspersky Lab|CyberTrace Verification Kit
Verification test results
The verification test results depend on the feeds you use. The objects that each feed is expected to detect are listed in the following table.
Verification test results

| Feed used | Detected objects |
|---|---|
| Malicious URL Data Feed | http://fakess123.nu, http://badb86360457963b90faac9ae17578ed.com |
| Phishing URL Data Feed | http://fakess123ap.nu, http://e77716a952f640b42e4371759a661663.com |
| Botnet CnC URL Data Feed | http://fakess123bn.nu, http://a7396d61caffe18a4cffbb3b428c9b60.com |
| IP Reputation Data Feed | 192.0.2.0, 192.0.2.3 |
| Malicious Hash Data Feed | FEAF2058298C1E174C2B79AFFC7CF4DF, 44D88612FEA8A8F36DE82E1278ABB02F (EICAR Standard Anti-Virus Test File), C912705B4BBB14EC7E78FA8B370532C9 |
| Mobile Malicious Hash Data Feed | 60300A92E1D0A55C7FDD360EE40A9DC1 |
| Mobile Botnet CnC URL Data Feed | 001F6251169E6916C455495050A3FB8D (MD5 hash), sdfed7233dsfg93acvbhl.su/steallallsms.php (URL mask) |
| Ransomware URL Data Feed | http://fakess123r.nu, http://fa7830b4811fbef1b187913665e6733c.com |
| Vulnerability Data Feed | D8C1F5B4AD32296649FF46027177C594 |
| APT URL Data Feed | http://b046f5b25458638f6705d53539c79f62.com |
| APT Hash Data Feed | 7A2E65A0F70EE0615EC0CA34240CF082 |
| APT IP Data Feed | 192.0.2.4 |
| IoT URL Data Feed | http://e593461621ee0f9134c632d00bf108fd.com/.i |
| Demo Botnet CnC URL Data Feed | http://5a015004f9fc05290d87e86d69c4b237.com, http://fakess123bn.nu |
| Demo IP Reputation Data Feed | 192.0.2.1, 192.0.2.3 |
| Demo Malicious Hash Data Feed | 776735A8CA96DB15B422879DA599F474, FEAF2058298C1E174C2B79AFFC7CF4DF, 44D88612FEA8A8F36DE82E1278ABB02F |
| ICS Hash Data Feed | 7A8F30B40C6564EFF95E678F7C43346C |
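Checking the active channel by eye works for one run, but a script that compares the events the SIEM actually received against the expected-detections table above turns the verification test into a repeatable check. The following is an added example for this page, not Kaspersky's code or tooling. It assumes the SIEM can export the matched events as CEF lines, that the feed name appears in the CEF header name field, that the detected object is carried in one of the extension keys request, dst or fileHash, and that the Source Service Name filter value from step 3 corresponds to the vendor|product pair of the CEF header; those key names, the service-name mapping and the sample lines are constructed for illustration and must be adjusted to your connector's field mapping. The example also shows why the service-name filter matters: an unrelated event carrying one of the expected IPs is dropped rather than counted as a match.

```python
"""Compare CEF events exported from the SIEM with the expected detections.

Added example, not Kaspersky's own code. The extension keys (request, dst,
fileHash), the vendor|product service-name mapping and the sample lines are
assumptions made for illustration, not real CyberTrace output.
"""
import re
from collections import defaultdict

# Inline filter value from step 3 of the procedure.
SERVICE_NAME = "Kaspersky Lab|CyberTrace Verification Kit"

# Subset of the verification results table (feed -> expected objects).
EXPECTED = {
    "Malicious URL Data Feed": {
        "http://fakess123.nu",
        "http://badb86360457963b90faac9ae17578ed.com",
    },
    "IP Reputation Data Feed": {"192.0.2.0", "192.0.2.3"},
    "Malicious Hash Data Feed": {
        "FEAF2058298C1E174C2B79AFFC7CF4DF",
        "44D88612FEA8A8F36DE82E1278ABB02F",
        "C912705B4BBB14EC7E78FA8B370532C9",
    },
}

# Constructed sample export. The last line is an unrelated product's event
# that happens to carry an expected IP; the service-name filter must drop it.
SAMPLE_EVENTS = [
    "CEF:0|Kaspersky Lab|CyberTrace Verification Kit|1.0|1|Malicious URL Data Feed|8|request=http://fakess123.nu",
    "CEF:0|Kaspersky Lab|CyberTrace Verification Kit|1.0|1|Malicious URL Data Feed|8|request=http://badb86360457963b90faac9ae17578ed.com",
    "CEF:0|Kaspersky Lab|CyberTrace Verification Kit|1.0|2|IP Reputation Data Feed|8|dst=192.0.2.0",
    "CEF:0|Kaspersky Lab|CyberTrace Verification Kit|1.0|3|Malicious Hash Data Feed|9|fileHash=FEAF2058298C1E174C2B79AFFC7CF4DF fname=test\\=file.bin",
    "CEF:0|Kaspersky Lab|CyberTrace Verification Kit|1.0|3|Malicious Hash Data Feed|9|fileHash=44D88612FEA8A8F36DE82E1278ABB02F",
    "CEF:0|Other Vendor|Other Product|1.0|7|Unrelated event|3|dst=192.0.2.3",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
OBJECT_KEYS = ("request", "dst", "fileHash")   # assumed object-bearing keys
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def _split_header(body):
    """Split the 7 pipe-delimited header fields. In the header '\\|' and
    '\\\\' are escapes; pipes in the trailing extension are literal."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append(body[i:])          # whatever remains is the extension
    return fields


def parse_cef(line):
    """Parse one CEF line into its header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = _split_header(line[4:])
    if len(fields) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    event = dict(zip(HEADER_FIELDS, fields[:7]))
    # Extension values may contain spaces; a key is \w+ directly before '='.
    event["extension"] = {
        key: val.replace("\\=", "=").replace("\\\\", "\\")
        for key, val in EXT_RE.findall(fields[7])
    }
    return event


def detected_objects(lines, service_name=SERVICE_NAME):
    """Map feed name -> objects seen, keeping only verification-kit events."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_cef(line)
        if f"{ev['vendor']}|{ev['product']}" != service_name:
            continue                     # same effect as the inline filter
        for key in OBJECT_KEYS:
            if key in ev["extension"]:
                seen[ev["name"]].add(ev["extension"][key])
    return dict(seen)


def missing_detections(lines, expected=EXPECTED):
    """Return {feed: expected objects not seen}; empty means all matched."""
    seen = detected_objects(lines)
    missing = {}
    for feed, objects in expected.items():
        gap = objects - seen.get(feed, set())
        if gap:
            missing[feed] = gap
    return missing


if __name__ == "__main__":
    for feed, objects in missing_detections(SAMPLE_EVENTS).items():
        print(f"{feed}: missing {sorted(objects)}")
```

Run against the constructed sample, the script reports 192.0.2.3 and C912705B4BBB14EC7E78FA8B370532C9 as missing, because the only event carrying 192.0.2.3 comes from a different product and is excluded by the service-name check. To use it on a real export, fill EXPECTED with the rows for the feeds you actually license and replace OBJECT_KEYS with the extension keys your SmartConnector mapping populates.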