This section describes how to configure Kaspersky CyberTrace instances for using them in High Availability mode.
To use Kaspersky CyberTrace in High Availability mode, configure all instances of Kaspersky CyberTrace as follows:
Manually added context fields, as well as indicators in the FalsePositive and InternalTI suppliers that were added by using Kaspersky CyberTrace Web or REST API, must be identical in all Kaspersky CyberTrace instances.
Regular expression for matching the incoming events from Balancer

| Indicator type | Rule name | Regular expression |
|---|---|---|
| | | |
| | | |
| | | |
You can use any allowed name for the regular expression, but make sure to use the same regular expression name in the configuration steps below.
You can specify the regular expression in the default event source or create a new one.
Each event must start with the value that was extracted from the incoming event by the REQ regular expression. For example: %REQ% category=%Category% %RecordContext%
Stop the service:

systemctl stop cybertrace.service (in Linux)

%service_dir%\bin\kl_control.bat stop (in Windows)

In the OutputSettings > FinishedEventFormat element of the Feed Service configuration file, specify the format of informational events as follows:

<FinishedEventFormat enabled="true">%REQ% LookupFinished</FinishedEventFormat>
These events are for internal use only. They are not sent to a SIEM.
Start the service:

systemctl start cybertrace.service (in Linux)

%service_dir%\bin\kl_control.bat start (in Windows)

Optionally, specify the connection settings for sending alert events to Balancer in the Connection settings section of the Settings > Service tab. Use the following parameters from the kl_balancer.conf file:

- Balancer element
- cybertrace_port parameter of the Balancer element

You can send alert events directly to the SIEM.
The settings for sending detection events are not used in High Availability mode, because Balancer receives results of events matching in ReplyBack mode.
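As an added example that is not part of the Kaspersky CyberTrace documentation or product, the following Python script checks the OutputSettings > FinishedEventFormat element in the Feed Service configuration of several instances against the High Availability requirements above: the element must be enabled, its format must begin with %REQ% so that Balancer can match the LookupFinished event to its request, and it must be identical on every instance. The enclosing Configuration root element and the two sample configurations are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample Feed Service configuration fragments for two instances.
# The <Configuration> root element is an assumption; only the
# OutputSettings > FinishedEventFormat path comes from the documentation.
# instance-b is deliberately misconfigured for the HA check below.
CONFIGS = {
    "instance-a": """<Configuration>
  <OutputSettings>
    <FinishedEventFormat enabled="true">%REQ% LookupFinished</FinishedEventFormat>
  </OutputSettings>
</Configuration>""",
    "instance-b": """<Configuration>
  <OutputSettings>
    <FinishedEventFormat enabled="false">LookupFinished</FinishedEventFormat>
  </OutputSettings>
</Configuration>""",
}


def finished_event_format(config_xml: str):
    """Return (enabled, format_text) of OutputSettings/FinishedEventFormat, or None if absent."""
    root = ET.fromstring(config_xml)
    elem = root.find("./OutputSettings/FinishedEventFormat")
    if elem is None:
        return None
    enabled = elem.get("enabled", "false").strip().lower() == "true"
    return enabled, (elem.text or "").strip()


def check_ha_configs(configs: dict) -> list:
    """Return a list of problems; an empty list means every instance meets the HA requirements."""
    problems = []
    formats = {}
    for name, xml in configs.items():
        fmt = finished_event_format(xml)
        if fmt is None:
            problems.append(f"{name}: OutputSettings > FinishedEventFormat element is missing")
            continue
        enabled, text = fmt
        if not enabled:
            problems.append(f"{name}: FinishedEventFormat is not enabled")
        if not text.startswith("%REQ%"):
            problems.append(f"{name}: FinishedEventFormat does not start with %REQ%")
        formats[name] = text
    # Instances in one HA group must use the same informational event format.
    if len(set(formats.values())) > 1:
        detail = ", ".join(f"{k}={v!r}" for k, v in sorted(formats.items()))
        problems.append("FinishedEventFormat differs between instances: " + detail)
    return problems


if __name__ == "__main__":
    for problem in check_ha_configs(CONFIGS):
        print(problem)
```

Run it against the real configuration files by replacing the CONFIGS values with the file contents of each instance.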