Distribution kit contents

This section describes the contents of the Kaspersky CyberTrace distribution kit.

Distribution kit types

Kaspersky CyberTrace is distributed in the following types of distribution kits:

About the integration files

All distribution kits of Kaspersky CyberTrace are customized for integration with a particular SIEM system or for standalone integration. Each distribution kit contains a number of files that can be used for integration with this SIEM system. In addition, the configuration files of Kaspersky CyberTrace Service and other utilities contained in the distribution kit are also customized for easy integration with the SIEM system.

For example, a distribution kit for Splunk contains all the Kaspersky CyberTrace components, and, in addition, has customized configuration files for Kaspersky CyberTrace Service and Feed Utility that work with Splunk. The integration directory inside the distribution kit contains applications for all variants of Splunk integration schemes. These applications can be deployed and used in the Splunk infrastructure.

RPM and DEB distribution kits

This type of distribution kit contains the following files and directories.

Distribution kit contents (RPM and DEB package)

Item

Description

Kaspersky_CyberTrace-Linux-%architecture%-%version%.rpm (RPM package)

Kaspersky_CyberTrace-Linux-%architecture%-%version%.deb (DEB package)

Kaspersky CyberTrace installation package.

For a list of files inside this package, see subsection "Files contained in archives and packages (Linux)" below.

legal_notices.txt

Legal notices.

run.sh

Installation script.

ReleaseNotes.pdf

Release notes.

Executable installer distribution kit

This type of distribution kit contains the following file.

Distribution kit contents (executable installer)

Item

Description

Kaspersky_CyberTrace-Windows-%architecture-version%-Release.exe

Executable installer.

For a list of files inside this package, see subsection "Files contained in archives and packages (Windows)" below.

Files contained in archives and packages (Linux)

RPM and DEB packages contain the following set of files.

Files contained in archives and packages (Linux)

Item

Description

bin/.need_run_wizard

Initial Setup Wizard. This file is deleted after the initial setup is done.

bin/configure

Configurator utility binary file.

bin/en_US/*

English localization files.

bin/kl_feed_service

Kaspersky CyberTrace Service binary file.

bin/kl_balancer_log.conf

Balancer logging configuration file.

bin/kl_feed_service_log.conf

Kaspersky CyberTrace Service logging configuration file.

bin/kl_balancer

Balancer binary file.

bin/kl_balancer.conf

Balancer configuration file.

modules/elasticsearch/*

Directory that contains files of the Elasticsearch database.

dmz/cron_dmz.sh

Script for updating feeds from a separate computer.

dmz/demofeeds.pem

Certificate needed for getting access to demo feeds.

dmz/feeds.pem

Certificate needed for getting access to demo feeds. It is replaced with the certificate specified during the installation of Kaspersky CyberTrace.

dmz/kl_feed_compiler

Binary file used by Feed Utility to compile feeds.

dmz/kl_feed_util

Feed Utility binary file.

dmz/kl_feed_util.conf

Feed Utility configuration file.

dmz/TextExtraction

Utility that parses PDF files.

doc/Kaspersky_CyberTrace_Online_Documentation.html

HTML page that redirects to the online documentation for Kaspersky CyberTrace.

doc/legal_notices.txt

Legal notices.

doc/license.txt

End User License Agreement (EULA).

etc/systemd/system/cybertrace.service

Systemd unit file for Kaspersky CyberTrace Service.

etc/systemd/system/cybertrace_balancer.service

Systemd unit file for Balancer.

etc/systemd/system/cybertrace_db.service

Systemd unit file for Elasticsearch database service.

etc/kl_feed_service.conf

Kaspersky CyberTrace Service configuration file.

etc/kl_feed_service_templates.conf

Configuration file template.

etc/kl_feed_util.conf

Feed Utility configuration file.

etc/kl_feed_util_diff.conf

Feed Utility configuration file for use with differential feeds.

feeds/APT_URL_Data_Feed.json.url.bin/*

feeds/Botnet_CnC_URL_Data_Feed.json.url.bin/*

feeds/Demo_Botnet_CnC_URL_Data_Feed.json.url.bin/*

feeds/IoT_URL_Data_Feed.json.url.bin/*

feeds/Malicious_URL_Data_Feed.json.url.bin/*

feeds/Mobile_Botnet_CnC_URL_Data_Feed.json.url.bin/*

feeds/Phishing_URL_Data_Feed.json.url.bin/*

feeds/Ransomware_URL_Data_Feed.json.url.bin/*

/feeds/White_List.json.url.bin/masks_0001.dat

Compiled URL masks for feeds.

feeds/Demo_Botnet_CnC_URL_Data_Feed.json

feeds/Demo_IP_Reputation_Data_Feed.json

feeds/Demo_Malicious_Hash_Data_Feed.json

Demo feeds.

feeds/APT_Hash_Data_Feed.json

feeds/APT_IP_Data_Feed.json

feeds/APT_URL_Data_Feed.json

feeds/Botnet_CnC_URL_Data_Feed.json

feeds/IoT_URL_Data_Feed.json

feeds/IP_Reputation_Data_Feed.json

feeds/Malicious_Hash_Data_Feed.json

feeds/Malicious_URL_Data_Feed.json

feeds/Mobile_Botnet_CnC_URL_Data_Feed.json

feeds/Mobile_Malicious_Hash_Data_Feed.json

feeds/Phishing_URL_Data_Feed.json

feeds/Ransomware_URL_Data_Feed.json

feeds/ICS_Hash_Data_Feed.json

Files for performing the verification test for commercial feeds. These files are replaced by the actual commercial feeds when the feeds are updated.

httpsrv/etc/kl_feed_info.conf

File that contains information about Kaspersky Threat Data Feeds.

httpsrv/etc/kl_feed_info_diff.conf

File that contains information about Kaspersky Threat Data Feeds that have differential versions available.

httpsrv/etc/ktfsaccess

File that contains information about Kaspersky CyberTrace accounts.

httpsrv/etc/ktfsstatistics.kvdb

Auxiliary file for Kaspersky CyberTrace Web.

This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace.

httpsrv/etc/ktfsstorage.kvdb

File that contains information about open sessions and tasks in progress.

This file is not contained in the distribution kit, but is created later during the work of Kaspersky CyberTrace.

httpsrv/etc/ktfstasks.kvdb

Auxiliary file for Kaspersky CyberTrace Web.

This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace.

httpsrv/etc/osint_feed_list.conf

File that contains the list of the supported OSINT feeds.

httpsrv/kl_feed_service_cert.pem

PEM-formatted certificate on the local computer, used for HTTPS connections.

httpsrv/kl_feed_service_private.pem

PEM-formatted private key on the local computer, used for HTTPS connections.

httpsrv/templates/*

Directory that contains templates for Kaspersky CyberTrace Web.

httpsrv/templates_kuma/*

Directory that contains Kaspersky CyberTrace Web templates for the KUMA integration.

integration/*

Files for integration with a particular SIEM system.

For a list of these files, see "Integration files" subsections below.

plugins/virus_total/*

Directory that contains files for the VirusTotal plug-in.

scripts/cron_cybertrace.sh

Script for updating feeds when Kaspersky CyberTrace Service and Feed Utility are installed on different computers.

tools/integrity_checker

Utility that checks the signatures of plug-ins.

tools/kl_access_util

Password Utility.

tools/kl_feed_compiler

Binary file used by Feed Utility to compile feeds.

tools/kl_feed_util

Feed Utility binary file.

tools/log_scanner

Log Scanner binary file.

tools/log_scanner.conf

Log Scanner configuration file.

tools/openssl

OpenSSL binary file.

tools/openssl.cnf

OpenSSL configuration file.

tools/output/feeds.info

Auxiliary file.

tools/TextExtraction

Utility that parses PDF files.

var/graphs/*

Directory with files of graphs.

var/retroscan/*

Directory with files of the retrospective scan.

verification/kl_verification_test_leef.txt

Events for the verification test in LEEF format.

verification/kl_verification_test_cef.txt

Events for the verification test in CEF format.

Files contained in archives and packages (Windows)

Executable installers contain the following set of files.

Files contained in archives and packages (Windows)

Item

Description

bin\.need_run_wizard

Initial Setup Wizard. This file is deleted after the initial setup is done.

bin\en_US

English localization files.

bin\kl_feed_service.conf

Kaspersky CyberTrace Service configuration file.

bin\kl_feed_service.exe

Kaspersky CyberTrace Service binary file.

bin\kl_balancer_log.conf

Balancer logging configuration file.

bin\kl_feed_service_log.conf

Kaspersky CyberTrace Service logging configuration file.

bin\kl_feed_service_template.conf

Kaspersky CyberTrace Service configuration file template.

bin\kl_feed_util.conf

Feed Utility configuration file.

bin\kl_balancer.exe

Balancer binary file.

bin\kl_balancer.conf

Balancer configuration file.

bin\kl_feed_util_diff.conf

Feed Utility configuration file for use with differential feeds.

modules\elasticsearch\*

Folder that contains files of the Elasticsearch database.

dmz\cron_dmz.cmd

Script for updating feeds from a separate computer.

dmz\demofeeds.pem

Certificate required for access to demo feeds.

dmz\feeds.pem

Certificate required for access to demo feeds. It is replaced with the certificate specified during installation of Kaspersky CyberTrace.

dmz\kl_feed_compiler.exe

Binary file used by Feed Utility to compile feeds.

dmz\kl_feed_util.conf

Feed Utility configuration file.

dmz\kl_feed_util.exe

Feed Utility binary file.

dmz\TextExtraction.exe

Utility that parses PDF files.

doc\Kaspersky_CyberTrace_Online_Documentation.html

HTML page that redirects to the online documentation for Kaspersky CyberTrace.

doc\legal_notices.txt

Legal notices.

doc\license.rtf

End User License Agreement (EULA).

doc\ReleaseNotes.txt

Release notes.

feeds\APT_URL_Data_Feed.json.url.bin\*

feeds\Botnet_CnC_URL_Data_Feed.json.url.bin\*

feeds\Demo_Botnet_CnC_URL_Data_Feed.json.url.bin\*

feeds\IoT_URL_Data_Feed.json.url.bin\*

feeds\Malicious_URL_Data_Feed.json.url.bin\*

feeds\Mobile_Botnet_CnC_URL_Data_Feed.json.url.bin\*

feeds\Phishing_URL_Data_Feed.json.url.bin\*

feeds\Ransomware_URL_Data_Feed.json.url.bin\*

feeds

Compiled URL masks for feeds.

feeds\Demo_Botnet_CnC_URL_Data_Feed.json

feeds\Demo_IP_Reputation_Data_Feed.json

feeds\Demo_Malicious_Hash_Data_Feed.json

Demo feeds.

feeds\APT_Hash_Data_Feed.json

feeds\APT_IP_Data_Feed.json

feeds\APT_URL_Data_Feed.json

feeds\Botnet_CnC_URL_Data_Feed.json

feeds\IoT_URL_Data_Feed.json

feeds\IP_Reputation_Data_Feed.json

feeds\Malicious_Hash_Data_Feed.json

feeds\Malicious_URL_Data_Feed.json

feeds\Mobile_Botnet_CnC_URL_Data_Feed.json

feeds\Mobile_Malicious_Hash_Data_Feed.json

feeds\Phishing_URL_Data_Feed.json

feeds\Ransomware_URL_Data_Feed.json

feeds\ICS_Hash_Data_Feed.json

Files for performing the verification test for commercial feeds. These files are replaced by the actual commercial feeds when the feeds are updated.

httpsrv\etc\kl_feed_info.conf

File that contains information about Kaspersky Threat Data Feeds.

httpsrv\etc\kl_feed_info_diff.conf

File that contains information about Kaspersky Threat Data Feeds that have differential versions available.

httpsrv\etc\ktfsaccess

File that contains information about Kaspersky CyberTrace accounts.

httpsrv\etc\ktfsstatistics.kvdb

Auxiliary file for Kaspersky CyberTrace Web.

This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace.

httpsrv\etc\ktfsstorage.kvdb

File that contains information about open sessions and tasks in progress.

This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace.

httpsrv\etc\ktfstasks.kvdb

Auxiliary file for Kaspersky CyberTrace Web.

This file is not contained in the distribution kit, but is created during the work of Kaspersky CyberTrace.

httpsrv\etc\osint_feed_list.conf

File that contains the list of the supported OSINT feeds.

httpsrv\kl_feed_service_cert.pem

PEM-formatted certificate on the local computer, used for HTTPS connections.

httpsrv\kl_feed_service_private.pem

PEM-formatted private key on the local computer, used for HTTPS connections.

httpsrv\templates\*

Folder that contains templates for Kaspersky CyberTrace Web.

httpsrv\templates_kuma

Folder that contains Kaspersky CyberTrace Web templates for the KUMA integration.

integration\*

Files for integration with a particular SIEM system.

For a list of these files, see "Integration files" subsections below.

plugins\virus_total\*

Folder that contains files for the VirusTotal plug-in.

scripts\cron_cybertrace.cmd

Script for updating feeds when Kaspersky CyberTrace Service and Feed Utility are installed on different computers.

tools\integrity_checker.exe

Utility that checks the signatures of plug-ins.

tools\kl_access_util.exe

Password Utility.

tools\kl_feed_compiler.exe

Binary file used by Feed Utility to compile feeds.

tools\kl_feed_util.exe

Feed Utility binary file.

tools\log_scanner.conf

Log Scanner configuration file.

tools\log_scanner.exe

Log Scanner binary file.

tools\openssl.cnf

OpenSSL configuration file for generating a self-signed certificate.

tools\openssl.exe

OpenSSL binary file.

tools\TextExtraction.exe

Utility that parses PDF files.

var\graphs\*

Folder with files of graphs. This folder is not included in the distribution kit and is created during the Kaspersky CyberTrace run.

var\retroscan\*

Folder with files of the retrospective scan. This folder is not included in the distribution kit and is created during the Kaspersky CyberTrace run.

verification\kl_verification_test_leef.txt

Events for the verification test in LEEF format.

verification\kl_verification_test_cef.txt

Events for the verification test in CEF format.

Integration files (Splunk)

Integration files for Splunk are described in the following table.

Integration files (Splunk)

Item

Description

/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk.tar.gz

Kaspersky CyberTrace App for Splunk application file for the single-instance integration scheme.

/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk_Forwarder.tar.gz

Kaspersky CyberTrace App for Splunk Heavy Forwarder application file for the distributed integration scheme.

/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk_Search-Head.tar.gz

Kaspersky CyberTrace App for Splunk Search Head application file for the distributed integration scheme.

/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk_Universal-Forwarder.tar.gz

Kaspersky CyberTrace App for Splunk Universal Forwarder application file for the distributed integration scheme.

Integration files (ArcSight)

Integration files for ArcSight are described in the following table.

Integration files (ArcSight)

Item

Description

integration/arcsight/Kaspersky_CyberTrace_Connector.arb

Kaspersky CyberTrace Connector ARB file for ArcSight.

Integration files (QRadar)

Integration files for QRadar are described in the following table.

Integration files (QRadar)

Item

Description

integration/qradar/sample_initiallog.txt

A log example for the first transmission of events to QRadar.

integration/qradar/sample_qid.txt

An example list of QIDs for importing to QRadar.

Integration files (RSA NetWitness)

Integration files for RSA NetWitness are described in the following table.

Integration files (RSA NetWitness)

Item

Description

integration/rsa/additional_elements/CyberTrace_Charts.zip

File that contains preconfigured charts.

integration/rsa/additional_elements/CyberTrace_Reports.zip

File that contains a preconfigured report.

integration/rsa/additional_elements/CyberTrace_Rules.zip

File that contains rules to operate the events from Kaspersky CyberTrace Service.

integration/rsa/additional_elements/index-concentrator-custom.xml

Example of data that can be added to the index-concentrator-custom.xml file. This data example contains only a description of the kl actionable fields.

integration/rsa/additional_elements/Kaspersky CyberTrace.zip

File for creating the Kaspersky CyberTrace dashboard in RSA NetWitness 11.0.

integration/rsa/additional_elements/Kaspersky+CyberTrace.cfg

File for creating the Kaspersky CyberTrace dashboard in RSA NetWitness 10.6.

integration/rsa/additional_elements/MetaGroups.jsn

File that contains a meta group that is used for browsing fields in RSA NetWitness that are filled by Kaspersky CyberTrace Service.

integration/rsa/additional_elements/MetaGroups_without_kl_fields.jsn

Metagroup for the Navigate tab. This metagroup does not contain the kl actionable fields.

integration/rsa/additional_elements/table-map-custom.xml

Example of data that can be added to the table-map-custom.xml file. This data example contains only a description of the kl actionable fields.

integration/rsa/cybertrace/cybertrace.ini

File used for integrating Kaspersky CyberTrace with RSA NetWitness.

integration/rsa/cybertrace/v20_cybertracemsg.xml

File used for integrating Kaspersky CyberTrace with RSA NetWitness.

Integration files (LogRhythm)

Integration files for LogRhythm are described in the following table.

Integration files (LogRhythm)

Item

Description

integration/logrhythm/events/*

Files that contain Kaspersky CyberTrace rules for importing to LogRhythm:

  • mperule_AbuseCh_Feodo_Block_IP.xml
  • mperule_AbuseCh_SSL_Certificate_Block_IP.xml
  • mperule_AbuseCh_SSL_Certificate_Hash_SHA1.xml
  • mperule_BlocklistDe_Block_IP.xml
  • mperule_CyberCrime_Tracker_Block_Url.xml
  • mperule_EmergingThreats_Block_IP.xml
  • mperule_EmergingThreats_Compromised_IP.xml
  • mperule_KL_ALERT_ConfigurationUpdated.xml
  • mperule_KL_ALERT_DetectsStorageExceeded.xml
  • mperule_KL_ALERT_EPSHardLimit.xml
  • mperule_KL_ALERT_EPSLimitExceeded.xml
  • mperule_KL_ALERT_FailedToUpdateFeed.xml
  • mperule_KL_ALERT_FeedBecameAvailable.xml
  • mperule_KL_ALERT_FeedBecameUnavailable.xml
  • mperule_KL_ALERT_FreeSpaceEnds.xml
  • mperule_KL_ALERT_IndicatorsStoreHardLimit.xml
  • mperule_KL_ALERT_IndicatorsStoreLimitExceeded.xml
  • mperule_KL_ALERT_LicenseChanged.xml
  • mperule_KL_ALERT_LicenseExpired.xml
  • mperule_KL_ALERT_LicenseExpires.xml
  • mperule_KL_ALERT_OutdatedFeed.xml
  • mperule_KL_ALERT_RetroScanCompleted.xml
  • mperule_KL_ALERT_RetroScanError.xml
  • mperule_KL_ALERT_RetroScanStorageExceeded.xml
  • mperule_KL_ALERT_ServiceStarted.xml
  • mperule_KL_ALERT_ServiceStopped.xml
  • mperule_KL_ALERT_ServiceUnavailable.xml
  • mperule_KL_ALERT_UpdatedFeed.xml
  • mperule_KL_APT_Hash_MD5.xml
  • mperule_KL_APT_Hash_SHA1.xml
  • mperule_KL_APT_Hash_SHA256.xml
  • mperule_KL_APT_IP.xml
  • mperule_KL_APT_URL.xml
  • mperule_KL_BotnetCnC_Hash_MD5.xml
  • mperule_KL_BotnetCnC_Hash_SHA1.xml
  • mperule_KL_BotnetCnC_Hash_SHA256.xml
  • mperule_KL_BotnetCnC_URL.xml
  • mperule_KL_ICS_Hash_MD5.xml
  • mperule_KL_ICS_Hash_SHA1.xml
  • mperule_KL_ICS_Hash_SHA256.xml
  • mperule_KL_InternalTI_Hash_MD5.xml
  • mperule_KL_InternalTI_Hash_SHA1.xml
  • mperule_KL_InternalTI_Hash_SHA256.xml
  • mperule_KL_InternalTI_IP.xml
  • mperule_KL_InternalTI_URL.xml
  • mperule_KL_IoT_Hash_MD5.xml
  • mperule_KL_IoT_Hash_SHA1.xml
  • mperule_KL_IoT_Hash_SHA256.xml
  • mperule_KL_IoT_URL.xml
  • mperule_KL_IP_Reputation.xml
  • mperule_KL_IP_Reputation_Hash_MD5.xml
  • mperule_KL_IP_Reputation_Hash_SHA1.xml
  • mperule_KL_IP_Reputation_Hash_SHA256.xml
  • mperule_KL_Malicious_Hash_MD5.xml
  • mperule_KL_Malicious_Hash_SHA1.xml
  • mperule_KL_Malicious_Hash_SHA256.xml
  • mperule_KL_Malicious_URL.xml
  • mperule_KL_Malicious_URL_Hash_MD5.xml
  • mperule_KL_Malicious_URL_Hash_SHA1.xml
  • mperule_KL_Malicious_URL_Hash_SHA256.xml
  • mperule_KL_Mobile_BotnetCnC_Hash_MD5.xml
  • mperule_KL_Mobile_BotnetCnC_Hash_SHA1.xml
  • mperule_KL_Mobile_BotnetCnC_Hash_SHA256.xml
  • mperule_KL_Mobile_BotnetCnC_URL.xml
  • mperule_KL_Mobile_Malicious_Hash_MD5.xml
  • mperule_KL_Mobile_Malicious_Hash_SHA1.xml
  • mperule_KL_Mobile_Malicious_Hash_SHA256.xml
  • mperule_KL_Phishing_URL.xml
  • mperule_KL_Ransomware_URL.xml
  • mperule_KL_Ransomware_URL_Hash_MD5.xml
  • mperule_KL_Ransomware_URL_Hash_SHA1.xml
  • mperule_KL_Ransomware_URL_Hash_SHA256.xml