To check events that arrive in QRadar by way of Kaspersky CyberTrace Service, you must configure QRadar to forward the events to Kaspersky CyberTrace Service.
To forward events from QRadar to Kaspersky CyberTrace Service:
"KL_Threat_Feed_Service_v2"
).Payload
as the events format and TCP
as the protocol.The Payload
format can contain less information, in comparison with the JSON
format. For example, if event source names are used, QRadar may remove them from the event. You can specify the JSON
format instead, but make sure to configure it properly. For the instructions on how to configure events in the JSON
format to forward to Kaspersky CyberTrace, see subsection "Recommendations on configuring events in JSON format" below.
Adding a forwarding destination
KL_Threat_Feed_Service_v2_Rule
).Online
as the mode.Events
as the data source.Choose the log sources together with KL_Verification_Tool
, and use the Equals any of
operator in the filter. Also, to achieve maximum performance of the service, you are advised to select only those events that contain indicators to look up in the feeds (such as URLs, hashes (MD5, SHA1, SHA256), and IP addresses).
Clear the Match all incoming events check box or leave it cleared so that the detection events received from Kaspersky CyberTrace Service will not be sent back to Kaspersky CyberTrace Service.
KL_Threat_Feed_Service_v2
).
Adding a routing rule
Recommendations for configuring events in the JSON format
A number of QRadar versions (such as, 7.3.2 Patch 6 and 7.4.0) can drop some forwarded events in the JSON
format, which may lead to incorrect results. To prevent this, we recommend that you exclude some fields from the event in JSON
(for an exact list of such fields, contact IBM's QRadar Support team or try to determine this list manually). You must specify additional normalization rules in Kaspersky CyberTrace Web (see below).
Therefore, use the JSON
format instead of the Payload
format if the event in the Payload
format does not contain the necessary fields. In this case, make sure that the following conditions are met:
Configuring events in JSON format
Configuring additional normalization rules