Configuring Kaspersky CyberTrace for integration with McAfee Enterprise Security Manager

This section describes how to configure Kaspersky CyberTrace for integration with McAfee ESM.

To configure Kaspersky CyberTrace for integration with McAfee ESM:

  1. Download Kaspersky CyberTrace from https://support.kaspersky.com/datafeeds/download/15920.
  2. Install Kaspersky CyberTrace.
    • In Linux, Kaspersky CyberTrace is installed to the /opt/kaspersky/ktfs directory.
    • For the Windows installation, the installation directory is hereinafter referred to as %CyberTrace_installDir%.
  3. When you login to Kaspersky CyberTrace Web UI for the first time, the Initial Setup Wizard window opens. Make the following settings:
    1. Select Other in the SIEM field, and then click Next.
    2. In the Connection Settings window that opens, specify the following:
      • IP address and port on which Kaspersky CyberTrace will listen for incoming events
      • IP address and port of McAfee ESM to which Kaspersky CyberTrace will send detection events and alert events

        For McAfee ESM, the port is 514.

      Click Next.

    3. If necessary, specify the proxy server connection parameters in the Proxy Settings window.
    4. Perform the remaining steps of the initial setup as required.
  4. On the Settings > Matching tab, click Edit default rules, select the Regular expressions tab, and then specify the following regular expressions:

    Regular expressions for integration with McAfee ESM

    Indicator type

    Rule name

    Regular expression

    Additional options

    CONTEXT

    Device

    deviceExternalId\=(.*?)\s

     

    CONTEXT

    DeviceAction

    act\=(.*?)\s

     

    CONTEXT

    DeviceIp

    deviceTranslatedAddress\=(.*?)\s

     

    HASH

    RE_HASH

    ([\da-fA-F]{32,64})

    Extract all: True

    IP

    RE_IP

    dst\=(.*?)\s

     

    URL

    RE_URL

    (?:\:\/\/)((?:\S+(?::\S*)?+@)?(?:(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-*)*[a-z\x{00a1}-\x{ffff}0-9]*)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-)*+[a-z\x{00a1}-\x{ffff}0-9]++)*(?:\.(?:[a-z\x{00a1}-\x{ffff}\-0-9]{2,}+)))(?:\.*:\d{2,5})?+(?:\.*\/[^\s\"\<\>]*+)?+)

    Extract all: True

    IP

    SRC_IP

    src\=(.*?)\s

     

    CONTEXT

    UserName

    duser\=(.*?)\s

     
  5. On the Normalization rules tab, specify the following replacement rule:

    Replacement rule in CyberTrace for integration with McAfee.

    Replacement rule for integration with McAfee ESM

  6. Save the changes.
  7. Select Settings > Events format, and then specify the following formats:

    Events format for integration with McAfee ESM

    Field

    Value

    Alert events format

    Kaspersky CyberTrace Service Event| date=%Date% alert=%Alert% msg:%RecordContext%

    Detection events format

    Kaspersky CyberTrace Detection Event| date=%Date% reason=%Category% detected=%MatchedIndicator% act=%DeviceAction% dst=%RE_IP% src=%SRC_IP% hash=%RE_HASH% request=%RE_URL% dvc=%DeviceIp% sourceServiceName=%Device% suser=%UserName% msg:%RecordContext%

    Records context format

    %ParamName%=%ParamValue%

    Note the space before %ParamName%.

    Actionable fields context format

    %ParamName%:%ParamValue%

    Note the space before %ParamName%.

    Save the changes.

Page top