This section describes how to configure Kaspersky CyberTrace instances for using them in High Availability mode.
To use Kaspersky CyberTrace in High Availability mode, configure all instances of Kaspersky CyberTrace as follows:
Manually added context fields, as well as indicators in the FalsePositive and InternalTI suppliers that were added by using Kaspersky CyberTrace Web or REST API, must be identical in all Kaspersky CyberTrace instances.
Regular expression for matching the incoming events from Balancer
| Indicator type | Rule name | Regular expression |
|---|---|---|
| | | |
You can use any allowed name for the regular expression, but make sure to use the same regular expression name in the configuration steps below.
You can specify the regular expression in the default event source or create a new one.
Each event must start with the value that was extracted from the incoming event by the REQ regular expression. For example: `%REQ% category=%Category% %RecordContext%`.

1. Stop the Kaspersky CyberTrace Service:
   - `systemctl stop cybertrace.service` (in Linux)
   - `sc stop cybertrace` (in Windows)
2. In the `OutputSettings > FinishedEventFormat` element of the Kaspersky CyberTrace Service configuration file, specify the format of alerts as follows:
   `<FinishedEventFormat enabled="true">%REQ% LookupFinished</FinishedEventFormat>`
These alerts are for internal use only. They are not sent to a SIEM.
3. Start the Kaspersky CyberTrace Service:
   - `systemctl start cybertrace.service` (in Linux)
   - `sc start cybertrace` (in Windows)
4. Optionally, specify the connection settings for sending service alerts to Balancer in the Service alerts section of the Settings → Service tab. Use the following parameters from the `kl_balancer.conf` file:
   - Balancer element
   - `cybertrace_port` parameter of the Balancer element

   You can send service alerts directly to the SIEM.
The settings for sending detection alerts are not used in High Availability mode, because Balancer receives results of events matching in ReplyBack mode.
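The following script is an added illustration, not part of the Kaspersky CyberTrace documentation or product code. It models the rule above that every outgoing event must begin with the value the REQ regular expression extracted from the incoming Balancer event: it applies an assumed REQ regular expression to a few constructed sample events, renders the detection and `LookupFinished` formats by substituting `%REQ%`, `%Category%` and `%RecordContext%` placeholders, and checks that each rendered event starts with the request value. The `REQ-` prefix format, the regular expression and the sample events are assumptions made for the example; the real prefix that Balancer adds is whatever your `kl_balancer.conf` deployment produces.

```python
import re
from typing import Dict, List, Optional

# Assumed REQ regular expression: Balancer is taken to prefix each forwarded
# event with a request identifier followed by a space. Adjust to your deployment.
REQ_REGEX = re.compile(r"^(?P<REQ>REQ-[0-9a-f]{8})\s")

# Output formats in the style of the CyberTrace configuration; both begin with %REQ%.
DETECTION_EVENT_FORMAT = "%REQ% category=%Category% %RecordContext%"
FINISHED_EVENT_FORMAT = "%REQ% LookupFinished"

# Constructed sample events as Balancer might forward them (not real captures).
SAMPLE_EVENTS = [
    "REQ-0a1b2c3d src=10.0.0.5 url=http://example.test/login",
    "REQ-ffee0011 src=10.0.0.7 md5=d41d8cd98f00b204e9800998ecf8427e",
    "src=10.0.0.9 url=http://example.test/no-prefix",  # malformed: no REQ prefix
]


def format_starts_with_req(fmt: str) -> bool:
    """Configuration check: an output format must begin with the %REQ% placeholder."""
    return fmt.startswith("%REQ%")


def extract_req(event: str) -> Optional[str]:
    """Return the request value extracted by the REQ regular expression, or None."""
    m = REQ_REGEX.match(event)
    return m.group("REQ") if m else None


def render(fmt: str, fields: Dict[str, str]) -> str:
    """Substitute %Name% placeholders; placeholders without a value are left as-is."""
    return re.sub(r"%(\w+)%", lambda m: fields.get(m.group(1), m.group(0)), fmt)


def build_outgoing_events(event: str,
                          matched_category: Optional[str] = None,
                          record_context: str = "") -> List[str]:
    """Render the events CyberTrace would return to Balancer for one incoming event.

    A detection event is produced only when an indicator matched; the
    LookupFinished event is always produced so Balancer can close the request.
    """
    req = extract_req(event)
    if req is None:
        raise ValueError("event does not start with a REQ value; Balancer cannot correlate it")
    out = []
    if matched_category is not None:
        out.append(render(DETECTION_EVENT_FORMAT, {
            "REQ": req,
            "Category": matched_category,
            "RecordContext": record_context,
        }))
    out.append(render(FINISHED_EVENT_FORMAT, {"REQ": req}))
    return out


def events_start_with_req(events: List[str], req: str) -> bool:
    """Verify every rendered event carries the request value as its first token."""
    return all(e.startswith(req + " ") for e in events)


if __name__ == "__main__":
    for fmt in (DETECTION_EVENT_FORMAT, FINISHED_EVENT_FORMAT):
        print(f"{fmt!r} starts with %REQ%: {format_starts_with_req(fmt)}")
    for ev in SAMPLE_EVENTS:
        try:
            rendered = build_outgoing_events(ev, "Malware", "url=http://example.test/login")
            print(rendered, "ok" if events_start_with_req(rendered, extract_req(ev)) else "BROKEN")
        except ValueError as exc:
            print(f"rejected: {exc}")
```

Running the script shows the two well-formed events rendered with their request value in front and the third event rejected, which is the condition that would otherwise leave a request uncorrelated on the Balancer side. Used as a pre-deployment check, `format_starts_with_req` is the test to apply to each configured output format on every instance so that all High Availability nodes return events Balancer can correlate.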