Step 5. Data management settings

At the Data management settings step of the wizard, you select and configure the SIEM system with which Kaspersky CyberTrace is to be integrated. The same settings are stored in the kl_feed_service.conf and kl_feed_util.conf configuration files.

The choice of a SIEM system affects the format of the Kaspersky CyberTrace configuration files, since these files are customized for integration with specific SIEM systems.

The following SIEM systems are supported:

To define data management settings:

  1. Under SIEM system, select the SIEM system that you want to integrate Kaspersky CyberTrace with.
  2. Under Incoming events, define the parameters of the socket on which Kaspersky CyberTrace listens for incoming events from the SIEM system:
    1. Select the type of connection that you want to use: IP address and port or UNIX socket.
    2. Depending on the type of connection, do one of the following:
      • In the IP address and Port fields, specify an IP address and port.
      • In the UNIX socket field, specify the path of a UNIX™ socket.

    These settings are stored in the InputSettings > ConnectionString element of the kl_feed_service.conf file. Because this socket accepts events from the SIEM system, bind it to the address on which the SIEM system reaches Kaspersky CyberTrace (or use a UNIX socket when both run on the same host) rather than to all interfaces.

  3. Under Detection alerts, specify the IP address and port to which Kaspersky CyberTrace sends outgoing alerts about detections (the receiving endpoint of the SIEM system).

    These settings are stored in the OutputSettings > ConnectionString element of the kl_feed_service.conf file.

You can use IPv6 addresses to receive incoming events and send outgoing alerts.
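The following script is an added example and is not part of Kaspersky CyberTrace or its documentation. It reads the two ConnectionString elements named above from a kl_feed_service.conf document, parses IPv4, bracketed IPv6 and UNIX-socket forms, and flags the weak choice for the listener (binding to 0.0.0.0 or ::) as well as values the page does not allow for alerts (a UNIX socket or a wildcard address). The surrounding XML element names other than InputSettings, OutputSettings and ConnectionString, the sample configuration and the socket path are assumptions constructed for the example.

```python
"""Audit the listener and alert endpoints in a kl_feed_service.conf document."""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not a file shipped with CyberTrace. The InputSettings,
# OutputSettings and ConnectionString elements follow the documentation; the
# root element name and the socket path are assumptions for this example.
SAMPLE_CONF = """<Configuration>
  <InputSettings>
    <ConnectionString>0.0.0.0:9999</ConnectionString>
  </InputSettings>
  <OutputSettings>
    <ConnectionString>[::1]:9998</ConnectionString>
  </OutputSettings>
</Configuration>"""

# Addresses that bind a listener to every interface on the host.
WILDCARDS = {"0.0.0.0", "::"}


def parse_endpoint(value):
    """Classify a ConnectionString value.

    Returns ("unix", path) for a socket path, or ("tcp", host, port) for an
    IPv4, bracketed IPv6 ("[::1]:9998") or unbracketed IPv6 ("::1:9998") form.
    Raises ValueError when the host is not an IP literal or the port is invalid.
    """
    value = value.strip()
    if value.startswith("/"):
        return ("unix", value)
    if value.startswith("["):
        host, _, port = value[1:].partition("]:")
    else:
        host, _, port = value.rpartition(":")
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in {value!r}")
    host = str(ipaddress.ip_address(host))  # normalises and validates the literal
    return ("tcp", host, int(port))


def audit(xml_text):
    """Return a finding per section: 'ok: ...', 'warn: ...' or 'error: ...'."""
    root = ET.fromstring(xml_text)
    findings = {}
    for section in ("InputSettings", "OutputSettings"):
        node = root.find(f"./{section}/ConnectionString")
        if node is None or not (node.text or "").strip():
            findings[section] = "error: missing ConnectionString"
            continue
        try:
            endpoint = parse_endpoint(node.text)
        except ValueError as exc:
            findings[section] = f"error: {exc}"
            continue
        if section == "InputSettings":
            if endpoint[0] == "unix":
                findings[section] = f"ok: UNIX socket {endpoint[1]} (local only)"
            elif endpoint[1] in WILDCARDS:
                # Listener reachable on every interface: restrict to the address
                # the SIEM actually uses (hardening judgement, not a CyberTrace rule).
                findings[section] = (
                    f"warn: listener bound to all interfaces ({endpoint[1]} port {endpoint[2]})"
                )
            else:
                findings[section] = f"ok: listening on {endpoint[1]} port {endpoint[2]}"
        else:
            # Detection alerts are sent to an IP address and port only.
            if endpoint[0] == "unix":
                findings[section] = "error: alerts require an IP address and port, not a UNIX socket"
            elif endpoint[1] in WILDCARDS:
                findings[section] = f"error: {endpoint[1]} is not a valid alert destination"
            else:
                findings[section] = f"ok: alerts sent to {endpoint[1]} port {endpoint[2]}"
    return findings


if __name__ == "__main__":
    # Pass a path to a real kl_feed_service.conf, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONF
    for section, finding in audit(text).items():
        print(f"{section}: {finding}")
```

Run it against the installed kl_feed_service.conf after finishing the wizard; a "warn" on InputSettings means the wizard was given a wildcard listener address, which you can narrow later on the Settings > General page.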

Later, you will be able to edit data management settings on the Settings > General page of Kaspersky CyberTrace Web.
