You can configure the integration with KUMA immediately after installing CyberTrace in the Quick Start Wizard or later in the CyberTrace web interface.
In the enrichment rule, you can specify which data from CyberTrace you want to enrich the event with. We recommend selecting cybertrace-http as the source kind.
Create a collector to receive events that you want to enrich with CyberTrace data.
Link the enrichment rule to the collector.
Save and create the service:
If you linked the rule to a new collector, click Save and create, copy the collector ID in the opened window and use the copied ID to install the collector on the server using the command line interface.
If you linked the rule to an existing collector, click Save and restart services to apply the settings.
The integration with CyberTrace indicator search is now configured, and KUMA events will be enriched with CyberTrace data.
By default, KUMA does not test the connection with CyberTrace.
To check that the integration works and that events are actually enriched, follow the example below or adapt it to your environment. The example sends a test event through a collector, has it enriched, and shows that the stored event contains the specified test URL together with CyberTrace data.
To run the test:
Create a test enrichment rule with parameters listed in the table below.
Setting: Value
Name: Test CT enrichment
Tenant: Shared
Source kind: cybertrace-http
URL: <URL of the CyberTrace server to which you want to send requests>:9999
Mapping: KUMA field RequestUrl, CyberTrace indicator url
Debug: Enabled
Create a test collector with the following parameters:
At step 2 Transport, specify the http connector.
At step 3 Parsing, specify the normalizer, select the json parsing method, and map the RequestUrl field of the incoming JSON to the RequestUrl KUMA field.
At step 6 Enrichment, specify the 'Test CT enrichment' rule.
At step 7 Routing, specify the storage where events must be sent.
Click Create and save service.
A complete command for installing the collector is displayed in the window.
Click Copy to copy the command to the clipboard, and run it on the command line of the server where the collector is to be installed. Wait for the command to complete, return to the KUMA web interface, and click Save collector.
A test collector is created and the test enrichment rule is linked to the collector.
Use the command line interface to send a request to the collector. The request creates an event containing the test URL http://fakess123bn.nu, which is then enriched with CyberTrace data for that indicator. For example:
curl --request POST \
  --url http://<ID of the host where the collector is installed>:<port of the collector>/input \
  --header 'Content-Type: application/json' \
  --data '{"RequestUrl":"http://fakess123bn.nu"}'
Go to the KUMA Events section and run the following query to filter event output and find the enriched event:
SELECT * FROM `events` WHERE RequestUrl = 'http://fakess123bn.nu' ORDER BY Timestamp DESC LIMIT 250
Result:
Enrichment is successful: the event has the RequestUrl field with the value http://fakess123bn.nu, as well as the TI indicator and indicator category fields filled with CyberTrace data.
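The manual test above can be scripted so that it is repeatable after every change to the collector or the enrichment rule. The following Python script is an added example and is not part of the KUMA documentation or product: it posts the same test event to the collector's /input endpoint, queries the events back, and checks that the stored event carries both the test URL and non-empty CyberTrace fields. The REST API details (host port 7223, POST /api/v1/events with a bearer token and a body of period/sql/clusterID) and the default field name "TI" are assumptions; replace them with the values for your KUMA version and the field names configured in your enrichment rule mapping.

```python
"""Automated check for CyberTrace enrichment in KUMA.

Added example, not KUMA's own code. Every network detail marked
ASSUMPTION below must be adjusted to the deployment being tested.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Test indicator used by the documentation's manual procedure.
TEST_URL = "http://fakess123bn.nu"
# Same query the documentation runs in the Events section.
TEST_SQL = "SELECT * FROM `events` WHERE RequestUrl = '%s' ORDER BY Timestamp DESC LIMIT 250"


def build_test_event(request_url=TEST_URL):
    """Body for the collector's http connector: JSON whose RequestUrl key the
    test normalizer maps onto the KUMA RequestUrl field."""
    return json.dumps({"RequestUrl": request_url}).encode()


def send_test_event(collector_host, collector_port, request_url=TEST_URL, timeout=10):
    """POST the test event to the collector's /input endpoint, exactly like the
    documented curl call. Returns the HTTP status code."""
    req = urllib.request.Request(
        f"http://{collector_host}:{collector_port}/input",
        data=build_test_event(request_url),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def query_events(core_host, token, cluster_id, request_url=TEST_URL, minutes=15, timeout=30):
    """Fetch matching events from the KUMA Core REST API.
    ASSUMPTION: POST https://<core>:7223/api/v1/events, Authorization: Bearer <token>,
    body {"period": {"from", "to"}, "sql", "clusterID"}, response is a JSON list of events."""
    now = datetime.now(timezone.utc)
    body = {
        "period": {
            "from": (now - timedelta(minutes=minutes)).isoformat(),
            "to": now.isoformat(),
        },
        "sql": TEST_SQL % request_url,
        "clusterID": cluster_id,
    }
    req = urllib.request.Request(
        f"https://{core_host}:7223/api/v1/events",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def verify_enrichment(events, request_url=TEST_URL, ti_fields=("TI",)):
    """Return (ok, reason). An event counts as enriched when RequestUrl equals the
    test URL and every field in ti_fields is present and non-empty.
    ASSUMPTION: ti_fields are the KUMA fields the enrichment rule writes CyberTrace
    data to; "TI" is a placeholder, use the names from your own mapping."""
    matching = [e for e in events if e.get("RequestUrl") == request_url]
    if not matching:
        return False, ("no event with the test URL reached storage: "
                       "check the collector, its http connector and the normalizer mapping")
    missing_sets = [[f for f in ti_fields if not e.get(f)] for e in matching]
    if any(not missing for missing in missing_sets):
        return True, "enriched"
    return False, (f"event stored but not enriched, missing fields {missing_sets[0]}: "
                   "check the enrichment rule and the collector log")


if __name__ == "__main__":
    import sys
    # Usage: python ct_check.py <collector_host> <collector_port> <core_host> <token> <cluster_id>
    c_host, c_port, core, token, cluster = sys.argv[1:6]
    print("collector responded:", send_test_event(c_host, c_port))
    ok, reason = verify_enrichment(query_events(core, token, cluster))
    print("OK" if ok else "FAIL", reason)
    sys.exit(0 if ok else 1)
```

The verification is kept separate from the network calls so the same logic can be run against an event exported from the web interface, and the failure reasons map onto the troubleshooting steps that follow: a missing event points at the collector and normalizer, a stored but unenriched event points at the enrichment rule and the collector log.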
If the test did not result in enrichment, for example if the TI indicator field is missing, we recommend the following:
Check the settings of the collector and enrichment rules.
Download the collector logs using the following command and look for errors in the logs: