Step 1. Importing the ARB package

February 27, 2024

ID 167562

This section describes how to import the ARB package to ArcSight.

The ARB package contains objects (active channels, dashboards, field sets, reports, rules, filters, users) that are necessary for integrating the service with ArcSight. When you import this file, these objects are created in ArcSight.

To import the ARB package:

  1. Run ArcSight Console.
  2. In the Navigator pane (tree view), select the Packages tab.
  3. Click the Import button.

    List of ArcSight packages.

    ArcSight packages

  4. In the Open window, select the Kaspersky_CyberTrace_Connector.arb file, located in the /integration/arcsight/ directory of the distribution kit.

    Open window in ArcSight.

    ARB file selection

    The import process will be performed.

    Installing Packages Completed window in ArcSight.

    ARB import complete

After all objects from the ARB file are imported to ArcSight, all the imported rules are real-time rules, that is, they will be applied in real time.

To browse and manage the list of real-time rules:

  1. In the tree view, click the Resources tab.
  2. Open the Active Channels drop-down list and select Rules.
  3. In the tree, select Rules > Shared > All Rules > Real-time Rules.

    Real-time Rules in ArcSight.

    Real-time rules

  4. Expand Real-time Rules and remove unnecessary nested items from it.

After the ARB package is imported, new objects are created in ArcSight.

  • When the Active Channels item in the tree view is selected, the following objects will be at the Active Channels > Shared > All Active Channels > Public > Kaspersky CyberTrace Connector location:

    Object

    Description

    Default state

    CyberTrace alerts

    Displays service events from Kaspersky CyberTrace in real time.

    Turned on

    CyberTrace all matches

    Displays detection events from Kaspersky CyberTrace in real time.

    Turned on

    CyberTrace hash matches

    Displays hash detection events from Kaspersky CyberTrace in real time.

    Turned off

    CyberTrace URL matches

    Displays URL detection events from Kaspersky CyberTrace in real time.

    Turned off

    CyberTrace IP matches

    Displays IP detection events from Kaspersky CyberTrace in real time.

    Turned off

  • When the Dashboards item in the tree view is selected, the following objects will be at the Dashboards > Shared > All Dashboards > Public > Kaspersky CyberTrace Connector location:

    Object

    Description

    Default state

    CyberTrace detection map

    Displays all devices that sent events containing malicious URLs, IP addresses, or hashes. Displays all feeds that were involved in the detection process.

    Turned off

    CyberTrace match statistics

    Detection statistics: how many objects of a specific category were detected.

    Turned on

    CyberTrace Top 10 matched indicators

    Top 10 detected indicators.

    Turned off

    The CyberTrace detection map and CyberTrace Top 10 matched indicators dashboards are turned off by default so as not to overload ArcSight. You can turn them on if you need these dashboards.

  • When the Field Sets item in the tree view is selected, the following objects will be at the Field Sets > Shared > All Field Sets > Public > Kaspersky CyberTrace Connector location:

    Object

    Description

    Default state

    CyberTrace alerts

    Displayed fields of service events from Kaspersky CyberTrace.

    Static

    CyberTrace all matches

    Displayed fields of detection events from Kaspersky CyberTrace.

    Static

    CyberTrace matched hashes

    Displayed fields of hash detection events from Kaspersky CyberTrace.

    Static

    CyberTrace matched URLs

    Displayed fields of URL detection events from Kaspersky CyberTrace.

    Static

    CyberTrace matched IPs

    Displayed fields of IP address detection events from Kaspersky CyberTrace.

    Static

  • When the Reports item in the tree view is selected, the following objects will be at the Reports > Shared > All Reports > Public > Kaspersky CyberTrace Connector location:

    Object

    Description

    Default state

    CyberTrace all matches

    Report that contains detection events from Kaspersky CyberTrace.

    Static

  • When the Rules item in the tree view is selected, the following object will be at the Rules > Shared > All Rules > Public > Kaspersky CyberTrace Connector location:

    Object

    Description

    Default state

    CyberTrace_HighThreatScoreIP

    Rule for assigning high severity level and storing high priority IP detection events from Kaspersky CyberTrace.

    Turned on

    CyberTrace_MediumThreatScoreIP

    Rule for assigning medium severity level and storing medium priority IP detection events from Kaspersky CyberTrace.

    Turned on

    CyberTrace_LowThreatScoreIP

    Rule for assigning low severity level and storing low priority IP detection events from Kaspersky CyberTrace.

    Turned on

  • When the Filters item in the tree view is selected, the following objects will be at the Filters > Shared > All Filters > Public > Kaspersky CyberTrace Connector location:

    Object

    Description

    Default state

    CyberTrace all matches

    Filter for selecting detection events sent by Kaspersky CyberTrace.

    Static

    CyberTrace forwarding events

    Filter for forwarding to Kaspersky CyberTrace those events that contain URLs, IP addresses, or hashes.

    Static

    CyberTrace matched hashes

    Filter for selecting hash detection events sent by Kaspersky CyberTrace.

    Static

    CyberTrace matched URLs

    Filter for selecting URL detection events sent by Kaspersky CyberTrace.

    Static

    CyberTrace matched IPs

    Filter for selecting IP detection events sent by Kaspersky CyberTrace.

    Static

  • When the Users item in the tree view is selected, the following objects will be at the Users > Shared > Custom User Groups > Kaspersky CyberTrace Connector location:

    Object

    Description

    Default state

    FwdCyberTrace

    Account that is used for configuring ArcSight event forwarding.

    Static

After the import is finished, make sure that the FwdCyberTrace user is created. To check, navigate to Users > Shared > Custom User Groups > Kaspersky CyberTrace Connector in ArcSight Console. If there is no FwdCyberTrace user, create it manually.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.