Installation and integration overview
April 11, 2024
ID 162415
This section explains the installation and integration process for Kaspersky CyberTrace.
Introduction
Kaspersky CyberTrace can integrate with many different event sources. The procedure for installation and integration is split into two parts:
- Installing Kaspersky CyberTrace
We recommend installing Kaspersky CyberTrace by using one of the installer packages for your operating system. On Linux, you can install DEB and RPM packages. On Windows, you can use an executable installer.
After Kaspersky CyberTrace is installed, you can perform the post-installation configuration by using a wizard in the web interface of Kaspersky CyberTrace. During this process, you select an event source, such as a SIEM solution, provide connection parameters for it, and configure feed updates.
If you want to use differential versions of Kaspersky Threat Data Feeds, you need to enable them before you perform the post-installation configuration of Kaspersky CyberTrace.
After the post-installation configuration is completed, Kaspersky CyberTrace uses the default parameters for the selected event source. For example, by default Kaspersky CyberTrace parses incoming events by using the regular expressions set for the chosen event source, and uses the special format for threat detection alerts. If necessary, you can change these parameters.
- Integrating Kaspersky CyberTrace with an event source
In this part, you configure the event source so that it can send its events to Kaspersky CyberTrace and receive threat detection alerts from Kaspersky CyberTrace. Depending on the chosen event source, you can also install specific applications and tools that work with Kaspersky CyberTrace events. For example, Kaspersky CyberTrace provides applications for Splunk® and QRadar, and a preconfigured dashboard for RSA NetWitness. In addition to applications for specific event sources, you can use the LogScanner utility to send log files, IP addresses, URLs, and hashes to Kaspersky CyberTrace for checking.
Before you begin
Make sure that the computer you plan to use for running Kaspersky CyberTrace meets the hardware and software requirements.
Make sure the date and time settings are precise on the server where you are installing Kaspersky CyberTrace. You can use an NTP server to get the precise date and time.
For ArcSight products, ArcSight SmartConnector must be installed before the installation of Kaspersky CyberTrace. For more information, see sections "Before you begin (ArcSight)" and "Integration guide (ArcSight)".
Part 1. Installing Kaspersky CyberTrace
When you install Kaspersky CyberTrace, all of the components required for working with feeds, such as Kaspersky CyberTrace Service and Feed Utility, are installed and configured.
Kaspersky CyberTrace can be installed on any computer that can receive events from your chosen event source, such as a SIEM solution, a firewall, or a proxy server. By configuring Kaspersky CyberTrace during its installation, you specify how it will receive and send events.
Make sure to install Kaspersky CyberTrace according to your chosen integration scheme. For example, if Kaspersky CyberTrace and the SIEM solution must be installed on separate computers, check the available integration schemes for your SIEM solution and determine where to install Kaspersky CyberTrace.
Depending on your operating system, install Kaspersky CyberTrace as described in the following sections:
After you install Kaspersky CyberTrace, perform the following:
- If you want to use differential versions of Kaspersky Threat Data Feeds, enable them.
- If you do not want to use differential versions of Kaspersky Threat Data Feeds, open Kaspersky CyberTrace Web and follow the instructions of the Initial Setup Wizard.
Part 2. Integrating Kaspersky CyberTrace with an event source
To automatically detect indicators of compromise in security event logs, Kaspersky CyberTrace must be integrated with an event source. This event source can be either a standalone event source (for example, a firewall or a proxy server) or a SIEM solution. The event source then sends events to Kaspersky CyberTrace, and Kaspersky CyberTrace sends alerts on detected threats to a SIEM or other application, as configured.
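The following Python sketch is an added illustration of the event flow described in this part and of the per-event-source parsing mentioned in the Introduction (regular expressions set for the chosen event source, a dedicated alert format). It is not code from Kaspersky CyberTrace, its documentation, or any Kaspersky feed: the feed entries, the event source name "demo_proxy", its regular expressions, the alert line format, and the sample events are all constructed for this example. It shows the three stages a practitioner should expect to see when checking an integration: indicators are extracted from a raw event with the regex set, each indicator is looked up in the feed, and a hit becomes an alert that can be forwarded to the SIEM.

```python
import re
from dataclasses import dataclass

# Constructed threat data feed keyed by indicator type. Every value here is a
# placeholder invented for this example, not an entry from a Kaspersky feed.
FEED = {
    "ip":   {"203.0.113.45": {"feed": "Demo_IP_Reputation", "category": "botnet_cnc"}},
    "url":  {"http://malicious.example/payload.bin": {"feed": "Demo_Malicious_URL", "category": "malware_download"}},
    "hash": {"0123456789abcdef0123456789abcdef": {"feed": "Demo_Malicious_Hash", "category": "trojan"}},
}

# Regular expressions for one hypothetical event source ("demo_proxy"). Each
# pattern extracts one indicator type from a raw event line. In CyberTrace the
# equivalent set is selected for the chosen event source; this one is assumed.
EVENT_SOURCE_REGEX = {
    "demo_proxy": {
        "ip":   re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b"),
        "url":  re.compile(r"\burl=(\S+)"),
        "hash": re.compile(r"\bmd5=([0-9a-fA-F]{32})\b"),
    },
}


@dataclass(frozen=True)
class Alert:
    indicator_type: str
    indicator: str
    feed: str
    category: str
    source_event: str


def extract_indicators(event_source: str, line: str) -> dict[str, list[str]]:
    """Apply the event source's regex set and return found indicators by type."""
    found: dict[str, list[str]] = {}
    for kind, pattern in EVENT_SOURCE_REGEX[event_source].items():
        values = pattern.findall(line)
        if values:
            # Hashes are normalized to lower case so the feed lookup is
            # case-insensitive; duplicates within one event are collapsed.
            found[kind] = sorted({v.lower() if kind == "hash" else v for v in values})
    return found


def match_event(event_source: str, line: str) -> list[Alert]:
    """Look up every extracted indicator in the feed and return one Alert per hit."""
    alerts: list[Alert] = []
    for kind, values in extract_indicators(event_source, line).items():
        for value in values:
            hit = FEED[kind].get(value)
            if hit:
                alerts.append(Alert(kind, value, hit["feed"], hit["category"], line))
    return alerts


def format_alert(alert: Alert) -> str:
    """Render an alert as one key=value line (a constructed format, not CyberTrace's)."""
    return (f"DemoAlert type={alert.indicator_type} indicator={alert.indicator} "
            f"feed={alert.feed} category={alert.category}")


def process_events(event_source: str, lines: list[str]) -> list[str]:
    """Run every incoming event through matching and return the formatted alerts."""
    return [format_alert(a) for line in lines for a in match_event(event_source, line)]


# Constructed sample events; not captured from any real device.
SAMPLE_EVENTS = [
    "2024-04-11T10:00:01Z demo_proxy src=10.0.0.5 dst=198.51.100.7 url=http://intranet.example/index.html",
    "2024-04-11T10:00:02Z demo_proxy src=10.0.0.8 dst=203.0.113.45 "
    "url=http://malicious.example/payload.bin md5=0123456789ABCDEF0123456789abcdef",
]

if __name__ == "__main__":
    for out in process_events("demo_proxy", SAMPLE_EVENTS):
        print(out)
```

The first sample event produces no alert because none of its indicators are in the feed; the second produces three (IP, URL, and hash). When validating a real deployment, the same check applies: send an event that carries a known feed indicator through the configured event source and confirm that exactly the expected alert arrives at the SIEM, then send a benign event and confirm that nothing is raised.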
The following SIEM solutions are supported: