About Kaspersky CyberTrace

Welcome to Kaspersky CyberTrace documentation.

What is Kaspersky CyberTrace

Kaspersky CyberTrace is a Threat Intelligence Platform that aggregates indicators of compromise (IoC) from various sources, including Kaspersky Threat Data Feeds, and integrates threat data feeds with SIEM solutions for automatic search of indicators of compromise in security events logs as well as for generating alerts on incidents in the existing security operations workflow of an organization.

Kaspersky CyberTrace uses regularly updated threat data feeds for updating the IoC database in use, detecting cyberthreats in the security events logs, and informing security specialists about the risks associated with the threat.

Kaspersky CyberTrace integrates with threat data sources (threat data feeds from Kaspersky, other vendors, OSINT, or custom sources), SIEM solutions, and security events logs sources. If indicators of compromise (IoC) are detected in your environment, Kaspersky CyberTrace automatically sends to SIEM an alert on the detected indicator along with the additional context information. Kaspersky CyberTrace provides analysts with a set of instruments for conducting alert and response triage through categorization and deduplication.

Kaspersky CyberTrace inside a corporate network

Features of Kaspersky CyberTrace:

• Automatic high-performance matching of incoming security events logs with Kaspersky Threat Data Feeds, OSINT feeds, or custom feeds in popular formats (JSON, STIX™, XML, CSV, MISP). Demo feeds from Kaspersky and OSINT are available out of the box.
• Internalized process of parsing and matching incoming events with IoCs by Kaspersky CyberTrace significantly reduces SIEM solution load. Kaspersky CyberTrace parses incoming logs and events, matches the resulting data to feeds, and generates alerts on threat detection. Consequently, a SIEM solution processes much less data.
• Generates feed usage statistics for measuring the effectiveness of feeds.
• Threat investigation by using on-demand search of certain indicators (hashes, IP addresses, domains, URLs), as well as possibility of manual downloading of security events to generate report on the detected IoCs.
• Universal approach to integration with SIEM solutions and other security controls. Connectors for a wide range of SIEM solutions can be used to visualize and efficiently manage data about threat detections.
• IoC data and related context information are stored in RAM for rapid access and filtering.
• Kaspersky CyberTrace Web, a web user interface for Kaspersky CyberTrace, provides data visualization, on-demand IoC search functionality, and access to Kaspersky CyberTrace configuration. Kaspersky CyberTrace Web also supports the management of feeds, log parsing rules, Internal TI and false positives lists, and event sources.
• Command-line interface for Windows and Linux® platforms.
• Advanced filtering for feeds and log events. Feeds can be converted and filtered based on a broad set of criteria such as time, popularity, geographical location, and threat type. Log events can be filtered based on custom conditions.
• DMZ partial deployment support. The computer on which event data is matched against feeds may be isolated from the Internet and receive the threat feeds updates from the component located in DMZ.
• In standalone mode, where Kaspersky CyberTrace is not integrated with a SIEM solution, Kaspersky CyberTrace receives logs from various sources such as networking devices, processes these logs according to the defined normalization rules, and parses the logs according to the defined regular expressions.
• Export lookup results that match feeds to CSV format for integration with other systems (firewalls, network and host IDS/IPS, custom tools).
• Exposes obfuscation techniques used by some threats to hide malicious activities in security logs.

The main parts of Kaspersky CyberTrace are Kaspersky CyberTrace Service, Feed Utility, Log Scanner, and Kaspersky CyberTrace Web.

Main components of Kaspersky CyberTrace

For more information about how Kaspersky CyberTrace works, watch the video below:

Documentation contents

This documentation is divided into several chapters:

• Installation and integration guides

  This chapter provides guides about installing Kaspersky CyberTrace, integrating it with SIEM solutions and event sources, and configuring Kaspersky CyberTrace after the integration is completed.

  For a starting point of the installation and integration process, see section "Getting started".

• User guides

  This chapter provides information about Kaspersky CyberTrace Web, which is a web interface of Kaspersky CyberTrace, and about apps and dashboards that provide access to Kaspersky CyberTrace from a SIEM solution.

• Administrator guides

  This chapter provides information about managing Kaspersky CyberTrace and covers advanced topics of Kaspersky CyberTrace usage. Descriptions of Kaspersky CyberTrace components and workflow of these components can also be found in this chapter.

• Troubleshooting

  This section provides solutions to common problems encountered while using Kaspersky CyberTrace.

• Risk mitigation

  This section provides guidelines for mitigating potential security risks when working with Kaspersky CyberTrace.