About the distributed integration scheme

April 11, 2024

ID 166123

Kaspersky CyberTrace supports distributed Splunk environments. The integration scheme for distributed Splunk environments is called the distributed integration scheme.

About the apps and services used in the distributed integration scheme

In the distributed integration scheme, Kaspersky CyberTrace is divided into two apps and one service:

  • Kaspersky CyberTrace Service

    This service matches Splunk events against Kaspersky Threat Data Feeds.

    Kaspersky CyberTrace Service sends the resulting events to a single indexer that keeps the index with events from Kaspersky CyberTrace.

    This service can be installed on a separate computer.

  • Kaspersky CyberTrace App Search Head (or Search Head App)

    This app contains Kaspersky CyberTrace App dashboards, alert templates, and the lookup script.

    This app is intended for installation on a Splunk instance that acts as a search head and sends search requests to the indexer that keeps the index with events from Kaspersky CyberTrace.

  • Kaspersky CyberTrace App Forwarder (or Forwarder App)

    This app contains rules for forwarding events from Splunk to Kaspersky CyberTrace Service. It also receives events from Kaspersky CyberTrace Service.

    This app is intended for installation on Splunk instances that must forward events to Kaspersky CyberTrace Service.

    Kaspersky CyberTrace App Forwarder is divided into two apps, depending on the type of Splunk forwarder used in your distributed integration scheme:

    • App for Heavy Forwarder.
    • App for Universal Forwarder.

About the integration scheme variants

The following variants of the distributed integration scheme demonstrate a general approach to integrating Kaspersky CyberTrace with your distributed Splunk environment. Depending on how your distributed Splunk environment is organized, you may have to change or combine these variants.

One indexer, multiple forwarders variant

Diagram: distributed integration with Splunk, one indexer, multiple forwarders variant.

In the one indexer, multiple forwarders variant, several Heavy or Universal forwarders receive and forward events directly to Kaspersky CyberTrace Service. These forwarders must use Forwarder App (for the respective forwarder type). One of the forwarders receives matches from Kaspersky CyberTrace Service. The forwarder sends the matches to the indexer that stores them in the main index used by Kaspersky CyberTrace for Splunk Search Head App.

Multiple indexers, multiple forwarders variant

In the multiple indexers, multiple forwarders variant, several Heavy or Universal forwarders receive and forward events directly to Kaspersky CyberTrace Service. These forwarders must use Forwarder App (for the respective forwarder type). One of the forwarders receives matches from Kaspersky CyberTrace Service. The forwarder sends the matches to the indexers that store them in the main index used by Kaspersky CyberTrace App.

Default ports and addresses

By default, Forwarder App and Kaspersky CyberTrace Service are configured to use certain addresses and ports for forwarding events and receiving matches. You must change these default addresses and ports to match the organization of your distributed Splunk environment.

By default, Forwarder App:

  • Receives events on port 3000.
  • Receives events from Kaspersky CyberTrace Service on port 9998. These events are stored in the main index.
  • Forwards events to 127.0.0.1:9999.

By default, Kaspersky CyberTrace Service does the following:

  • Receives events at 127.0.0.1:9999.
  • Sends its own events to 127.0.0.1:9998.

Event format

By default, Kaspersky CyberTrace App and Kaspersky CyberTrace Service are configured to receive events in a certain format:

  • Kaspersky CyberTrace Service parses events with regular expressions defined in its configuration file (the regular expressions are also displayed in Kaspersky CyberTrace Web). These regular expressions are created for a specific format of inbound data. For example, the default regular expression for URLs will match a URL containing the protocol (for example, HTTP, HTTPS). If the URLs in the events generated by your devices do not contain the protocol, change the regular expression accordingly.
  • The lookup script that comes with Kaspersky CyberTrace App (or Search Head App in the case of the distributed integration scheme) sends events to Kaspersky CyberTrace Service in a format that matches the regular expressions used by Kaspersky CyberTrace Service.
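The following added example (not code from Kaspersky CyberTrace or its configuration file) illustrates the point above: a URL expression that requires a scheme silently misses bare-host URLs, and a relaxed expression is needed when devices log URLs without the protocol. The two regexes and the sample events are constructed for this illustration; the real default expressions must be taken from the Kaspersky CyberTrace Service configuration file or Kaspersky CyberTrace Web.

```python
import re

# Illustrative regexes constructed for this example; they are NOT the
# default expressions shipped with Kaspersky CyberTrace Service.
# Strict variant: the scheme (http, https, ftp) is mandatory.
URL_WITH_SCHEME = re.compile(
    r"\b(?:https?|ftp)://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[^\s\"'<>]*)?",
    re.IGNORECASE,
)
# Relaxed variant: the scheme is optional, so host[:port][/path] also matches.
URL_SCHEME_OPTIONAL = re.compile(
    r"\b(?:(?:https?|ftp)://)?(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}"
    r"(?::\d{1,5})?(?:/[^\s\"'<>]*)?",
    re.IGNORECASE,
)


def extract_urls(event: str, require_scheme: bool = True) -> list[str]:
    """Return the URL values found in one event with the chosen expression."""
    pattern = URL_WITH_SCHEME if require_scheme else URL_SCHEME_OPTIONAL
    return pattern.findall(event)


# Constructed sample events: one logs the URL with a scheme, one without.
SAMPLE_EVENTS = [
    'src=10.0.0.5 action=allowed url="https://example.com/login?x=1"',
    'src=10.0.0.7 action=allowed url="example.org/update/check"',
]


def compare_extraction(events=SAMPLE_EVENTS) -> dict:
    """Show what each expression extracts from every sample event."""
    return {
        "with_scheme": [extract_urls(e, True) for e in events],
        "scheme_optional": [extract_urls(e, False) for e in events],
    }


if __name__ == "__main__":
    for name, result in compare_extraction().items():
        print(name, result)
```

The second event yields no match under the strict expression, which is exactly the case where the regular expression in the service configuration must be adjusted.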
