Step 3. Forwarding events from QRadar to Kaspersky CyberTrace Service

To check events that arrive in QRadar by way of Kaspersky CyberTrace Service, you must configure QRadar to forward the events to Kaspersky CyberTrace Service.

To forward events from QRadar to Kaspersky CyberTrace Service:

1. Select Admin > System Configuration > Forwarding Destinations > Add.
2. In the Forwarding Destination Properties window, type the identifier of the destination (for example, "KL_Threat_Feed_Service_v2").
3. Type the destination address (the host where Kaspersky CyberTrace Service runs).
4. Select Payload as the events format and TCP as the protocol.

   The Payload format can contain less information, in comparison with the JSON format. For example, if event source names are used, QRadar may remove them from the event. You can specify the JSON format instead, but make sure to configure it properly. For the instructions on how to configure events in the JSON format to forward to Kaspersky CyberTrace, see subsection "Recommendations on configuring events in JSON format" below.

5. Set the port according to the parameters for inbound events of Kaspersky CyberTrace. You can find this information on the Settings > Service tab of Kaspersky CyberTrace Web.

   

   Adding a forwarding destination

6. Click Save.
7. Select Admin > Routing rules > Add.
8. In the Routing Rule window, type the rule name (for example, KL_Threat_Feed_Service_v2_Rule).
9. Select Online as the mode.
10. Leave the default value in the Forwarding Event Collector drop-down list.
11. Select Events as the data source.
12. In the Event Filters group, set the event filter.

    Choose the log sources together with KL_Verification_Tool, and use the Equals any of operator in the filter. Also, to achieve maximum performance of the service, you are advised to select only those events that contain indicators to look up in the feeds (such as URLs, hashes (MD5, SHA1, SHA256), and IP addresses).

    Clear the Match all incoming events check box or leave it cleared so that the detection events received from Kaspersky CyberTrace Service will not be sent back to Kaspersky CyberTrace Service.

13. Select the Forward check box. In the table, next to the Name column, select the check box next to the item added in step 1 (in this case, it is KL_Threat_Feed_Service_v2).

    

    Adding a routing rule

14. Click Save.

Recommendations for configuring events in the JSON format

A number of QRadar versions (such as, 7.3.2 Patch 6 and 7.4.0) can drop some forwarded events in the JSON format, which may lead to incorrect results. To prevent this, we recommend that you exclude some fields from the event in JSON (for an exact list of such fields, contact IBM's QRadar Support team or try to determine this list manually). You must specify additional normalization rules in Kaspersky CyberTrace Web (see below).

Therefore, use the JSON format instead of the Payload format if the event in the Payload format does not contain the necessary fields. In this case, make sure that the following conditions are met:

• In the Forwarding Destination Properties window, only fields that you need are selected. QRadar does not drop forwarded events. To enable or disable fields that will be forwarded within an event, open the Forwarding Profile Properties window by clicking the button near the Profile field.

  

  Configuring events in JSON format

• On the Settings > Matching tab of Kaspersky CyberTrace Web, the following normalization rules are specified:

  

  Configuring additional normalization rules