Checking software settings (RSA NetWitness)

April 11, 2024

ID 167743

This section describes the requirements that the RSA NetWitness services must meet.

Check that the following conditions are met:

  • The index file (index-concentrator-custom.xml) of the Concentrator which receives Kaspersky CyberTrace Service events must contain the following metafields:
    • virusname

      This and other metafields (except for msg) must have the IndexValues level. Also, set the defaultAction value of these metafields to Open.

    • user.src
    • ip.src
    • action
    • msg

      This metafield must have the IndexKeys (the presence of the metafield in an event is indexed) or IndexNone (the metafield is not indexed) level in the index-concentrator-custom.xml file. If you set the IndexValues level for this metafield, the hard drive space will be consumed rapidly.

    • event.source
    • device.ip
    • ip.dst
    • url
    • checksum

    If any of these fields are absent from the index file, add them there and restart the Concentrator, as described in the section about RSA NetWitness troubleshooting.

    If you do not have a Concentrator but you use a Log Decoder for storing data from Kaspersky CyberTrace Service, change the index-logdecoder-custom.xml file and restart the Log Decoder as described above.

    Update only the index file of a Concentrator (index-concentrator-custom.xml) if the Concentrator receives data from a Log Decoder. For more information, refer to https://community.rsa.com/docs/DOC-41760. Also, update the index file of a Log Decoder (index-logdecoder-custom.xml) if you use the Log Decoder as the source of data in which you search for events or if you use the Log Decoder to create reports or dashboards.

  • The table-map-custom.xml configuration file (the configuration file of a Log Decoder) must contain the following metafields:
    • virusname
    • c_username
    • saddr
    • daddr
    • url
    • checksum
    • msg
    • event_source
    • hostip
    • action

    The value of the flags attribute must be None for each of these metafields.

    If any of these fields are absent from the table-map-custom.xml file, refer to the section about RSA NetWitness troubleshooting.
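The two checklists above can be verified mechanically. The following script is an added example (not part of the Kaspersky or RSA documentation) that parses the two XML files and reports every metafield that is missing or set to the wrong level, defaultAction or flags value. It assumes the usual NetWitness element shapes, `<key name=... level=... defaultAction=...>` in the index file and `<mapping nwName=... flags=...>` in the table map; the embedded sample documents are constructed for the demonstration.

```python
"""Check index-concentrator-custom.xml and table-map-custom.xml for the
metafield settings required by the Kaspersky CyberTrace integration.
Element and attribute names below are assumed NetWitness conventions."""
import xml.etree.ElementTree as ET

INDEX_KEYS = ["virusname", "user.src", "ip.src", "action", "msg",
              "event.source", "device.ip", "ip.dst", "url", "checksum"]
TABLE_MAP_KEYS = ["virusname", "c_username", "saddr", "daddr", "url",
                  "checksum", "msg", "event_source", "hostip", "action"]

def check_index(xml_text):
    """Return a list of problems found in an index-concentrator-custom.xml."""
    problems = []
    keys = {k.get("name"): k for k in ET.fromstring(xml_text).iter("key")}
    for name in INDEX_KEYS:
        key = keys.get(name)
        if key is None:
            problems.append(f"{name}: missing")
            continue
        level = key.get("level")
        if name == "msg":
            # Indexing msg values eats disk quickly: only keys or none allowed.
            if level not in ("IndexKeys", "IndexNone"):
                problems.append(f"msg: level {level!r}, expected IndexKeys or IndexNone")
        else:
            if level != "IndexValues":
                problems.append(f"{name}: level {level!r}, expected IndexValues")
            if key.get("defaultAction") != "Open":
                problems.append(f"{name}: defaultAction should be Open")
    return problems

def check_table_map(xml_text):
    """Return a list of problems found in a table-map-custom.xml."""
    problems = []
    maps = {m.get("nwName"): m for m in ET.fromstring(xml_text).iter("mapping")}
    for name in TABLE_MAP_KEYS:
        m = maps.get(name)
        if m is None:
            problems.append(f"{name}: missing")
        elif m.get("flags") != "None":
            problems.append(f"{name}: flags {m.get('flags')!r}, expected None")
    return problems

# Constructed samples: msg wrongly indexed by value, checksum absent,
# and hostip mapped with flags="Transient" instead of "None".
_ok = "".join(f'<key name="{n}" level="IndexValues" defaultAction="Open"/>'
              for n in INDEX_KEYS if n not in ("msg", "checksum"))
SAMPLE_INDEX = f'<language>{_ok}<key name="msg" level="IndexValues" defaultAction="Open"/></language>'
SAMPLE_TABLE_MAP = "<mappings>" + "".join(
    f'<mapping envisionName="{n}" nwName="{n}" flags="{"Transient" if n == "hostip" else "None"}"/>'
    for n in TABLE_MAP_KEYS) + "</mappings>"
```

Run both checks against the real files before restarting the Concentrator or Log Decoder; an empty list means the file satisfies the checklist.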

Detection events sent by Kaspersky CyberTrace Service contain the context from the feeds in separate fields. You can display and use these fields in RSA NetWitness. (In RSA NetWitness, the names of these fields will have the kl. prefix.)

To display the context fields:

  1. Add the contents of %service_dir%/integration/rsa/additional_elements/table-map-custom.xml to the table-map-custom.xml file of the log decoder to which Kaspersky CyberTrace Service will send detection events.
  2. Add the contents of %service_dir%/integration/rsa/additional_elements/index-concentrator-custom.xml to the index-concentrator-custom.xml file of the Concentrator that will store the events from Kaspersky CyberTrace Service.

You can specify all the settings described above by using the RSA NetWitness web user interface in the Services (Log Decoder and Concentrator) > Config view.

Restart the Log Decoder and Concentrator after you have edited the table-map-custom.xml and index-concentrator-custom.xml files.
