Adding Kaspersky CyberTrace Service as a log source

QRadar must treat Kaspersky CyberTrace Service as a log source to receive the events sent by the service. The events sent by Kaspersky CyberTrace Service are in the QRadar Log Event Extended Format (LEEF) format, and the new log source in QRadar will be a Universal LEEF log source.

To add Kaspersky CyberTrace Service to QRadar as a log source:

1. Select the Admin > Log Sources > Add menu item.
2. In the Add a log source window, type a unique name for the log source.

   This name will be displayed in the GUI for any event from this source.

3. Type the description of the log source.
4. Select Universal LEEF in the Log Source Type control.
5. Select "Syslog" in the Protocol Configuration drop-down list.
6. In the Log Source Identifier text box, type the identifier that is set in the Kaspersky CyberTrace Service configuration file—in this case, it is KL_Threat_Feed_Service_v2. This identifier is used in the EventFormat and AlertFormat parameters.

   Do not select the Coalescing Events check box. If you select it, all the events from Kaspersky CyberTrace Service will coalesce into a single event that will contain no useful information.

   

   Adding a log source to QRadar

7. Click Save.

Perform the same actions to add another log source with the KL_Verification_Tool identifier. It will be used for testing the interaction between Kaspersky CyberTrace Service and QRadar.

After the two log sources are added, select the Admin > Deploy Changes menu item.