Configuring CyberTrace to receive and process requests
You can configure CyberTrace to receive and process requests from KUMA either in the Quick Start Wizard immediately after installation, or later in the program web interface.
To configure CyberTrace to receive and process requests in the Quick Start Wizard:
Wait for the CyberTrace Quick Start Wizard to start after the program is installed.
The Welcome to Kaspersky CyberTrace window opens.
In the <select SIEM> drop-down list, select KUMA and click Next.
This opens the Connection Settings window.
Do the following:
In the Service listens on settings block, select the IP and port option.
In the IP address field, enter 0.0.0.0.
In the Port field, enter the port for receiving events. The default port is 9999.
Under Service sends events to, specify 127.0.0.1 in the IP address or hostname field, and specify 9998 in the Port field.
Leave the default values for everything else.
Click Next.
This opens the Proxy Settings window.
If a proxy server is being used in your organization, define the settings for connecting to it. If not, leave all the fields blank and click Next.
This opens the Licensing Settings window.
In the Kaspersky CyberTrace license key field, add a license key for CyberTrace.
In the Kaspersky Threat Data Feeds certificate field, add a certificate that allows you to download updated data feeds from servers, and click Next.
CyberTrace will be configured.
To configure CyberTrace to receive and process requests in the program web interface:
In the CyberTrace web interface window, select Settings – Service.
In the Connection Settings block:
Select the IP and port option.
In the IP address field, enter 0.0.0.0.
In the Port field, specify the port for receiving events. The default port is 9999.
In the Web interface settings block, in the IP address or hostname field, enter 127.0.0.1.
In the upper toolbar, click Restart the CyberTrace Service.
Select Settings – Events format.
In the Alert events format field, enter %Date% alert=%Alert%%RecordContext%.
In the Detection events format field, enter Category=%Category%|MatchedIndicator=%MatchedIndicator%%RecordContext%.
In the Records context format field, enter |%ParamName%=%ParamValue%.
In the Actionable fields context format field, enter %ParamName%:%ParamValue%.
CyberTrace will be configured.
After updating the CyberTrace configuration, you must restart the CyberTrace server.
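The event format strings entered above compose into single-line events. The following added example (not part of the original documentation or of the product's code) expands them in Python and parses a detection event back into fields. It assumes that %RecordContext% is filled by repeating the Records context format once per context field; the category, indicator and context values are constructed.

```python
import re

# Format strings exactly as entered in Settings – Events format.
RECORD_CONTEXT_FMT = "|%ParamName%=%ParamValue%"
DETECTION_FMT = "Category=%Category%|MatchedIndicator=%MatchedIndicator%%RecordContext%"
ALERT_FMT = "%Date% alert=%Alert%%RecordContext%"


def _expand(template, values):
    """Replace each %Name% in one pass; unknown placeholders are left as-is."""
    return re.sub(r"%(\w+)%", lambda m: values.get(m.group(1), m.group(0)), template)


def render(template, fields, context=()):
    """Expand a format string (assumption: one context segment per field)."""
    ctx = "".join(
        _expand(RECORD_CONTEXT_FMT, {"ParamName": name, "ParamValue": value})
        for name, value in context
    )
    return _expand(template, {**fields, "RecordContext": ctx})


def parse_detection(line):
    """Split on '|', then on the first '=' so values may contain '='."""
    event, malformed = {}, []
    for segment in line.split("|"):
        key, sep, value = segment.partition("=")
        if sep and key:
            event[key] = value
        else:
            malformed.append(segment)  # e.g. tail of a value that held '|'
    return event, malformed


# Constructed sample values, not taken from a real feed.
SAMPLE_FIELDS = {"Category": "Example_Malicious_URL",
                 "MatchedIndicator": "bad.example/login?id=1"}
SAMPLE_CONTEXT = [("popularity", "3"), ("threat", "Example.Threat")]

if __name__ == "__main__":
    line = render(DETECTION_FMT, SAMPLE_FIELDS, SAMPLE_CONTEXT)
    print(line)
    print(parse_detection(line))
```

A context value that itself contains "|" is split into extra segments; parse_detection returns those in the malformed list so that a consumer can flag the event instead of silently dropping data.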