Configuring event enrichment and retroscan

Integration of KUMA with Kaspersky CyberTrace (hereinafter referred to as CyberTrace) version 5.0 and later allows enriching events with information about indicators of compromise (IoC) and retrospectively scanning events (performing a retroscan). Retroscan helps detect indicators that had not been detected at the time of initial enrichment, but appeared later in updated CyberTrace feeds. Retroscan can be used in the following cases:

To set up data enrichment and retroscan:

  1. Perform the initial configuration in KUMA by following these steps:
    1. Configure CyberTrace integration.
    2. Create two collectors to receive events that you want to enrich with CyberTrace data.
      • To get notifications from CyberTrace about the triggering of indicators, create a collector in which a connector of the tcp type is used as the transport, and the normalizer is [OOTB] CyberTrace.
      • To configure event enrichment, create a collector with the following parameters:
        • Select any connector (for example, http) as the transport.
        • You can choose any normalization method (for example, json) with the mapping of the following fields: SourceHostName, DestinationHostName, Message, DeviceHostName, DeviceAddress, FileHash, OldFileHash, RequestUrl.
        • As the enrichment, create an event enrichment rule in which the data source type is cybertrace-http, the CyberTrace version is ≥ 5.0, and the following normalizer fields are selected in the Key fields drop-down list: SourceHostName, DestinationHostName, Message, DeviceHostName, DeviceAddress, FileHash, OldFileHash, RequestUrl.
  2. To configure retroscan in the CyberTrace web interface, follow these steps:
    1. In the Settings → General section, enable API lookup to save detected indicators and collect statistics when a public API request is used.
    2. On the Settings → Retroscan page, enable retroscan, then, under Regular expressions, enable the sources and regular expressions that you want to use for retroscan.
    3. In the Settings → General section, under Detection alerts, specify the IP address and port that CyberTrace will use to send alerts about the detection of indicators of compromise.
    4. In the Settings → General section, under Service alerts, configure CyberTrace service notifications (for example, notifications about the retroscan task finishing or license key replacement) by specifying the IP address of the collector and the port of the KUMA TCP connector.

    For more information on configuring retroscan, see the Kaspersky CyberTrace Help.
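To show what a retroscan adds over the initial enrichment, here is an added Python model (example code, not KUMA or CyberTrace code): events are enriched on the key fields named above against one feed version, then the stored events are rescanned against indicators that only appeared in a later feed version. The regex "sources", feed contents and events are constructed for this example and do not reflect real CyberTrace feeds.

```python
import re

# Key fields that the enrichment rule sends to CyberTrace (names from the page).
KEY_FIELDS = ("SourceHostName", "DestinationHostName", "Message", "DeviceHostName",
              "DeviceAddress", "FileHash", "OldFileHash", "RequestUrl")

# Constructed "regular expression sources": one regex per indicator kind,
# used to pull indicator-shaped substrings out of a key field's value.
SOURCES = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "hash": re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b", re.IGNORECASE),
    "url": re.compile(r"https?://[^\s\"']+"),
}

def extract_candidates(event):
    """Return the set of (kind, value) candidates found in the event's key fields."""
    found = set()
    for name in KEY_FIELDS:
        value = event.get(name)
        if not value:
            continue
        for kind, rx in SOURCES.items():
            for match in rx.findall(value):
                found.add((kind, match.lower()))   # feeds are compared case-insensitively
    return found

def enrich(event, feed):
    """Initial enrichment: feed indicators present in the event at ingestion time."""
    return {c for c in extract_candidates(event) if c in feed}

def retroscan(stored_events, old_feed, new_feed):
    """Re-check stored events only against indicators added since the old feed.
    Returns (event id, indicator) pairs that initial enrichment could not have seen."""
    added = new_feed - old_feed
    return [(ev["id"], c) for ev in stored_events
            for c in extract_candidates(ev) & added]

# Constructed sample data: feed v1 at ingestion time, feed v2 after an update.
FEED_V1 = {("ip", "203.0.113.5")}
FEED_V2 = FEED_V1 | {("hash", "d41d8cd98f00b204e9800998ecf8427e"),
                     ("url", "http://bad.example/payload")}
EVENTS = [
    {"id": 1, "DeviceAddress": "203.0.113.5", "Message": "connection from 203.0.113.5"},
    {"id": 2, "FileHash": "D41D8CD98F00B204E9800998ECF8427E", "Message": "file written"},
    {"id": 3, "RequestUrl": "http://bad.example/payload", "Message": "GET"},
    {"id": 4, "Message": "nothing here"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["id"], enrich(ev, FEED_V1))   # only event 1 is enriched at ingestion
    print(retroscan(EVENTS, FEED_V1, FEED_V2))  # events 2 and 3 are found by retroscan
```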

Event processing stages during retroscan
