Configuring event enrichment and retroscan

Integration of KUMA with Kaspersky CyberTrace (hereinafter referred to as CyberTrace) version 5.0 and later allows enriching events with information about indicators of compromise (IoC) and retrospectively scanning events (performing a retroscan). Retroscan helps detect indicators that had not been detected at the time of initial enrichment, but appeared later in updated CyberTrace feeds. Retroscan can be used in the following cases:

The incident has already occurred, but its indicators became known only after the feeds were updated.
You want to rescan saved events for new threats.

To set up data enrichment and retroscan:

Perform the initial configuration in KUMA by following these steps:
1. Configure CyberTrace integration.
2. Create two collectors to receive events that you want to enrich with CyberTrace data.
  - To get notifications from CyberTrace about the triggering of indicators, create a collector in which a connector of the tcp type is used as the transport, and the normalizer is [OOTB] CyberTrace.
  - To configure event enrichment, create a collector with the following parameters:
    - Select any connector (for example, http) as the transport.
    - You can choose any normalization method (for example, json) with the mapping of the following fields: SourceHostName, DestinationHostName, Message, DeviceHostName, DeviceAddress, FileHash, OldFileHash, RequestUrl.
    - As the enrichment, create an event enrichment rule in which the data source type is cybertrace-http, the CyberTrace version is ≥ 5.0, and the following normalizer fields are selected in the Key fields drop-down list: SourceHostName, DestinationHostName, Message, DeviceHostName, DeviceAddress, FileHash, OldFileHash, RequestUrl.
To configure retroscan in the CyberTrace web interface, follow these steps:
1. In the Settings → General section, enable API lookup to save detected indicators and collect statistics a public API request is used.
2. On the Settings → Retroscan page, enable retroscan, then select the Regular expressions and enable the sources and regular expressions that you want to use for retroscan.
3. In the Settings → General section, under Detection alerts, specify the IP address and port that CyberTrace will use to send alerts about the detection of indicators of compromise.
4. In the Settings → General section, under Service alerts, configure CyberTrace service notifications (for example, notifications about the retroscan task finishing or license key replacement) by specifying the IP address of the collector and the port of the KUMA TCP connector.
For more information on configuring retroscan, see the Kaspersky CyberTrace Help.

Event processing stages during retroscan

Retroscan allows detecting indicators of compromise that had not been known when an event was received, but became available later after an update of Kaspersky CyberTrace feeds.

The retroscan algorithm comprises the following steps:

Sending an event to CyberTrace
An event containing indicators is received at the CyberTrace collector. When received, these indicators may not be present in active feeds.

Example event:

{

"SourceHostName": "45.54.64.52",

"DestinationHostName": "geardox.site",

"Message": "5BA7335AD847E5ED6211FB27094B9855",

"DeviceHostName": "test.domain.ru",

"DeviceAddress": "5.8.16.77",

"FileHash": "E1B85D995DC09DE25603D0B7A67D998015F6C045",

"OldFileHash": "B276263D373A6B56EEAB09673429E1490AEFC5E14738CDF9E1661C36EBD80656",

"RequestUrl": "https://kaspersky.com/"

}
Saving the event in the CyberTrace database
If integration over TCP is used, CyberTrace uses regular expressions to extract indicators from the event. If integrated via the REST API (using API lookup), indicators are passed directly in the body of the request. If at the moment when an indicator is processed, the feeds do not contain information that allows to classify it, CyberTrace saves the indicator to the retroscan database for subsequent analysis after feeds are updated.
Running the retroscan task
The retroscan task can be scheduled or run manually. To run a retroscan manually, go to the System → Retroscan page and click Start now.
Detecting indicators after a feed update
If, during the update process, the feeds deliver indicators that match previously saved events, CyberTrace detects such matches when running the retroscan task.
Generating alerts based on retroscan results
After the retroscan is completed, CyberTrace generates alerts about the detection of indicators of compromise and sends these alerts to the KUMA collector.

Example alert:

Category=KUMA_Demo_1_Hash_SHA1|MatchedIndicator=E1B85D995DC09DE25603D0B7A67D998015F6C045|MD5=5BA7335AD847E5ED6211FB27094B9855|SHA1=E1B85D995DC09DE25603D0B7A67D998015F6C045|SHA256=B276263D373A6B56EEAB09673429E1490AEFC5E14738CDF9E1661C36EBD80656|file_names=draft_pi.exe|file_size=759296|file_type=PE|first_seen=02.12.2020 05:34|geo=bd, eg, in|last_seen=02.02.2021 11:36|popularity=2|threat=HEUR:Trojan.MSIL.Taskun.gen
Event processing in KUMA
The event is processed by the [OOTB] CyberTrace normalizer. The user can match the received notification with the original event for subsequent analysis.
Getting a service alert about the completion of the task
If CyberTrace is configured to send service alerts, CyberTrace sends an alert about the completion of the retroscan task.

Example alert:

Jun 05 16:08:33 alert=KL_ALERT_RetroScanCompleted|iocs_detected=168|iocs_rescanned=1511177|retroscan_report=https://127.0.0.1/retroscan/C4C76046-C2DF-4AED-B430-2E64AEF781FC

Page top