Installation and integration overview

February 27, 2024

ID 162415

This section explains the installation and integration process for Kaspersky CyberTrace.

Introduction

Kaspersky CyberTrace can integrate with many different event sources. The procedure for installation and integration is split into two parts:

  1. Installing Kaspersky CyberTrace

    We recommend installing Kaspersky CyberTrace by using one of the installer packages for your operating system. On Linux, you can install DEB and RPM packages. On Windows, you can use an executable installer.

    After Kaspersky CyberTrace is installed, you can perform the post-installation configuration by using a wizard in the web interface of Kaspersky CyberTrace. During this process, you select an event source, such as a SIEM solution, provide connection parameters for it, and configure feed updates.

    If you want to use diff versions of Kaspersky Threat Data Feeds, you need to enable them before you perform the post-installation configuration of Kaspersky CyberTrace.

    After the post-installation configuration is completed, Kaspersky CyberTrace uses by default the parameters for a set event source. For example, Kaspersky CyberTrace by default parses the incoming events by using the regular expressions set for the chosen event source, and uses the special format for threat detection alerts. If necessary, you may change the specified parameters.

  2. Integrating Kaspersky CyberTrace with an event source

    In this part, you configure the event source so that it can send its events to Kaspersky CyberTrace and receive threat detection alerts from Kaspersky CyberTrace. Depending on the chosen event source, you can also additionally install specific applications and tools that work with Kaspersky CyberTrace events. For example, Kaspersky CyberTrace provides applications for Splunk® and QRadar, and a preconfigured dashboard for RSA NetWitness. In addition to applications for specific event sources, you can use the LogScanner utility to send log files, IP addresses, URLs, and hashes for checking to Kaspersky CyberTrace.

Before you begin

Make sure that the computer you plan to use for running Kaspersky CyberTrace meets the hardware and software requirements.

Make sure the date and time settings are precise on the server where you are installing Kaspersky CyberTrace. You can use an NTP server to get the precise date and time.

For ArcSight products, ArcSight SmartConnector must be installed before the installation of Kaspersky CyberTrace. For more information, see sections "Before you begin (ArcSight)" and "Integration guide (ArcSight)".

Part 1. Installing Kaspersky CyberTrace

When you install Kaspersky CyberTrace, all of the components required for working with feeds, such as Kaspersky CyberTrace Service and Feed Utility, are installed and configured.

Kaspersky CyberTrace can be installed on any computer that can receive events from your chosen event source, such as a SIEM solution, a firewall, or a proxy server. By configuring Kaspersky CyberTrace during its installation, you specify how it will receive and send events.

Make sure to install Kaspersky CyberTrace according to your chosen integration scheme. For example, if you should install Kaspersky CyberTrace and a SIEM solution on separate computers, check the available integration schemes for your SIEM solution and determine where to install Kaspersky CyberTrace.

Depending on your operating system, install Kaspersky CyberTrace as described in the following sections:

After you install Kaspersky CyberTrace perform the following:

  • If you want to use diff versions of Kaspersky Threat Data Feeds, enable them.
  • If you do not want to use diff versions of Kaspersky Threat Data Feeds, open Kaspersky CyberTrace Web and follow the instructions of the Initial Setup Wizard.

Part 2. Integrating Kaspersky CyberTrace with an event source

To automatically detect indicators of compromise in security events logs, Kaspersky CyberTrace should be integrated with an event source. This event source can either be a standalone event source (for example, a firewall or a proxy server) or a SIEM solution. The event source then sends events to Kaspersky CyberTrace, and Kaspersky CyberTrace sends the alerts on detected threats to a SIEM or other application, as configured.

Kaspersky CyberTrace supports integration with the following SIEM solutions:

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.