About the standard integration scheme (QRadar)

April 11, 2024

ID 173820

This section describes the standard integration scheme for QRadar and Kaspersky CyberTrace.

For the standard integration scheme to work properly, you must install the update DSM-KasperskyCyberTrace-%version%-20180802144954.noarch.rpm, where %version% is the version of QRadar. Usually, you receive these updates as part of the auto-update process, but you can also visit IBM Fix Central and download them manually.

About the components of the standard integration scheme

The following components are used in the standard integration scheme for QRadar:

  • Kaspersky CyberTrace Service

    This service matches QRadar events against Kaspersky Threat Data Feeds.

  • QRadar

    The SIEM solution used in this integration.

  • Security controls

    These are sources of events for QRadar such as firewalls, proxies, intrusion detection systems, and other networking devices.

    Security controls can send events to QRadar by any method supported by QRadar.

Standard integration scheme

In the standard integration scheme, Kaspersky CyberTrace Service is configured by default to listen for incoming events from QRadar on 0.0.0.0:9999 (that is, on all interfaces).

Kaspersky CyberTrace Service sends detection events to port 514 of the interface defined in the QRadar configuration. The address of this interface is specified when you install Kaspersky CyberTrace.

Security controls can send events to QRadar in any format that is supported by QRadar, for example, Syslog, JDBC, OPSEC, File, or SNMP.
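Added example (not code from the Kaspersky documentation or from CyberTrace itself): a Python smoke test of the two hops described above, sending one event the way QRadar would to the CyberTrace listener and waiting for the detection event on the syslog port. The lab host names, the TCP transport for the QRadar-to-CyberTrace hop, the UDP syslog return hop and the firewall event are assumptions; the page states only the addresses and ports.

```python
import socket
from datetime import datetime

# Constructed lab addresses; the page's own values are only 0.0.0.0:9999 and port 514.
CYBERTRACE_LISTENER = ("cybertrace.lab.example", 9999)
QRADAR_SYSLOG_PORT = 514

def build_syslog_event(host: str, app: str, msg: str, pri: int = 14) -> bytes:
    """RFC 3164-style line like one a security control sends and QRadar forwards."""
    ts = datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {host} {app}: {msg}\n".encode()

def send_event(addr, event: bytes, proto: str = "tcp", timeout: float = 3.0) -> bool:
    """Deliver one event to addr; the transport is an assumption, so both are supported."""
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.sendto(event, addr)
        else:
            with socket.create_connection(addr, timeout=timeout) as s:
                s.sendall(event)
        return True
    except OSError:  # refused, unreachable or filtered: this hop is broken
        return False

class SyslogReceiver:
    """One-shot UDP sink standing in for the QRadar interface that receives on 514."""
    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))  # port 0 picks a free port for local tests
        self.addr = self.sock.getsockname()
        self.received = None

    def wait(self, timeout: float = 5.0):
        self.sock.settimeout(timeout)
        try:
            data, _ = self.sock.recvfrom(65535)
            self.received = data.decode(errors="replace").rstrip("\n")
        except socket.timeout:
            self.received = None  # no detection event came back in time
        finally:
            self.sock.close()
        return self.received

def smoke_test(listener=CYBERTRACE_LISTENER, syslog_port=QRADAR_SYSLOG_PORT) -> dict:
    """Forward one event as QRadar would and report whether a detection event returned."""
    rx = SyslogReceiver(host="0.0.0.0", port=syslog_port)  # bind first; 514 needs privileges
    ok = send_event(listener, build_syslog_event("fw01", "checkpoint", "drop src=203.0.113.5"))
    return {"forwarded": ok, "detection": rx.wait() if ok else None}
```

A result of {"forwarded": True, "detection": None} means the listener on 9999 accepted the event but nothing came back on 514, which points at the return hop or at an event that matched no feed.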

Diagram: Standard integration scheme for QRadar.
