Configuring Kaspersky CyberTrace for integration with McAfee Enterprise Security Manager
April 11, 2024
ID 183459
This section describes how to configure Kaspersky CyberTrace for integration with McAfee ESM.
To configure Kaspersky CyberTrace for integration with McAfee ESM:
- Download Kaspersky CyberTrace from https://support.kaspersky.com/datafeeds/download/15920.
- Install Kaspersky CyberTrace.
- When you log in to the Kaspersky CyberTrace Web UI for the first time, the Initial Setup Wizard window opens. Make the following settings:
  - Select Other in the SIEM field, and then click Next.
  - In the Connection Settings window that opens, specify the following:
    - IP address and port on which Kaspersky CyberTrace will listen for incoming events
    - IP address and port of McAfee ESM to which Kaspersky CyberTrace will send detection events and alert events
    For McAfee ESM, the port is 514.
    Click Next.
  - If necessary, specify the proxy server connection parameters in the Proxy Settings window.
  - Perform the remaining steps of the initial setup as required.
- On the Settings > Matching tab, click Edit default rules, select the Regular expressions tab, and then specify the following regular expressions:
Regular expressions for integration with McAfee ESM

| Indicator type | Rule name | Regular expression | Additional options |
|---|---|---|---|
| CONTEXT | Device | `deviceExternalId\=(.*?)\s` | |
| CONTEXT | DeviceAction | `act\=(.*?)\s` | |
| CONTEXT | DeviceIp | `deviceTranslatedAddress\=(.*?)\s` | |
| HASH | RE_HASH | `([\da-fA-F]{32,64})` | Extract all: True |
| IP | RE_IP | `dst\=(.*?)\s` | |
| URL | RE_URL | `(?:\:\/\/)((?:\S+(?::\S*)?+@)?(?:(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-*)*[a-z\x{00a1}-\x{ffff}0-9]*)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-)*+[a-z\x{00a1}-\x{ffff}0-9]++)*(?:\.(?:[a-z\x{00a1}-\x{ffff}\-0-9]{2,}+)))(?:\.*:\d{2,5})?+(?:\.*\/[^\s\"\<\>]*+)?+)` | Extract all: True |
| IP | SRC_IP | `src\=(.*?)\s` | |
| CONTEXT | UserName | `duser\=(.*?)\s` | |
- On the Normalization rules tab, specify the following replacement rule:
Replacement rule for integration with McAfee ESM
- Save the changes.
- Select Settings > Events format, and then specify the following formats:
  Events format for integration with McAfee ESM
  - Alert events format: `Kaspersky CyberTrace Service Event| date=%Date% alert=%Alert% msg:%RecordContext%`
  - Detection events format: `Kaspersky CyberTrace Detection Event| date=%Date% reason=%Category% detected=%MatchedIndicator% act=%DeviceAction% dst=%RE_IP% src=%SRC_IP% hash=%RE_HASH% request=%RE_URL% dvc=%DeviceIp% sourceServiceName=%Device% suser=%UserName% msg:%RecordContext%`
  - Records context format: ` %ParamName%=%ParamValue%` (note the space before %ParamName%)
  - Actionable fields context format: ` %ParamName%:%ParamValue%` (note the space before %ParamName%)
- Save the changes.
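The following Python script is an added example, not part of this documentation and not Kaspersky's or McAfee's own code. It applies the key=value and hash matching rules from the regular expressions table above to a constructed McAfee ESM event (a CEF-style line using the extension keys the rules look for, which is an assumption about the event format) and then renders the extracted values with the records context format from the events format table. The RE_URL rule is omitted because it is written in PCRE syntax (`\x{00a1}`, possessive quantifiers) that Python's `re` module does not accept.

```python
import re

# Regular expressions copied from the McAfee ESM matching rules table on this page.
# RE_URL is left out: its \x{00a1} escapes and possessive quantifiers (?+, *+, ++)
# are PCRE syntax that Python's re module rejects.
MATCHING_RULES = {
    "Device": r"deviceExternalId\=(.*?)\s",
    "DeviceAction": r"act\=(.*?)\s",
    "DeviceIp": r"deviceTranslatedAddress\=(.*?)\s",
    "RE_HASH": r"([\da-fA-F]{32,64})",
    "RE_IP": r"dst\=(.*?)\s",
    "SRC_IP": r"src\=(.*?)\s",
    "UserName": r"duser\=(.*?)\s",
}
# Rules the table marks "Extract all: True" return every match instead of the first.
EXTRACT_ALL = {"RE_HASH"}

# Constructed sample event (not a real McAfee ESM record). The extension keys are
# the ones the rules above search for; the hash is the MD5 of the empty string.
SAMPLE_EVENT = (
    "CEF:0|McAfee|ESM|11.5|1001|Outbound connection|5|"
    "deviceExternalId=esm-01 act=allow deviceTranslatedAddress=10.0.0.5 "
    "src=192.0.2.10 dst=198.51.100.7 "
    "fileHash=d41d8cd98f00b204e9800998ecf8427e duser=jdoe"
)


def extract_fields(event: str) -> dict:
    """Apply every matching rule to one event string.

    Returns a dict keyed by rule name: a list of all matches for rules in
    EXTRACT_ALL, otherwise the first capture group, or None when the rule
    does not match. The key=value rules require a whitespace character after
    the value, so a value at the very end of the line is only captured when
    the line ends with a newline or a space.
    """
    fields = {}
    for name, pattern in MATCHING_RULES.items():
        if name in EXTRACT_ALL:
            fields[name] = re.findall(pattern, event)
        else:
            match = re.search(pattern, event)
            fields[name] = match.group(1) if match else None
    return fields


def format_record_context(fields: dict) -> str:
    """Render extracted fields with the records context format from the page,
    " %ParamName%=%ParamValue%".

    Each entry begins with a space; that space is what separates one entry from
    the next after "msg:" in the detection event. Unmatched (None) fields are
    skipped and list-valued fields produce one entry per element.
    """
    parts = []
    for name, value in fields.items():
        values = value if isinstance(value, list) else [value]
        for item in values:
            if item is not None:
                parts.append(f" {name}={item}")
    return "".join(parts)


if __name__ == "__main__":
    as_received = extract_fields(SAMPLE_EVENT)
    print("no trailing whitespace:", as_received)   # UserName is None here
    as_syslog = extract_fields(SAMPLE_EVENT + "\n")
    print("with trailing newline: ", as_syslog)     # UserName is "jdoe"
    print("msg:" + format_record_context(as_syslog))
```

Two things the run makes visible: the `(.*?)\s` rules only capture a value when something whitespace-like follows it, so the last pair on a line without a trailing newline (`duser=jdoe` in the sample) is not extracted; and `RE_HASH` matches any run of 32 to 64 hex characters, so a 40-character SHA-1 or a 64-character SHA-256 is captured as well, but so is any other hex token of that length.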