Configuring Kaspersky CyberTrace for integration with McAfee Enterprise Security Manager

April 11, 2024

ID 183459

This section describes how to configure Kaspersky CyberTrace for integration with McAfee ESM.

To configure Kaspersky CyberTrace for integration with McAfee ESM:

  1. Download Kaspersky CyberTrace from https://support.kaspersky.com/datafeeds/download/15920.
  2. Install Kaspersky CyberTrace.
  3. When you log in to the Kaspersky CyberTrace Web UI for the first time, the Initial Setup Wizard window opens. Make the following settings:
    1. Select Other in the SIEM field, and then click Next.
    2. In the Connection Settings window that opens, specify the following:
      • IP address and port on which Kaspersky CyberTrace will listen for incoming events
      • IP address and port of McAfee ESM to which Kaspersky CyberTrace will send detection events and alert events

        For McAfee ESM, the port is 514.

      Click Next.

    3. If necessary, specify the proxy server connection parameters in the Proxy Settings window.
    4. Perform the remaining steps of the initial setup as required.
  4. On the Settings > Matching tab, click Edit default rules, select the Regular expressions tab, and then specify the following regular expressions:

    Regular expressions for integration with McAfee ESM

    Indicator type | Rule name    | Regular expression                 | Additional options
    CONTEXT        | Device       | deviceExternalId\=(.*?)\s          |
    CONTEXT        | DeviceAction | act\=(.*?)\s                       |
    CONTEXT        | DeviceIp     | deviceTranslatedAddress\=(.*?)\s   |
    HASH           | RE_HASH      | ([\da-fA-F]{32,64})                | Extract all: True
    IP             | RE_IP        | dst\=(.*?)\s                       |
    URL            | RE_URL       | (?:\:\/\/)((?:\S+(?::\S*)?+@)?(?:(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-*)*[a-z\x{00a1}-\x{ffff}0-9]*)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-)*+[a-z\x{00a1}-\x{ffff}0-9]++)*(?:\.(?:[a-z\x{00a1}-\x{ffff}\-0-9]{2,}+)))(?:\.*:\d{2,5})?+(?:\.*\/[^\s\"\<\>]*+)?+) | Extract all: True
    IP             | SRC_IP       | src\=(.*?)\s                       |
    CONTEXT        | UserName     | duser\=(.*?)\s                     |

  5. On the Normalization rules tab, specify the following replacement rule:

    [Figure: Replacement rule in CyberTrace for integration with McAfee ESM]

  6. Save the changes.
  7. Select Settings > Events format, and then specify the following formats:

    Events format for integration with McAfee ESM

    Alert events format:
      Kaspersky CyberTrace Service Event| date=%Date% alert=%Alert% msg:%RecordContext%

    Detection events format:
      Kaspersky CyberTrace Detection Event| date=%Date% reason=%Category% detected=%MatchedIndicator% act=%DeviceAction% dst=%RE_IP% src=%SRC_IP% hash=%RE_HASH% request=%RE_URL% dvc=%DeviceIp% sourceServiceName=%Device% suser=%UserName% msg:%RecordContext%

    Records context format:
       %ParamName%=%ParamValue%
      Note the space before %ParamName%.

    Actionable fields context format:
       %ParamName%:%ParamValue%
      Note the space before %ParamName%.

    Save the changes.
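As an added example (not code from the Kaspersky documentation or the CyberTrace product), the following Python script applies the matching rules from step 4 to a constructed CEF event and then fills in the detection events format from step 7, so you can check what each rule extracts before sending live events. The RE_URL rule is left out because its PCRE-only syntax is not accepted by Python's re module, and replacing unfilled placeholders with empty strings is an assumption of this script.

```python
import re

# Matching rules from step 4: (indicator type, rule name, regex, "Extract all").
# RE_URL is omitted: its PCRE-only syntax (\x{..}, possessive quantifiers) is
# rejected by Python's re module.
RULES = [
    ("CONTEXT", "Device", r"deviceExternalId\=(.*?)\s", False),
    ("CONTEXT", "DeviceAction", r"act\=(.*?)\s", False),
    ("CONTEXT", "DeviceIp", r"deviceTranslatedAddress\=(.*?)\s", False),
    ("HASH", "RE_HASH", r"([\da-fA-F]{32,64})", True),
    ("IP", "RE_IP", r"dst\=(.*?)\s", False),
    ("IP", "SRC_IP", r"src\=(.*?)\s", False),
    ("CONTEXT", "UserName", r"duser\=(.*?)\s", False),
]

# Detection events format from step 7, verbatim.
DETECTION_FORMAT = (
    "Kaspersky CyberTrace Detection Event| date=%Date% reason=%Category% "
    "detected=%MatchedIndicator% act=%DeviceAction% dst=%RE_IP% src=%SRC_IP% "
    "hash=%RE_HASH% request=%RE_URL% dvc=%DeviceIp% sourceServiceName=%Device% "
    "suser=%UserName% msg:%RecordContext%"
)

# Constructed sample CEF event (not real data) in the shape McAfee ESM forwards.
SAMPLE_EVENT = (
    "CEF:0|McAfee|ESM|11.5|1001|File blocked|5|deviceExternalId=esm-01 "
    "act=blocked deviceTranslatedAddress=10.0.0.5 src=192.0.2.10 "
    "dst=198.51.100.7 duser=jdoe fileHash=0123456789abcdef0123456789abcdef"
)

def extract_fields(event):
    """Run every rule over one event and return {rule name: value(s)}."""
    # Each rule ends in \s, so append a newline so the last key=value pair
    # on the line can still match.
    text = event.rstrip("\n") + "\n"
    fields = {}
    for _itype, name, pattern, extract_all in RULES:
        found = re.findall(pattern, text)
        if found:
            fields[name] = found if extract_all else found[0]
    return fields

def render_detection(fields, date, category, indicator):
    """Fill DETECTION_FORMAT with the extracted fields. Placeholders with no
    value become empty strings (an assumption, not documented on this page)."""
    values = {k: ",".join(v) if isinstance(v, list) else v for k, v in fields.items()}
    values.update({"Date": date, "Category": category,
                   "MatchedIndicator": indicator, "RecordContext": ""})
    return re.sub(r"%(\w+)%", lambda m: values.get(m.group(1), ""), DETECTION_FORMAT)
```

Because the rules rely on a trailing whitespace character, a key=value pair at the very end of a line without a terminator would otherwise not match; the newline appended in extract_fields reproduces what a syslog line ending provides.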
