About Balancer

Balancer is one of the components of Kaspersky CyberTrace. It runs as a service and allows using Kaspersky CyberTrace in the High Availability mode.

High Availability mode is used when there are several instances of Kaspersky CyberTrace deployed within the same local network.

When establishing HTTPS connections with CyberTrace instances, Balancer checks HTTPS certificates for matching with the reference certificates.

In High Availability mode, the following features of Kaspersky CyberTrace are supported:

• Matching incoming events against feeds and suppliers.
• Kaspersky CyberTrace REST API.

  You can use the following REST API requests:

  • POST lookup
  • GET suppliers
  • GET suppliers/{supplier}
• Exporting indicators to CSV

This type of deployment scheme allows you to achieve the following:

1. Reduced load on each instance of Kaspersky CyberTrace.
2. Sustainable matching of incoming events, processing REST API requests, and indicators export in case one instance fails.

Balancer sends incoming events and REST API requests to the instances of Kaspersky CyberTrace where the matching process is performed. Balancer then receives the results of matching by using the ReplyBack mode.

Using Kaspersky CyberTrace in High Availability mode

Requirements and limitations

To ensure that Kaspersky CyberTrace operates properly in High Availability mode, make sure that the following conditions are met:

1. All Kaspersky CyberTrace instances must have identical settings.
2. Manually added context fields, as well as indicators in the FalsePositive and InternalTI suppliers that were added by using Kaspersky CyberTrace Web or the REST API, must be identical in all Kaspersky CyberTrace instances.
3. All Kaspersky CyberTrace instances must have indicators export tasks with identical names and filtering rules.
4. All Kaspersky CyberTrace instances and Balancer must use the same license key file.

It is the responsibility of administrator to provide the above conditions. Otherwise, the correct operation of Kaspersky CyberTrace in High Availability mode is not guaranteed.

Using Kaspersky CyberTrace in High Availability mode has the following limitations:

1. As there is no synchronization between Kaspersky CyberTrace instances, the indicators in their databases may differ slightly at a point in time.
2. High Availability mode supports only a limited set of REST API requests. Balancer is preconfigured for using all supported request types (for more information, see the description of the AllowedRequests element in the "Configuring Balancer" section).
3. You cannot view detection statistics for all Kaspersky CyberTrace instances on any particular instance.
4. If an instance of Kaspersky CyberTrace becomes inaccessible after an event or a REST API request has been sent to that instance, the result of event matching or request processing will be lost.
5. Informational events are not sent to a SIEM.