JSA DSM for Kaspersky CyberTrace collects events from Kaspersky Feed Service.
To integrate Kaspersky CyberTrace with JSA, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the following RPMs onto your JSA:
  - DSM Common RPM
  - Kaspersky CyberTrace DSM RPM
- Install Kaspersky CyberTrace and configure Feed Service during the installation.
- Integrate Kaspersky CyberTrace with JSA:
  - Configure forwarding of events from JSA to Kaspersky CyberTrace.
  - Complete one of the following options:
    - Complete the verification test.
    - Install the Kaspersky Threat Feed App for JSA.
- If JSA does not automatically detect the log source, add a Kaspersky CyberTrace log source on the desired event collector. The following table describes the parameters that require specific values for Kaspersky CyberTrace event collection. Clear the Coalescing Events check box when you configure the log source.
Table 1: Kaspersky CyberTrace Log Source Parameters
- Log Source type
- Log Source Identifier
If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.
Configuring Kaspersky CyberTrace Appliances to Communicate with JSA
To enable Kaspersky CyberTrace to communicate with JSA, install and configure the Threat Feed Service on a device.
Before you install Kaspersky CyberTrace on a device, ensure that your device meets the hardware and software requirements. The requirements are specified in the Kaspersky CyberTrace documentation.
RPM installation - For this installation you must run the run.sh installation script, which installs the RPM package and runs the configurator. The configurator completes an interactive setup of Feed Service, Feed Utility, and Log Scanner.
DEB installation - The DEB installation is used on Linux systems that are based on Debian Linux. For this installation you must run the run.sh installation script, which installs the DEB package and runs the configurator. The configurator completes an interactive setup of Feed Service, Feed Utility, and Log Scanner.
TGZ installation - For this installation, you manually unpack the TGZ archive to the /opt/kaspersky/ktfs directory, create symbolic links to the configuration files and startup scripts, and register Feed Service in crontab. Then, you must manually run the configurator binary file and accept the End User License Agreement. The configurator completes an interactive setup of Feed Service, Feed Utility, and Log Scanner.
You can install CyberTrace by using one of the following installation methods.
- Install CyberTrace by using the RPM/DEB method:
  - Unpack the distribution kit contents to any directory on your system. The RPM/DEB package, installation script, and documentation are unpacked to this directory.
  - Run the run.sh installation script. The installation script installs the RPM/DEB package, adds Feed Service to the list of services by using systemd, and then creates a cron job to update feeds every 30 minutes. Feed Service starts automatically on a system boot.
  - After the RPM/DEB package is installed, the installation script automatically runs the configurator wizard.
- To accept the End User License Agreement, type Yes. Use the PgUp and PgDn keys to navigate. Press q to quit.
- Specify the path to the certificate.
  - If you want to use a demo certificate, press Enter.
  - If you have a certificate for commercial feeds, specify the full path to it, and then press Enter.
  The certificate must be in PEM format. The user who runs the configurator binary file must have read permissions for this file. The configurator creates a copy of the certificate file and stores it in a different directory. If you want to replace the certificate file, you must run the configurator again.
- Specify the proxy server settings by following the instructions.
The specified proxy credentials are stored in encrypted form.
To remove the specified proxy settings and stop using a proxy, you must manually delete the ProxySettings element and all nested elements from the Feed Utility configuration files.
- Specify the feeds that you want to use. The configurator obtains a list of feeds that are available for the certificate that you specified in Step 3.
- Specify the connection parameters. The configurator automatically checks whether the specified connection parameters are correct. For example, the configurator checks that the SIEM software is present at the address and port for outbound events.
  The IP address must consist of four decimal octets that are separated by a dot. For example, 192.0.2.254 is a valid IP address.
  The following connection parameters are included:
  IP address and port for incoming events - Feed Service listens on the specified address and port for incoming events.
  JSA connection string - Feed Service sends outbound events to the specified IP address and port or UNIX socket.
- After the installation is complete, you can change the settings by using CyberTrace Web. See the product online help for details.
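The two connection parameters above are the ones most often mistyped, and the one for incoming events decides who can push events into Feed Service. The following script is an added example, not part of the Kaspersky CyberTrace or Juniper JSA documentation: it repeats the configurator's own checks (four decimal octets separated by dots, a port, and whether anything answers at the JSA address and port) and additionally flags a listener bound to all interfaces. Function names and the sample values at the bottom are this example's own; 9995 is the default listener port given later in Table 3, and port 514 for JSA is an assumption.

```python
"""Pre-flight checks for the Feed Service connection parameters.

Added example; not part of the Kaspersky CyberTrace or Juniper JSA
documentation. Function names and sample values are this example's own.
"""
from __future__ import annotations

import socket


def parse_endpoint(conn: str) -> tuple[str, int]:
    """Split an 'IP:port' connection string into (ip, port).

    Accepts only a dotted quad of four decimal octets in 0..255 with no
    leading zeros (so '010' is rejected rather than read as octal by some
    tools) and a port in 1..65535. Raises ValueError otherwise.
    """
    host, sep, port_text = conn.rpartition(":")
    if not sep:
        raise ValueError(f"{conn!r}: expected IP:port")
    octets = host.split(".")
    if len(octets) != 4:
        raise ValueError(f"{host!r}: an IPv4 address has exactly four octets")
    for octet in octets:
        decimal = octet.isascii() and octet.isdigit() and int(octet) <= 255
        if not decimal or (len(octet) > 1 and octet.startswith("0")):
            raise ValueError(f"{host!r}: octet {octet!r} is not a decimal value 0-255")
    if not (port_text.isascii() and port_text.isdigit()) or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"{port_text!r}: port must be 1-65535")
    return host, int(port_text)


def validate_endpoint(conn: str) -> str | None:
    """Return None when conn is well formed, otherwise the reason it is not."""
    try:
        parse_endpoint(conn)
    except ValueError as exc:
        return str(exc)
    return None


def listener_warning(conn: str) -> str | None:
    """Flag an incoming-events listener bound to every interface.

    Feed Service accepts events from anything that can reach the listener,
    so 0.0.0.0 exposes it beyond the event collector it is meant to serve.
    """
    host, port = parse_endpoint(conn)
    if host == "0.0.0.0":
        return f"listener {host}:{port} is bound to all interfaces; bind the collector-facing address instead"
    return None


def siem_is_listening(conn: str, timeout: float = 3.0) -> bool:
    """True when a TCP connection to the outbound JSA endpoint succeeds."""
    host, port = parse_endpoint(conn)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample values; replace them with what you gave the configurator.
    inbound = "0.0.0.0:9995"       # IP address and port for incoming events
    outbound = "192.0.2.254:514"   # JSA connection string (port 514 is an assumption)
    for label, conn in (("inbound", inbound), ("outbound", outbound)):
        problem = validate_endpoint(conn)
        print(f"{label} {conn}: {'ok' if problem is None else problem}")
    if validate_endpoint(inbound) is None:
        print(listener_warning(inbound) or "listener binding looks fine")
    if validate_endpoint(outbound) is None:
        print("JSA reachable" if siem_is_listening(outbound) else "nothing answering at the JSA address")
```

Run it on the host where Feed Service will live, since that is the vantage point from which the configurator performs its reachability check; a firewall between that host and the event collector shows up here before it shows up as silently missing events.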
Completing the Verification Test
The verification test is a procedure that is used to check the capabilities of Kaspersky CyberTrace and to confirm the accuracy of the integration.
During this test you check to see whether events from JSA are received by Feed Service, whether events from Feed Service are received by JSA, and whether events are correctly parsed by Feed Service using the regular expressions.
The verification test file is a file that contains a set of events with URLs, IP addresses, and hashes. This file is located in the ./verification directory in the distribution kit. The name of this file is kl_verification_test.txt.
- Start Feed Service. For example,
- Ensure that the KL_Verification_Tool log source is added to JSA, and routing rules are set in such a way that events from KL_Verification_Tool are sent to Feed Service.
- Log in to the JSA Console.
- Click Admin > Add Filter.
- From the Parameter list, select Log Source.
- From the Operator list, select Equals.
- From the Log Source list, in the Value group, select the required service name.
- From the View list, select Real Time to clear the filter area. You can now browse the information about the service events.
- In the Connection element of the Log Scanner configuration file ./log_scanner/log_scanner.conf, specify the IPv4 address and port of your JSA Event Collector.
- Run Log Scanner to send the kl_verification_test.txt file to JSA: ./log_scanner -p ../verification/kl_verification_test.txt
The expected results that are displayed by JSA depend on the feeds that you use. The following table displays the verification results.
Table 2: Verification Test Results Parameters
Malicious URL Data Feed - http://badb86360457963b90faac9ae17578ed.com and many others, such as kaspersky.com/test/wmuf
Phishing URL Data Feed - (no value recovered)
Botnet CnC URL Data Feed - (no value recovered)
IP Reputation Data Feed - (no value recovered)
Malicious Hash Data Feed - FEAF2058298C1E174C2B79AFFC7CF4DF; 44D88612FEA8A8F36DE82E1278ABB02F (the EICAR standard anti-virus test file)
Mobile Malicious Hash Data Feed - (no value recovered)
Mobile Botnet Data Feed - 001F6251169E6916C455495050A3FB8D (MD5 hash); sdfed7233dsfg93acvbhl.su/steallallsms.php (URL mask)
P-SMS Trojan Data Feed - FFAD85C453F0F29404491D8DAF0C646E (MD5 hash)
Demo Botnet CnC URL Data Feed - (no value recovered)
Demo IP Reputation Data Feed - (no value recovered)
Demo Malicious Hash Data Feed - 776735A8CA96DB15B422879DA599F474; FEAF2058298C1E174C2B79AFFC7CF4DF; 44D88612FEA8A8F36DE82E1278ABB02F
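Reading the verification results off the JSA Log Activity screen by eye is error-prone once several feeds are enabled. The following script is an added example, not part of the Kaspersky CyberTrace or Juniper JSA documentation: it encodes the expected indicators from Table 2 for the feeds whose values the table gives, and reports which indicators never produced a detection. The detection events are constructed samples in a key="value" layout that is this example's own guess rather than the real CyberTrace event format, so adapt parse_detection() to the fields of the events you actually see in JSA.

```python
"""Check verification-test detections against the expected results in Table 2.

Added example; not part of the Kaspersky CyberTrace or Juniper JSA
documentation. EXPECTED is taken from Table 2 (feeds with no value on the
page are omitted); the event layout and sample events are invented here.
"""
from __future__ import annotations

import re

EXPECTED = {
    "Malicious URL Data Feed": {
        "http://badb86360457963b90faac9ae17578ed.com",
        "kaspersky.com/test/wmuf",
    },
    "Malicious Hash Data Feed": {
        "FEAF2058298C1E174C2B79AFFC7CF4DF",
        "44D88612FEA8A8F36DE82E1278ABB02F",  # EICAR standard anti-virus test file
    },
    "Mobile Botnet Data Feed": {
        "001F6251169E6916C455495050A3FB8D",
        "sdfed7233dsfg93acvbhl.su/steallallsms.php",
    },
    "P-SMS Trojan Data Feed": {"FFAD85C453F0F29404491D8DAF0C646E"},
    "Demo Malicious Hash Data Feed": {
        "776735A8CA96DB15B422879DA599F474",
        "FEAF2058298C1E174C2B79AFFC7CF4DF",
        "44D88612FEA8A8F36DE82E1278ABB02F",
    },
}

# Invented detection layout: feed="..." indicator="..."
DETECTION = re.compile(r'feed="(?P<feed>[^"]+)"\s+indicator="(?P<indicator>[^"]+)"')
MD5 = re.compile(r"[0-9A-Fa-f]{32}")


def normalize(indicator: str) -> str:
    """Hashes compare case-insensitively, so fold MD5s to upper case; URLs stay as is."""
    return indicator.upper() if MD5.fullmatch(indicator) else indicator


def parse_detection(line: str) -> tuple[str, str] | None:
    """Extract (feed, indicator) from a detection event, or None for other events."""
    match = DETECTION.search(line)
    if match is None:
        return None
    return match["feed"], normalize(match["indicator"])


def missing_detections(enabled_feeds, lines) -> dict[str, set[str]]:
    """For each enabled feed, the Table 2 indicators that never produced a detection.

    An empty dict means the verification test passed for those feeds. An
    enabled feed that Table 2 gives no value for raises KeyError rather than
    being silently reported as passed.
    """
    seen: dict[str, set[str]] = {feed: set() for feed in enabled_feeds}
    for line in lines:
        parsed = parse_detection(line)
        if parsed and parsed[0] in seen:
            seen[parsed[0]].add(parsed[1])
    missing = {}
    for feed in enabled_feeds:
        gap = EXPECTED[feed] - seen[feed]
        if gap:
            missing[feed] = gap
    return missing


# Constructed sample detections, as they might look after Log Scanner has sent
# kl_verification_test.txt; the layout is invented for this example.
SAMPLE_EVENTS = [
    'CyberTrace detect feed="Malicious Hash Data Feed" indicator="feaf2058298c1e174c2b79affc7cf4df"',
    'CyberTrace detect feed="Malicious Hash Data Feed" indicator="44D88612FEA8A8F36DE82E1278ABB02F"',
    'CyberTrace detect feed="Malicious URL Data Feed" indicator="http://badb86360457963b90faac9ae17578ed.com"',
    'CyberTrace detect feed="P-SMS Trojan Data Feed" indicator="FFAD85C453F0F29404491D8DAF0C646E"',
    "CyberTrace status feeds updated",
]
ENABLED = ["Malicious URL Data Feed", "Malicious Hash Data Feed", "P-SMS Trojan Data Feed"]

if __name__ == "__main__":
    gaps = missing_detections(ENABLED, SAMPLE_EVENTS)
    if not gaps:
        print("verification test passed for", ", ".join(ENABLED))
    for feed, indicators in gaps.items():
        print(f"{feed}: no detection for {sorted(indicators)}")
```

With the sample events above the script reports that the Malicious URL Data Feed never matched kaspersky.com/test/wmuf, which is exactly the kind of partial result that points at a regular-expression problem in Feed Service rather than a connectivity problem: hashes arrive, but one URL form is not being extracted.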
Configuring JSA to forward events to Kaspersky CyberTrace
To have the Threat Feed Service check events that arrive in JSA, you must configure JSA to forward events to the Threat Feed Service.
- Log in to the JSA Console UI.
- Click the Admin tab, and select System Configuration > Forwarding Destinations.
- In the Forwarding Destinations window, click Add.
- In the Forwarding Destination Properties pane, configure the Forwarding Destination Properties.
Table 3: Forwarding Destination Parameters (parameter descriptions, in table order)
- An identifier for the destination. For example,
- IP address of the host that runs the Threat Feed Service.
- The port that is specified in kl_feed_service.conf, InputSetting > ConnectionString. The default value is 9995.
- Click Save.
- Click the Admin tab, and then select System Configuration > Routing Rule.
- In the Routing Rules window, click Add.
- In the Routing Rules window, configure the routing rule parameters.
Table 4: Routing Rules Parameters (parameter descriptions, in table order)
- An identifier for the rule name. For example,
- Create a description for the routing rule that you are creating.
- Forwarding Event Collector - Select the event collector that is used to forward events to the Threat Feed Service.
- Create a filter for the events that are going to be forwarded to the Threat Feed Service. To achieve maximum performance of the Threat Feed Service, forward only events that contain a URL or hash.
- Enable Forward, and then select the <forwarding destination> that you created.
- Click Save.
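The routing-rule filter in Table 4 is built in the Console UI, but it helps to know, before saving the rule, which of your events actually carry a URL or hash and how much volume will be forwarded. The following script is an added example, not part of the Kaspersky CyberTrace or Juniper JSA documentation: it applies the same "contains a URL or a file hash" criterion to a sample of events. The patterns, function names and sample events are this example's own; the sample includes the page's own test domain and the EICAR hash.

```python
"""Pre-filter events the way the routing rule should: forward to the Threat
Feed Service only events that carry a URL or a file hash.

Added example; not part of the Kaspersky CyberTrace or Juniper JSA
documentation. Patterns and sample events are constructed for this example.
"""
from __future__ import annotations

import re

URL = re.compile(
    r"\b(?:https?|ftp)://\S+"                # URL with a scheme
    r"|\b(?:[a-z0-9-]+\.)+[a-z]{2,}/\S*",    # bare host with a path, e.g. kaspersky.com/test/wmuf
    re.IGNORECASE,
)
# MD5, SHA-1 and SHA-256 as whole hex words
HASH = re.compile(r"\b(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b", re.IGNORECASE)


def indicator_kinds(event: str) -> set[str]:
    """Which indicator types an event contains: a subset of {'url', 'hash'}."""
    kinds = set()
    if URL.search(event):
        kinds.add("url")
    if HASH.search(event):
        kinds.add("hash")
    return kinds


def select_for_forwarding(events):
    """Keep only the events the routing rule should forward to the Threat Feed Service."""
    return [event for event in events if indicator_kinds(event)]


def forwarded_share(events) -> float:
    """Fraction of the sample that would be forwarded; useful for sizing Feed Service."""
    return len(select_for_forwarding(events)) / len(events) if events else 0.0


# Constructed sample events; the sha256 value is the digest of empty input.
# Note that the 32-hex label inside the test domain also satisfies the hash
# pattern, which is harmless here: the event is forwarded either way.
SAMPLE_EVENTS = [
    "proxy: user=alice method=GET url=http://badb86360457963b90faac9ae17578ed.com/index.html status=200",
    "endpoint-av: file=C:\\tmp\\eicar.com md5=44D88612FEA8A8F36DE82E1278ABB02F verdict=quarantined",
    "sshd: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
    "mail-gw: attachment sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 recipient=bob",
    "firewall: DENY src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=445",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        kinds = indicator_kinds(event)
        print(f"{'FORWARD' if kinds else 'skip   '} {sorted(kinds)} {event[:60]}")
    print(f"{forwarded_share(SAMPLE_EVENTS):.0%} of the sample would be forwarded")
```

The script forwards three of the five sample events. If the IP Reputation Data Feed from Table 2 is among the feeds you enabled, the same filter (and the JSA routing rule) needs an IP-address criterion as well, since the page's URL-or-hash guidance is about Feed Service throughput, not about which indicator types the feeds can match.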
Kaspersky CyberTrace DSM Specifications
The following table describes the specifications for the Kaspersky CyberTrace DSM.
Table 5: Kaspersky CyberTrace DSM Specifications
RPM file name - (no value recovered)
Recorded event types - Detect, Status, Evaluation
Includes custom properties? - (no value recovered)
Sample Event Messages
Use these sample event messages as a way of verifying a successful integration with JSA.
The following table shows a sample event message when using the syslog protocol for the Kaspersky CyberTrace DSM:
Table 6: Kaspersky CyberTrace Sample Message Supported by the Cisco IronPort Device
Low level category - (no value recovered)
Sample log message - (no value recovered)