Configuring event enrichment and retroscan

Integration of KUMA with Kaspersky CyberTrace (hereinafter referred to as CyberTrace) version 5.0 and later allows enriching events with information about indicators of compromise (IoC) and retrospectively scanning events. Retroscan allows detecting indicators that had not been detected at the time of initial enrichment, but appeared later in updated CyberTrace feeds. Retroscan can be useful in the following cases:

The incident has already occurred, but its indicators became known only after the feeds were updated.
You want to rescan saved events for new threats.
You need to improve the accuracy of incident investigation.

To configure data enrichment and retroscan, follow these steps:

Perform initial configuration in KUMA:
1. Configure CyberTrace integration.
2. Create a collector to receive events that you want to enrich with CyberTrace data.
  - To configure the enrichment of events with data from CyberTrace select a connector of the http type as the transport. You can choose any normalizer (for example, json) with the mapping of the following fields: SourceHostName, DestinationHostName, Message, DeviceHostName, DeviceAddress, FileHash, OldFileHash, RequestUrl.
  - To configure the receipt of events from CyberTrace, you need to select a connector of the tcp type as the transport, and [OOTB] CyberTrace as the normalizer.
3. Create event enrichment rules in KUMA.
  - We recommend selecting cybertrace-http as the source kind.
  - Use the Major version of CyberTrace toggle switch to specify ≥ 5.0 as the CyberTrace version.
  - In the Key fields drop-down list, select the following normalizer fields: SourceHostName, DestinationHostName, Message, DeviceHostName, DeviceAddress, FileHash, OldFileHash, RequestUrl.
Configure retroscan in the CyberTrace web interface:
1. On the Settings → General page, enable API lookup to save detected indicators and collect statistics a public API request is used.
2. On the Settings → Retroscan page, enable retroscan, then select the Regular expressions and enable only those sources and regular expressions that you want to use for retroscan.
3. On the Settings → General page, in the Detection alerts section, specify the IP address and port that CyberTrace will use to send alerts about the detection of indicators of compromise.
4. On the Settings → General page, in the Service alerts section, configure CyberTrace service notifications (for example, notifications about the retroscan task finishing or license change) by specifying the IP address of the collector and the port of the KUMA TCP connector.
You can get detailed information on configuring retroscan from the Kaspersky CyberTrace Administrator Guide.

Event processing stages during retroscan

Retroscan allows detecting indicators of compromise that had not been known when an event was received, but became available later after an update of Kaspersky CyberTrace feeds.

The retroscan algorithm comprises the following steps:

Sending an event to CyberTrace
An event containing indicators is received at the CyberTrace collector. When received, these indicators may not be present in active feeds.

Example event:

{

"SourceHostName": "45.54.64.52",

"DestinationHostName": "geardox.site",

"Message": "5BA7335AD847E5ED6211FB27094B9855",

"DeviceHostName": "test.domain.ru",

"DeviceAddress": "5.8.16.77",

"FileHash": "E1B85D995DC09DE25603D0B7A67D998015F6C045",

"OldFileHash": "B276263D373A6B56EEAB09673429E1490AEFC5E14738CDF9E1661C36EBD80656",

"RequestUrl": "https://kaspersky.com/"

}
Saving the event in the CyberTrace database
If integration over TCP is used, CyberTrace uses regular expressions to extract indicators from the event. If integrated via the REST API (using API lookup), indicators are passed directly in the body of the request. If at the moment when an indicator is processed, the feeds do not contain information that allows to classify it, CyberTrace saves it to the retroscan database for subsequent analysis after feeds are updated.
Running the retroscan task
The retroscan task can be scheduled or run manually. To run a retroscan manually, go to the System → Retroscan page and click Start now.
Detecting indicators after a feed update
If, during the update process, the feeds deliver indicators that match previously saved events, CyberTrace detects such matches when running the retroscan task.
Generating alerts based on retroscan results
After the retroscan is completed, CyberTrace generates alerts about the detection of indicators of compromise and sends these alerts to the KUMA collector.

Example alert:

Category=KUMA_Demo_1_Hash_SHA1|MatchedIndicator=E1B85D995DC09DE25603D0B7A67D998015F6C045|MD5=5BA7335AD847E5ED6211FB27094B9855|SHA1=E1B85D995DC09DE25603D0B7A67D998015F6C045|SHA256=B276263D373A6B56EEAB09673429E1490AEFC5E14738CDF9E1661C36EBD80656|file_names=draft_pi.exe|file_size=759296|file_type=PE|first_seen=02.12.2020 05:34|geo=bd, eg, in|last_seen=02.02.2021 11:36|popularity=2|threat=HEUR:Trojan.MSIL.Taskun.gen
Event processing in KUMA
The event is processed by the [OOTB] CyberTrace normalizer. The user can match the received notification with the original event for subsequent analysis.
Getting a service alert about the completion of the task
If CyberTrace is configured to send service alerts, CyberTrace sends an alert about the completion of the retroscan task.

Example alert:

Jun 05 16:08:33 alert=KL_ALERT_RetroScanCompleted|iocs_detected=168|iocs_rescanned=1511177|retroscan_report=https://127.0.0.1/retroscan/C4C76046-C2DF-4AED-B430-2E64AEF781FC

Page top