Kaspersky CyberTrace

Step 4. Performing the verification test (QRadar)

27 February 2024

ID 167599

This section explains how to check the capabilities of Kaspersky CyberTrace by performing the verification test.

Please make sure you perform the verification test before editing any matching process settings.

What is the verification test

The verification test is a procedure that is used to check the capabilities of Kaspersky CyberTrace and to confirm the accuracy of the integration.

During this test you will check whether events from QRadar are received by Kaspersky CyberTrace Service, whether events from Kaspersky CyberTrace Service are received by QRadar, and whether events are correctly parsed by Kaspersky CyberTrace Service using the regular expressions.

About the verification test file

The verification test file is a file that contains a collection of events with URLs, IP addresses, and hashes. This file is located in the ./verification directory in the distribution kit. The name of this file is kl_verification_test_leef.txt.

Verification procedure

To verify the installation:

  1. Make sure that the "KL_Verification_Tool" log source is added to QRadar and routing rules are set in such a way that events from "KL_Verification_Tool" are sent to Kaspersky CyberTrace Service.
  2. Open QRadar Console and select the Log Activity tab.
  3. Add a filter:
    1. Click the Add Filter button.
    2. In the Parameter drop-down list, select Log Source.
    3. In the Operator drop-down list, select Equals.
    4. In the Value group, in the Log Source drop-down list, select the required service name (for example, KL_Threat_Feed_Service_v2).
    5. Click the Add Filter button.

    Figure: Add Filter window in QRadar (adding a filter for browsing events).

    The string Log Source is KL_Threat_Feed_Service_v2 will be displayed under Current Filters.

  4. In the View drop-down list, select Real Time to clear the event area.

    You can now browse information about the service events.

    Figure: Browsing filtered information in QRadar.

  5. Send the events from the kl_verification_test_leef.txt file to Kaspersky CyberTrace Service by using Log Scanner, by running the following command:

    For Linux: ./log_scanner -p ../verification/kl_verification_test_leef.txt

    For Windows: log_scanner.exe -p ..\verification\kl_verification_test_leef.txt

    If you specify the -r flag in this command, the test results are written to the Log Scanner report file instead of being sent to QRadar. If you do not specify the -r flag, the test results are sent to the SIEM solution by using the settings for outbound events specified for Kaspersky CyberTrace Service. For the verification test, run the command without -r so that the results appear in QRadar.

    The expected results to be displayed by QRadar depend on the feeds you use. The verification test results are listed in the following table.

    Verification test results

    Feed used                          Detected objects
    ---------------------------------  ----------------------------------------------------------------
    Malicious URL Data Feed
    Phishing URL Data Feed
    Botnet CnC URL Data Feed
    IP Reputation Data Feed
    Malicious Hash Data Feed           44D88612FEA8A8F36DE82E1278ABB02F (MD5 hash of the EICAR Standard Anti-Virus Test File)
    Mobile Malicious Hash Data Feed
    Mobile Botnet CnC URL Data Feed    001F6251169E6916C455495050A3FB8D (MD5 hash)
                                       http://sdfed7233dsfg93acvbhl.su/steallallsms.php (URL mask)
    Ransomware URL Data Feed
    APT URL Data Feed
    APT Hash Data Feed
    APT IP Data Feed
    IoT URL Data Feed
    Demo Botnet CnC URL Data Feed
    Demo IP Reputation Data Feed
    Demo Malicious Hash Data Feed
    ICS Hash Data Feed

    Figure: List of events in QRadar (browsing events from Kaspersky CyberTrace Service).

If the actual results of the test are the same as those expected, the integration of Kaspersky CyberTrace Service with QRadar is correct.
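As an added example that is not part of the Kaspersky documentation or the CyberTrace product, the following Python script shows the comparison this procedure performs by hand: it parses LEEF events with regular expressions, collects the URLs, IP addresses and MD5 hashes they carry, and checks them against the detected objects listed in the table above. The sample events, the attribute names (src, dst, url, md5, msg), the header values and the simplified URL-mask matching are assumptions made for illustration; the expected hashes and URL mask are the ones the table lists.

```python
"""Added example, not part of the Kaspersky CyberTrace documentation or product.

Parses LEEF events with regular expressions, collects URL / IP / MD5 indicators and
compares them with the detections expected by the verification test table. Sample
events, attribute names and the URL-mask semantics are assumptions for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# LEEF 1.0 syntax: LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value
# Constructed events; they are NOT the contents of kl_verification_test_leef.txt.
SAMPLE_EVENTS: List[str] = [
    # EICAR test-file hash, written in lower case to exercise normalisation
    "LEEF:1.0|Vendor|Product|1.0|KL_Verification_Tool|"
    "src=10.0.0.5\tmd5=44d88612fea8a8f36de82e1278abb02f\tmsg=file scanned",
    # mobile botnet CnC URL carrying an extra query string, plus a destination IP
    "LEEF:1.0|Vendor|Product|1.0|KL_Verification_Tool|"
    "src=10.0.0.6\tdst=198.51.100.23\turl=http://sdfed7233dsfg93acvbhl.su/steallallsms.php?id=7",
    # mobile botnet CnC hash
    "LEEF:1.0|Vendor|Product|1.0|KL_Verification_Tool|"
    "src=10.0.0.7\tmd5=001F6251169E6916C455495050A3FB8D",
    # benign traffic: must not produce a detection
    "LEEF:1.0|Vendor|Product|1.0|KL_Verification_Tool|"
    "src=10.0.0.8\turl=https://example.com/index.html\tmsg=benign traffic",
]

# Detections copied from the results table (feed, indicator kind, value).
EXPECTED: List[Tuple[str, str, str]] = [
    ("Malicious Hash Data Feed", "md5", "44D88612FEA8A8F36DE82E1278ABB02F"),
    ("Mobile Botnet CnC URL Data Feed", "md5", "001F6251169E6916C455495050A3FB8D"),
    ("Mobile Botnet CnC URL Data Feed", "url_mask",
     "http://sdfed7233dsfg93acvbhl.su/steallallsms.php"),
]

HEADER_FIELDS = ("leef_version", "vendor", "product", "product_version", "event_id")
HEADER_KEYS = set(HEADER_FIELDS)

# Regular expressions for the indicator types the verification file exercises.
INDICATOR_RE: Dict[str, re.Pattern] = {
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "ip": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"\bhttps?://[^\s|]+", re.IGNORECASE),
}


def parse_leef(line: str) -> Dict[str, str]:
    """Split a LEEF 1.0 line into its five header fields and its key=value attributes."""
    parts = line.rstrip("\r\n").split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError(f"not a LEEF event: {line[:40]!r}")
    event = dict(zip(HEADER_FIELDS, parts[:5]))
    event["leef_version"] = event["leef_version"][len("LEEF:"):]
    for pair in parts[5].split("\t"):
        key, eq, value = pair.partition("=")
        if eq:  # skip empty or malformed attributes instead of failing the whole event
            event[key.strip()] = value.strip()
    return event


def extract_indicators(event: Dict[str, str]) -> Dict[str, Set[str]]:
    """Run every indicator regex over the attribute values, like a regex-based matcher."""
    found: Dict[str, Set[str]] = {kind: set() for kind in INDICATOR_RE}
    for key, value in event.items():
        if key in HEADER_KEYS:
            continue
        for kind, rx in INDICATOR_RE.items():
            for hit in rx.findall(value):
                found[kind].add(hit.upper() if kind == "md5" else hit)
    return found


def url_matches_mask(url: str, mask: str) -> bool:
    """ASSUMED mask semantics (a simplification, not CyberTrace's own algorithm):
    compare without the scheme, case-insensitively, '*' is a wildcard, and the mask
    only has to match a prefix of the URL so that query strings still hit."""
    def strip(u: str) -> str:
        return re.sub(r"^[a-z][a-z0-9+.-]*://", "", u, flags=re.IGNORECASE).lower()
    pattern = ".*".join(re.escape(part) for part in strip(mask).split("*"))
    return re.match(pattern, strip(url)) is not None


def check_results(lines: List[str], expected=EXPECTED) -> Dict[str, List[Tuple[str, str, str]]]:
    """Report which expected detections were observed in the events and which are missing."""
    seen: Dict[str, Set[str]] = {kind: set() for kind in INDICATOR_RE}
    for line in lines:
        for kind, values in extract_indicators(parse_leef(line)).items():
            seen[kind] |= values
    report: Dict[str, List[Tuple[str, str, str]]] = {"detected": [], "missing": []}
    for feed, kind, value in expected:
        if kind == "url_mask":
            hit = any(url_matches_mask(u, value) for u in seen["url"])
        else:
            hit = value.upper() in seen[kind]
        report["detected" if hit else "missing"].append((feed, kind, value))
    return report


if __name__ == "__main__":
    result = check_results(SAMPLE_EVENTS)
    for status in ("detected", "missing"):
        for feed, kind, value in result[status]:
            print(f"{status:8} {feed}: {kind} {value}")
```

To use it against real data, replace SAMPLE_EVENTS with the lines read from the verification file and fill EXPECTED with the table rows for the feeds you actually use; anything reported as missing is either a parsing (regular expression) problem or a feed that is not loaded, which is exactly what the verification test is meant to surface.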
