Kaspersky CyberTrace

Configuring Kaspersky CyberTrace instances

27 February 2024

ID 215368

This section describes how to configure Kaspersky CyberTrace instances for using them in High Availability mode.

To use Kaspersky CyberTrace in High Availability mode, configure all instances of Kaspersky CyberTrace as follows:

  1. Import the same certificate for Kaspersky Threat Data Feeds.
  2. Enable the same Kaspersky Threat Data Feeds.
  3. Enable the same OSINT feeds, and add and configure identical custom and third-party feeds, if required.

    Manually added context fields, as well as indicators in the FalsePositive and InternalTI suppliers that were added by using Kaspersky CyberTrace Web or REST API, must be identical in all Kaspersky CyberTrace instances.

  4. Add the same license key or use Community Edition in all instances.
  5. Add indicators export tasks with identical names and filtering rules.
  6. Specify identical regular expressions for matching the incoming events from Balancer as follows:

    Regular expression for matching the incoming events from Balancer

    Indicator type

    Rule name

    Regular expression




    You can use any allowed name for the regular expression, but make sure to use the same regular expression name in the configuration steps below.

    You can specify the regular expression in the default event source or create a new one.

  7. Specify identical event format settings for detection and informational events.

    Each event must start with the value that was extracted from the incoming event by the REQ regular expression. For example: %REQ% category=%Category% %RecordContext%.

  8. Configure the format of events that are generated by Kaspersky CyberTrace in response to each received event:
    1. Stop Kaspersky CyberTrace Service by running the following command:
      • systemctl stop cybertrace.service (in Linux)
      • sc stop cybertrace (in Windows)
    2. In the OutputSettings > FinishedEventFormat element of the Kaspersky CyberTrace Service configuration file, specify the format of informational events as follows:

      <FinishedEventFormat enabled="true">%REQ% LookupFinished</FinishedEventFormat>

      These events are for internal use only. They are not sent to a SIEM.

    3. Save the configuration file.
    4. Start Kaspersky CyberTrace Service:
      • systemctl start cybertrace.service (in Linux)
      • sc start cybertrace (in Windows)

Optionally, specify the connection settings for sending alert events to Balancer in the Connection settings section of the Settings > Service tab. Use the following parameters from the kl_balancer.conf file:

  • IP address specified in the Balancer element
  • Port specified in the cybertrace_port parameter of the Balancer element

You can send alert events directly to the SIEM.

The settings for sending detection events are not used in High Availability mode, because Balancer receives results of events matching in ReplyBack mode.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.