You can use formats and patterns to include specific information into the events generated by Kaspersky CyberTrace.
Formats are strings that determine the format of an event or pattern. Patterns are special wildcards that you can use when specifying formats. A pattern is replaced by actual data when an event is generated.
About alert and detection events
You can specify formats for two types of events generated by Kaspersky CyberTrace:
These are outgoing events that hold information about detected matches with indicators.
For more information about the format of detection events, see subsection "Detection events format" below.
These are outgoing events that inform the event target software about the state of Feed Service.
For more information about the format of alert events, see subsection "Alert events format" below.
Record context format
The %RecordContext% format specifies how context fields must be added to an event. You can specify a format for this pattern in the Records context format field.
You can use the following patterns in the %RecordContext% format:
The name of the field in the feed.
The value of the field.
The %RecordContext% format is used in the formats of detection and alert events:
The %RecordContext% pattern determines the format of the context fields passed in a detection event.
For example, if %RecordContext% is %ParamName%=%ParamValue%, then for a feed with the "Ip" and "Geo" fields, the following string can be produced (note the space symbol between the data of the two fields): "Ip=192.0.2.100 Geo=ru,br,ua,cz,us".
The %RecordContext% pattern determines the format of the context fields passed in an alert event.
For more information about information contained in alert fields, see section "Alert events sent by Kaspersky CyberTrace".
The fields are specific for each type of alert event. For example, if %RecordContext% is %ParamName%=%ParamValue%, and a feed is updated, the following string can be produced: "feed=Phishing_URL_Data_Feed.json records=200473".
Actionable field context format
The %ActionableFields% format specifies how actionable fields must be added to an event. You can set a separate format for this pattern in the Actionable fields context format field.
You can use the following patterns in the %ActionableFields% format:
The name of the actionable field.
The value of the actionable field.
The %ActionableFields% format is used in the format of detection events:
The %ActionableFields% pattern determines the format of the actionable fields passed in a detection event.
For example, if %ActionableFields% is %ParamName%:%ParamValue%, and the cn1 and cn2 fields are specified for the feed, then the following string can be produced: "cn1:Example Device cn2:Example Environment".
Alert events format
You can specify this format in the Alert events format field.
You can use the following patterns in this format:
The type of the event.
Current date and time in the Mon DD HH:MM:SS format.
Context of the event, as described in the "Record context format" section above.
The following is an example of the alert events format:
%Date% alert=%Alert%%RecordContext% |
If a feed update event is generated, the example above produces the following event:
Apr 16 09:05:41 alert=KL_ALERT_UpdatedFeed feed=Phishing_URL_Data_Feed.json records=200473 |
Detection events format
You can specify this format in the Detection events format field.
You can use the following patterns in this format:
Category of the detected object.
Current date and time in the Mon DD HH:MM:SS format.
This pattern is a name of the regular expression. It is substituted by a value extracted from the event field that matches a regular expression. For example, if a regular expression has the name RE_URL, the pattern for it is %RE_URL%, and the generated event holds the value that matched this regular expression.
Detected indicator (a URL, hash, or IP address) that caused the event.
Event source identifier. This is the name that you specified for the event source on the Matching tab.
The identifier of the preconfigured event source is Default.
The level of confidence. This value is taken from the indicator confidence value of a feed that contains matched indicators from the detection event.
The link to the Kaspersky CyberTrace Web page that contains information about the detected indicator.
Actionable fields, as described in the "Actionable field context format" section above.
Context of the event, as described in the "Record context format section" above.
The following is an example of the OutputSettings > EventFormat element:
%Date% event_name=%Category% source=%SourceId% matchedIndicator=%MatchedIndicator% url=%RE_URL% ip=%RE_IP% md5=%RE_MD5% sha1=%RE_SHA1% sha256=%RE_SHA256% usrName=%RE_USERNAME% indicatorInfo=%IndicatorInfo% confidence=%Confidence%%RecordContext% |
The example above produces the following events:
Apr 16 09:05:41 eventName=KL_Malicious_Hash_MD5 source=ExampleSource matchedIndicator=C912705B4BBB14EC7E78FA8B370532C9 url=- src=192.0.2.4 ip=192.0.2.23 md5=C912705B4BBB14EC7E78FA8B370532C9 sha1=- sha256=- usrName=ExampleUser indicatorInfo=https://127.0.0.1/indicators?value=C912705B4BBB14EC7E78FA8B370532C9 confidence=100 MD5=C912705B4BBB14EC7E78FA8B370532C9 SHA1=8CBB395D31A711D683B1E36842AE851D5D000BAD SHA256=F6E62E9B3AF38A6BF331922B624844AAEB2D3658C4F0A54FA4651EAA6441C933 file_size=2989 first_seen=10.07.2016 23:53 last_seen=13.04.2020 08:08 popularity=1 threat=HEUR:Trojan.Win32.Generic |
Patterns for ArcSight
Feed Service sends service events in the CEF format. The event formats for ArcSight must comply with the requirements of the CEF format.
For detection events, specify the following format:
|
In addition to the general patterns, the detection events format for ArcSight uses the following regular expression patterns referenced by regular expression names:
%DST_IP%—Destination IP address.%DeviceIp%—IP address of the endpoint device where the event occurred.%RE_HASH%—Hash contained in the event.%RE_URL%—URL contained in the event.%Device%—Device vendor.%Product%—Device name.%UserName%—Name of the user that was active on the endpoint device.%Id%—Event identifier. For alert events, specify the following format:
|
In the format above, 4 (or another value from 1 to 10) is the level (severity) of the alert events from Kaspersky CyberTrace.
Patterns for RSA NetWitness
The values of the detection and alert event formats must correspond to the event formats set in the v20_cybertracemsg.xml file. If you change the formats, edit the v20_cybertracemsg.xml file accordingly.
The following is an example of the detection events format:
|
In addition to the general patterns, the detection events format for RSA Net Witness uses the following regular expression patterns referenced by regular expression names:
%RE_URL%—URL contained in the event.%RE_HASH%—Hash contained in the event.%DST_IP%—Destination IP address.%SRC_IP%—Source IP address.%DeviceIp%—IP address of the endpoint device where the event occurred.%Device%—Device vendor.%DeviceAction%—Action taken by the device.%UserName%—Name of the user that was active on the endpoint device.