Step 5. Retrieving custom event properties

This section describes how to configure retrieval of custom event properties from Kaspersky CyberTrace outgoing events, in addition to standard fields. As a result of this setting, the MD5, SHA1, and SHA256 hashes will be extracted and the extraction rule of the Source IP field will be redefined.

To configure retrieval of custom event properties:

1. Select the Log Activity tab, and then click Add Filter.

   The Add Filter form opens.

2. Fill in the form:
   1. In the Parameter drop-down list, select Log Source [Indexed].
   2. In the Operator drop-down list, select Equals.
   3. In the Log Source list, select KL_Threat_Feed_Service_v2.

      The selection KL_Threat_Feed_Service_v2 is the log source name that is set in the OutputSettings > EventFormat element and the OutputSettings > AlertFormat element of the Kaspersky CyberTrace Service configuration file (you can also set them by using Kaspersky CyberTrace Web).

   

   Adding a filter

3. Click Add Filter.
4. Run the verification test, and then stop the events flow by clicking Pause () in the upper-right area of the window.
5. Press Ctrl (or Shift) to select several records, and then select Actions > DSM editor.

   

   The Log Activity window

   The DSM Editor window opens.

   

   The DSM Editor window

6. In the DSM Editor window, click the + button near the Filters text box.

   The Choose a Custom Property Definition to Express form opens.

   

   Choosing a custom property

7. Click Create new.

   The Create a new Custom Property Definition form opens.

8. Fill in the form:
   1. In the Name field, enter MD5.
   2. In the Field Type drop-down list, select Text.
   3. In the Description field, enter a description of the property.
   4. Select the Enable this Property for Use in Rules and Search Indexing check box.
   5. Click Save.

   

   Creating a new custom property definition

9. Add the SHA1 and SHA256 properties similarly.
10. In the Choose a Custom Property Definition to Express window, select the created properties, add URL and Source IP, and then click Select.
11. In the Log Activity Preview section, click Configure and then select the following properties:
    • Event Name
    • IP (custom)
    • MD5 (custom)
    • SHA1 (custom)
    • SHA256 (custom)
    • Source IP
    • URL (custom)
    • Username

    Click Update.

    

    Configuring preview columns

12. On the Properties tab, configure regular expressions as described in the table below:

    Custom property	Regular expression
    MD5	md5=([\da-fA-F]{32})
    SHA1	sha1=([\da-fA-F]{40})
    SHA256	sha256=([\da-fA-F]{64})
    URL	url=([-a-zA-Z0-9()@:%_\+.~#?&\/\/=]{2,})
    Source IP	src=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

    If necessary, type 1 in the Capture Group field.

13. For the Source IP property, select the Override system behavior check box.

    

    Source IP configuration

    When changing the format for outgoing detection events in Kaspersky CyberTrace, the regular expressions that are specified above may require corresponding changes.

    If all of the settings above are specified correctly, you will find the configured Custom properties in the Log Activity Preview section.

14. Click Save and close the window.
15. On the Log Activity tab, perform the new verification test.

    After that, if you open the event received from KL_Threat_Feed_Service_v2, the configured custom properties will be displayed.

    

    Event information