This section describes how to configure retrieval of custom event properties from Kaspersky CyberTrace outgoing events, in addition to standard fields. As a result of this setting, the MD5, SHA1, and SHA256 hashes will be extracted and the extraction rule of the Source IP field will be redefined.
To configure retrieval of custom event properties:
The Add Filter form opens.
Log Source [Indexed]
.Equals
.KL_Threat_Feed_Service_v2
.The selection KL_Threat_Feed_Service_v2
is the log source name that is set in the OutputSettings > EventFormat
element and the OutputSettings > AlertFormat
element of the Feed Service configuration file (you can also set them by using Kaspersky CyberTrace Web).
Adding a filter
The Log Activity window
The DSM Editor window opens.
The DSM Editor window
The Choose a Custom Property Definition to Express form opens.
Choosing a custom property
The Create a new Custom Property Definition form opens.
MD5
.Text
.Creating a new custom property definition
SHA1
and SHA256
properties similarly.Event Name
IP (custom)
MD5 (custom)
SHA1 (custom)
SHA256 (custom)
Source IP
URL (custom)
Username
Click Update.
Configuring preview columns
Custom property |
Regular expression |
MD5 |
|
SHA1 |
|
SHA256 |
|
URL |
|
Source IP |
|
If necessary, type 1
in the Capture Group field.
Source IP configuration
When changing the format for outgoing detection events in Kaspersky CyberTrace, the regular expressions that are specified above may require corresponding changes.
If all of the settings above are specified correctly, you will find the configured Custom properties in the Log Activity Preview section.
After that, if you open the event received from KL_Threat_Feed_Service_v2
, the configured custom properties will be displayed.
Event information