Event format settings

You can manage the settings for formats of events in the CyberTrace web user interface by selecting the Settings tab and then the Events format tab. Depending on the item selected in the drop-down list with all available tenants in the upper-left area of the window, you edit either the general event format settings (if General is selected) or the event format settings for a particular settings tenant (if a particular settings tenant is selected).

Kaspersky CyberTrace events formats

On the Events format tab, you can specify the formats of detection events, alert events, record context, and actionable fields context.

We do not recommend changing the format of events format manually. Select the check boxes with the patterns that you want to use in outgoing events and Kaspersky CyberTrace will update the format automatically.

Some event sources may require that you change the event format, depending on your integration. For more information, see subsection "Setting event formats for specific event sources" below.

For more information about formats and patterns that you can specify, see section "About event formats and patterns".

This tab has the following text fields:

• Alert events format—Specify the format for outgoing events that inform the event target software of the state of Feed Service.
• Detection events format—Specify the format for outgoing detection events.

  This section consists of two subsections:

  • Service fields

    Values of these fields are patterns generated by Kaspersky CyberTrace.

    Select the check boxes with the patterns that you want to use in outgoing detection events. Kaspersky CyberTrace will update the format automatically.

  • Value from the event

    Values of these fields are extracted from the incoming events with regular expressions defined for the event source.

    Select the check boxes with the patterns that you want to use in outgoing detection events. Kaspersky CyberTrace will update the format automatically.

• Records context format—Specify the format in which the names and values of the feed fields are inserted into outgoing events.
• Actionable fields context format—Specify the format in which the names and values of the actionable feed fields are inserted into outgoing events.

Setting event formats for specific SIEM solutions

The correct format of alert and detection events depends on your SIEM solution. If you change the format of events in CyberTrace, you may also need to update your integration with the SIEM solution.

For ArcSight:

• You may need to update the event formats and actionable fields.

  For more information, see section "Step 3. Configuring CyberTrace for interaction with ArcSight".

For Qradar:

• You may need to add parsing for new fields.

  For more information, see section "Step 5. Retrieving custom event properties".

For RSA NetWitness:

• You may need to specify how new fields are parsed.

  For more information, see section "Step 2. Sending events from Feed Service to RSA NetWitness and RSA NetWitness troubleshooting".

For LogRhythm:

• You may need to specify how new fields are parsed.

  For more information, see section "Adding Kaspersky CyberTrace events".

Page top