You can manage the settings for formats of events in the CyberTrace web user interface by selecting the Settings tab and then the Events format tab. Depending on the item selected in the drop-down list with all available tenants in the upper-left area of the window, you edit either the general event format settings (if General is selected) or the event format settings for a particular settings tenant (if a particular settings tenant is selected).
Kaspersky CyberTrace event formats
On the Events format tab, you can specify the formats of detection events, alert events, record context, and actionable fields context.
We do not recommend changing the event format manually. Select the check boxes with the patterns that you want to use in outgoing events, and Kaspersky CyberTrace will update the format automatically.
Some event sources may require that you change the event format, depending on your integration. For more information, see subsection "Setting event formats for specific event sources" below.
For more information about formats and patterns that you can specify, see section "About event formats and patterns".
This tab has the following text fields:
This section consists of two subsections:
Values of these fields are patterns generated by Kaspersky CyberTrace.
Select the check boxes with the patterns that you want to use in outgoing detection events. Kaspersky CyberTrace will update the format automatically.
Values of these fields are extracted from the incoming events with regular expressions defined for the event source.
Select the check boxes with the patterns that you want to use in outgoing detection events. Kaspersky CyberTrace will update the format automatically.
Setting event formats for specific SIEM solutions
The correct format of alert and detection events depends on your SIEM solution. If you change the format of events in CyberTrace, you may also need to update your integration with the SIEM solution.
For ArcSight:
For more information, see section "Step 3. Configuring CyberTrace for interaction with ArcSight".
For QRadar:
For more information, see section "Step 5. Retrieving custom event properties".
For RSA NetWitness:
For more information, see section "Step 2. Sending events from Feed Service to RSA NetWitness and RSA NetWitness troubleshooting".
For LogRhythm:
For more information, see section "Adding Kaspersky CyberTrace events".