Step 3. Configuring CyberTrace for interaction with ArcSight

This section describes how to configure CyberTrace for interaction with ArcSight during normal work.

To configure CyberTrace for interaction with ArcSight:

  1. Open Kaspersky CyberTrace Web.
  2. Select the Settings > Service tab.
  3. In the Connection settings section, for Service listens on, select the IP address and port that Feed Service listens on for incoming events. The IP address and port are set when ArcSight Forwarding Connector is installed (its default value is 127.0.0.1:9999).
  4. Select the Matching tab, and then select the Edit default rules link.

    The Default properties form opens.

  5. On the Normalizing rules tab, do the following:
    • In the Regexp to replace field, enter the symbol sequence \=
    • In the Replace with field, enter the symbol =

    After you make the changes, the Normalizing rules tab must look like this:

    [Image: Normalizing rules tab]

  6. Select the Regular expressions tab. This tab contains universal regular expressions that match URLs (with protocol), hashes, IP addresses (src and dst), device name, vendor name, device IP address, user name, and event ID. Change these regular expressions so that they match the fields in your ArcSight events.
  7. Close the Default properties form.
  8. On the Events format tab, in the Alert events format field, enter the following string:

    CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|1|CyberTrace Service Event|4| reason=%Alert% msg=%RecordContext%

  9. In the Detection events format field, specify the following string:

    CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| reason=%Category% dst=%DST_IP% src=%DeviceIp% fileHash=%RE_HASH% request=%RE_URL% sourceServiceName=%Device% sproc=%Product% suser=%UserName% msg=CyberTrace detected %Category% externalId=%Id% %ActionableFields% cs5Label=MatchedIndicator cs5=%MatchedIndicator% cn3Label=Confidence cn3=%Confidence% cs6Label=Context cs6=%RecordContext%
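To check that the normalizing rule and the Detection events format above fit together, the following added example (not Kaspersky's code) applies the \= rule to a constructed ArcSight CEF line, extracts the fields, and fills the %Name% placeholders of the detection format; the input event, the category name and the confidence value are constructed, not real feed data.

```python
import re

# Constructed sample of an event as forwarded by ArcSight: CEF escapes '=' inside
# extension values as '\=', which is exactly what the Normalizing rule undoes.
SAMPLE_INPUT = ("CEF:0|Vendor|Proxy|1.0|100|Web request|3|src=10.0.0.5 dst=203.0.113.7 "
                "suser=jdoe request=http://example.test/path?id\\=42 "
                "fileHash=d41d8cd98f00b204e9800998ecf8427e")

# Detection events format string from the procedure above, with %Name% placeholders.
DETECTION_FORMAT = (
    "CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| "
    "reason=%Category% dst=%DST_IP% src=%DeviceIp% fileHash=%RE_HASH% request=%RE_URL% "
    "sourceServiceName=%Device% sproc=%Product% suser=%UserName% msg=CyberTrace detected %Category% "
    "externalId=%Id% %ActionableFields% cs5Label=MatchedIndicator cs5=%MatchedIndicator% "
    "cn3Label=Confidence cn3=%Confidence% cs6Label=Context cs6=%RecordContext%")

def normalize(event: str) -> str:
    """Normalizing rule from this page: the regexp '\\=' is replaced with '='."""
    return re.sub(r"\\=", "=", event)

def parse_cef(event: str) -> dict:
    """Return the seven CEF header fields plus the extension key/value pairs."""
    parts = re.split(r"(?<!\\)\|", event, maxsplit=7)   # '\|' is an escaped pipe
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = dict(zip(["version", "vendor", "product", "dev_version",
                       "signature", "name", "severity"], parts[:7]))
    # Extension: a value runs until the next ' key=' token or the end of the line.
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7]):
        fields[key] = value
    return fields

def render_detection(values: dict) -> str:
    """Fill the %Name% placeholders; placeholders left unfilled are dropped."""
    out = DETECTION_FORMAT
    for name, value in values.items():
        out = out.replace(f"%{name}%", value)
    return re.sub(r"\s*%\w+%", "", out)

def build_detection(raw: str) -> str:
    """Normalize one forwarded event and emit the CyberTrace detection event for it."""
    ev = parse_cef(normalize(raw))
    return render_detection({
        "Category": "Malicious_URL",            # constructed category name
        "DST_IP": ev.get("dst", ""), "DeviceIp": ev.get("src", ""),
        "RE_HASH": ev.get("fileHash", ""), "RE_URL": ev.get("request", ""),
        "Device": ev["product"], "Product": ev["product"], "UserName": ev.get("suser", ""),
        "Id": "1", "MatchedIndicator": ev.get("request", ""), "Confidence": "100",
        "ActionableFields": "cs1Label=Source cs1=constructed", "RecordContext": "constructed"})
```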

ArcSight and actionable fields

The following actionable fields are used in Kaspersky Data Feeds. You can review the actionable fields on the Settings > Feeds tab. For more information, see section "Adding actionable fields to a feed".

Clearing ArcSight fields occupied by information from Kaspersky Data Feeds

If you want to use a CEF field for data other than information from Kaspersky Data Feeds, you must clear this field.

To clear a CEF field:

  1. Select the Settings tab of Kaspersky CyberTrace Web.
  2. Select the Feeds tab.
  3. In the Filtering rules for feeds section, make sure the Kaspersky feeds tab is selected and then click the Kaspersky Threat Data Feed that contains the field that you want to clear.
  4. In the Actionable fields section, find the Output field containing the name of the CEF field that you want to clear.
  5. Click the Delete icon next to the Output field that you found in the previous step.
