This section describes how to configure CyberTrace for interaction with ArcSight during normal work.
To configure CyberTrace for interaction with ArcSight:
127.0.0.1:9999
).The Default properties form opens.
\=
=
After you make the changes, the Normalizing rules tab must look like this:
Normalizing rules tab
CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|1|CyberTrace Service Event|4| reason=%Alert% msg=%RecordContext%
CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| reason=%Category% dst=%DST_IP% src=%DeviceIp% fileHash=%RE_HASH% request=%RE_URL% sourceServiceName=%Device% sproc=%Product% suser=%UserName% msg=CyberTrace detected %Category% externalId=%Id% %ActionableFields% cs5Label=MatchedIndicator cs5=%MatchedIndicator% cn3Label=Confidence cn3=%Confidence% cs6Label=Context cs6=%RecordContext%
ArcSight and actionable fields
The following actionable fields are used in Kaspersky Data Feeds. You can review the actionable fields on the Settings > Feeds tab. For more information, see section "Adding actionable fields to a feed".
Field name |
Output |
CEF field |
mask |
cs1 |
deviceCustomString1 |
first_seen |
flexString1 |
flexString1 |
last_seen |
flexString2 |
flexString2 |
popularity |
cn2 |
deviceCustomNumber2 |
threat |
cs3 |
deviceCustomString3 |
urls/url |
cs4 |
deviceCustomString4 |
whois/domain |
cs2 |
deviceCustomString2 |
Field name |
Output |
CEF field |
first_seen |
flexString1 |
flexString1 |
last_seen |
flexString2 |
flexString2 |
popularity |
cn2 |
deviceCustomNumber2 |
threat |
cs3 |
deviceCustomString3 |
urls/url |
cs4 |
deviceCustomString4 |
file_size |
fsize |
file_size |
Field name |
Output |
CEF field |
first_seen |
flexString1 |
flexString1 |
last_seen |
flexString2 |
flexString2 |
popularity |
cn2 |
deviceCustomNumber2 |
threat_score |
cn1 |
deviceCustomNumber1 |
domains |
cs2 |
deviceCustomString2 |
urls/url |
cs4 |
deviceCustomString4 |
files/threat |
cs3 |
deviceCustomString3 |
Field name |
Output |
CEF field |
mask |
cs1 |
deviceCustomString1 |
first_seen |
flexString1 |
flexString1 |
last_seen |
flexString2 |
flexString2 |
popularity |
cn2 |
deviceCustomNumber2 |
files/threat |
cs3 |
deviceCustomString3 |
category |
cs4 |
deviceCustomString4 |
whois/domain |
cs2 |
deviceCustomString2 |
Field name |
Output |
CEF field |
first_seen |
flexString1 |
flexString1 |
last_seen |
flexString2 |
flexString2 |
popularity |
cn2 |
deviceCustomNumber2 |
threat |
cs3 |
deviceCustomString3 |
file_size |
fsize |
file_size |
Field name |
Output |
CEF field |
mask |
cs1 |
deviceCustomString1 |
first_seen |
flexString1 |
flexString1 |
last_seen |
flexString2 |
flexString2 |
popularity |
cn2 |
deviceCustomNumber2 |
industry |
deviceFacility |
deviceFacility |
whois/domain |
cs2 |
deviceCustomString2 |
Field name |
Output |
CEF field |
threat |
cs3 |
deviceCustomString3 |
Field name |
Output |
CEF field |
detection_date |
flexString1 |
flexString1 |
publication_name |
cs3 |
deviceCustomString3 |
Field name |
Output |
CEF field |
detection_date |
flexString1 |
flexString1 |
publication_name |
cs3 |
deviceCustomString3 |
Field name |
Output |
CEF field |
detection_date |
flexString1 |
flexString1 |
publication_name |
cs3 |
deviceCustomString3 |
Field name |
Output |
CEF field |
mask |
cs1 |
deviceCustomString1 |
first_seen |
flexString1 |
flexString1 |
last_seen |
flexString2 |
flexString2 |
popularity |
cn2 |
deviceCustomNumber2 |
files/threat |
cs3 |
deviceCustomString3 |
Clearing ArcSight fields occupied by information from Kaspersky Data Feeds
If you want to use a CEF field for data other than information from Kaspersky Data Feeds, you must clear this field.
To clear a CEF field: