Adding normalizing rules

This section explains how to add normalizing rules to an event source.

About normalizing rules

Normalizing rules are used for transforming events. After Kaspersky CyberTrace applies normalizing rules to an incoming event, the event is processed using regular expressions.

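There are two types of normalizing rules:

  • Replacing rules, which replace text that matches a regular expression with a specified replacement.
  • Ignoring rules, which ignore events that contain a specified regular expression.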

If the replacing rules and ignoring rules are set, replacing rules are applied first and ignoring rules are applied second.

In the specified regular expressions, the asterisk (*) and question mark (?) are not treated as wildcard characters.
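The following sketch is an added example, not Kaspersky CyberTrace code. It models the order described above (replacing rules, then ignoring rules, then the regular expressions that process the event) and shows what happens when an ignoring rule is written with a wildcard-style asterisk. Python's re module stands in for the product's regular expression engine, whose dialect may differ; the events, rules and function names are constructed for illustration.

```python
import re

def normalize(event, replacing, ignoring):
    """Return the transformed event, or None if an ignoring rule drops it."""
    for pattern, replacement in replacing:   # replacing rules are applied first
        event = re.sub(pattern, replacement, event)
    for pattern in ignoring:                 # ignoring rules see the replaced text
        if re.search(pattern, event):
            return None
    return event

def extract_urls(events, replacing, ignoring):
    """Normalize each event, then run an indicator regex on what is left."""
    urls = []
    for raw in events:
        event = normalize(raw, replacing, ignoring)
        if event is not None:
            urls.extend(re.findall(r"https?://\S+", event))
    return urls

# Constructed sample events from a hypothetical mail gateway that defangs URLs.
EVENTS = [
    "mailgw host=devgw1 url=hxxp://malicious[.]example/a",
    "mailgw host=dev-07 url=http://test.example/b",
    "mailgw host=mx2 url=hxxp://intranet[.]example/wiki",
]

# Constructed replacing rules: (Regexp to replace, Replace with).
REPLACING = [("hxxp", "http"), (r"\[\.\]", ".")]

# Constructed ignoring rules. The second one matches only because the
# replacing rules have already restored "http" and "." in the event.
IGNORING = [r"host=dev-\d+", r"url=http://intranet\.example"]

# Wildcard-style mistake: as a regular expression, "dev-*" means "dev"
# followed by zero or more "-", so it also matches "host=devgw1".
IGNORING_GLOB = [r"host=dev-*"]

if __name__ == "__main__":
    print(extract_urls(EVENTS, REPLACING, IGNORING))
    print(extract_urls(EVENTS, REPLACING, IGNORING_GLOB))
```

With the wildcard-style rule, the event from devgw1 is ignored before any indicator is extracted from it, so an overly broad ignoring rule shows up as missing detections rather than as an error.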

Adding normalizing rules

To add a normalizing rule:

  1. Navigate to the Settings page.
  2. Open the Matching tab.
  3. Locate an event source that must use the new normalizing rule. Click to open source properties.

    The window with the properties of the selected event source opens.

  4. Locate the Normalizing rules tab.
  5. Select the Apply normalizing rules check box.
  6. If normalizing rules are already specified for the event source, add a new entry. Click Add new rule to add extra text boxes for new rule parameters.
  7. Specify rule parameters:
    • For a replacing rule, specify a regular expression in the Regexp to replace text box and a replacement in the Replace with text box.
    • For an ignoring rule, specify a regular expression in the Ignore events that contain this expression text box.
  8. Click the OK button.