Creating notifications about incoming service events

You can create notifications about incoming Kaspersky CyberTrace service events by configuring alert rules.

To create notifications about service events from Kaspersky CyberTrace in RSA NetWitness:

  1. On the RSA NetWitness menu, select Monitor > Reports, and then select Manage > Rules.

    Manage > Rules form

  2. In the Groups section, select CyberTrace_Rules.

    CyberTrace rules

  3. In the Rules section, click the Add split button. In the drop-down list, select NetWitness Platform DB.

    The Build Rule window opens.

  4. In the Build Rule window, specify the following settings:
    • In the Name field, specify the name of the rule.

      You can specify any name.

    • In the Summarize field, specify a value other than None if you want to aggregate events.
    • In the Select field, specify the fields whose values are used in notifications.

      In service events, Kaspersky CyberTrace uses the msg and action fields.

    • In the Where field, specify the notification conditions. For example:

      device.type='cybertrace' && action contains 'KL_ALERT'

      This condition matches all Kaspersky CyberTrace service events.

    • If necessary, fill in the remaining fields as you choose.

    The Build Rule window

  5. Click the Test Rule button to make sure that the specified rule is checked correctly.

    The Test Rule window

  6. Click Save to save the rule.
  7. Click Use, and in the window that opens, select Alert and then Select.

    The Use Rule window

    The Create/Modify Alert window opens.

  8. In the Create/Modify Alert window, specify the following settings:
    • In the Data Source field, select an event source with Kaspersky CyberTrace events.
    • In the Description field, specify the alert description.

      You can specify any description.

    • In the Severity field, specify the severity of the alert.
    • In the Notification field, specify the following settings:
      • The way that RSA NetWitness will notify you about alerts.
      • The body of the alert.

    The Create/Modify Alert window

  9. Click Create to save the rule.

    The rule will now be added to the Alert list of the Manage > Alerts tab.

  10. To browse all alerts that comply with the created rule, click the View Alerts button.