About event format patterns

You can use formats and patterns to include specific information into the events generated by Kaspersky CyberTrace.

Formats are strings that determine the format of an event or pattern. Patterns are special wildcards that you can use when specifying formats. A pattern is replaced by actual data when an event is generated.

About alert and detection events

You can specify formats for two types of events generated by Kaspersky CyberTrace:

Record context format

The %RecordContext% format specifies how context fields must be added to an event. You can specify a format for this pattern in the Records context format field.

You can use the following patterns in the %RecordContext% format:

The %RecordContext% format is used in the formats of detection and alert events:

Actionable field context format

The %ActionableFields% format specifies how actionable fields must be added to an event. You can set a separate format for this pattern in the Actionable fields context format field.

You can use the following patterns in the %ActionableFields% format:

The %ActionableFields% format is used in the format of detection events:

The %ActionableFields% pattern determines the format of the actionable fields passed in a detection event.

For example, if %ActionableFields% is %ParamName%:%ParamValue%, and the cn1 and cn2 fields are specified for the feed, then the following string can be produced: "cn1:Example Device cn2:Example Environment".

Alert events format

You can specify this format in the Alert events format field.

You can use the following patterns in this format:

The following is an example of the alert events format:

%Date% alert=%Alert%%RecordContext%

If a feed update event is generated, the example above produces the following event:

Apr 16 09:05:41 alert=KL_ALERT_UpdatedFeed feed=Phishing_URL_Data_Feed.json records=200473

Detection events format

You can specify this format in the Detection events format field.

You can use the following patterns in this format:

The following is an example of the OutputSettings > EventFormat element:

%Date% event_name=%Category% source=%SourceId% matchedIndicator=%MatchedIndicator% url=%RE_URL% ip=%RE_IP% md5=%RE_MD5% sha1=%RE_SHA1% sha256=%RE_SHA256% usrName=%RE_USERNAME% indicatorInfo=%IndicatorInfo% confidence=%Confidence%%RecordContext%

The example above produces the following events:

Apr 16 09:05:41 eventName=KL_Malicious_Hash_MD5 source=ExampleSource matchedIndicator=C912705B4BBB14EC7E78FA8B370532C9 url=- src=192.0.2.4 ip=192.0.2.23 md5=C912705B4BBB14EC7E78FA8B370532C9 sha1=- sha256=- usrName=ExampleUser indicatorInfo=https://127.0.0.1/indicators?value=C912705B4BBB14EC7E78FA8B370532C9 confidence=100 MD5=C912705B4BBB14EC7E78FA8B370532C9 SHA1=8CBB395D31A711D683B1E36842AE851D5D000BAD SHA256=F6E62E9B3AF38A6BF331922B624844AAEB2D3658C4F0A54FA4651EAA6441C933 file_size=2989 first_seen=10.07.2016 23:53 last_seen=13.04.2020 08:08 popularity=1 threat=HEUR:Trojan.Win32.Generic

Patterns for ArcSight

Feed Service sends service events in the CEF format. The event formats for ArcSight must comply with the requirements of the CEF format.

For detection events, specify the following format:

CEF:0|Kaspersky Lab|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| reason=%Category% dst=%DST_IP% src=%DeviceIp% fileHash=%RE_HASH% request=%RE_URL% sourceServiceName=%Device% sproc=%Product% suser=%UserName% msg=CyberTrace detected %Category% externalId=%Id% %ActionableFields% cs5Label=MatchedIndicator cs5=%MatchedIndicator% cs6Label=Context cs6=%RecordContext%

In addition to the general patterns, the detection events format for ArcSight uses the following regular expression patterns referenced by regular expression names:

For alert events, specify the following format:

CEF:0|Kaspersky Lab|Kaspersky CyberTrace for ArcSight|2.0|1|CyberTrace Service Event|4| reason=%Alert% msg=%RecordContext%

In the format above, 4 (or another value from 1 to 10) is the level (severity) of the alert events from Kaspersky CyberTrace.

Patterns for RSA NetWitness

The values of the detection and alert event formats must correspond to the event formats set in the v20_cybertracemsg.xml file. If you change the formats, edit the v20_cybertracemsg.xml file accordingly.

The following is an example of the detection events format:

<232>%CyberTrace:MATCH_EVENT category=%Category%,detected=%MatchedIndicator%,url=%RE_URL%,hash=%RE_HASH%,dst=%DST_IP%,src=%SRC_IP%,dvc=%DeviceIp%,dev_name=%Device%,dev_action=%DeviceAction%,user=%UserName%,actF:%ActionableFields%,context=%RecordContext%

In addition to the general patterns, the detection events format for RSA Net Witness uses the following regular expression patterns referenced by regular expression names:

Page top