Step 8 (optional). Creating notifications about incoming service events

You can create notifications about issues with Kaspersky CyberTrace by configuring alert rules.

To create notifications about service events from Kaspersky CyberTrace in QRadar:

  1. Run QRadar Console.
  2. Select any of the Offenses, Log Activity or Network Activity tabs, and then select Rules.
  3. In the Actions drop-down list, select New Event Rule.

    New event rule

    The Rules page

    The Rule Wizard page opens.

  4. On the Rule Wizard page, click Next to select the source from which you want the rule to be generated.

    Rule Wizard

    The Rules Wizard window

  5. Select Events, and then click Next.
  6. On the Rule Test Stack Editor page, perform the following actions:
    • Add the following test conditions for a new rule:
      • when the event(s) were detected by one or more of these log sources
      • when the event matches this search filter
    • For each specified condition, set a logical and operator.
    • For the when the event(s) were detected by one or more of these log sources condition, specify Log Source that is equal to KL_Threat_Feed_Service_v2. If this event source is absent, add Feed Service as a log source.
    • For the when the event matches this search filter condition, specify a filter for comparing Event Name with the value of the event source name by performing the following actions:
      1. In the list of the event fields, select Event Name.
      2. In the list of conditions, select Equals.
      3. Click Browse to choose the name of the service event for which the rule is created.

        Adding a filter

      4. Click Add+, and then Submit.

        If the necessary event is absent, add it to the QRadar Identifiers (QID) list.

    • Enter the name of the rule and select the way in which this rule will be applied to the incoming events (Local or Global). For more information about the Local and Global rules, see IBM documentation.
    • Select the group that you need for the rule.
    • Add a description for the rule.

    Rule editor

    The Rule Editor window

    • Click Next.
  7. On the Rule Response page, perform the following actions:
    • Select Notify.
    • If necessary, specify a limit on a rule triggering in the Response Limiter section.
    • Check the Enable Rule section.

    Rule editor2

    The Rule Editor page

    • Click Next
  8. On the Rule Summary page, make sure that all settings are specified correctly, and click Finish.

    Rule summary

    The Rule Summary page

    The rule will now be added to the Rules list.

    Rules list

    The Rules list

The added rule generates a notification about an incoming service event. You can browse these notifications by clicking the Messages drop-down list. Also, notifications are displayed in QRadar Console as a pop-up message.

Messages list

The Messages drop-down list

You can configure displaying of notifications on the Dashboard tab.

System notifications

System notifications on the Dashboard tab

To configure displaying of notifications on the Dashboard tab:

  1. Select the Dashboard tab.
  2. In the Add Item drop-down list, select System Notifications.

    Configuring system notifications

    Adding system notifications on the Dashboard tab

Page top