This section describes how you can import files that contain Kaspersky CyberTrace rules and events to LogRhythm.
If for any reason the import fails, you can add Kaspersky CyberTrace events and Kaspersky CyberTrace rules manually.
To import files with Kaspersky CyberTrace rules to LogRhythm:
For each file in the mperule_%event_name%.xml format from the integration/logrhythm/events/ directory, perform the following actions: set the MPERuleToMST > MsgSourceTypeID and the MsgSourceType > MsgSourceTypeID elements to the log source type ID you made a note of in the previous step. For example, <MsgSourceTypeID>1000000001</MsgSourceTypeID> must change to <MsgSourceTypeID>%CYBERTRACE_ID%</MsgSourceTypeID>, where %CYBERTRACE_ID% stands for the log source type ID of Kaspersky CyberTrace.
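The element substitution described above, as an added example that is not part of the Kaspersky CyberTrace distribution: it rewrites only the MPERuleToMST > MsgSourceTypeID and MsgSourceType > MsgSourceTypeID elements, validates the ID, and refuses files that do not look like MPE rule files. The root element name and the extra <Other> element in the constructed sample are assumptions, not the real file layout.

```python
"""Rewrite MsgSourceTypeID values in Kaspersky CyberTrace MPE rule files for LogRhythm."""
from pathlib import Path
import xml.etree.ElementTree as ET

# Parent elements whose MsgSourceTypeID child must carry the CyberTrace log source type ID.
PARENTS = ("MPERuleToMST", "MsgSourceType")


def set_source_type_id(xml_text: str, cybertrace_id: int) -> tuple[str, int]:
    """Return the rule XML with every MPERuleToMST/MsgSourceTypeID and
    MsgSourceType/MsgSourceTypeID set to cybertrace_id, plus the number of elements changed."""
    if not (isinstance(cybertrace_id, int) and cybertrace_id > 0):
        raise ValueError("log source type ID must be a positive integer")
    root = ET.fromstring(xml_text)
    changed = 0
    for parent in root.iter():
        if parent.tag in PARENTS:
            for elem in parent.findall("MsgSourceTypeID"):
                if elem.text != str(cybertrace_id):
                    elem.text = str(cybertrace_id)
                    changed += 1
    # Guard against silently "processing" a file that is not an MPE rule file at all.
    if changed == 0 and not any(p.tag in PARENTS for p in root.iter()):
        raise ValueError("no MPERuleToMST/MsgSourceType elements found; not an MPE rule file?")
    return ET.tostring(root, encoding="unicode"), changed


def rewrite_rule_files(events_dir: Path, cybertrace_id: int) -> dict[str, int]:
    """Process every mperule_*.xml in events_dir in place; returns {filename: replacements}."""
    results = {}
    for path in sorted(events_dir.glob("mperule_*.xml")):
        new_text, changed = set_source_type_id(path.read_text(encoding="utf-8"), cybertrace_id)
        if changed:
            path.write_text(new_text, encoding="utf-8")
        results[path.name] = changed
    return results


# Constructed sample: the <MPERule> root and <Other> wrapper are assumptions; only the
# MPERuleToMST and MsgSourceType parents and the MsgSourceTypeID child come from the docs.
SAMPLE_RULE = """<MPERule>
  <MsgSourceType><MsgSourceTypeID>1000000001</MsgSourceTypeID></MsgSourceType>
  <MPERuleToMST><MsgSourceTypeID>1000000001</MsgSourceTypeID></MPERuleToMST>
  <Other><MsgSourceTypeID>1000000001</MsgSourceTypeID></Other>
</MPERule>"""

if __name__ == "__main__":
    text, count = set_source_type_id(SAMPLE_RULE, 1000000123)  # 1000000123 is a made-up ID
    print(count, "elements changed")
    print(text)
```

Run it once against a copy of the events directory and compare the per-file counts with the number of files before importing, so a rule file that was skipped is noticed before the LogRhythm import.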
The Rule Builder form opens.
If the import succeeds, the Rule Import Status window opens.
The Rule Browser window opens.
A window with rule settings opens.
Note that the imported rule arrives in LogRhythm in the Development status and may not appear in the list of all rules. To display such rules in the Rule Browser window that opens, select View > Show Development rules.
The corresponding common events and MPE Rules will be added to LogRhythm for all events. The full list of the events is described in the section about adding Kaspersky CyberTrace events. The full list of MPE rules and their settings is described in the section about adding Kaspersky CyberTrace rules.
Some of the imported Kaspersky CyberTrace events might have a low Risk Rating according to the LogRhythm classification. Depending on the filters configuration, LogRhythm might ignore such events. Please check the classification and make sure that the Risk Rating of imported events allows LogRhythm to accept and process them correctly.