Step 6. Creating a search filter for CyberTrace events

This section describes how to create an event search.

To create an event search:

1. Stop the events flow by clicking Pause () in the upper-right area of the window.
2. In QRadar Console, select the Log Activity tab.
3. Select Search > New Search.

   

   New search

4. In the Column Definition form, add MD5 (custom), SHA1 (custom), SHA256 (custom), URL (custom), IP (custom) from the Available Columns to the Columns list.

   

   Defining columns

5. Scroll down the page and in the Search Parameters form, set KL_Threat_Feed_Service_v2 as the log source:
   1. In the Parameter drop-down list, select Log Source [Indexed].
   2. In the Operator drop-down list, select Equals.
   3. In the Log Source list, select KL_Threat_Feed_Service_v2.

      The selection KL_Threat_Feed_Service_v2 is the log source name that is set in the OutputSettings > EventFormat element and the OutputSettings > AlertFormat element of the Feed Service configuration file (you can also set them by using Kaspersky CyberTrace Web).

   4. Click the Add Filter button.

      The Log Source is KL_Threat_Feed_Service_v2 string will be added to the Current Filters list.

   

   Setting the log source

6. Click either the Search button to display the search result.
7. Click the Save Criteria button.

   

   Save Criteria button

8. In the Save Criteria form, type the name of the search in the Search Name text box, select the Include in my Quick Searches checkbox and then specify the analyzed interval for created search (for example, Real Time).
9. Click OK.

   

   Saving criteria