Step 5. Retrieving custom event properties

This section describes how to configure retrieval of custom event properties from Kaspersky CyberTrace outgoing events in addition to the standard fields. With this configuration, the MD5, SHA1, and SHA256 hashes are extracted, and the extraction rule for the Source IP field is redefined.

To configure retrieval of custom event properties:

  1. Select the Log Activity tab, and then click the Add Filter button.

    The Add Filter form opens.

  2. Fill in the form:
    1. In the Parameter drop-down list, select Log Source [Indexed].
    2. In the Operator drop-down list, select Matched.
    3. In the Log Source list, select KL_Threat_Feed_Service_v2.

      The KL_Threat_Feed_Service_v2 selection is the log source name that is set in the OutputSettings > EventFormat element and the OutputSettings > AlertFormat element of the Feed Service configuration file (you can also set them by using Kaspersky CyberTrace Web).

    Adding a filter in QRadar

  3. Click Add Filter.
  4. Run the verification test, and then stop the flow of events by clicking Pause in the upper-right area of the window.
  5. Press the CTRL key (or the SHIFT key) to select several records, and then select Actions > DSM editor.

    The Log Activity window

    The DSM Editor window opens.

    The DSM Editor window

  6. In the DSM Editor window, click the plus sign button (+) near the Filters text box.

    The Choose a Custom Property Definition to Express form opens.

    Choosing a custom property

  7. Click Create new.

    The Create a new Custom Property Definition form opens.

  8. Fill in the form:
    1. In the Name field, enter MD5.
    2. In the Field Type drop-down list, select Text.
    3. In the Description field, enter a description of the property.
    4. Select the Enable this Property for Use in Rules and Search Indexing check box.

    Creating a new custom property definition

  9. Add the SHA1, SHA256, URL and IP properties in the same way.
  10. In the Choose a Custom Property Definition to Express window, select the created properties, then click Select.
  11. In the Log Activity Preview section, click Configure and then select the following properties:
    • Event Name
    • IP (custom)
    • MD5 (custom)
    • SHA1 (custom)
    • SHA256 (custom)
    • Source IP
    • URL (custom)
    • Username

    Configuring preview columns

  12. On the Properties tab, configure regular expressions as described in the table below:

    Custom property    Regular expression
    MD5                md5=([\da-fA-F]{32})
    SHA1               sha1=([\da-fA-F]{40})
    SHA256             sha256=([\da-fA-F]{64})
    URL                url=([-a-zA-Z0-9()@:%_\+.~#?&\/\/=]{2,})
    Source IP          src=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
    IP                 ip=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

    For the MD5, SHA1, SHA256, URL and IP custom properties, specify 1 in the Capture Group field. For the Source IP property, specify $1 in the Format String field.

  13. For the Source IP property, select the Override system behavior check box.

    Source IP configuration

    If you change the format of outgoing detection events in Kaspersky CyberTrace, the regular expressions specified above may need to be changed accordingly.

    If all the settings above are specified correctly, the configured custom properties appear in the Log Activity Preview section.

  14. Click Save and close the window.
  15. On the Log Activity tab, perform the new verification test.

    If you now open the event received from KL_Threat_Feed_Service_v2, the configured custom properties will be displayed.

    Event information
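The following added example (not part of the Kaspersky documentation) applies the six regular expressions from the table in step 12 to a constructed CyberTrace-style event, using Python's re module as a stand-in for QRadar's regex engine. The event layout, hash values and addresses are constructed samples, not the actual EventFormat; the second event shows what happens when the format changes, as the note after step 13 warns.

```python
import re

# Regular expressions exactly as entered in the QRadar DSM Editor (step 12).
# Capture group 1 is the value QRadar stores in the custom property.
PROPERTY_REGEX = {
    "MD5":       r"md5=([\da-fA-F]{32})",
    "SHA1":      r"sha1=([\da-fA-F]{40})",
    "SHA256":    r"sha256=([\da-fA-F]{64})",
    "URL":       r"url=([-a-zA-Z0-9()@:%_\+.~#?&\/\/=]{2,})",
    "Source IP": r"src=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    "IP":        r"ip=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
}

# Constructed key=value event in the style the table expects. The hashes are
# the well-known digests of the empty string, the addresses are documentation ranges.
SAMPLE_EVENT = (
    "KL_Threat_Feed_Service_v2: alert=ExampleDetection "
    "md5=d41d8cd98f00b204e9800998ecf8427e "
    "sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709 "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "url=http://example.com/path?id=1 src=192.0.2.10 ip=198.51.100.7"
)

# Constructed event after a hypothetical EventFormat change: the MD5 key became
# "hash_md5:", so the md5= pattern no longer matches while src= still does.
REFORMATTED_EVENT = (
    "KL_Threat_Feed_Service_v2: hash_md5:d41d8cd98f00b204e9800998ecf8427e src=192.0.2.10"
)


def extract_properties(event: str) -> dict:
    """Return capture group 1 for every property, or None where the pattern
    does not match (QRadar then leaves that custom property empty).
    The patterns are unanchored, so a key that merely ends in the same text
    (e.g. a hypothetical 'dstip=') would also satisfy the ip= pattern."""
    result = {}
    for name, pattern in PROPERTY_REGEX.items():
        match = re.search(pattern, event)
        result[name] = match.group(1) if match else None
    return result


if __name__ == "__main__":
    for name, value in extract_properties(SAMPLE_EVENT).items():
        print(f"{name:<10} {value}")
    print("after format change:", extract_properties(REFORMATTED_EVENT))
```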