Step 4 (optional). Importing Feed Service rules to RSA NetWitness

The Kaspersky CyberTrace distribution kit contains the CyberTrace_Rules.zip file in the integration/additional_elements directory. This file contains a set of rules. You can use these rules to create reports, alerts, and dashboards.

To import the Feed Service rules to RSA NetWitness:

  1. On the RSA NetWitness menu, select Dashboard > Reports.

    In RSA NetWitness 11, you select Monitor > Reports instead.

  2. Click the Settings split button (200203) and select Import.

    17

    Importing rules

  3. Choose the CyberTrace_Rules.zip file.
  4. In the Import Rule window, select the Rule check box and the List check box.

    If you import the CyberTrace_Rules.zip file for the first time, you may leave these check boxes cleared.

  5. Click the Import button.

    18

    Importing Feed Service rules

The rules imported to RSA NetWitness are listed in the table below.

Rule

Description

CyberTrace Detect Botnet

Selects those detection events from Feed Service that have the Botnet category.

The following fields are selected:

  • url
  • checksum
  • ip.src
  • user.src
  • event.source

CyberTrace Detect Malware Hash

Selects hash detection events from Feed Service.

The following fields are selected:

  • virusname
  • checksum
  • ip.src
  • user.src
  • event.source

CyberTrace Detect Malware IP

Selects IP address detection events from Feed Service.

The following fields are selected:

  • virusname
  • ip.dst
  • ip.src
  • user.src
  • event.source

CyberTrace Detect Malware URL

Selects URL detection events from Feed Service.

The following fields are selected:

  • virusname
  • url
  • ip.src
  • user.src
  • event.source

CyberTrace Detect Stat

Selects all the categories involved in the detection process.

The following fields are selected:

  • virusname

CyberTrace Service events

Selects service events from Feed Service.

The following fields are selected:

  • action
  • msg

CyberTrace Top 10 IP

Selects Top 10 detected IP addresses.

The following fields are selected:

  • ip.dst

CyberTrace Top 10 URL

Selects Top 10 detected URLs.

The following fields are selected:

  • url

CyberTrace Top 10 Hash

Selects Top 10 detected hashes.

The following fields are selected:

  • checksum

CyberTrace Detected users

Calculates the number of detection events per user.

Page top