QRadar troubleshooting

This section provides information to help you solve problems you might encounter when using Kaspersky CyberTrace with QRadar.

If you encounter a problem while using Kaspersky CyberTrace, the specialists at Kaspersky can assist you. Contact your technical account manager (TAM) for more information about solutions to problems.

Problem: QRadar does not display the events from Feed Service or displays them incorrectly

To solve this problem, try the following actions:

Problem: Feed Service does not receive events from QRadar

To solve this problem, try the following actions:

Problem: After Kaspersky Threat Feed App is installed and custom event properties are added, some of these event properties are incorrectly extracted from the detection event context

To solve this problem, try the following actions:

  1. In QRadar Console, select Admin > Custom Event Properties.
  2. Locate the custom event properties with the Log Source Type value of Kaspersky CyberTrace by sorting the table by log source type.
  3. Select the row corresponding to the property that is extracted incorrectly and click Edit.

    The Custom Event Property Definition window opens.

  4. In the Test Field form, paste an example of an event generated by Kaspersky CyberTrace that contains the incorrectly extracted property.
  5. In the Property Expression Definition pane, in the Extraction section, change the value in the RegEx field from %property%=([^=]*)(?:\s[^=]+=) to %property%=\[(.*)\], where %property% is the property name.
  6. Click Test to make sure the required part of the event is highlighted in the Test Field form.
  7. Click Save to apply the changes.
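The following Python snippet is an added example, not part of the Kaspersky CyberTrace documentation or product, that reproduces what step 6 (Test) shows in the Custom Event Property Definition window: it applies the original expression and the replacement from step 5 to a constructed CyberTrace-style event. The event text, its field names and the non-greedy variant are assumptions for illustration.

```python
import re

# Constructed sample event (not a real CyberTrace payload): a LEEF-style header
# followed by tab-separated key=[value] fields, as step 5 assumes for bracketed values.
SAMPLE_EVENT = (
    "LEEF:1.0|Kaspersky|CyberTrace|1.0|KL_Malicious_URL\t"
    "detected=[http://malicious.example/path?id=7&x=y]\t"
    "threat=[Trojan.Generic]\t"
    "first_seen=[01.01.2020 00:00]"
)

LEGACY = r"{prop}=([^=]*)(?:\s[^=]+=)"   # expression the procedure replaces
BRACKETED = r"{prop}=\[(.*)\]"           # expression the procedure recommends
BRACKETED_LAZY = r"{prop}=\[(.*?)\]"     # assumed tightening, not from the page


def extract(template, prop, event):
    """Apply a QRadar-style capture-group regex to one event payload.

    Returns the first capture group, or None when nothing matches, which is
    what an empty custom property in QRadar corresponds to.
    """
    pattern = template.format(prop=re.escape(prop))
    match = re.search(pattern, event)
    return match.group(1) if match else None


def compare(prop, event=SAMPLE_EVENT):
    """Extract one property with all three expressions side by side."""
    return {
        "legacy": extract(LEGACY, prop, event),
        "bracketed": extract(BRACKETED, prop, event),
        "bracketed_lazy": extract(BRACKETED_LAZY, prop, event),
    }


if __name__ == "__main__":
    for name in ("detected", "threat", "first_seen"):
        print(name, compare(name))
```

Two things this makes visible that the procedure alone does not: the original expression fails entirely when the value itself contains "=" (a URL with a query string) or when the property is the last field in the event, and captures the brackets along with the value otherwise; and because ".*" is greedy, the replacement runs to the last "]" on the line whenever further bracketed fields follow, which is exactly what the highlight in step 6 reveals. A non-greedy ".*?" (the assumed variant above) stops at the closing bracket of the property's own value.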

Problem: After Kaspersky Threat Feed App is installed, no chart is displayed

To solve this problem, try the following actions:

Problem: A search cannot be made using Kaspersky Threat Feed App, or the self-test of Kaspersky Threat Feed App fails

To solve this problem, try the following actions:

Problem: When you add a new regular expression to the event output format, QRadar extracts the incorrect corresponding value from Kaspersky CyberTrace detection events

To solve this problem, make sure that event fields in a row are separated by a tab character, as required by the LEEF standard.
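As an added example (not code from the Kaspersky CyberTrace documentation or product), the following Python checker parses a LEEF 1.0 payload on the tab delimiter and flags fields whose value appears to have swallowed the following key=value pairs, which is the symptom of fields separated by spaces instead of tabs. The sample payloads and field names are constructed for illustration.

```python
import re

# Constructed sample payloads (not real CyberTrace output). LEEF 1.0 separates the
# header from the attributes, and the attributes from each other, with a tab.
TAB_SEPARATED = (
    "LEEF:1.0|Kaspersky|CyberTrace|1.0|KL_Malicious_URL\t"
    "detected=[http://malicious.example/a]\tthreat=[Trojan.Generic]\tconfidence=[100]"
)
# Same event with every tab replaced by a space: QRadar sees one oversized field.
SPACE_SEPARATED = TAB_SEPARATED.replace("\t", " ")
# Only one separator is wrong, so only one attribute absorbs its neighbour.
MIXED = (
    "LEEF:1.0|Kaspersky|CyberTrace|1.0|KL_Malicious_URL\t"
    "detected=[http://malicious.example/a] threat=[Trojan.Generic]\tconfidence=[100]"
)

KEY_VALUE = re.compile(r"^([^=\s]+)=(.*)$", re.DOTALL)
# Whitespace followed by something that looks like another key= inside a value.
SUSPECT = re.compile(r"\s[^=\s]+=")


def parse_leef(payload):
    """Split a LEEF 1.0 payload into (header fields, attribute dict) on tabs."""
    header, _, body = payload.partition("\t")
    attrs = {}
    for field in (body.split("\t") if body else []):
        match = KEY_VALUE.match(field)
        if match:
            attrs[match.group(1)] = match.group(2)
    return header.split("|"), attrs


def find_delimiter_problems(payload):
    """Return the names of fields that appear to contain neighbouring key=value pairs.

    "header" means the event ID (last header component) ran into the attributes,
    i.e. not even the first tab was present.
    """
    header, attrs = parse_leef(payload)
    problems = []
    if SUSPECT.search(header[-1]):
        problems.append("header")
    problems.extend(key for key, value in attrs.items() if SUSPECT.search(value))
    return problems


if __name__ == "__main__":
    for label, payload in (("tab", TAB_SEPARATED), ("space", SPACE_SEPARATED), ("mixed", MIXED)):
        print(label, parse_leef(payload)[1], find_delimiter_problems(payload))
```

Run it against a raw payload copied from the QRadar log activity view; an empty result for a line means every field was split as the LEEF standard expects, while any flagged name points at the separator that needs to become a tab in the event output format.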
