Feed Service checks incoming events against the feeds specified in the Feeds > Feed elements. For each specified feed, matching rules are set with one or more Field elements. Each Field element describes how a particular field in the feed must match the data from incoming events.
The following is an example of a Field element:
<Field name="mask" matching_type="Url" input_regexp_to_match="RE_URL" category="KL_BotnetCnC_URL" />
The Field element must have the following attributes:
name
The name of the field in the feed must be specified in the name attribute. Note that field names are case-sensitive. For example, "md5" and "MD5" are different fields.
To specify nested fields, use the '/' delimiter. For example, name="detail/info" specifies the info field in a feed that has the following content:
[ { "hash":"234D123...", "detail": [ { "info" : "some value" } ] } ]
matching_type
The type of matching must be specified in the matching_type attribute. The following values are possible:
"Url"
The event field is checked for conformance to the URL masks stored in the feed. For more information about the format of the masks stored in feeds, contact your technical account manager (TAM).
"Exact"
The two strings are compared for equality: the event field and the field stored in the feed.
"Hash"
The event field is checked for equality with the hash value stored in the feed. This matching type is used only for hashes.
input_regexp_to_match
The name of the regular expression that is used for matching. The value of this attribute must be one of the regular expression names defined in the InputSettings > RegExps element.
category
The category that will be used in the outgoing event.
All the attributes of the Field element are required.
The following is an example of the feed matching rules for a specific feed:
<Feed filename="Botnet_CnC_URL_Data_Feed.json">
    <Field name="mask" matching_type="Url" input_regexp_to_match="RE_URL" category="KL_BotnetCnC_URL" />
    <Field name="files/MD5" matching_type="Hash" input_regexp_to_match="RE_MD5" category="KL_BotnetCnC_Hash_MD5" />
    <Field name="files/SHA1" matching_type="Hash" input_regexp_to_match="RE_SHA1" category="KL_BotnetCnC_Hash_SHA1" />
    <Field name="files/SHA256" matching_type="Hash" input_regexp_to_match="RE_SHA256" category="KL_BotnetCnC_Hash_SHA256" />
</Feed>
The following is an example of the feed matching rules for the same feed for ArcSight, where a single RE_HASH regular expression is used for all three hash fields:
<Feed filename="Botnet_CnC_URL_Data_Feed.json">
    <Field name="mask" matching_type="Url" input_regexp_to_match="RE_URL" category="KL_BotnetCnC_URL" />
    <Field name="files/MD5" matching_type="Hash" input_regexp_to_match="RE_HASH" category="KL_BotnetCnC_Hash_MD5" />
    <Field name="files/SHA1" matching_type="Hash" input_regexp_to_match="RE_HASH" category="KL_BotnetCnC_Hash_SHA1" />
    <Field name="files/SHA256" matching_type="Hash" input_regexp_to_match="RE_HASH" category="KL_BotnetCnC_Hash_SHA256" />
</Feed>
If you have events that contain the event source IP address, we recommend that you also check them against IP Reputation Data Feed, because the event source itself may be a bot or another kind of malicious device taking part in a DoS attack on your resources. To check such events against IP Reputation Data Feed, add an SRC_IP regular expression that extracts the event source IP address, and add a rule for IP Reputation Data Feed that uses the SRC_IP regular expression, so that the configuration file contains the following records:
<Feed filename="IP_Reputation_Data_Feed.json">
    <Field name="ip" matching_type="Exact" input_regexp_to_match="RE_IP" category="KL_IP_Reputation" />
    <Field name="ip" matching_type="Exact" input_regexp_to_match="SRC_IP" category="KL_IP_Reputation" />
</Feed>
Also, add a reference to the value found by the SRC_IP regular expression (%SRC_IP%) to the OutputSettings > EventFormat element.
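The following Python script is an added example written for this page, not Feed Service code. It illustrates the Field semantics described above (case-sensitive field names, '/' nesting through JSON arrays, the Url, Exact and Hash matching types, and checking both the destination and source IP addresses against IP Reputation Data Feed with two Field rules over the same feed field) by matching a few constructed events against constructed feed records. The regular expressions standing in for InputSettings > RegExps, the feed records, the events, the case-insensitive hash comparison and the URL mask syntax (treated here as a glob where '*' matches any run of characters, because the real mask format is not described on this page) are all assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed matching rules in the Feed/Field format described above
# (written for this example, not a shipped configuration file).
RULES_XML = """
<Feeds>
  <Feed filename="Botnet_CnC_URL_Data_Feed.json">
    <Field name="mask" matching_type="Url" input_regexp_to_match="RE_URL" category="KL_BotnetCnC_URL" />
    <Field name="files/MD5" matching_type="Hash" input_regexp_to_match="RE_MD5" category="KL_BotnetCnC_Hash_MD5" />
  </Feed>
  <Feed filename="IP_Reputation_Data_Feed.json">
    <Field name="ip" matching_type="Exact" input_regexp_to_match="RE_IP" category="KL_IP_Reputation" />
    <Field name="ip" matching_type="Exact" input_regexp_to_match="SRC_IP" category="KL_IP_Reputation" />
  </Feed>
</Feeds>
"""

# Stand-ins for the InputSettings > RegExps element. The patterns are
# assumptions; a capture group, when present, selects the value to match.
REGEXPS = {
    "RE_URL": r"https?://[^\s\"']+",
    "RE_MD5": r"\b[0-9a-fA-F]{32}\b",
    "RE_IP": r"dst=(\d{1,3}(?:\.\d{1,3}){3})",
    "SRC_IP": r"src=(\d{1,3}(?:\.\d{1,3}){3})",
}

# Constructed feed records keyed by feed file name (not real indicators).
FEEDS = {
    "Botnet_CnC_URL_Data_Feed.json": [
        {"mask": "http://bad.example/*",
         "files": [{"MD5": "0123456789abcdef0123456789abcdef"}]},
    ],
    "IP_Reputation_Data_Feed.json": [{"ip": "203.0.113.7"}],
}

# Constructed incoming events.
EVENTS = [
    "src=203.0.113.7 dst=198.51.100.20 url=http://bad.example/c2/beacon",
    "src=192.0.2.10 dst=203.0.113.7 md5=0123456789ABCDEF0123456789ABCDEF",
    "src=192.0.2.10 dst=192.0.2.11 md5=ffffffffffffffffffffffffffffffff",
]


def field_values(record, name):
    """Resolve a '/'-delimited field name against one feed record.

    Keys are matched case-sensitively ("md5" and "MD5" differ). When an
    intermediate value is a list, as in "detail": [ {...} ], every element
    is traversed, so name="detail/info" reaches the nested "info" value.
    """
    values = [record]
    for segment in name.split("/"):
        nxt = []
        for value in values:
            for item in value if isinstance(value, list) else [value]:
                if isinstance(item, dict) and segment in item:
                    nxt.append(item[segment])
        values = nxt
    flat = []
    for value in values:
        flat.extend(value if isinstance(value, list) else [value])
    return [v for v in flat if isinstance(v, str)]


def matches(matching_type, event_value, feed_value):
    """Apply one matching_type to an extracted event value and a feed value."""
    if matching_type == "Exact":
        return event_value == feed_value
    if matching_type == "Hash":
        # Assumption for this example: hashes compare case-insensitively.
        return event_value.lower() == feed_value.lower()
    if matching_type == "Url":
        # Assumption: a glob-style mask in which '*' matches any run of
        # characters; the real mask format is not described on this page.
        pattern = ".*".join(re.escape(part) for part in feed_value.split("*"))
        return re.fullmatch(pattern, event_value) is not None
    raise ValueError(f"unknown matching_type {matching_type!r}")


def extract(event, regexp_name):
    """Pull candidate values out of an event with a named regular expression."""
    pattern = re.compile(REGEXPS[regexp_name])
    return [m.group(1) if m.groups() else m.group(0)
            for m in pattern.finditer(event)]


def check_event(event, rules_xml=RULES_XML, feeds=FEEDS):
    """Return (category, feed_value, event_value) for every matching Field rule."""
    hits = []
    for feed in ET.fromstring(rules_xml).iter("Feed"):
        records = feeds[feed.get("filename")]
        for field in feed.iter("Field"):
            for event_value in extract(event, field.get("input_regexp_to_match")):
                for record in records:
                    for feed_value in field_values(record, field.get("name")):
                        if matches(field.get("matching_type"), event_value, feed_value):
                            hits.append((field.get("category"), feed_value, event_value))
    return hits


if __name__ == "__main__":
    for event in EVENTS:
        print(event, "->", check_event(event))
```

The first event hits both the URL mask and, through the second Field rule with SRC_IP, the IP reputation record for its source address; the second event hits the MD5 hash despite the different letter case and the same IP record through RE_IP as the destination address; the third event matches nothing.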