About output format settings

Feed Service uses output settings defined in the OutputSettings element to create outgoing events.

Elements that define the format for outgoing events

Four elements define the format for outgoing events:

• OutputSettings > RecordFieldContextFormat

  Defines the format in which the names and values of the feed fields are inserted into the outgoing events. These result strings (name-value pairs of feed fields) are referred to by the pattern "%RecordContext%" in OutputSettings > EventFormat and OutputSettings > AlertFormat.

• OutputSettings > ActionableFieldContextFormat

  Defines the format in which the names and values of actionable feed fields are inserted into the outgoing events. These result strings (name-value pairs of actionable feed fields) are referred to by the pattern "%ActionableFields%" in OutputSettings > EventFormat.

• OutputSettings > EventFormat

  Defines the final format for outgoing detection events. It refers to intermediate substrings—name-value pairs of feed fields, defined by the OutputSettings > RecordFieldContextFormat element—by the pattern "%RecordContext%".

• OutputSetings > AlertFormat

  Defines the format for outgoing events that inform the event target software of the state of Feed Service.

All of the above elements are strings in which values substitute for patterns. For example, the %Date% pattern is substituted with the current time stamp.

Patterns for OutputSettings > RecordFieldContextFormat

OutputSettings > RecordFieldContextFormat uses the following patterns:

• %ParamName%

  The name of the field in the feed.

• %ParamValue%

  The value of the field.

The following is an example of OutputSettings > RecordFieldContextFormat:

<RecordFieldContextFormat><![CDATA[ %ParamName%=%ParamValue%]]></RecordFieldContextFormat>

For a feed with the "Ip" and "Geo" fields, this example will produce the following output string (note the space symbol between the data of the two fields): "Ip=10.10.10.10 Geo=ru,br,ua,cz,us"

Patterns for OutputSettings > ActionableFieldContextFormat

OutputSettings > ActionableFieldContextFormat uses the following patterns:

• %ParamName%

  The name of the field in the feed.

• %ParamValue%

  The value of the field.

The following is an example of OutputSettings > ActionableFieldContextFormat:

<ActionableFieldContextFormat><![CDATA[ %ParamName%:%ParamValue%]]></ActionableFieldContextFormat>

Patterns for OutputSettings > EventFormat

OutputSettings > EventFormat uses the following patterns:

• %Category%

  The value provided in the category attribute of the Feeds > Feed > Field element.

• %RecordContext%

  Values of the record fields, formatted in the pattern OutputSettings > RecordFieldContextFormat.

• %Date%

  Current time stamp.

• %MatchedIndicator%

  The detected indicator (the URL, hash, or IP address) that caused the event.

• %ActionableFields%

  Actionable feed fields that will be added to the outgoing event.

• %SourceId%

  The event source identifier, namely, the value of the id attribute of the Source element that the matching regular expression belongs to.

• Regular expression names

  Values from the event fields that matched regular expressions defined in InputSettings > RegExps. For example, if a regular expression has the name RE_URL, the %RE_URL% pattern is substituted with the value that matched this regular expression.

The following is an example of the OutputSettings > EventFormat element:

<EventFormat>%Date% category=%Category% url=%RE_URL% ip=%RE_IP% md5=%RE_MD5% sha1=%RE_SHA1% sha256=%RE_SHA256% usrName=%RE_USERNAME%%RecordContext%</EventFormat>

The OutputSettings > AlertFormat element uses the following patterns:

• %Alert%

  The type of the event.

• %Date%

  Current time stamp.

• %RecordContext%

  Additional parameters for an event formatted according to OutputSettings > RecordFieldContextFormat.

  Depending on the type of event, %RecordContext% generates different outputs.

Patterns for OutputSettings > EventFormat (ArcSight)

Feed Service sends service events in CEF format, and so the value contained in the AlertFormat element must comply with the requirements of this format.

In the EventFormat element, specify the following string:

<EventFormat><![CDATA[CEF:0|Kaspersky Lab|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| reason=%Category% dst=%DST_IP% src=%DeviceIp% fileHash=%RE_HASH% request=%RE_URL% sourceServiceName=%Device% sproc=%Product% suser=%UserName% msg=CyberTrace detected %Category% externalId=%Id% %ActionableFields% cs5Label=MatchedIndicator cs5=%MatchedIndicator% cs6Label=Context cs6=%RecordContext%]]></EventFormat>

Here

• %Category%—Category of the URL or of the hash.

  This value is assigned by Feed Service.

• %DST_IP%—Destination IP address.
• %DeviceIp%—IP address of the endpoint device where the event occurred.
• %RE_HASH%—Hash contained in the event.
• %RE_URL%—URL contained in the event.
• %Device%—Device vendor.

  This value corresponds to the Device element (regular expression) in the RegExps element.

• %Product%—Device name.

  This value corresponds to the Product element (regular expression) in the RegExps element.

• %UserName%—Name of the user that was active on the endpoint device.
• %Id%—Event identifier.

  This value corresponds to the EventId element (regular expression) in the RegExps element.

• %ActionableFields%—Actionable feed fields that will be added to the outgoing event.
• %MatchedIndicator%—Detected indicator (URL, hash, or IP address) that caused the event.
• %RecordContext%—Context of the feed record that was involved in the detection process.

In the AlertFormat element, specify the following string:

<AlertFormat><![CDATA[CEF:0|Kaspersky Lab|Kaspersky CyberTrace for ArcSight|2.0|1|CyberTrace Service Event|4| reason=%Alert% msg=%RecordContext%]]></AlertFormat>

Here

• 4 (or another value from 1 to 10)—Level (severity) of the service events from Feed Service.
• %Alert%—Information about the Feed Service state.
• %RecordContext%—Context information about the service event.

Patterns for OutputSettings > EventFormat (RSA NetWitness)

The values of the OutputSettings > EventFormat and OutputSettings > AlertFormat elements must correspond to the event formats set in the v20_cybertracemsg.xml file. So if you change the values of these elements, edit the v20_cybertracemsg.xml file accordingly.

The following is an example of the OutputSettings > EventFormat element:

<EventFormat><![CDATA[<232>%CyberTrace:MATCH_EVENT category=%Category%,detected=%MatchedIndicator%,url=%RE_URL%,hash=%RE_HASH%,dst=%DST_IP%,src=%SRC_IP%,dvc=%DeviceIp%,dev_name=%Device%,dev_action=%DeviceAction%,user=%UserName%,actF:%ActionableFields%,context=%RecordContext%]]></EventFormat>

Here

• %Category%—The value provided in the category attribute of the Feeds > Feed > Field element.
• %MatchedIndicator%—The detected indicator (the URL, hash, or IP address) that caused the event.
• %RE_URL%—URL contained in the event.
• %RE_HASH%—Hash contained in the event.
• %DST_IP%—Destination IP address.
• %SRC_IP%—Source IP address.
• %DeviceIp%—IP address of the endpoint device where the event occurred.
• %Device%—Device vendor.

  This value corresponds to the Device element (regular expression) in the RegExps element.

• %DeviceAction%—Action taken by the device.
• %UserName%—Name of the user that was active on the endpoint device.
• %ActionableFields%—Actionable feed fields that will be added to the outgoing event.
• %RecordContext%—Additional parameters for an event.

  Depending on the event type, %RecordContext% generates different outputs.

Types of alert events

The following types of alert events can be sent:

• KL_ALERT_ConfigurationUpdated

  This event is generated if Feed Service has reloaded the configuration file.

  For this event type, %RecordContext% contains no parameters.

• KL_ALERT_FeedBecameAvailable

  This event is generated if a feed that can be used with the current certificate has become available.

  For this event type, %RecordContext% contains the feed parameter with the name of the feed.

• KL_ALERT_FeedBecameUnavailable

  This event is generated if a feed that is being used with the current certificate has become unavailable.

  For this event type, %RecordContext% contains the feed parameter with the name of the feed.

• KL_ALERT_OutdatedFeed

  This event is generated if a feed has not been updated during the specified period.

  For this event type, %RecordContext% contains the feed parameter with the name of the feed.

• KL_ALERT_ServiceUnavailable

  This event is generated when the watchdog module has detected that Feed Service has crashed or frozen.

  For this event type, %RecordContext% contains no parameters.

• KL_ALERT_ServiceStopped

  This event is generated when Feed Service is stopped successfully.

  For this event type, %RecordContext% contains no parameters.

• KL_ALERT_ServiceStarted

  This event is generated when Feed Service is started successfully.

  For this event type, %RecordContext% contains no parameters.

• KL_ALERT_UpdatedFeed

  This event is generated when a feed is updated and loaded by Feed Service.

  For this event type, %RecordContext% contains the feed parameter (the name of the feed) and the records parameter (the number of records loaded from the feed).

• KL_ALERT_FailedToUpdateFeed

  This event is generated when Feed Service fails to load a new feed and continues using an old feed.

  For this event type, %RecordContext% contains the feed parameter (the name of the feed) and the error parameter (error message from Feed Utility or the text "Error while applying feed <FeedName>").

• KL_ALERT_LicenseExpires

  This event is generated to inform you that the license key that is being used will expire in less than 30 days.

  For this event type, %RecordContext% contains the license_name parameter (the name of the license key) and the expiration_date parameter (the expiration date of the license key).

• KL_ALERT_LicenseExpired

  This event is generated when your license key has expired.

  For this event type, %RecordContext% contains the license_name parameter (the name of the license key) and the expiration_date parameter (the expiration date of the license key).

• KL_ALERT_EPSLimitExceeded

  This event is generated when the limit on the number of processed events per second (EPS) imposed by the licensed key or licensing level has been exceeded.

  For this event type, %RecordContext% contains the current_eps parameter (the actual number of EPS that arrive in Feed Service) and the license_limit_eps parameter (the limit on the number of EPS that is imposed by the license key or licensing level).

• KL_ALERT_EPSHardLimit

  This event is generated when Feed Service limits the number of events processed per second to the maximum number of events for the current license key or licensing level. The limit applies regardless of the number of incoming events.

  For this event type, %RecordContext% contains the license_limit_eps parameter (the limit on the number of EPS).

• KL_ALERT_FeedLoadedPartially

  This event is generated when a feed is not loaded or is loaded partially due to the limit on the maximum number of indicators imposed by the license key or licensing level.

  For this event type, %RecordContext% contains the feed parameter (the name of the feed) and the loaded_records parameter (the number of records loaded from the feed).

• KL_ALERT_LicenseChanged

  This event is generated when Kaspersky CyberTrace starts to use another license key or licensing level.

  For this event type, %RecordContext% contains the license_name parameter (the name of the new license key, if it is used), the expiration_date parameter (the expiration date of the new license key, if it is used), and the licensing_level parameter (the licensing level).

Page top