This section describes how to configure Feed Service for interaction with ArcSight during normal work.
Specify the following data in the Feed Service configuration file (you can also make these changes by using Kaspersky CyberTrace Web):
The InputSettings > RegExp > Source id="default" element contains universal regular expressions that match URLs (with protocol), hashes, IP addresses (src and dst), device name, vendor name, device IP address, user name, and event ID. Change these regular expressions to match the events.

In the InputSettings > ConnectionString element, specify the IP address and port of the event destination that are set when installing ArcSight Forwarding Connector (its default value is 127.0.0.1:9999).

In the NormalizingRules element, specify the rule that replaces the symbol sequence \= with the symbol = as follows:

<NormalizingRules>
<Replace input="\=" output="=" />
</NormalizingRules>

In the OutputSettings > ConnectionString element, specify the IP address and port of the installed ArcSight SmartConnector (its default value is 127.0.0.1:9998).

In the EventFormat element, specify the following string:

<![CDATA[CEF:0|Kaspersky Lab|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| reason=%Category% dst=%DST_IP% src=%DeviceIp% fileHash=%RE_HASH% request=%RE_URL% sourceServiceName=%Device% sproc=%Product% suser=%UserName% msg=CyberTrace detected %Category% externalId=%Id% %ActionableFields% cs5Label=MatchedIndicator cs5=%MatchedIndicator% cs6Label=Context cs6=%RecordContext%]]>
Here:

%Category% — Category of the detected URL, IP address, or hash
%DST_IP% — Destination IP address
%RE_HASH% — Hash of the object
%RE_URL% — URL
%DeviceIp% — IP address of the device that sent the event
%Product% — Name of the device that sent the event
%Device% — Vendor of the device that sent the event
%UserName% — Name of the user that executed the request
%Id% — Identifier of the original event in ArcSight
%RecordContext% — Context of the feed record that was involved in the detection process
%MatchedIndicator% — Detected indicator
%ActionableFields% — Fields of the feed record that are inserted in the detection event apart from the context

In the AlertFormat element, specify the following string:

<![CDATA[CEF:0|Kaspersky Lab|Kaspersky CyberTrace for ArcSight|2.0|1|CyberTrace Service Event|4| reason=%Alert% msg=%RecordContext%]]>

Here:

%Alert% — Service event from Feed Service
%RecordContext% — Context information about the service event

Specifying actionable fields
Specify the actionable fields in the Feed Service configuration file in the Feeds > Feed > ActionableFields elements (or do this in Kaspersky CyberTrace Web). Each ActionableField element maps a feed record field (name) to the CEF extension key (output_name) that carries it in the detection event; because every Feed element has its own ActionableFields element, the same field names recur below once per feed.
<ActionableField name="mask" output_name="cs1" />
<ActionableField name="first_seen" output_name="flexString1" />
<ActionableField name="last_seen" output_name="flexString2" />
<ActionableField name="popularity" output_name="cn2" />
<ActionableField name="threat" output_name="cs3" />
<ActionableField name="urls/url" output_name="cs4" />
<ActionableField name="whois/domain" output_name="cs2" />
<ActionableField name="first_seen" output_name="flexString1" />
<ActionableField name="last_seen" output_name="flexString2" />
<ActionableField name="popularity" output_name="cn2" />
<ActionableField name="threat" output_name="cs3" />
<ActionableField name="urls/url" output_name="cs4" />
<ActionableField name="file_size" output_name="fsize" />
<ActionableField name="first_seen" output_name="flexString1" />
<ActionableField name="last_seen" output_name="flexString2" />
<ActionableField name="popularity" output_name="cn2" />
<ActionableField name="threat_score" output_name="cn1" />
<ActionableField name="domains" output_name="cs2" />
<ActionableField name="category" output_name="cs4" />
<ActionableField name="files/threat" output_name="cs3" />
<ActionableField name="mask" output_name="cs1" />
<ActionableField name="first_seen" output_name="flexString1" />
<ActionableField name="last_seen" output_name="flexString2" />
<ActionableField name="popularity" output_name="cn2" />
<ActionableField name="files/threat" output_name="cs3" />
<ActionableField name="category" output_name="cs4" />
<ActionableField name="whois/domain" output_name="cs2" />
<ActionableField name="first_seen" output_name="flexString1" />
<ActionableField name="last_seen" output_name="flexString2" />
<ActionableField name="popularity" output_name="cn2" />
<ActionableField name="threat" output_name="cs3" />
<ActionableField name="file_size" output_name="fsize" />
<ActionableField name="mask" output_name="cs1" />
<ActionableField name="first_seen" output_name="flexString1" />
<ActionableField name="last_seen" output_name="flexString2" />
<ActionableField name="popularity" output_name="cn2" />
<ActionableField name="industry" output_name="deviceFacility" />
<ActionableField name="whois/domain" output_name="cs2" />
<ActionableField name="AV Verdict" output_name="cs3" />
<ActionableField name="threat" output_name="cs3"/>
<ActionableField name="severity" output_name="cs3" />
<ActionableField name="detection_date" output_name="flexString1" />
<ActionableField name="detection_date" output_name="flexString1"/>
<ActionableField name="publication_name" output_name="cs3"/>
<ActionableField name="detection_date" output_name="flexString1"/>
<ActionableField name="publication_name" output_name="cs3"/>
<ActionableField name="detection_date" output_name="flexString1"/>
<ActionableField name="publication_name" output_name="cs3"/>
<ActionableField name="mask" output_name="cs1" />
<ActionableField name="first_seen" output_name="flexString1" />
<ActionableField name="last_seen" output_name="flexString2" />
<ActionableField name="popularity" output_name="cn2" />
<ActionableField name="files/threat" output_name="cs3" />
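As an added example (not code from the Kaspersky CyberTrace documentation or product), the Python below parses CEF lines in the EventFormat and AlertFormat shown above, resolves the csNLabel/csN pairs (cs5Label=MatchedIndicator, cs6Label=Context), distinguishes detection events (signature ID 2) from service events (signature ID 1), and applies the NormalizingRules replacement of \= with =. The sample event and every value in it are constructed; cs1 and cs2 are filled as if the mask and whois/domain actionable fields from the mapping above had been inserted, and Label keys for those two are not assumed.

```python
import re

# Constructed sample (not a real detection): the page's EventFormat with its %placeholders%
# filled in, as SmartConnector would receive it. cs1/cs2 carry the mask and whois/domain
# actionable fields; the cs5/cs6 Label keys are the ones fixed in the EventFormat string.
SAMPLE_DETECTION = (
    "CEF:0|Kaspersky Lab|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| "
    "reason=Malicious_URL dst=192.0.2.10 src=198.51.100.5 fileHash= "
    "request=http://bad.example/p?id\\=1 sourceServiceName=ExampleVendor sproc=proxy01 "
    "suser=jdoe msg=CyberTrace detected Malicious_URL externalId=42 "
    "cs1=bad.example/* cs2=bad.example "
    "cs5Label=MatchedIndicator cs5=bad.example/p cs6Label=Context cs6=type\\=url"
)
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def unescape_extension(value: str) -> str:
    """Undo CEF extension escaping: \\= -> =, \\\\ -> \\, \\n and \\r -> line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line: str) -> dict:
    """Split a CEF line into its 7 header fields and a dict of extension key=value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)  # a pipe escaped as \| stays in its field
    if len(parts) != 8:
        raise ValueError("CEF header needs exactly 7 pipe-delimited fields")
    header = {k: v.replace("\\|", "|").replace("\\\\", "\\") for k, v in zip(HEADER_FIELDS, parts[:7])}
    # Extension values may contain spaces (msg=...), so split only on whitespace that is
    # followed by the next key=; an escaped \= inside a value never starts a new key.
    extension = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", parts[7].strip()):
        key, _, raw = token.partition("=")
        extension[key] = unescape_extension(raw)
    return {"header": header, "extension": extension}

def labeled_fields(extension: dict) -> dict:
    """Resolve csNLabel/csN pairs to {label: value}, as ArcSight shows custom strings."""
    return {label: extension[key[:-5]] for key, label in extension.items()
            if key.endswith("Label") and key[:-5] in extension}

def event_kind(parsed: dict) -> str:
    """Map the signature ID used in EventFormat (2) and AlertFormat (1) to an event kind."""
    return {"2": "detection", "1": "service"}.get(parsed["header"]["signature_id"], "unknown")

def apply_normalizing_rules(line: str, rules=(("\\=", "="),)) -> str:
    """Apply the NormalizingRules from the page (Replace input="\\=" output="=") to an incoming event."""
    for needle, replacement in rules:
        line = line.replace(needle, replacement)
    return line
```

Feeding the parser a few events captured at the SmartConnector side is a quick way to confirm that the EventFormat string survived the hop intact and that request values with an escaped = are still recoverable.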