This section describes how you can add Kaspersky CyberTrace events to LogRhythm manually.
Skip this step if the import described in section "Step 2. Importing Kaspersky CyberTrace rules and events" succeeds.
To add Kaspersky CyberTrace events to LogRhythm:
Common Event Manager menu item
The Common Event Manager window opens.
Classification for every event in the table below: "Security : Compromise"

| Event | Description |
|---|---|
| KL_APT_Hash_MD5 | Hash of a malicious file used in an APT campaign is detected by Kaspersky CyberTrace. |
| KL_APT_IP | IP address used in an APT campaign is detected by Kaspersky CyberTrace. |
| KL_APT_URL | URL used in an APT campaign is detected by Kaspersky CyberTrace. |
| KL_BlackList_Hash_MD5 | Hash is in the black list of Kaspersky CyberTrace. |
| KL_BlackList_Hash_SHA1 | Hash is in the black list of Kaspersky CyberTrace. |
| KL_BlackList_Hash_SHA256 | Hash is in the black list of Kaspersky CyberTrace. |
| KL_BlackList_IP | IP address is in the black list of Kaspersky CyberTrace. |
| KL_BlackList_URL | URL is in the black list of Kaspersky CyberTrace. |
| KL_BotnetCnC_Hash_MD5 | Botnet hash is detected by Kaspersky CyberTrace. |
| KL_BotnetCnC_Hash_SHA1 | Botnet hash is detected by Kaspersky CyberTrace. |
| KL_BotnetCnC_Hash_SHA256 | Botnet hash is detected by Kaspersky CyberTrace. |
| KL_BotnetCnC_URL | Botnet C&C URL is detected by Kaspersky CyberTrace. |
| KL_Exploit_Hash_MD5 | Hash of an exploit is detected by Kaspersky CyberTrace. |
| KL_Exploit_Hash_SHA1 | Hash of an exploit is detected by Kaspersky CyberTrace. |
| KL_Exploit_Hash_SHA256 | Hash of an exploit is detected by Kaspersky CyberTrace. |
| KL_IoT_Hash_MD5 | Hash associated with IoT threats is detected by Kaspersky CyberTrace. |
| KL_IoT_Hash_SHA1 | Hash associated with IoT threats is detected by Kaspersky CyberTrace. |
| KL_IoT_Hash_SHA256 | Hash associated with IoT threats is detected by Kaspersky CyberTrace. |
| KL_IoT_URL | URL that infects Internet of Things-enabled (IoT) devices is detected by Kaspersky CyberTrace. |
| KL_IP_Reputation | Malicious or suspicious IP address is detected by Kaspersky CyberTrace. |
| KL_IP_Reputation_Hash_MD5 | Hash of a file hosted on a malicious or suspicious IP address is detected by Kaspersky CyberTrace. |
| KL_IP_Reputation_Hash_SHA1 | Hash of a file hosted on a malicious or suspicious IP address is detected by Kaspersky CyberTrace. |
| KL_IP_Reputation_Hash_SHA256 | Hash of a file hosted on a malicious or suspicious IP address is detected by Kaspersky CyberTrace. |
| KL_Malicious_URL | Malicious URL is detected by Kaspersky CyberTrace. |
| KL_Malicious_URL_Hash_MD5 | Hash of a file hosted on a malicious URL is detected by Kaspersky CyberTrace. |
| KL_Malicious_URL_Hash_SHA1 | Hash of a file hosted on a malicious URL is detected by Kaspersky CyberTrace. |
| KL_Malicious_URL_Hash_SHA256 | Hash of a file hosted on a malicious URL is detected by Kaspersky CyberTrace. |
| KL_Malicious_Hash_MD5 | Malicious hash is detected by Kaspersky CyberTrace. |
| KL_Malicious_Hash_SHA1 | Malicious hash is detected by Kaspersky CyberTrace. |
| KL_Malicious_Hash_SHA256 | Malicious hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_Malicious_Hash_MD5 | Mobile malicious hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_Malicious_Hash_SHA1 | Mobile malicious hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_Malicious_Hash_SHA256 | Mobile malicious hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_BotnetCnC_Hash_MD5 | Mobile botnet C&C hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_BotnetCnC_Hash_SHA1 | Mobile botnet C&C hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_BotnetCnC_Hash_SHA256 | Mobile botnet C&C hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_BotnetCnC_URL | Mobile botnet C&C URL is detected by Kaspersky CyberTrace. |
| KL_Phishing_URL | Phishing URL is detected by Kaspersky CyberTrace. |
| KL_psms_Hash_MD5 | SMS Trojan MD5 hash is detected by Kaspersky CyberTrace. |
| KL_Ransomware_URL | URL that hosts ransomware is detected by Kaspersky CyberTrace. |
| KL_Ransomware_URL_Hash_MD5 | Hash of ransomware is detected by Kaspersky CyberTrace. |
| KL_Ransomware_URL_Hash_SHA1 | Hash of ransomware is detected by Kaspersky CyberTrace. |
| KL_Ransomware_URL_Hash_SHA256 | Hash of ransomware is detected by Kaspersky CyberTrace. |
| KL_Vulnerable_File_Hash_MD5 | Hash of vulnerable software and related exploits is detected by Kaspersky CyberTrace. |
| KL_Vulnerable_File_Hash_SHA1 | Hash of vulnerable software and related exploits is detected by Kaspersky CyberTrace. |
| KL_Vulnerable_File_Hash_SHA256 | Hash of vulnerable software and related exploits is detected by Kaspersky CyberTrace. |
| AbuseCh_Feodo_Block_IP | IP address from the Abuse.Ch_Feodo_Block_IP feed is detected by Kaspersky CyberTrace. |
| AbuseCh_Feodo_Malware_Hash_MD5 | Hash from the Abuse.Ch_Feodo_Malware_Hash_MD5 feed is detected by Kaspersky CyberTrace. |
| AbuseCh_Ransomware_Block_URL | URL from the Abuse.Ch_Ransomware_Block_URL feed is detected by Kaspersky CyberTrace. |
| AbuseCh_Ransomware_Block_Domain | Domain from the Abuse.Ch_Ransomware_Block_Domain feed is detected by Kaspersky CyberTrace. |
| AbuseCh_Ransomware_Block_IP | IP address from the Abuse.Ch_Ransomware_Block_IP feed is detected by Kaspersky CyberTrace. |
| AbuseCh_Ransomware_Common_URL | URL from the Abuse.Ch_Ransomware_Common_URL feed is detected by Kaspersky CyberTrace. |
| AbuseCh_SSL_Certificate_Block_IP | IP address from the AbuseCh_SSL_Certificate_Block_IP feed is detected by Kaspersky CyberTrace. |
| AbuseCh_SSL_Certificate_Hash_SHA1 | Hash from the AbuseCh_SSL_Certificate_Hash_SHA1 feed is detected by Kaspersky CyberTrace. |
| BlocklistDe_Block_IP | IP address from the BlocklistDe_Block_IP feed is detected by Kaspersky CyberTrace. |
| CyberCrime_Tracker_Block_Url | URL from the CyberCrime_Tracker_Block_Url feed is detected by Kaspersky CyberTrace. |
| EmergingThreats_Block_IP | IP address from the EmergingThreats_Block_IP feed is detected by Kaspersky CyberTrace. |
| EmergingThreats_Compromised_IP | IP address from the EmergingThreats_Compromised_IP feed is detected by Kaspersky CyberTrace. |
| Event | Description | Classification |
|---|---|---|
| KL_ALERT_ConfigurationUpdated | This event is generated if Feed Service has reloaded the configuration file. | Audit : Configuration |
| KL_ALERT_FeedBecameAvailable | This event is generated if a feed that can be used with the current certificate has become available. | Audit : Other Audit Success |
| KL_ALERT_FeedBecameUnavailable | This event is generated if a feed that is being used with the current certificate has become unavailable. | Audit : Other Audit Failure |
| KL_ALERT_OutdatedFeed | This event is generated if a feed has not been updated during the specified period. | Audit : Other Audit Failure |
| KL_ALERT_ServiceUnavailable | This event is generated when the watchdog module has detected that Feed Service has crashed or frozen. | Audit : Other Audit Failure |
| KL_ALERT_ServiceStopped | This event is generated when Feed Service is stopped successfully. | Audit : Startup and Shutdown |
| KL_ALERT_ServiceStarted | This event is generated when Feed Service is started successfully. | Audit : Startup and Shutdown |
| KL_ALERT_UpdatedFeed | This event is generated when a feed is updated and loaded by Feed Service. | Audit : Other Audit Success |
| KL_ALERT_FailedToUpdateFeed | This event is generated when Feed Service fails to load a new feed and continues using the old feed. | Audit : Other Audit Failure |
| KL_ALERT_LicenseExpires | This event is generated to inform you that the license key that is being used will expire in less than 30 days. | Audit : Policy |
| KL_ALERT_LicenseExpired | This event is generated when your license key has expired. | Audit : Policy |
| KL_ALERT_EPSLimitExceeded | This event is generated when the limit on the number of processed events per second (EPS) imposed by the license key or licensing level has been exceeded. | Audit : Policy |
| KL_ALERT_EPSHardLimit | This event is generated when Feed Service limits the number of events processed per second (EPS) to the maximum number of events for the current license key or licensing level. The limit applies regardless of the number of incoming events. | Audit : Policy |
| KL_ALERT_FeedLoadedPartially | This event is generated when a feed is not loaded, or is loaded only partially, because a limit on the maximum number of indicators is imposed by the license key or licensing level. | Audit : Policy |
| KL_ALERT_LicenseChanged | This event is generated when Kaspersky CyberTrace starts to use another license key or licensing level. | Audit : Configuration |
Common Event Properties window
After the events are added, the Common Event Manager window contains the events, as shown in the figure below.
Added events