Step 8 (optional). Creating alerts about incoming Kaspersky CyberTrace service events
You can create notifications about incoming Kaspersky CyberTrace service events by configuring LogRhythm alarm rules that match those events.
To create notifications about service events from Kaspersky CyberTrace in LogRhythm:
Run LogRhythm Console.
Select Deployment Manager > Alarm Rules and click New.
In the Create Global Rule confirmation window, click Yes if you want all users with the Global Admin role to be able to manage this rule, or click No if you want to be the only user who can manage it.
Perform the following actions for each tab at the bottom of the page:
On the Primary Criteria tab, do the following:
Click New, and select the Common Event value in the Add New Field Filter drop-down list.
Click Edit values.
The Field Filter Values window opens.
In the Field Filter Values window, click Add Item.
Select the name of the Kaspersky CyberTrace service event from the list. If such events are absent, add them as described in the "Adding Kaspersky CyberTrace events" section.
Click OK.
Leave the Include Filters, Exclude Filters, and Day and Time Criteria tabs unchanged.
On the Log Source Criteria tab, select the Include the Selected Log Sources check box and then click Add.
The Alarm Rule window
Select the log source that corresponds to Kaspersky CyberTrace and click OK. Restricting the rule to this log source prevents events with the same Common Event name from other sources from triggering it. For information on how to add a Kaspersky CyberTrace log source, see the section "Adding a log source to System Monitor Agent".
The Log Source Criteria Add window
Leave the Aggregation tab unchanged.
On the Settings tab, specify the period during which identical alerts triggered by new Kaspersky CyberTrace service events are suppressed. Without suppression, a service condition that recurs (for example, on every feed update attempt) produces one notification per event.
Alert suppression settings
On the Notify tab, select the roles or users to whom notifications are sent.
Choosing the roles to notify
Leave the Actions tab unchanged.
On the Information tab, specify the name of the rule and its description.
Alarm Rule Name/Brief Description
Click OK.
On the Alarm Rules tab, right-click the new rule and select Actions > Enable. The rule does not generate alerts until it is enabled.
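The following Python script is an added illustration of what the rule configured above does; it is not LogRhythm code and is not part of the Kaspersky CyberTrace documentation. It models the four settings that matter for this rule (Primary Criteria: the Common Event names; Log Source Criteria: the selected log source; Settings: the suppression period; Notify: the recipients) and runs them over a small set of constructed events. The Common Event names, log source names, timestamps and recipients are all assumptions made for the example, and "identical alert" is assumed to mean the same Common Event from the same log source.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One parsed event as the SIEM would see it (constructed for this example)."""
    ts: datetime
    log_source: str
    common_event: str


@dataclass(frozen=True)
class AlarmRule:
    """Mirror of the alarm rule tabs used in the procedure above (hypothetical model)."""
    name: str
    common_events: frozenset          # Primary Criteria: Common Event filter values
    log_sources: frozenset            # Log Source Criteria: included log sources
    suppression: timedelta            # Settings: suppression period for identical alerts
    notify: tuple                     # Notify: roles or users that receive the alert


def evaluate(rule: AlarmRule, events: list) -> list:
    """Return the events that produce a notification under the rule.

    An event fires only if its Common Event is in Primary Criteria and its log
    source is in Log Source Criteria. An identical alert (same log source and
    Common Event) that occurs less than `rule.suppression` after the last
    notification is suppressed; at or after the boundary it fires again.
    """
    last_fired = {}  # (log_source, common_event) -> timestamp of last notification
    fired = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.common_event not in rule.common_events:
            continue
        if ev.log_source not in rule.log_sources:
            continue
        key = (ev.log_source, ev.common_event)
        prev = last_fired.get(key)
        if prev is not None and ev.ts - prev < rule.suppression:
            continue  # suppressed: identical alert inside the suppression window
        last_fired[key] = ev.ts
        fired.append(ev)
    return fired


def notification_lines(rule: AlarmRule, fired: list) -> list:
    """Render one notification line per fired event for the configured recipients."""
    return [
        f"{ev.ts.isoformat()} [{rule.name}] {ev.common_event} "
        f"from {ev.log_source} -> {', '.join(rule.notify)}"
        for ev in fired
    ]


def run_example() -> list:
    """Constructed sample run: returns the list of events that fire."""
    rule = AlarmRule(
        name="CyberTrace service events",
        common_events=frozenset({"CyberTrace: feed update failed",
                                 "CyberTrace: service started"}),
        log_sources=frozenset({"CyberTrace"}),
        suppression=timedelta(minutes=10),
        notify=("Global Admins",),
    )
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    events = [
        Event(m(0), "CyberTrace", "CyberTrace: feed update failed"),   # fires
        Event(m(1), "CyberTrace", "CyberTrace: feed update failed"),   # suppressed (1 min later)
        Event(m(5), "CyberTrace", "CyberTrace: service started"),      # fires (different identity)
        Event(m(6), "Firewall", "CyberTrace: feed update failed"),     # ignored: wrong log source
        Event(m(7), "CyberTrace", "Unrelated event"),                  # ignored: not in Primary Criteria
        Event(m(10), "CyberTrace", "CyberTrace: feed update failed"),  # fires: suppression window elapsed
        Event(m(12), "CyberTrace", "CyberTrace: feed update failed"),  # suppressed (2 min after last)
    ]
    fired = evaluate(rule, events)
    for line in notification_lines(rule, fired):
        print(line)
    return fired


if __name__ == "__main__":
    run_example()
```

The run prints three notification lines: the first feed-update failure, the service-start event, and the failure that arrives once the 10-minute window has elapsed. Shortening the suppression period in the Settings tab increases how many of the repeated events reach the recipients; widening the Log Source Criteria would let the "Firewall" event through as well.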