Creating notifications about incoming service events

You can create notifications about incoming Kaspersky CyberTrace service events by configuring alert rules.

To create notifications about service events from Kaspersky CyberTrace in ArcSight ESM:

  1. Run ArcSight Console.
  2. In the Navigator pane, select Rules in the drop-down-list.
  3. In the tree view, select the Rules > Shared > All Rules > Public directory.

    Rules tree view

    The Rules tree view

  4. Right-click the filter node in the Kaspersky CyberTrace Connector tree and select New Rule > Standard Rule.
  5. In the Inspect > Edit pane, specify the following settings:
    • In the Name field of the Attributes tab, specify the name of the rule.

      You can specify any name.

    • In the Conditions tab, specify the following conditions:
      • Device Product = Kaspersky CyberTrace for ArcSight
      • Reason = %ServiceEventCode%

        Where %ServiceEventCode% is a code of a service event that is used for generating notifications.

        To get more information about all Kaspersky CyberTrace service events, see subsection "Types of alert events" of the "About output format settings" section.

    Event conditions

    Event conditions

    • Right-click the Actions tab, choose On Every Event and then select the following:
      • Activate Trigger
      • Add

        This setting must contain the action that will be performed when a service event that is specified in the Conditions tab is received. For example, Send Notification.

    Adding actions

    Adding actions

  6. Click Apply.

Page top