Step 6. Creating a search filter for CyberTrace events

This section describes how to create an event search.

To create an event search:

  1. In QRadar Console, select the Log Activity tab.
  2. Select Search > New Search.

    Figure: New search

  3. In the Column Definition form, add MD5 (custom), SHA1 (custom), SHA256 (custom), URL (custom) and IP (custom) from the Available Columns list to the Columns list.

    Figure: Defining columns

  4. Scroll down the page and in the Search Parameters form, set KL_Threat_Feed_Service_v2 as the log source:
    1. In the Parameter drop-down list, select Log Source [Indexed].
    2. In the Operator drop-down list, select Equals.
    3. In the Log Source list, select KL_Threat_Feed_Service_v2.

      The selection KL_Threat_Feed_Service_v2 is the log source name that is set in the OutputSettings > EventFormat element and the OutputSettings > AlertFormat element of the Feed Service configuration file (you can also set them by using Kaspersky CyberTrace Web).

    4. Click the Add Filter button.

      The string Log Source is KL_Threat_Feed_Service_v2 is added to the Current Filters list.

    Figure: Setting the log source

  5. Click either the Filter button or the Save button to display the search result.
  6. Click the Save Criteria button.

    Figure: Save Criteria button

  7. In the Save Criteria form, type the name of the search in the Search Name text box, select the Include in my Quick Searches checkbox, and then specify the time interval that the created search analyzes (for example, Real Time).
  8. Click OK.

    Figure: Saving criteria
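The same search can be expressed in QRadar's Ariel Query Language (AQL) for use in the Advanced Search box or the Ariel API. The query below is an added example, not part of the CyberTrace documentation; it assumes the custom event properties behind the columns are named MD5, SHA1, SHA256, URL and IP (the "(custom)" suffix in the Column Definition form only marks them as custom properties) and uses a one-hour window in place of the interval chosen in step 7.

```sql
-- Added example (not from the CyberTrace documentation): AQL equivalent of the
-- saved search built in steps 3 to 7. Assumptions: custom event properties are
-- named MD5, SHA1, SHA256, URL and IP, and the analyzed interval is the last hour.
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    LOGSOURCENAME(logsourceid)                   AS log_source,
    "MD5"    AS md5,      -- column "MD5 (custom)" in the Column Definition form
    "SHA1"   AS sha1,     -- column "SHA1 (custom)"
    "SHA256" AS sha256,   -- column "SHA256 (custom)"
    "URL"    AS url,      -- column "URL (custom)"
    "IP"     AS ip        -- column "IP (custom)"
FROM events
-- Same condition as the "Log Source [Indexed] Equals" filter added in step 4
WHERE LOGSOURCENAME(logsourceid) = 'KL_Threat_Feed_Service_v2'
LAST 1 HOURS
```

If the Feed Service configuration sets a different log source name in OutputSettings > EventFormat or OutputSettings > AlertFormat, change the WHERE clause to match it.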
