Step 2. Importing Kaspersky CyberTrace rules and events

This section describes how you can import files that contain Kaspersky CyberTrace rules and events to LogRhythm.

If the import fails for any reason, you can add Kaspersky CyberTrace events and Kaspersky CyberTrace rules to LogRhythm manually.

To import files with Kaspersky CyberTrace rules to LogRhythm:

  1. Open LogRhythm Console.
  2. Select Deployment Manager > Tools > Knowledge > MPE Rule Builder.

    The Rule Builder form opens.

  3. For every XML file from the package (files named mperule_%event_name%.xml), perform the following actions:
    1. Select File > Import.

      Importing files

    2. In the Import Actions window, click Yes.

      Import Actions window

      If the import succeeds, the Rule Import Status window opens.

      Rule Import Status window

    3. On the toolbar of the Rule Builder form, click the Open rule library button.

      The Rule Browser window opens.

    4. Double-click the event whose rule file you imported in step 2 of this list.

      A window with rule settings opens.

      Note that the imported rule arrives in LogRhythm with the Development status and therefore may not appear in the rule list. To display Development rules in the Rule Browser window, select View > Show Development rules.

      Show development rules

    5. In the General settings window that opens, in the Rule Status section, select Production or Test.

      Development rules settings

    6. Click Save.

    The corresponding common events (see the full list of these events in section "Step 3 (optional). Adding Kaspersky CyberTrace events") and MPE Rules (see the full list of MPE rules and their settings in section "Step 4 (optional). Adding Kaspersky CyberTrace rules") will be added to LogRhythm for all events.
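Step 3 is repeated once per rule file, and the Rule Builder reports problems only after you have clicked through the import dialogs. The script below is an added example (it is not part of the Kaspersky or LogRhythm documentation) that lists every file matching the mperule_%event_name%.xml pattern in the package directory and checks that each one is well-formed XML, so that broken or misnamed files are caught before you open LogRhythm Console. It assumes the rule files are ordinary XML and that the event name is the part of the file name between `mperule_` and `.xml`; it knows nothing about the LogRhythm MPE rule schema, and the sample package it builds uses constructed event names, not real Kaspersky CyberTrace events.

```python
"""Pre-flight check for Kaspersky CyberTrace MPE rule files before importing them
into LogRhythm. Added example, not code from Kaspersky or LogRhythm.

Assumptions (not stated in the documentation): rule files are well-formed XML,
and the event name is whatever sits between "mperule_" and ".xml". The script
does not validate the LogRhythm MPE rule schema; it only catches naming and
XML errors so you can fix them before repeating step 3 for each file."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# File-name pattern taken from the procedure: mperule_%event_name%.xml
RULE_FILE_RE = re.compile(r"^mperule_(?P<event>.+)\.xml$")


def find_rule_files(package_dir):
    """Return a sorted list of (event_name, path) for every rule file in the package."""
    found = []
    for name in sorted(os.listdir(package_dir)):
        match = RULE_FILE_RE.match(name)
        if match:
            found.append((match.group("event"), os.path.join(package_dir, name)))
    return found


def check_rule_file(path):
    """Return None when the file parses as XML, otherwise a short error string."""
    try:
        ET.parse(path)
    except ET.ParseError as exc:
        return f"not well-formed XML: {exc}"
    return None


def build_import_checklist(package_dir):
    """Map each event name to 'ready' or to the error that must be fixed first."""
    return {
        event: (check_rule_file(path) or "ready")
        for event, path in find_rule_files(package_dir)
    }


def make_sample_package():
    """Constructed sample package: two valid files, one broken file, one non-rule file."""
    package_dir = tempfile.mkdtemp(prefix="cybertrace_pkg_")
    samples = {
        "mperule_Sample_Event_A.xml": "<rule><name>Sample rule A</name></rule>",
        "mperule_Sample_Event_B.xml": "<rule><name>Sample rule B</name></rule>",
        "mperule_Sample_Event_C.xml": "<rule><name>Sample rule C</rule>",  # unclosed <name>
        "readme.txt": "not a rule file; must be ignored",
    }
    for name, body in samples.items():
        with open(os.path.join(package_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return package_dir


if __name__ == "__main__":
    pkg = make_sample_package()
    for event, status in build_import_checklist(pkg).items():
        flag = "OK " if status == "ready" else "FIX"
        print(f"[{flag}] {event}: {status}")
```

Run it against the directory into which you unpacked the Kaspersky CyberTrace package; every entry flagged FIX should be corrected before you import that file with File > Import, and the OK entries give you the list of events to look for in the Rule Browser afterwards.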
