Matching process settings

You can manage the matching process settings by selecting the Settings tab and then the Matching tab.

Event sources window.

Event sources

In Kaspersky CyberTrace, regular expressions and event normalization rules are grouped by event source. Regular expressions and event normalization rules that are not related to a specific event source are grouped under the default event source. Each event source must have at least one regular expression. You can add or remove event sources other than default or edit their properties.

The Event sources page displays all event sources defined in the Kaspersky CyberTrace Service configuration file, except the default event source. You can edit the following properties of the displayed event sources directly in the Event sources page:

To edit the event normalization rules and regular expressions defined for a displayed event source, select the corresponding Properties link. For the default event source, you must select the Edit default rules link. In both cases, the form for editing event source properties opens (see subsection "Form for editing event source properties" below).

For more information on event sources and regular expressions used for parsing events that are issued by various devices, see section "About regular expressions".

Adding event sources

To add an event source:

  1. Select the Add new event source link.

    The Add New Event Source Wizard starts.

    Add new event source window.

    Adding a new event source (step 1)

  2. Specify the name and the IP address or host name or the regular expression of a new event source.

    Both IPv4 and IPv6 addresses are supported.

  3. Click Next.

    If the data entered at the previous step is correct, the form for specifying regular expressions and event normalization rules opens (see subsection "Form for editing event source properties" below).

    Kaspersky CyberTrace will attempt to obtain data from received events by using the default regular expressions. We recommend that you keep collecting events for at least five seconds.

    Defining the event source properties window.

    Specifying the event source properties

  4. Specify the event source properties and click OK.

    If the entered event source properties are correct, a new event source is created.

Form for editing event source properties

The form for editing event source properties has an upper area and the lower area. The upper area displays events and highlights substrings that are extracted by a selected regular expression. The lower area has two tabs: the Normalizing rules tab and the Regular expressions tab.

When the form for editing event source properties opens, it starts collecting events that are issued by the event source. These events are processed according to the normalization rules and the result is displayed in the upper area of the form.

If you have specified the host name of the event source, but the HOSTNAME field of incoming events cannot be extracted, no event is displayed. To fix this problem, either specify the IP address or regular expression of the event source, or change the format of events.

You can pause (or resume), or restart collecting the arriving events in real time. If you restart collecting the incoming events, the text box for displaying events is cleared. This text box can contain up to 50 lines. If more data arrives, older data is removed.

Specifying event normalization rules

In the lower area of the form for editing event source properties, select the Normalizing rules tab to add, remove, or edit normalization rules that will be applied to incoming events that meet the conditions of the event source. You can specify which character sequences must be replaced with others (replacing rules) and which character sequences must be used for identifying events to ignore (ignoring rules). If you clear the Apply normalizing rules check box, all the controls for specifying normalization rules will be disabled, and no normalization rule will be saved for the event source being edited.

Do not specify the newline character (\n) in replacing rules. Use the InputSettings > EventDelimiter element of the Kaspersky CyberTrace Service configuration file to separate compound incoming events into individual events.

For an event source that is being created, initially the form under the Normalizing rules tab is filled with the normalization rules specified for the default event source.

Specifying regular expressions

In the lower area of the form for editing event source properties, select the Regular expressions tab to add, remove, or edit regular expressions that will be applied to incoming events that meet the conditions of the event source. For an event source that is being created, initially the form under the Regular expressions tab is filled with the regular expressions that are specified for the default event source and that extract at least some data from the events that are displayed.

Regular expressions have the following properties:

You can highlight values that match the regular expressions that you specified for the event source. Click inside the text box that contains the regular expression that you want to highlight.

Specifying event filters

You can specify filtering rules for detection events sent to a SIEM system from Kaspersky CyberTrace. Kaspersky CyberTrace will send detection events only if the flag for sending detection events to the SIEM system (the ioc_supplier_send_match event attribute from the indicator database) is set to true and all fields of a feed record that matched the indicator meet the filtering criteria. Note that if the detected indicator does not have the attribute specified in the filtering rule, this indicator is considered to meet the filter. However, all detection events will be included in statistics and displayed on the Dashboard and Detections tabs.

To specify filters for detection events:

  1. In the Field name drop-down list, select the value corresponds to the indicator attribute name from the indicator database to which filtering rules are applied.

    To learn more about possible values for %FIELD_NAME%, see section "Working with indicators".

  2. In the Condition drop-down list, select a filtering condition.

    For the list of possible filtering conditions, see section "About filtering criteria for sending events to SIEM".

  3. In the Value text box, specify a filtering value.

    Do not use a semicolon (';') to separate values in this text box. Instead, select value is one of (separated by a new line) in the Condition drop-down list and use a newline character ('\n') or press Enter to separate values. Otherwise, the filter will not be applied correctly.

  4. Click the Add new filter button if you want to add new event filter.

If necessary, you can edit or delete any filtering rules.

Page top