Step 5. Retrieving custom event properties

This section describes how to configure retrieval of custom event properties from Kaspersky CyberTrace outgoing events, in addition to standard fields. As a result of this setting, the MD5, SHA1, and SHA256 hashes will be extracted and the extraction rule of the Source IP field will be redefined.

To configure retrieval of custom event properties:

  1. Select the Log Activity tab, and then click Add Filter.

    The Add Filter form opens.

  2. Fill in the form:
    1. In the Parameter drop-down list, select Log Source [Indexed].
    2. In the Operator drop-down list, select Equals.
    3. In the Log Source list, select KL_Threat_Feed_Service_v2.

      The selection KL_Threat_Feed_Service_v2 is the log source name that is set in the OutputSettings > EventFormat element and the OutputSettings > AlertFormat element of the Kaspersky CyberTrace Service configuration file (you can also set them by using Kaspersky CyberTrace Web).

    Add Filter window in QRadar.

    Adding a filter

  3. Click Add Filter.
  4. Run the verification test, and then stop the events flow by clicking Pause (Pause icon in QRadar.) in the upper-right area of the window.
  5. Press Ctrl (or Shift) to select several records, and then select Actions > DSM editor.

    DSM Editor menu item in QRadar.

    The Log Activity window

    The DSM Editor window opens.

    DSM Editor window.

    The DSM Editor window

  6. In the DSM Editor window, click the + button near the Filters text box.

    The Choose a Custom Property Definition to Express form opens.

    Choose a Custom Property Definition to Express window in QRadar.

    Choosing a custom property

  7. Click Create new.

    The Create a new Custom Property Definition form opens.

  8. Fill in the form:
    1. In the Name field, enter MD5.
    2. In the Field Type drop-down list, select Text.
    3. In the Description field, enter a description of the property.
    4. Select the Enable this Property for Use in Rules and Search Indexing check box.
    5. Click Save.

    Creating a new Custom Property Definition window in QRadar.

    Creating a new custom property definition

  9. Add the SHA1 and SHA256 properties similarly.
  10. In the Choose a Custom Property Definition to Express window, select the created properties, add URL and Source IP, and then click Select.
  11. In the Log Activity Preview section, click Configure and then select the following properties:
    • Event Name
    • IP (custom)
    • MD5 (custom)
    • SHA1 (custom)
    • SHA256 (custom)
    • Source IP
    • URL (custom)
    • Username

    Click Update.

    Configuring Preview Columns window in QRadar.

    Configuring preview columns

  12. On the Properties tab, configure regular expressions as described in the table below:

    Custom property

    Regular expression

    MD5

    md5=([\da-fA-F]{32})

    SHA1

    sha1=([\da-fA-F]{40})

    SHA256

    sha256=([\da-fA-F]{64})

    URL

    url=([-a-zA-Z0-9()@:%_\+.~#?&\/\/=]{2,})

    Source IP

    src=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

    If necessary, type 1 in the Capture Group field.

  13. For the Source IP property, select the Override system behavior check box.

    Source IP configuration in QRadar. Override system behavior check box.

    Source IP configuration

    When changing the format for outgoing detection events in Kaspersky CyberTrace, the regular expressions that are specified above may require corresponding changes.

    If all of the settings above are specified correctly, you will find the configured Custom properties in the Log Activity Preview section.

  14. Click Save and close the window.
  15. On the Log Activity tab, perform the new verification test.

    After that, if you open the event received from KL_Threat_Feed_Service_v2, the configured custom properties will be displayed.

    Event Information section in QRadar.

    Event information

Page top