You can manage event format settings in the Kaspersky CyberTrace web user interface by selecting the Settings tab and then the Events format tab. The item selected in the drop-down list of available tenants in the upper-left area of the window determines what you edit: the general event format settings (if General is selected) or the event format settings for a particular settings tenant (if a particular settings tenant is selected).
Kaspersky CyberTrace events formats
On the Events format tab, you can specify the formats of detection events, alert events, record context, and actionable fields context.
We do not recommend changing the format of events manually. Select the check boxes with the patterns that you want to use in outgoing events and Kaspersky CyberTrace will update the format automatically.
Some event sources may require that you change the event format, depending on your integration. For more information, see subsection "Setting event formats for specific event sources" below.
For more information about formats and patterns that you can specify, see section "About event formats and patterns".
This tab has the following text fields:
This section consists of two subsections:
Values of these fields are patterns generated by Kaspersky CyberTrace.
Select the check boxes with the patterns that you want to use in outgoing detection events. Kaspersky CyberTrace will update the format automatically.
Values of these fields are extracted from the incoming events with regular expressions defined for the event source.
Select the check boxes with the patterns that you want to use in outgoing detection events. Kaspersky CyberTrace will update the format automatically.
Setting event formats for specific SIEM systems
The correct format of alert and detection events depends on your SIEM system. If you change the format of events in Kaspersky CyberTrace, you may also need to update your integration with the SIEM system.