QRadar must correctly process the incoming events from Kaspersky CyberTrace Service. For this purpose, you must add a list of permissible events (a list of QRadar identifiers (QIDs)) to QRadar. In Kaspersky CyberTrace Service, the event categories are defined in the configuration file, in the Feeds
> Feed
> Field
element, the category
attribute.
The distribution kit of Kaspersky CyberTrace includes a file named sample_qid.txt that contains necessary events from Kaspersky CyberTrace Service. Do not alter the descriptions of these events but, instead, add your own events to this file.
We recommend that you name the event categories according to the format "KL_<feed>_<object_type>"
, where:
<feed>
—The name of the feed which detects the event (for example, PhishingUrl
).<object_type>
—The field by which the event is detected (for example, URL
, Hash_MD5
, Hash_SHA1
, Hash_SHA256
).To import the list of QIDs to QRadar:
%service_dir%/integration/qradar/sample_qid.txt
file by adding to it all the event categories contained in the configuration file.Every event category must be described in a single line that has the following format:
,<event>,<descr>,<sev>,<cat_id>
where:
<event>
—The name of the incoming event.<descr>
—The description of the event.<sev>
—The severity of the event.<cat_id>
—A low-level QRadar event identifier.The total list of QRadar event identifiers can be printed by the following command:
/opt/qradar/bin/qidmap_cli.sh -l
We recommend that you use values for <sev>
and <cat_id>
according to QRadar documentation.
For example:
,KL_Malicious_URL,Malicious URL is detected by Kaspersky Threat Feed Service,8,7058
%service_dir%/integration/qradar/sample_qid.txt
file to the server that has QRadar installed./opt/qradar/bin/qidmap_cli.sh -i -f <filename>
where <filename>
is the destination path of the sample_qid.txt
file uploaded in step 2.
/opt/qradar/bin/qidmap_cli.sh –e
If an error occurs, refer to IBM Security QRadar SIEM Administration Guide for information on resolving the problem.
Page top