OutputSettings

Contains output settings for the General tenant.

Defines the address and port of the event target software to send the outgoing events to, and the format of the outgoing events.

Path

OutputSettings

Attributes

This element has no attributes.

Nested elements

This element is a container for the following nested elements:

• EventFormat

  Specifies the format of outgoing events.

  For more information about the values of this element, see section "About event format patterns".

  The EventFormat element is mandatory.

• RecordFieldContextFormat

  Specifies how context fields must be added to an event.

  For more information about the values of this element, see section "About event format patterns".

  The RecordFieldContextFormat element is mandatory.

• ActionableFieldContextFormat

  Specifies how actionable fields must be added to an event.

  For more information about the values of this element, see section "About event format patterns".

  The ActionableFieldContextFormat element is mandatory.

• AlertFormat

  Specifies the format for outgoing events that inform the event target software of the Kaspersky CyberTrace Service state.

  For more information about the values of this element, see section "About event format patterns".

  The AlertFormat element is optional. If it is absent from the configuration file, no notification is made.

• ConnectionString

  Specifies the IP address and port (or the Windows-named pipe) to which the service will send outgoing events.

  The ConnectionString element is mandatory.

  For more information about this element, see the "OutputSettings > ConnectionString" subsection below.

• AlertConnectionString

  Specifies the IP address (or host) and port to which the service will send service alerts.

  The AlertConnectionString element is optional.

  For more information about this element, see the "OutputSettings > AlertConnectionString" subsection below.

• FinishedEventFormat

  Specifies the format of the informational event that is generated for each processed event.

  The FinishedEventFormat element is mandatory.

  For more information about this element, see the "OutputSettings > FinishedEventFormat" subsection below.

OutputSettings > ConnectionString

Specifies the IP address (or host) and port to which the service will send service alerts.

The string is formatted as <ip_address>:<port> (if an IP address and port are used) or as \\.\pipe\<pipe_name> (if a Windows-named pipe is used).

You can use an IPv4 or an IPv6 address.

OutputSettings > AlertConnectionString

Specifies the IP address (or host) and port to which the service will send service alerts.

The value of this element is formatted as <ip_address>:<port> (if an IP address and port are used) or as \\.\pipe\<pipe_name> (if a Windows-named pipe is used). The IP address must consist of four decimal octets, each separated by a dot. The value in each octet must be less than 256.

The AlertConnectionString element is optional. If the element is omitted, the enabled attribute with the false value is used for this element.

This element has the following attributes:

AlertConnectionString element attributes

Attribute

Description

enabled

Defines whether Kaspersky CyberTrace Service sends alert events to the specified IP address and port. Possible values: true, false. If the value is true, Kaspersky CyberTrace Service will send alert events to the IP address and port that are specified in this element. If the value is false, Kaspersky CyberTrace Service will send alert events to the IP address and port that are specified in the OutputSettings > ConnectionString element.

OutputSettings > FinishedEventFormat

Specifies the format of the informational event that is generated after an event is processed.

If this parameter is enabled, Kaspersky CyberTrace will generate an informational event for each event that it processes. An informational event is generated even if there were no detections.

The FinishedEventFormat element is mandatory.

The value of this element specifies the event format. You can use the %RecordContext% pattern and regular expression names in the format. For more information about patterns, see section "About event format patterns".

The %RecordContext% pattern will provide the following fields, if used:

• category

  It is "LookupFinished" for events of this type.

• sent_events

  The number of events sent to a SIEM solution.

• total

  Concatenation of the following substrings formed for every category assigned to detection events:

  <category>:<number_of_detections>;

  If there were no detections, the sent_events parameter is set to 0, and the total string is empty.

This element has the following attributes:

FinishedEventFormat element attributes

Attribute	Description
enabled	Defines whether special informational events are generated. Possible values: true, false. If the value is true, Kaspersky CyberTrace Service will generate special informational events. If the value is false, or this attribute is omitted, Kaspersky CyberTrace Service will not generate special informational events. This attribute is optional.

Example

The following is an example of this element.

<OutputSettings> <RecordFieldContextFormat><![CDATA[ %ParamName%=%ParamValue%]]></RecordFieldContextFormat> <AlertFormat>%Date% alert=%Alert%%RecordContext%</AlertFormat> <EventFormat>%RE_DATE% category=%Category% matchedIndicator=%MatchedIndicator% url=%RE_URL% src=%SRC_IP% ip=%RE_IP% md5=%RE_MD5% sha1=%RE_SHA1% sha256=%RE_SHA256% usrName=%RE_USERNAME%%RecordContext%</EventFormat> <FinishedEventFormat enabled="true">LookupFinished %RecordContext%</FinishedEventFormat> <ActionableFieldContextFormat><![CDATA[ %ParamName%:%ParamValue%]]></ActionableFieldContextFormat> <ConnectionString>127.0.0.1:9998</ConnectionString> <AlertConnectionString>192.0.2.145:9998</AlertConnectionString> </OutputSettings>

Page top