Contains output settings for the General tenant.
Defines the address and port of the event target software to send the outgoing events to, and the format of the outgoing events.
Path
OutputSettings
Attributes
This element has no attributes.
Nested elements
This element is a container for the following nested elements:
EventFormat
Specifies the format of outgoing events.
For more information about the values of this element, see section "About event format patterns".
The EventFormat element is mandatory.
RecordFieldContextFormat
Specifies how context fields must be added to an event.
For more information about the values of this element, see section "About event format patterns".
The RecordFieldContextFormat element is mandatory.
ActionableFieldContextFormat
Specifies how actionable fields must be added to an event.
For more information about the values of this element, see section "About event format patterns".
The ActionableFieldContextFormat element is mandatory.
AlertFormat
Specifies the format for outgoing events that inform the event target software of the Kaspersky CyberTrace Service state.
For more information about the values of this element, see section "About event format patterns".
The AlertFormat element is optional. If it is absent from the configuration file, no notification is made.
ConnectionString
Specifies the IP address and port (or the Windows named pipe) to which the service will send outgoing events.
The ConnectionString element is mandatory.
For more information about this element, see the "OutputSettings > ConnectionString" subsection below.
AlertConnectionString
Specifies the IP address (or host) and port to which the service will send service alerts.
The AlertConnectionString element is optional.
For more information about this element, see the "OutputSettings > AlertConnectionString" subsection below.
FinishedEventFormat
Specifies the format of the informational event that is generated for each processed event.
The FinishedEventFormat element is mandatory.
For more information about this element, see the "OutputSettings > FinishedEventFormat" subsection below.
OutputSettings > ConnectionString
Specifies the IP address and port (or the Windows named pipe) to which the service will send outgoing events.
The string is formatted as <ip_address>:<port> (if an IP address and port are used) or as \\.\pipe\<pipe_name> (if a Windows named pipe is used).
You can use an IPv4 or an IPv6 address.
OutputSettings > AlertConnectionString
Specifies the IP address (or host) and port to which the service will send service alerts.
The value of this element is formatted as <ip_address>:<port> (if an IP address and port are used) or as \\.\pipe\<pipe_name> (if a Windows named pipe is used). The IP address must consist of four decimal octets, each separated by a dot. The value in each octet must be less than 256.
The AlertConnectionString element is optional. If the element is omitted, the enabled attribute with the false value is used for this element.
This element has the following attributes:
AlertConnectionString element attributes
Attribute | Description
---|---
enabled | Defines whether Kaspersky CyberTrace Service sends alert events to the specified IP address and port. Possible values: true, false.
OutputSettings > FinishedEventFormat
Specifies the format of the informational event that is generated after an event is processed.
If this parameter is enabled, Kaspersky CyberTrace will generate an informational event for each event that it processes. An informational event is generated even if there were no detections.
The FinishedEventFormat element is mandatory.
The value of this element specifies the event format. You can use the %RecordContext% pattern and regular expression names in the format. For more information about patterns, see section "About event format patterns".
The %RecordContext% pattern will provide the following fields, if used:
- A field that is set to "LookupFinished" for events of this type.
- sent_events: the number of events sent to a SIEM system.
- A field that is the concatenation of the following substrings, formed for every category assigned to detection events: <category>:<number_of_detections>;
If there were no detections, the sent_events parameter is set to 0, and the total string is empty.
This element has the following attributes:
FinishedEventFormat element attributes
Attribute | Description
---|---
enabled | Defines whether special informational events are generated. Possible values: true, false. This attribute is optional.
Example
The following is an example of this element.

```xml
<OutputSettings>
  <RecordFieldContextFormat><![CDATA[ %ParamName%=%ParamValue%]]></RecordFieldContextFormat>
  <AlertFormat>%Date% alert=%Alert%%RecordContext%</AlertFormat>
  <EventFormat>%RE_DATE% category=%Category% matchedIndicator=%MatchedIndicator% url=%RE_URL% src=%SRC_IP% ip=%RE_IP% md5=%RE_MD5% sha1=%RE_SHA1% sha256=%RE_SHA256% usrName=%RE_USERNAME%%RecordContext%</EventFormat>
  <FinishedEventFormat enabled="true">LookupFinished %RecordContext%</FinishedEventFormat>
  <ActionableFieldContextFormat><![CDATA[ %ParamName%:%ParamValue%]]></ActionableFieldContextFormat>
  <ConnectionString>127.0.0.1:9998</ConnectionString>
  <AlertConnectionString>192.0.2.145:9998</AlertConnectionString>
</OutputSettings>
```
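The following Python script is an added example and is not part of the Kaspersky documentation or of the CyberTrace product. It reads an OutputSettings block like the one above, checks that every element this section marks as mandatory is present, and validates ConnectionString and AlertConnectionString against the formats described here (<ip_address>:<port> or \\.\pipe\<pipe_name>, with the four-octet IPv4 rule applied only to AlertConnectionString). The sample XML is constructed from the page's example; tolerating square brackets around an IPv6 address, and reporting the raw enabled attribute rather than guessing a default when the element is present without it, are assumptions of this example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's OutputSettings example (not a
# real CyberTrace configuration file); EventFormat is shortened for readability.
SAMPLE_OUTPUT_SETTINGS = """<OutputSettings>
  <RecordFieldContextFormat><![CDATA[ %ParamName%=%ParamValue%]]></RecordFieldContextFormat>
  <AlertFormat>%Date% alert=%Alert%%RecordContext%</AlertFormat>
  <EventFormat>%RE_DATE% category=%Category% matchedIndicator=%MatchedIndicator%%RecordContext%</EventFormat>
  <FinishedEventFormat enabled="true">LookupFinished %RecordContext%</FinishedEventFormat>
  <ActionableFieldContextFormat><![CDATA[ %ParamName%:%ParamValue%]]></ActionableFieldContextFormat>
  <ConnectionString>127.0.0.1:9998</ConnectionString>
  <AlertConnectionString>192.0.2.145:9998</AlertConnectionString>
</OutputSettings>"""

# Elements the documentation marks as mandatory inside OutputSettings.
MANDATORY_ELEMENTS = (
    "EventFormat",
    "RecordFieldContextFormat",
    "ActionableFieldContextFormat",
    "ConnectionString",
    "FinishedEventFormat",
)

# \\.\pipe\<pipe_name>: two backslashes, a dot, a backslash, "pipe", a backslash, the name.
PIPE_RE = re.compile(r"^\\\\\.\\pipe\\([^\\]+)$")


def parse_connection_string(value, ipv4_only=False):
    """Parse "<ip_address>:<port>" or "\\\\.\\pipe\\<pipe_name>".

    Returns ("pipe", name) or ("socket", address, port) and raises ValueError
    on malformed input. ipv4_only enforces the four-decimal-octet rule the
    documentation states for AlertConnectionString.
    """
    value = value.strip()
    pipe = PIPE_RE.match(value)
    if pipe:
        return ("pipe", pipe.group(1))
    # Split on the last colon because IPv6 addresses themselves contain colons.
    host, sep, port_text = value.rpartition(":")
    if not sep or not host:
        raise ValueError(f"expected <ip_address>:<port> or \\\\.\\pipe\\<pipe_name>, got {value!r}")
    try:
        # Assumption: square brackets around an IPv6 address are tolerated.
        address = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        raise ValueError(f"invalid IP address {host!r}") from None
    if ipv4_only and address.version != 4:
        raise ValueError(f"IPv4 address with four decimal octets required, got {host!r}")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"invalid port {port_text!r}")
    return ("socket", str(address), int(port_text))


def validate_output_settings(xml_text):
    """Check mandatory elements and target addresses of an OutputSettings block."""
    root = ET.fromstring(xml_text)
    # alert_enabled starts as "false": the documented value when AlertConnectionString is omitted.
    report = {"errors": [], "events_target": None, "alerts_target": None,
              "alert_enabled": "false", "alert_format_present": False,
              "finished_events_enabled": None}
    if root.tag != "OutputSettings":
        report["errors"].append(f"root element is {root.tag}, expected OutputSettings")
        return report
    for name in MANDATORY_ELEMENTS:
        if root.find(name) is None:
            report["errors"].append(f"mandatory element {name} is missing")
    cs = root.find("ConnectionString")
    if cs is not None:
        try:
            report["events_target"] = parse_connection_string(cs.text or "")
        except ValueError as exc:
            report["errors"].append(f"ConnectionString: {exc}")
    acs = root.find("AlertConnectionString")
    if acs is not None:
        # Report the attribute as written; None means the attribute is not set.
        report["alert_enabled"] = acs.get("enabled")
        try:
            report["alerts_target"] = parse_connection_string(acs.text or "", ipv4_only=True)
        except ValueError as exc:
            report["errors"].append(f"AlertConnectionString: {exc}")
    # AlertFormat is optional; without it no service-state notification is made.
    report["alert_format_present"] = root.find("AlertFormat") is not None
    if report["alert_enabled"] == "true" and not report["alert_format_present"]:
        report["errors"].append("AlertConnectionString is enabled but AlertFormat is absent, so no alerts are sent")
    fe = root.find("FinishedEventFormat")
    if fe is not None:
        report["finished_events_enabled"] = fe.get("enabled")
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(validate_output_settings(SAMPLE_OUTPUT_SETTINGS), indent=2))
```

Run it against the real configuration file after changing the output target: an unreachable or mistyped ConnectionString silently stops detection events from reaching the SIEM, and an AlertConnectionString that is present but disabled gives no warning of that.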