Step 2. Importing Kaspersky CyberTrace rules and events

This section describes how you can import files that contain Kaspersky CyberTrace rules and events to LogRhythm.

If for any reason the import fails, you can configure adding Kaspersky CyberTrace events and Kaspersky CyberTrace rules manually.

To import files with Kaspersky CyberTrace rules to LogRhythm:

  1. For each file of the mperule_%event_name%.xml format from the integration/logrhythm/events/ directory, perform the following actions:
    1. Open the file in a text editor.
    2. Replace the values of both the MPERuleToMST > MsgSourceTypeID and the MsgSourceType > MsgSourceTypeID elements with the log source type ID that you made a note of in the previous step.

      For example, <MsgSourceTypeID>1000000001</MsgSourceTypeID> must change to <MsgSourceTypeID>%CYBERTRACE_ID%</MsgSourceTypeID>, where %CYBERTRACE_ID% stands for the log source type ID of Kaspersky CyberTrace.

    3. Save the file.
  2. Open LogRhythm Console.
  3. Select Deployment Manager > Tools > Knowledge > MPE Rule Builder.

    The Rule Builder form opens.

  4. For each file edited in step 1 above, perform the following actions:
    1. Select File > Import.

      Import menu item in LogRhythm.

    2. In the Import Actions window, click Yes.

      Import Actions window in LogRhythm.

      If the import succeeds, the Rule Import Status window opens.

      Rule Import Status window in LogRhythm.

    3. On the toolbar of the Rule Builder form, click the Open rule library (Open rule library button in LogRhythm.) button.

      The Rule Browser window opens.

    4. Double-click the event that was imported in step b.

      A window with rule settings opens.

      Note that the imported rule arrives in LogRhythm in the Development status and may not appear in the list of all rules. You can configure display in the Rule Browser window that opens by selecting View > Show Development rules.

      View → Show Development Rules menu item in LogRhythm.

    5. In the General settings window that opens, in the Rule Status section, select Production or Test.

      General settings window in LogRhythm.

    6. Click Save.

    The corresponding common events and MPE Rules will be added to LogRhythm for all events. The full list of the events is described in the section about adding Kaspersky CyberTrace events. The full list of MPE rules and their settings is described in the section about adding Kaspersky CyberTrace rules.

Some of the imported Kaspersky CyberTrace events might have a low Risk Rating according to the LogRhythm classification. Depending on the filters configuration, LogRhythm might ignore such events. Please check the classification and make sure that the Risk Rating of imported events allows LogRhythm to accept and process them correctly.

Page top