Adding normalization rules

This section explains how to add normalization rules to an event source.

About normalization rules

Normalization rules are used for transforming events. After Kaspersky CyberTrace applies normalization rules to an incoming event, the event is processed using regular expressions.

There are two types of normalization rules:

• Replacing rules

  Rules for replacing one character sequence with another.

• Ignoring rules

  Rules for ignoring events that contain a character sequence.

If the replacing rules and ignoring rules are set, replacing rules are applied first and ignoring rules are applied second.

In the specified regular expressions, the asterisk (*) and question mark (?) are not treated as wildcard characters.

Adding normalization rules

Adding normalization rules

To add a normalization rule:

1. Navigate to the Settings page.
2. Open the Matching tab.
3. Locate an event source that must use the new normalization rule. Click to open source properties.

   The window with the properties of the selected event source opens.

4. Locate the Normalization rules tab.
5. Select the Apply normalization rules check box.
6. If normalization rules are already specified for the event source, add a new entry. Click Add new rule to add extra text boxes for new rule parameters.
7. Specify rule parameters:
   • For a replacing rule, specify a regular expression in the To replace text box and a replacement in the Replace with text box.
   • For an ignoring rule, specify a regular expression in the Ignore events that contain this text box.
8. Click the OK button.

Page top