About event format patterns

You can use formats and patterns to include specific information into the alerts generated by Kaspersky CyberTrace.

Formats are strings that determine the format of an alert or pattern. Patterns are special wildcards that you can use when specifying formats. A pattern is replaced by actual data when an alert is generated.

About alerts and detections

You can specify formats for two types of alerts generated by Kaspersky CyberTrace:

Detection alerts
These are outgoing alerts that hold information about detected matches with indicators.

For more information about the format of detection alerts, see subsection "Detection alerts format" below.
Service alerts
These are outgoing alerts that inform the event target software (for example, SIEM) about the state of Kaspersky CyberTrace Service.

For more information about the format of alerts, see subsection "Service alerts format" below.

Record context format

The %RecordContext% format specifies how context fields must be added to an alert. You can specify a format for this pattern in the Records context format field.

You can use the following patterns in the %RecordContext% format:

%ParamName%
The name of the field in the feed.
%ParamValue%
The value of the field.

The %RecordContext% format is used in the formats of detection and alert events:

Detection alerts
The %RecordContext% pattern determines the format of the context fields passed in a detection alert.

For example, if %RecordContext% is %ParamName%=%ParamValue%, then for a feed with the "Ip" and "Geo" fields, the following string can be produced (note the space symbol between the data of the two fields): "Ip=192.0.2.100 Geo=ru,br,ua,cz,us".
Service alerts
The %RecordContext% pattern determines the format of the context fields passed in an alert event.

The fields are specific for each type of service alert. For example, if %RecordContext% is %ParamName%=%ParamValue%, and a feed is updated, the following string can be produced: "feed=Phishing_URL_Data_Feed.json records=200473".

Actionable field context format

The %ActionableFields% format specifies how actionable fields must be added to an alert. You can set a separate format for this pattern in the Actionable fields context format field.

You can use the following patterns in the %ActionableFields% format:

%ParamName%
The name of the actionable field.
%ParamValue%
The value of the actionable field.

The %ActionableFields% format is used in the format of detection alerts:

The %ActionableFields% pattern determines the format of the actionable fields passed in a detection alert.

For example, if %ActionableFields% is %ParamName%:%ParamValue%, and the cn1 and cn2 fields are specified for the feed, then the following string can be produced: "cn1:Example Device cn2:Example Environment".

Service alerts format

You can specify this format in the Alert events format field.

You can use the following patterns in this format:

%Alert%
The type of the service alert.
%Date%
Current date and time in the Mon DD HH:MM:SS format.
%RecordContext%
Context of the alert, as described in the "Record context format" section above.

The following is an example of the alert events format:

%Date% alert=%Alert%%RecordContext%

If a feed update alert is generated, the example above produces the following alert:

Apr 16 09:05:41 alert=KL_ALERT_UpdatedFeed feed=Phishing_URL_Data_Feed.json records=200473

Detection alerts format

You can specify this format in the Detection events format field.

You can use the following patterns in this format:

%Category%
Category of the detected object.
%Date%
Current date and time in the Mon DD HH:MM:SS format.
Regular expression name
This pattern is a name of the regular expression. It is substituted by a value extracted from the event field that matches a regular expression. For example, if a regular expression has the name RE_URL, the pattern for it is %RE_URL%, and the generated alert holds the value that matched this regular expression.
%MatchedIndicator%
Detected indicator (a URL, hash, or IP address) that caused the event.
%SourceId%
Event source identifier. This is the name that you specified for the event source on the Matching tab.

The identifier of the preconfigured event source is Default.
%Confidence%
The level of confidence. This value is taken from the indicator confidence value of a feed that contains matched indicators from the detection alert.
%IndicatorInfo%
The link to the Kaspersky CyberTrace Web page that contains information about the detected indicator.
%ActionableFields%
Actionable fields, as described in the "Actionable field context format" section above.
%RecordContext%
Context of the alert, as described in the "Record context format section" above.

The following is an example of the OutputSettings > EventFormat element:

%Date% event_name=%Category% source=%SourceId% matchedIndicator=%MatchedIndicator% url=%RE_URL% ip=%RE_IP% md5=%RE_MD5% sha1=%RE_SHA1% sha256=%RE_SHA256% usrName=%RE_USERNAME% indicatorInfo=%IndicatorInfo% confidence=%Confidence%%RecordContext%

The format above generates the following alert:

Apr 16 09:05:41 eventName=KL_Malicious_Hash_MD5 source=ExampleSource matchedIndicator=C912705B4BBB14EC7E78FA8B370532C9 url=- src=192.0.2.4 ip=192.0.2.23 md5=C912705B4BBB14EC7E78FA8B370532C9 sha1=- sha256=- usrName=ExampleUser indicatorInfo=https://127.0.0.1/indicators?value=C912705B4BBB14EC7E78FA8B370532C9 confidence=100 MD5=C912705B4BBB14EC7E78FA8B370532C9 SHA1=8CBB395D31A711D683B1E36842AE851D5D000BAD SHA256=F6E62E9B3AF38A6BF331922B624844AAEB2D3658C4F0A54FA4651EAA6441C933 file_size=2989 first_seen=10.07.2016 23:53 last_seen=13.04.2020 08:08 popularity=1 threat=HEUR:Trojan.Win32.Generic

Patterns for ArcSight

Kaspersky CyberTrace Service sends service alerts in the CEF format. The alert formats for ArcSight must comply with the requirements of the CEF format.

For detection alerts, use the following format:

CEF:0|Kaspersky Lab|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| reason=%Category% dst=%DST_IP% src=%DeviceIp% fileHash=%RE_HASH% request=%RE_URL% sourceServiceName=%Device% sproc=%Product% suser=%UserName% msg=CyberTrace detected %Category% externalId=%Id% %ActionableFields% cs5Label=MatchedIndicator cs5=%MatchedIndicator% cs6Label=Context cs6=%RecordContext%

In addition to the general patterns, the detection alerts format for ArcSight uses the following patterns with regular expression names:

%DST_IP%—Destination IP address.
%DeviceIp%—IP address of the endpoint device where the event occurred.
%RE_HASH%—Hash contained in the event.
%RE_URL%—URL contained in the event.
%Device%—Device vendor.
%Product%—Device name.
%UserName%—Name of the user that was active on the endpoint device.
%Id%—Event identifier.

For service alerts, use the following format:

CEF:0|Kaspersky Lab|Kaspersky CyberTrace for ArcSight|2.0|1|CyberTrace Service Event|4| reason=%Alert% msg=%RecordContext%

In the format above, 4 (or another value from 1 to 10) is the level (severity) of the alert events from Kaspersky CyberTrace.

Patterns for RSA NetWitness

The values of the detection alerts and service alerts formats must correspond to the formats set in the v20_cybertracemsg.xml file. If you change the formats, edit the v20_cybertracemsg.xml file accordingly.

The following is an example of the detection alert format:

<232>%CyberTrace:MATCH_EVENT category=%Category%,detected=%MatchedIndicator%,url=%RE_URL%,hash=%RE_HASH%,dst=%DST_IP%,src=%SRC_IP%,dvc=%DeviceIp%,dev_name=%Device%,dev_action=%DeviceAction%,user=%UserName%,actF:%ActionableFields%,context=%RecordContext%

In addition to the general patterns, the detection alerts format for RSA Net Witness uses the following patterns with regular expression names:

%RE_URL%—URL contained in the event.
%RE_HASH%—Hash contained in the event.
%DST_IP%—Destination IP address.
%SRC_IP%—Source IP address.
%DeviceIp%—IP address of the endpoint device where the event occurred.
%Device%—Device vendor.
%DeviceAction%—Action taken by the device.
%UserName%—Name of the user that was active on the endpoint device.

Page top