Event sources settings of a tenant

You can manage the settings of event sources on the Settings > Event sources page. To access this page, you need to switch to the Data management mode.


The Settings > Event sources page

In Kaspersky CyberTrace, regular expressions and event normalization rules are grouped by event source. Regular expressions and event normalization rules that are not related to a specific event source are grouped under the default event source. All regular expressions from the default event source are copied to a new event source. Each event source must have at least one regular expression. You can add event sources and edit their properties; you can delete any event source other than default.

The Event sources page displays all event sources defined in the Kaspersky CyberTrace Service configuration file.

Adding an event source

To add an event source:

  1. Click the Add event source button.

    The Add event source wizard starts.


    Add event source wizard. Step 1

  2. Define the following settings of the new event source:
    • Source ID

      The name of the event source. It must be unique among the event source names used. In the name the following characters are allowed: Latin letters, digits, a hyphen (-), a period (.), and an underscore (_).

    • Type

      You can select one of the following options:

      • IP address

        The IP address of a device that issues events for which you want to add parsing rules.

        Both IPv4 and IPv6 addresses are supported.

      • Host name

        The host name of a device that issues events.

        The value must be the same as the value in the HOSTNAME field of the incoming syslog messages from this event source.

      • Regular expression

        The regular expression that will match the source in the events received by Kaspersky CyberTrace. This regular expression must be optimized.

  3. Click Next.

    If the data entered at the previous step is correct, the form for specifying regular expressions and event normalization rules opens (see subsection "Form for editing event source properties" below).

    All regular expressions from the default event source are copied to the new event source. Kaspersky CyberTrace attempts to obtain data from received events by using the copied regular expressions. We recommend that you keep collecting events for as long as it takes for the data to appear in the wizard window.


    Add event source wizard. Step 2

  4. Judging from the data in the wizard window, specify regular expressions and event normalization rules, and then click the Add button.

    For normalization rules, enable the Apply normalization rules toggle switch. Otherwise, the normalization rules will not be associated with the new event source.

If the entered event source properties are correct, the new event source is created.

Editing an event source

To edit an event source, do any of the following:

Form for editing event source properties

The form for editing event source properties (event normalization rules and regular expressions) has the upper area and the lower area. The upper area displays events and highlights substrings that are extracted by a selected regular expression. The lower area has two tabs: the Normalization rules tab and the Regular expressions tab.

When the form for editing event source properties opens, it starts collecting events that are issued by the event source. These events are processed according to the normalization rules and the result is displayed in the upper area of the form.

If you have specified the host name of the event source, but the HOSTNAME field of incoming events cannot be extracted, no event is displayed. To fix this problem, either specify the IP address or regular expression of the event source, or change the format of events.

You can pause, resume, or restart the real-time collection of arriving events. If you restart collecting the incoming events, the text box for displaying events is cleared. This text box can contain up to 100 lines. If more data arrives, older data is removed.

Specifying event normalization rules

In the lower area of the form for editing event source properties, select the Normalization rules tab to add, remove, or edit normalization rules that will be applied to incoming events that meet the conditions of the event source. You can specify which character sequences must be replaced with others (replacement rules) and which character sequences must be used for identifying events to ignore (ignore rules). If you disable the Apply normalization rules toggle switch, all the controls for specifying normalization rules will be disabled, and no normalization rule will be saved for the event source being edited.

Do not specify the newline character (\n) in replacement rules. Use the InputSettings > EventDelimiter element of the Kaspersky CyberTrace Service configuration file to separate compound incoming events into individual events.

For an event source that is being created, initially the form under the Normalization rules tab is filled with the normalization rules specified for the default event source.

Specifying regular expressions

In the lower area of the form for editing event source properties, select the Regular expressions tab to add, remove, or edit regular expressions that will be applied to incoming events that meet the conditions of the event source. For an event source that is being created, initially the form under the Regular expressions tab is filled with the regular expressions that are specified for the default event source and that extract at least some data from the events that are displayed.

Regular expressions have the following properties:

You can highlight values that match the regular expressions that you specified for the event source. Click inside the text box that contains the regular expression that you want to highlight.
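The three steps this page describes (deciding which event source an incoming event belongs to by IP address, host name or regular expression; applying ignore and replacement normalization rules; extracting values with the source's regular expressions and highlighting what they matched) are shown below as an added Python example. It is not CyberTrace's own code and does not reproduce its configuration schema: the `EventSource` class, the rule formats, the RFC 3164-style header pattern used to read the syslog HOSTNAME field, and the sample events and addresses are all assumptions constructed for illustration. It also applies the two constraints stated above (allowed characters in Source ID, no newline in replacement rules) as validation, and shows why an event without a readable HOSTNAME field never appears for a host-name source while the same event is still picked up by an IP-address or regular-expression source.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Hypothetical model of the page's concepts: the class names, rule formats and the
# syslog header pattern are assumptions, not CyberTrace's own schema or code.
# RFC 3164-style header "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG" (assumed format).
SYSLOG_HEADER = re.compile(
    r"^<\d{1,3}>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<hostname>\S+) (?P<msg>.*)$")

# Constructed sample events (not real traffic); the last one has no syslog header.
SAMPLE_EVENTS = [
    "<134>Mar  1 10:00:01 fw-edge-01 proxy: url=hxxp://example.test/a.php client=10.0.0.5",
    "<134>Mar  1 10:00:02 fw-edge-01 proxy: HEARTBEAT ok",
    "<134>Mar  1 10:00:03 other-host proxy: url=hxxp://example.test/b.php client=10.0.0.6",
    "proxy: url=hxxp://example.test/c.php client=10.0.0.7",
]
SAMPLE_SENDER_IP = "192.0.2.10"  # constructed address of the sending device
FIELD_REGEXES = {"url": r"url=(\S+)", "client": r"client=(\S+)"}  # group 1 = value


@dataclass
class EventSource:
    source_id: str
    kind: str    # "ip", "hostname" or "regex": the page's three Type options
    value: str
    replacement_rules: list = field(default_factory=list)  # [(old, new), ...]
    ignore_rules: list = field(default_factory=list)       # substrings that drop an event
    apply_normalization: bool = True                       # the toggle switch
    regexes: dict = field(default_factory=dict)            # field name -> pattern

    def __post_init__(self):
        # Source ID: Latin letters, digits, hyphen, period and underscore only.
        if not re.fullmatch(r"[A-Za-z0-9._-]+", self.source_id):
            raise ValueError(f"invalid Source ID: {self.source_id!r}")
        # The newline character is not allowed in replacement rules.
        if any("\n" in old or "\n" in new for old, new in self.replacement_rules):
            raise ValueError("newline is not allowed in replacement rules")
        if self.kind == "ip":
            ipaddress.ip_address(self.value)  # validates IPv4 and IPv6 alike
        elif self.kind == "regex":
            self._source_re = re.compile(self.value)
        self._field_res = {name: re.compile(p) for name, p in self.regexes.items()}

    def matches(self, hostname, sender_ip, raw):
        """Does this raw event belong to the source?"""
        if self.kind == "ip":
            return ipaddress.ip_address(sender_ip) == ipaddress.ip_address(self.value)
        if self.kind == "hostname":
            # HOSTNAME could not be extracted -> a host-name source shows nothing.
            return hostname is not None and hostname == self.value
        return self._source_re.search(raw) is not None

    def normalize(self, msg):
        """Ignore rules first, then replacement rules; None means 'drop the event'."""
        if not self.apply_normalization:
            return msg
        if any(token in msg for token in self.ignore_rules):
            return None
        for old, new in self.replacement_rules:
            msg = msg.replace(old, new)
        return msg

    def extract(self, msg):
        """Run each field regex; group 1 (or the whole match) is the field value."""
        found = {name: rx.search(msg) for name, rx in self._field_res.items()}
        return {name: (m.group(1) if m.groups() else m.group(0))
                for name, m in found.items() if m}


def parse_syslog(raw):
    """Return (hostname, message); hostname is None when the header is missing."""
    m = SYSLOG_HEADER.match(raw)
    return (m.group("hostname"), m.group("msg")) if m else (None, raw)


def highlight(msg, pattern):
    """Character spans the form would highlight for one regex (group 1 if present)."""
    return [m.span(1) if m.groups() else m.span() for m in re.finditer(pattern, msg)]


def process_events(sources, raw_events, sender_ip):
    """Route events to every matching source, normalize, extract: {source_id: [...]}"""
    results = {s.source_id: [] for s in sources}
    for raw in raw_events:
        hostname, msg = parse_syslog(raw)
        for src in sources:
            if src.matches(hostname, sender_ip, raw):
                normalized = src.normalize(msg)
                if normalized is not None:
                    results[src.source_id].append(src.extract(normalized))
    return results


def demo_sources():
    """Three sources, one per Type, sharing the same rules and field regexes."""
    rules = dict(replacement_rules=[("hxxp://", "http://")], ignore_rules=["HEARTBEAT"],
                 regexes=FIELD_REGEXES)
    return [
        EventSource("fw-edge-01", "hostname", "fw-edge-01", **rules),
        EventSource("proxy-by-ip", "ip", SAMPLE_SENDER_IP, apply_normalization=False, **rules),
        EventSource("any-proxy", "regex", r"\bproxy:", **rules),
    ]
```

Running `process_events(demo_sources(), SAMPLE_EVENTS, SAMPLE_SENDER_IP)` shows the differences the page describes: the host-name source yields only the first event (the heartbeat is dropped by the ignore rule, the other-host event does not match, and the header-less event has no HOSTNAME to compare); the IP-address source, with the normalization toggle off, keeps all four events, including an empty result for the heartbeat and the un-rewritten `hxxp://` URLs; the regular-expression source keeps three normalized events regardless of host name.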

Deleting an event source

To delete an event source:

  1. Click the Delete button (trash can icon) next to the event source that you want to delete.
  2. In the confirmation window that opens, click the Delete button.

The deleted event source disappears from the list of event sources.
