Configuring normalization rules

This section explains how to configure normalization rules of an event source.

About normalization rules

Normalization rules are used for transforming events. After Kaspersky CyberTrace applies normalization rules to an incoming event, the event is processed by using regular expressions.

There are two types of normalization rules:

• Replacement rules

  Rules for replacing one character sequence with another.

• Ignore rules

  Rules for ignoring events that contain a character sequence.

If the replacement rules and ignore rules are set, replacement rules are applied first and ignore rules are applied second.

In the specified regular expressions, the asterisk (*) and question mark (?) are not treated as wildcard characters.

To configure normalization rules,

Start creating or editing an event source.

Configuring normalization rules

Adding a normalization rule

To add a normalization rule:

1. Click the Normalization rules tab.
2. Enable the Apply normalization rules toggle switch.
3. Do either of the following:
   • To add a replacement rule:
     1. Click the Add rule button under Replacement rules.
     2. Specify a regular expression in the To replace text box and a replacement in the Replace with text box.
   • To add an ignore rule:
     1. Click the Add rule button under Ignore rules.
     2. Specify a regular expression in the Ignore events that contain this value text box.
4. Click the Save button.

The new normalization rule appears in the list of normalization rules.

Editing a normalization rule

To edit a normalization rule:

1. Click the Normalization rules tab.
2. Locate the required normalization rule.
3. Change values in the text boxes, as required.
4. Click the Save button.

The updated normalization rule appears in the list of normalization rules.

Deleting a normalization rule

To delete a normalization rule:

1. Click the Normalization rules tab.
2. Click the (Delete) button next to the normalization rule that you want to delete.
3. Click the Save button.

The deleted normalization rule disappears from the list of normalization rules.

Page top