About service alert format patterns

You can use formats and patterns to include specific information into the service alerts generated by Kaspersky CyberTrace.

Formats are strings that define how an alert, or the data a pattern stands for, is laid out. Patterns are placeholders (wildcards) that you use inside formats; each pattern is replaced with actual data when an alert is generated.

Record context format

The %RecordContext% format specifies how context fields must be added to an alert. You can specify this format in the service alerts settings.

You can use the following patterns in the %RecordContext% format:

The %RecordContext% format is applied to every context field passed in a service alert; the set of context fields is specific to each type of service alert. For example, if %RecordContext% is %ParamName%=%ParamValue% and a feed is updated, the following string can be produced: "feed=Phishing_URL_Data_Feed.json records=200473".

Service alerts format

You can specify this format in the service alerts settings.

You can use the following patterns in this format:

The following is an example of the service alerts format:

%Date% alert=%Alert%%RecordContext%

If a feed update alert is generated, the example above produces the following alert:

Apr 16 09:05:41 alert=KL_ALERT_UpdatedFeed feed=Phishing_URL_Data_Feed.json records=200473

Patterns for ArcSight

Kaspersky CyberTrace Service sends service alerts in the CEF format. The alert formats for ArcSight must comply with the requirements of the CEF format.

Use the following format:

CEF:0|Kaspersky Lab|Kaspersky CyberTrace for ArcSight|2.0|1|CyberTrace Service Event|4| reason=%Alert% msg=%RecordContext%

In the format above, 4 (or another value from 1 to 10) is the level (severity) of the service alerts from Kaspersky CyberTrace.
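The following is an added example, not part of the Kaspersky CyberTrace documentation or product, that shows how the patterns in the service alerts format and the %RecordContext% format expand. It reproduces the feed-update alert shown above, renders the ArcSight format with the escaping the CEF specification requires for extension values (backslash and "="), and parses a rendered service alert back into its parts as a SIEM consumer would. The space emitted before each context field is an assumption drawn from the documented output of %Alert%%RecordContext%; the timestamp and the "a=b" value are constructed samples.

```python
import re
from datetime import datetime

# Constructed sample: the context of a feed-update alert, using the values
# from the documented example output.
FEED_UPDATE_CONTEXT = [("feed", "Phishing_URL_Data_Feed.json"), ("records", "200473")]
SERVICE_ALERT_FMT = "%Date% alert=%Alert%%RecordContext%"
RECORD_CONTEXT_FMT = "%ParamName%=%ParamValue%"
ARCSIGHT_FMT = ("CEF:0|Kaspersky Lab|Kaspersky CyberTrace for ArcSight|2.0|1|"
                "CyberTrace Service Event|4| reason=%Alert% msg=%RecordContext%")

def cef_escape(value):
    """Escape the characters CEF reserves inside extension values: backslash and '='."""
    return value.replace("\\", "\\\\").replace("=", "\\=")

def render_record_context(record_context_fmt, context_fields, escape=None):
    """Expand %ParamName%/%ParamValue% once per context field.

    The documented output of %Alert%%RecordContext% is 'alert=X feed=Y records=Z',
    so each field is emitted with a leading space (assumption taken from that example).
    """
    out = ""
    for name, value in context_fields:
        value = escape(value) if escape else value
        out += " " + record_context_fmt.replace("%ParamName%", name).replace("%ParamValue%", value)
    return out

def render_alert(alert_fmt, record_context_fmt, alert, context_fields, when, escape=None):
    """Expand %Date%, %Alert% and %RecordContext% in an alert format string."""
    values = {
        "Date": when.strftime("%b %d %H:%M:%S"),
        "Alert": alert,
        "RecordContext": render_record_context(record_context_fmt, context_fields, escape),
    }
    # Only known patterns are replaced; a misspelled pattern stays visible in the output.
    return re.sub(r"%(\w+)%", lambda m: values.get(m.group(1), m.group(0)), alert_fmt)

def parse_service_alert(line):
    """Parse a rendered service alert (the example format above) back into its parts."""
    m = re.fullmatch(r"(\w{3} \d\d \d\d:\d\d:\d\d) alert=(\S+)((?: \S+=\S+)*)", line)
    if not m:
        return None
    return {"date": m.group(1), "alert": m.group(2),
            "context": dict(f.split("=", 1) for f in m.group(3).split())}

if __name__ == "__main__":
    when = datetime(2024, 4, 16, 9, 5, 41)  # constructed timestamp; the year is not printed
    print(render_alert(SERVICE_ALERT_FMT, RECORD_CONTEXT_FMT, "KL_ALERT_UpdatedFeed", FEED_UPDATE_CONTEXT, when))
    print(render_alert(ARCSIGHT_FMT, RECORD_CONTEXT_FMT, "KL_ALERT_UpdatedFeed", FEED_UPDATE_CONTEXT, when, cef_escape))
```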

Patterns for RSA NetWitness

The values of the service alerts formats must correspond to the formats set in the v20_cybertracemsg.xml file. If you change the formats, edit the v20_cybertracemsg.xml file accordingly.
