Contains parameters for a specific event source.
The regular expressions and event normalization rules specified in the configuration file are grouped by event sources that are represented by Source elements. Usually these event sources are devices that issue events, which afterward are checked by Kaspersky CyberTrace Service. Every Source element contains a set of rules. There can be one or more Source elements in the InputSettings > RegExps element.
Note that event normalization rules are applied first and regular expressions are applied afterward.
Special event source
There must be an event source with the default identifier (<Source id="default">). Rules of the default event source have lower priority than rules specific to the event source.
The regular expressions of the default event source for finding URLs, IP addresses, and hashes are universal; that is, they can be used for parsing events issued by most devices. They can be used for parsing events that contain multiple URLs, but cannot be used, for example, for parsing events that contain URLs with no protocol specified. The use of universal regular expressions lowers the performance of Kaspersky CyberTrace Service, compared to using device-specific regular expressions. Also, the universal regular expressions do not handle the dispersal, in an event, of different parts of a URL (for example, the host and the path). The universal regular expressions for finding hashes can extract character sequences that actually are not hashes.
Path
Domains > Domain > InputSettings > RegExps > Source
Attributes
This element has the following attributes.
Source element attributes
Attribute |
Description |
|---|---|
|
A unique identifier of the event source. In detection events, the identifier of the event source can be referred to by the %SourceId% pattern. |
|
The IP address of the event source. If an event has arrived from an event source that has the specified IP address, the event is processed by using the rules contained in this The attribute cannot be set for the |
|
The host name of the event source. The value of the host name is extracted from the event. In syslog events, the host name follows the timestamp (https://tools.ietf.org/html/rfc5424). For example, in the event If an event has arrived from an event source that has the specified host name and the IP address of the event source is not among those specified in the The attribute cannot be set for the |
|
The regular expression that is used to determine if an event comes from the source. The specified regular expression is applied to an event. If the regular expression matches the event one or more times, the event is considered to be from the source. In this case, the event is processed by using the rules contained in this The attribute cannot be set for the |
Nested elements
This element is a container for the following nested elements:
Regular expressions that are used to parse incoming events originating from this source.
Each regular expression is a separate element with the name of the regular expression.
Rules for modifying incoming events.
Example
The following is an example of this element.
<Source id="CustomSource" ip="192.0.2.15"> <RE_MD5 type="MD5" extract="all">([\da-fA-F]{32})</RE_MD5> <RE_SHA1 type="SHA1" extract="all">([\da-fA-F]{40})</RE_SHA1> <RE_SHA256 type="SHA256" extract="all">([\da-fA-F]{64})</RE_SHA256> <NormalizingRules> ... </NormalizingRules> </Source> |