Detection alerts are the outgoing alerts that Kaspersky CyberTrace sends when an incoming event matches an indicator; each alert carries information about the detected match.
The Format tab of the Settings → Detection alerts page allows you to specify the format for outgoing detection alerts.
The Format tab of the Settings → Detection alerts page
We do not recommend changing the format of alerts manually. Instead, select the check boxes with the patterns that you want to use in the alerts, and Kaspersky CyberTrace will update the format automatically.
The tab consists of two subsections:
The first subsection lists the fields whose values are patterns generated by Kaspersky CyberTrace itself (information about the match).
The second subsection lists the fields whose values are extracted from the incoming events by the regular expressions defined for the event source.
In either subsection, select the check boxes with the patterns that you want to include in outgoing detection alerts. Kaspersky CyberTrace updates the format in the Alert format field automatically.
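The following Python script is an added illustration of how the two subsections combine into one alert; it is not CyberTrace code and does not reproduce its real pattern names or default format. It models the second subsection as a set of regular expressions applied to a raw event (the RE_ prefix and the field names are assumptions), the first subsection as values the service knows about the match, and the Alert format field as a key=%Pattern% template. It also includes the check a practitioner would run after a hand edit of the format: every placeholder in the format must correspond to a selected pattern, otherwise the placeholder stays empty in the alert (the empty-value behaviour is an assumption of this example). The log line and indicator are constructed samples.

```python
import re

# Constructed sample of "regular expressions defined for the event source"
# (second subsection). Field names and the RE_ prefix are assumptions
# for this example, not CyberTrace's own naming.
SOURCE_REGEXES = {
    "RE_URL": r"url=(\S+)",
    "RE_IP": r"dst=(\d{1,3}(?:\.\d{1,3}){3})",
    "RE_HASH": r"hash=([0-9a-fA-F]{32,64})",
}

# Placeholder syntax assumed for the Alert format field: %PatternName%
PLACEHOLDER = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def extract_fields(raw_event, regexes=SOURCE_REGEXES):
    """Apply each source regex to the raw event.

    The first capture group is the field value; regexes that do not match
    simply produce no field (e.g. RE_HASH on an event without a hash).
    """
    fields = {}
    for name, pattern in regexes.items():
        m = re.search(pattern, raw_event)
        if m:
            fields[name] = m.group(1)
    return fields


def build_format(selected_patterns):
    """Mimic automatic format generation: one key=%Pattern% pair per selected check box."""
    return " ".join(f"{p}=%{p}%" for p in selected_patterns)


def render_alert(alert_format, values):
    """Substitute every %Pattern% placeholder; unknown or unmatched ones render empty (assumed)."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), ""), alert_format)


def check_format(alert_format, selected_patterns):
    """Return placeholders used in a (hand-edited) format that are not selected patterns.

    A non-empty result is the kind of drift the page warns about when the
    Alert format field is edited manually instead of through the check boxes.
    """
    used = set(PLACEHOLDER.findall(alert_format))
    return sorted(used - set(selected_patterns))


def demo():
    """End-to-end: constructed firewall event -> extracted fields -> rendered alert."""
    raw_event = "Jan 10 12:00:01 fw01 url=http://malicious.example/payload dst=203.0.113.7"
    # Patterns "selected" in the two subsections: two generated, two regex-extracted.
    selected = ["Category", "MatchedIndicator", "RE_URL", "RE_IP"]
    alert_format = build_format(selected)
    # Values the service generates about the match (first subsection), constructed here.
    generated = {"Category": "Malicious_URL", "MatchedIndicator": "malicious.example/payload"}
    values = {**generated, **extract_fields(raw_event)}
    return render_alert(alert_format, values)


if __name__ == "__main__":
    print(demo())
    # A hand-edited format referencing a pattern nobody selected:
    print(check_format("cat=%Category% ip=%RE_IPv6%", ["Category"]))
```

Running the script prints the rendered alert for the sample event, then `['RE_IPv6']` for the hand-edited format, showing the placeholder that would silently render empty in a real alert.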
Setting event and alert formats for specific SIEM systems
The correct format of events and detection alerts depends on your SIEM system. If you change the format of events or alerts in Kaspersky CyberTrace, you may also need to update the SIEM side of the integration (for example, the rules that parse alert fields), because the SIEM expects the format it was originally configured for.