You can use formats and patterns to include specific information into the detection alerts generated by Kaspersky CyberTrace.
Formats are strings that determine the format of an alert or pattern. Patterns are special wildcards that you can use when specifying formats. A pattern is replaced by actual data when an alert is generated.
Record context format
The %RecordContext% format specifies how context fields must be added to an alert. You can specify a format for this pattern in the service alerts settings.
You can use the following patterns in the %RecordContext% format:
The name of the field in the feed.
The value of the field.
The %RecordContext% format determines the format of the context fields passed in a detection alert.
For example, if %RecordContext% is %ParamName%=%ParamValue%, then for a feed with the "Ip" and "Geo" fields, the following string can be produced (note the space character between the data of the two fields): "Ip=192.0.2.100 Geo=ru,br,ua,cz,us".
Actionable field context format
The %ActionableFields% format specifies how actionable fields must be added to an alert. You can set a separate format for this pattern in the detection alerts context settings.
You can use the following patterns in the %ActionableFields% format:
The name of the actionable field.
The value of the actionable field.
The %ActionableFields% format determines the format of the actionable fields passed in a detection alert.
For example, if %ActionableFields% is %ParamName%:%ParamValue%, and the cn1 and cn2 fields are specified for the feed, then the following string can be produced: "cn1:Example Device cn2:Example Environment".
Detection alerts format
You can specify this format in the detection alerts format settings.
You can use the following patterns in this format:
Category of the detected object.
Context of the alert, as described in the "Record context format" section above.
The level of confidence. This value is taken from the indicator confidence value of a feed that contains matched indicators from the detection alert.
The link to the Kaspersky CyberTrace Web page that contains information about the detected indicator.
Detected indicator (a URL, hash, or IP address) that caused the alert.
Actionable fields, as described in the "Actionable field context format" section above.
Event source identifier. This is the name that you specified for the event source.
The identifier of the preconfigured event source is Default.
Current date and time in the Mon DD HH:MM:SS format.
Date and time when Kaspersky CyberTrace received the detection event from the SIEM system.
Sign of whether the detection was made as a result of retrospective scan.
This pattern is a name of the regular expression. It is substituted by a value extracted from the event field that matches a regular expression. For example, if a regular expression has the name RE_URL, the pattern for it is %RE_URL%, and the generated alert holds the value that matched this regular expression.
The following is an example of the OutputSettings > EventFormat element:
%Date% event_name=%Category% source=%SourceId% matchedIndicator=%MatchedIndicator% url=%RE_URL% ip=%RE_IP% md5=%RE_MD5% sha1=%RE_SHA1% sha256=%RE_SHA256% usrName=%RE_USERNAME% indicatorInfo=%IndicatorInfo% confidence=%Confidence%%RecordContext% |
The format above generates the following alert:
Apr 16 09:05:41 eventName=KL_Malicious_Hash_MD5 source=ExampleSource matchedIndicator=C912705B4BBB14EC7E78FA8B370532C9 url=- src=192.0.2.4 ip=192.0.2.23 md5=C912705B4BBB14EC7E78FA8B370532C9 sha1=- sha256=- usrName=ExampleUser indicatorInfo=https://127.0.0.1/indicators?value=C912705B4BBB14EC7E78FA8B370532C9 confidence=100 MD5=C912705B4BBB14EC7E78FA8B370532C9 SHA1=8CBB395D31A711D683B1E36842AE851D5D000BAD SHA256=F6E62E9B3AF38A6BF331922B624844AAEB2D3658C4F0A54FA4651EAA6441C933 file_size=2989 first_seen=10.07.2016 23:53 last_seen=13.04.2020 08:08 popularity=1 threat=HEUR:Trojan.Win32.Generic |
Patterns for ArcSight
For detection alerts, use the following format:
|
In addition to the general patterns, the detection alerts format for ArcSight uses the following patterns with regular expression names:
%DST_IP%—Destination IP address.%DeviceIp%—IP address of the endpoint device where the event occurred.%RE_HASH%—Hash contained in the event.%RE_URL%—URL contained in the event.%Device%—Device vendor.%Product%—Device name.%UserName%—Name of the user that was active on the endpoint device.%Id%—Identifier of the event.Patterns for RSA NetWitness
The values of the detection alerts formats must correspond to the formats set in the v20_cybertracemsg.xml file. If you change the formats, edit the v20_cybertracemsg.xml file accordingly.
The following is an example of the detection alert format:
|
In addition to the general patterns, the detection alerts format for RSA Net Witness uses the following patterns with regular expression names:
%RE_URL%—URL contained in the event.%RE_HASH%—Hash contained in the event.%DST_IP%—Destination IP address.%SRC_IP%—Source IP address.%DeviceIp%—IP address of the endpoint device where the event occurred.%Device%—Device vendor.%DeviceAction%—Action taken by the device.%UserName%—Name of the user that was active on the endpoint device.