Step 3. Configuring CyberTrace for interaction with ArcSight

February 27, 2024

ID 174019

This section describes how to configure CyberTrace for interaction with ArcSight during normal work.

To configure CyberTrace for interaction with ArcSight:

  1. Open Kaspersky CyberTrace Web.
  2. Select the Settings > Service tab.
  3. In the Connection settings section, for Service listens on, select the IP address and port on which Kaspersky CyberTrace Service listens for incoming events. The IP address and port are set when ArcSight Forwarding Connector is installed (the default value is 127.0.0.1:9999).
  4. Select the Matching tab, and then select the Edit default rules link.

    The Default properties form opens.

  5. On the Normalization rules tab, do the following:
    • In the To replace field, enter the symbol sequence \=
    • In the Replace with field, enter the symbol =

    After you make the changes, the Normalization rules tab must look like the following:

    Figure: Normalization rules tab

  6. Select the Regular expressions tab. This tab contains universal regular expressions that match URLs (with protocol), hashes, IP addresses (src and dst), device name, vendor name, device IP address, user name, and event ID. Adjust these regular expressions so that they match the format of the events that ArcSight forwards to CyberTrace.
  7. Close the Default properties form.
  8. On the Events format tab, in the Alert events format field, enter the following string:

    CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|1|CyberTrace Service Event|4| reason=%Alert% msg=%RecordContext%

  9. In the Detection events format field, specify the following string:

    CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| reason=%Category% dst=%DST_IP% src=%DeviceIp% fileHash=%RE_HASH% request=%RE_URL% sourceServiceName=%Device% sproc=%Product% suser=%UserName% msg=CyberTrace detected %Category% externalId=%Id% %ActionableFields% cs5Label=MatchedIndicator cs5=%MatchedIndicator% cn3Label=Confidence cn3=%Confidence% cs6Label=Context cs6=%RecordContext%
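The following Python example is added here to illustrate steps 5, 8 and 9 above; it is not part of the CyberTrace product and does not reproduce its implementation. It renders the Detection events format string from a constructed record with CEF extension escaping, parses the resulting event back into header and extension fields (including the csN/cnN actionable fields and labels), and shows what the step 5 normalization rule does to a forwarded event. The record values, the `%ActionableFields%` text and the assumption that it arrives as ready-made `key=value` pairs are all constructed for the example.

```python
import re

# Detection events format string as entered on the Events format tab (from the page).
DETECTION_FORMAT = (
    "CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| "
    "reason=%Category% dst=%DST_IP% src=%DeviceIp% fileHash=%RE_HASH% request=%RE_URL% "
    "sourceServiceName=%Device% sproc=%Product% suser=%UserName% msg=CyberTrace detected "
    "%Category% externalId=%Id% %ActionableFields% cs5Label=MatchedIndicator "
    "cs5=%MatchedIndicator% cn3Label=Confidence cn3=%Confidence% cs6Label=Context cs6=%RecordContext%")
HEADER_KEYS = ["version", "vendor", "product", "product_version", "signature_id", "name", "severity"]

def normalize(event):
    """Normalization rule from step 5: turn the CEF-escaped '\\=' back into '=' before matching."""
    return event.replace("\\=", "=")

def cef_escape(value):
    """Escape a value for the CEF extension part: backslash, '=' and newline."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def cef_unescape(value):
    """Undo CEF escaping (backslash followed by '|', '=', backslash or 'n')."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def render_detection(record):
    """Fill %Name% placeholders with escaped values; %ActionableFields% is assumed to be
    ready-made 'key=value' text built from the feed table, so it is inserted verbatim."""
    return re.sub(r"%(\w+)%", lambda m: record.get(m.group(1), "") if m.group(1) == "ActionableFields"
                  else cef_escape(record.get(m.group(1), "")), DETECTION_FORMAT)

def parse_cef(line):
    """Split a CEF line into its seven header fields and a dict of extension keys."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # header separators are unescaped '|'
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    header = {k: cef_unescape(v) for k, v in zip(HEADER_KEYS, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    ext = {}  # a key is a token followed by an unescaped '='; its value runs up to the next key
    for m in re.finditer(r"(?:^|\s)([\w.]+)=((?:\\.|[^\\])*?)(?=\s[\w.]+=|$)", parts[7].strip()):
        ext[m.group(1)] = cef_unescape(m.group(2))
    return header, ext

# Constructed sample record for a Malicious Hash Data Feed match (not real data); threat and
# popularity go to cs3 and cn2 as in that feed's actionable-field table.
SAMPLE_RECORD = {
    "Category": "Malicious_Hash_Feed", "DST_IP": "10.0.0.5", "DeviceIp": "10.0.0.9",
    "RE_HASH": "0123456789abcdef0123456789abcdef", "RE_URL": "", "Device": "ArcSight",
    "Product": "Forwarding Connector", "UserName": "alice", "Id": "42",
    "ActionableFields": "cs3=Trojan.Win32.Generic cn2=3", "Confidence": "100",
    "MatchedIndicator": "0123456789abcdef0123456789abcdef",
    "RecordContext": "path=C:\\tmp\\a.exe",  # contains '=' and backslashes, so it must be escaped
}
```

Parsing the rendered event back returns `cs6` as the original `path=C:\tmp\a.exe`, which is exactly why step 5 has to undo the `\=` escaping on events coming in from ArcSight before the URL and hash regular expressions are applied.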

ArcSight and actionable fields

The following actionable fields are used in Kaspersky Data Feeds. You can review the actionable fields on the Settings > Feeds tab.

  • For Demo Botnet CnC URL Data Feed and Botnet CnC URL Data Feed:

    Field name       | Output         | CEF field
    mask             | cs1            | deviceCustomString1
    first_seen       | flexString1    | flexString1
    last_seen        | flexString2    | flexString2
    popularity       | cn2            | deviceCustomNumber2
    threat           | cs3            | deviceCustomString3
    urls/url         | cs4            | deviceCustomString4
    whois/domain     | cs2            | deviceCustomString2

  • For Demo Malicious Hash Data Feed and Malicious Hash Data Feed:

    Field name       | Output         | CEF field
    first_seen       | flexString1    | flexString1
    last_seen        | flexString2    | flexString2
    popularity       | cn2            | deviceCustomNumber2
    threat           | cs3            | deviceCustomString3
    urls/url         | cs4            | deviceCustomString4
    file_size        | fsize          | file_size

  • For Demo IP Reputation Feed and IP Reputation Data Feed:

    Field name       | Output         | CEF field
    first_seen       | flexString1    | flexString1
    last_seen        | flexString2    | flexString2
    popularity       | cn2            | deviceCustomNumber2
    threat_score     | cn1            | deviceCustomNumber1
    domains          | cs2            | deviceCustomString2
    urls/url         | cs4            | deviceCustomString4
    files/threat     | cs3            | deviceCustomString3

  • For Malicious URL Data Feed:

    Field name       | Output         | CEF field
    mask             | cs1            | deviceCustomString1
    first_seen       | flexString1    | flexString1
    last_seen        | flexString2    | flexString2
    popularity       | cn2            | deviceCustomNumber2
    files/threat     | cs3            | deviceCustomString3
    category         | cs4            | deviceCustomString4
    whois/domain     | cs2            | deviceCustomString2

  • For Mobile Malicious Hash Data Feed:

    Field name       | Output         | CEF field
    first_seen       | flexString1    | flexString1
    last_seen        | flexString2    | flexString2
    popularity       | cn2            | deviceCustomNumber2
    threat           | cs3            | deviceCustomString3
    file_size        | fsize          | file_size

  • For Phishing URL Data Feed:

    Field name       | Output         | CEF field
    mask             | cs1            | deviceCustomString1
    first_seen       | flexString1    | flexString1
    last_seen        | flexString2    | flexString2
    popularity       | cn2            | deviceCustomNumber2
    industry         | deviceFacility | deviceFacility
    whois/domain     | cs2            | deviceCustomString2

  • For Mobile Botnet Data Feed:

    Field name       | Output         | CEF field
    threat           | cs3            | deviceCustomString3

  • For APT URL Data Feed:

    Field name       | Output         | CEF field
    detection_date   | flexString1    | flexString1
    publication_name | cs3            | deviceCustomString3

  • For APT IP Data Feed:

    Field name       | Output         | CEF field
    detection_date   | flexString1    | flexString1
    publication_name | cs3            | deviceCustomString3

  • For APT Hash Data Feed:

    Field name       | Output         | CEF field
    detection_date   | flexString1    | flexString1
    publication_name | cs3            | deviceCustomString3

  • For IoT URL Data Feed:

    Field name       | Output         | CEF field
    mask             | cs1            | deviceCustomString1
    first_seen       | flexString1    | flexString1
    last_seen        | flexString2    | flexString2
    popularity       | cn2            | deviceCustomNumber2
    files/threat     | cs3            | deviceCustomString3

Clearing ArcSight fields occupied by information from Kaspersky Data Feeds

If you want to use a CEF field for data other than information from Kaspersky Data Feeds, you must first clear that field so that the feed data no longer occupies it.

To clear a CEF field:

  1. Select the Settings tab of Kaspersky CyberTrace Web.
  2. Select the Feeds tab.
  3. In the Filtering rules for feeds section, make sure the Kaspersky tab is selected, and then click the Kaspersky Threat Data Feed that contains the field that you want to clear.
  4. In the Actionable fields section, find the Output field containing the name of the CEF field that you want to clear.
  5. Click the Delete (trash can) icon next to the Output field that you found in the previous step.
