Parsing Kaspersky CyberTrace detection events in McAfee Enterprise Security Manager
April 11, 2024
ID 183378
This section describes how to parse Kaspersky CyberTrace detection events that have the following format:
Kaspersky CyberTrace Detection Event| date=%Date% reason=%Category% detected=%MatchedIndicator% act=%DeviceAction% dst=%RE_IP% src=%SRC_IP% hash=%RE_HASH% request=%RE_URL% dvc=%DeviceIp% sourceServiceName=%Device% suser=%UserName% msg:%RecordContext%
Note that if you change the format of Kaspersky CyberTrace detection events, you have to change the Kaspersky CyberTrace parser rules in McAfee Enterprise Security Manager accordingly. The regular expressions below anchor on the names of neighbouring fields (for example, the suser expression stops at msg), so renaming, removing or reordering one field also breaks the expressions that use it as an anchor.
To parse a detection event, enter the following data in the Advanced Syslog Parser Rule dialog box:
- In the General tab, enter the following data:
  - Name: Kaspersky_CyberTrace_DetectionEvent
  - Tags: Select the tags that define the rule (they are used when filtering events).
  - Rule Assignment Type: User Defined 1
  - Description: The Kaspersky CyberTrace detection event
- In the Parsing tab, enter the following data:
- Provide content strings: Kaspersky CyberTrace Detection Event
- Sample Log Data: Provide an example of a URL detection event. For example:
Kaspersky CyberTrace Detection Event| date=Oct 12 16:13:23 reason=KL_BotnetCnC_URL detected=http://fakess123bn.nu act=REQUEST_URL dst=192.168.1.0 src=192.168.2.0 hash=776735A8CA96DB15B422879DA599F474 request=http://fakess123bn.nu dvc=192.168.3.0 sourceServiceName=FireWall suser=UserName msg:popularity=5 geo=vn, in, mx threat=Trojan.Win32.Waldek
- Add the following regular expressions for parsing events:

  Name             Regular Expression
  ct_date          date\=(\S+\s\d+\s\S+)
  ct_reason        reason\=(.*)\sdetected
  ct_indicator     detected\=(.*)\sact
  ct_dev_action    act\=(.*)\sdst
  ct_dst           dst\=(\S+)
  ct_src           src\=(\S+)
  ct_hash          hash\=(\S+)
  ct_request       request\=(.*)\sdvc
  ct_dev_ip        dvc\=(\S+)
  ct_serviceName   sourceServiceName\=(.*)\ssuser
  ct_username      suser\=(.*?)\smsg
  ct_context       msg\:(.*)$
- In the Field Assignment tab, enter the following data. A quoted value is typed into the field as a constant; for every other row, drag the named expression into the field:

  Field            Expression
  Action           "0"
  First Time       ct_date
  URL              ct_request
  Destination IP   ct_dst
  Device_Action    ct_dev_action
  Hash             ct_hash
  Host             ct_dev_ip
  Message_Text     ct_context
  Object           ct_indicator
  Return_Code      ct_reason
  Service_Name     ct_serviceName
  Severity         "80"
  Source IP        ct_src
  Source User      ct_username

  McAfee ESM renames the Object field to ObjectID.
- In the Mapping tab, enter the following data:
  - In the time data table, use the following data:

    Time Format        Time Fields
    %b %d %H:%M:%S     First time

  - In the actions table, use the following data:

    Action Key   Action Value
    0            Success

  - In the severity table, use the following data:

    Severity Key   Severity Value
    80             80
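The following Python script is an added example and is not part of the original Kaspersky or McAfee documentation. It applies the same content string, regular expressions, field assignments and mappings to the sample event above, so the expressions can be checked offline before the rule is rolled out. The first event is copied from the Sample Log Data above; the second, with suser renamed to user, is constructed to show how a change of event format shows up. The dictionary keys, the unmatched() helper and the 1900 year reported for the parsed time are choices of this emulation, not McAfee ESM internals.

```python
import re
from datetime import datetime

# Content string the rule matches on (Parsing tab).
CONTENT_STRING = "Kaspersky CyberTrace Detection Event"

# Parser expressions exactly as entered in the Parsing tab.
CT_RULES = {
    "ct_date": r"date\=(\S+\s\d+\s\S+)",
    "ct_reason": r"reason\=(.*)\sdetected",
    "ct_indicator": r"detected\=(.*)\sact",
    "ct_dev_action": r"act\=(.*)\sdst",
    "ct_dst": r"dst\=(\S+)",
    "ct_src": r"src\=(\S+)",
    "ct_hash": r"hash\=(\S+)",
    "ct_request": r"request\=(.*)\sdvc",
    "ct_dev_ip": r"dvc\=(\S+)",
    "ct_serviceName": r"sourceServiceName\=(.*)\ssuser",
    "ct_username": r"suser\=(.*?)\smsg",
    "ct_context": r"msg\:(.*)$",
}

# Field Assignment tab: a quoted value is a constant, anything else is the
# name of a parser expression dragged into the field.
FIELD_ASSIGNMENT = {
    "Action": '"0"',
    "First Time": "ct_date",
    "URL": "ct_request",
    "Destination IP": "ct_dst",
    "Device_Action": "ct_dev_action",
    "Hash": "ct_hash",
    "Host": "ct_dev_ip",
    "Message_Text": "ct_context",
    "Object": "ct_indicator",
    "Return_Code": "ct_reason",
    "Service_Name": "ct_serviceName",
    "Severity": '"80"',
    "Source IP": "ct_src",
    "Source User": "ct_username",
}

# Mapping tab: time format, action key/value and severity key/value.
TIME_FORMAT = "%b %d %H:%M:%S"
ACTION_MAP = {"0": "Success"}
SEVERITY_MAP = {"80": 80}

# Sample event copied from the Sample Log Data above.
SAMPLE_EVENT = (
    "Kaspersky CyberTrace Detection Event| date=Oct 12 16:13:23 "
    "reason=KL_BotnetCnC_URL detected=http://fakess123bn.nu act=REQUEST_URL "
    "dst=192.168.1.0 src=192.168.2.0 hash=776735A8CA96DB15B422879DA599F474 "
    "request=http://fakess123bn.nu dvc=192.168.3.0 sourceServiceName=FireWall "
    "suser=UserName msg:popularity=5 geo=vn, in, mx threat=Trojan.Win32.Waldek"
)

# Constructed variant: the suser field renamed to user, as would happen after
# editing the CyberTrace event format without updating the parser rule.
CHANGED_EVENT = SAMPLE_EVENT.replace(" suser=", " user=")


def extract(event):
    """Run every parser expression over the event; unmatched names map to None."""
    captures = {}
    for name, pattern in CT_RULES.items():
        match = re.search(pattern, event)
        captures[name] = match.group(1) if match else None
    return captures


def unmatched(event):
    """Names of parser expressions that fail on this event. A non-empty list
    means the event format and the parser rule no longer agree."""
    return [name for name, value in extract(event).items() if value is None]


def parse_detection_event(event):
    """Emulate content match, field assignment and mapping for one event.
    Returns None when the content string is absent (the rule would not fire)."""
    if CONTENT_STRING not in event:
        return None
    captures = extract(event)
    fields = {}
    for field, expr in FIELD_ASSIGNMENT.items():
        if expr.startswith('"') and expr.endswith('"'):
            fields[field] = expr.strip('"')   # constant value
        else:
            fields[field] = captures[expr]     # dragged expression
    # Mapping tab. The time format carries no year, so strptime reports 1900;
    # that is an artifact of this emulation, not of ESM.
    if fields["First Time"] is not None:
        fields["First Time"] = datetime.strptime(fields["First Time"], TIME_FORMAT)
    fields["Action"] = ACTION_MAP[fields["Action"]]
    fields["Severity"] = SEVERITY_MAP[fields["Severity"]]
    # McAfee ESM renames the Object field to ObjectID.
    fields["ObjectID"] = fields.pop("Object")
    return fields


if __name__ == "__main__":
    for key, value in parse_detection_event(SAMPLE_EVENT).items():
        print(f"{key:15} {value}")
    print("unmatched after renaming suser:", unmatched(CHANGED_EVENT))
```

Renaming a single field breaks two expressions, ct_username and ct_serviceName, because the latter anchors on the following suser key; that is the effect the note at the top of this section warns about, and unmatched() is the quick way to find every expression that needs rewriting after a format change.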
After specifying the above values, do the following:
- In the Default Policy list, select the Kaspersky CyberTrace device, and then enable the Kaspersky_CyberTrace_DetectionEvent rule.
- Select File > Save to save the current state.
- Select Operations > Rollout to roll out the policy.
- Reinitialize the Kaspersky CyberTrace device.
- Select Operations > Modify Aggregation Settings to change the aggregation rules for Kaspersky CyberTrace detection events.
  The Modify Aggregation Settings dialog box appears.
- Specify the following values:
  - Set Field 2 to Object.
  - Set Field 3 to Return_Code.
- Click OK.
- Confirm the rollout request.