OutputSettings

April 11, 2024

ID 198889

Contains output settings for the General tenant.

Defines the address and port of the event target software to send the outgoing events to, and the format of the outgoing events.

Path

OutputSettings

Attributes

This element has no attributes.

Nested elements

To specify values for EventFormat, RecordFieldContextFormat, ActionableFieldContextFormat, and AlertFormat, you may need to learn more about event format patterns.

This element is a container for the following nested elements:

  • EventFormat

    Specifies the format of outgoing events.

    The EventFormat element is mandatory.

  • RecordFieldContextFormat

    Specifies how context fields must be added to an event.

    The RecordFieldContextFormat element is mandatory.

  • ActionableFieldContextFormat

    Specifies how actionable fields must be added to an event.

    The ActionableFieldContextFormat element is mandatory.

  • AlertFormat

    Specifies the format for outgoing events that inform the event target software of the Kaspersky CyberTrace Service state.

    The AlertFormat element is optional. If it is absent from the configuration file, no notification is made.

  • ConnectionString

    Specifies the IP address and port (or the Windows-named pipe) to which the service will send outgoing events.

    The ConnectionString element is mandatory.

    For more information about this element, see the "OutputSettings > ConnectionString" subsection below.

  • AlertConnectionString

    Specifies the IP address (or host) and port to which the service will send service alerts.

    The AlertConnectionString element is optional.

    For more information about this element, see the "OutputSettings > AlertConnectionString" subsection below.

  • FinishedEventFormat

    Specifies the format of the informational event that is generated for each processed event.

    The FinishedEventFormat element is mandatory.

    For more information about this element, see the "OutputSettings > FinishedEventFormat" subsection below.

OutputSettings > ConnectionString

Specifies the IP address and port (or the Windows-named pipe) to which the service will send outgoing events.

The string is formatted as <ip_address>:<port> (if an IP address and port are used) or as \\.\pipe\<pipe_name> (if a Windows-named pipe is used).

You can use an IPv4 or an IPv6 address.

OutputSettings > AlertConnectionString

Specifies the IP address (or host) and port to which the service will send service alerts.

The value of this element is formatted as <ip_address>:<port> (if an IP address and port are used) or as \\.\pipe\<pipe_name> (if a Windows-named pipe is used). The IP address must consist of four decimal octets, each separated by a dot. The value in each octet must be less than 256.

The AlertConnectionString element is optional. If the element is omitted, the enabled attribute with the false value is used for this element.

This element has the following attributes:

AlertConnectionString element attributes

  • enabled

    Defines whether Kaspersky CyberTrace Service sends alert events to the specified IP address and port.

    Possible values: true, false.

    If the value is true, Kaspersky CyberTrace Service will send alert events to the IP address and port that are specified in this element.

    If the value is false, Kaspersky CyberTrace Service will send alert events to the IP address and port that are specified in the OutputSettings > ConnectionString element.
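The connection-string rules above (IPv4 or IPv6 with a port, or a Windows named pipe, and four-octet IPv4 only for alerts) and the enabled fallback can be checked before a configuration is deployed. The following is an added example, not Kaspersky CyberTrace code; the sample XML is constructed and the parsing follows only what this page states.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample config (not taken from a real deployment); it follows the
# element layout described on this page.
SAMPLE_XML = """<OutputSettings>
  <EventFormat>%RE_DATE% category=%Category%%RecordContext%</EventFormat>
  <RecordFieldContextFormat><![CDATA[ %ParamName%=%ParamValue%]]></RecordFieldContextFormat>
  <ActionableFieldContextFormat><![CDATA[ %ParamName%:%ParamValue%]]></ActionableFieldContextFormat>
  <FinishedEventFormat enabled="true">LookupFinished %RecordContext%</FinishedEventFormat>
  <ConnectionString>127.0.0.1:9998</ConnectionString>
  <AlertConnectionString enabled="false">192.0.2.145:9998</AlertConnectionString>
</OutputSettings>"""

MANDATORY = ("EventFormat", "RecordFieldContextFormat", "ActionableFieldContextFormat",
             "ConnectionString", "FinishedEventFormat")
PIPE_RE = re.compile(r"^\\\\\.\\pipe\\[^\\]+$")      # \\.\pipe\<pipe_name>

def parse_connection_string(value, ipv4_only=False):
    """Return ("pipe", name) or ("tcp", address, port); raise ValueError if malformed."""
    if PIPE_RE.match(value):
        return ("pipe", value.rsplit("\\", 1)[1])
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"expected <ip_address>:<port>, got {value!r}")
    addr = ipaddress.ip_address(host.strip("[]"))   # ValueError on anything that is not an IP
    if ipv4_only and addr.version != 4:             # AlertConnectionString: four decimal octets only
        raise ValueError(f"IPv4 address required, got {host!r}")
    return ("tcp", str(addr), int(port))

def alert_target(root):
    """Where alerts go: AlertConnectionString only when enabled="true"; otherwise
    (false, attribute omitted, or element absent) ConnectionString is used."""
    alert = root.find("AlertConnectionString")
    if alert is not None and alert.get("enabled", "false") == "true":
        return parse_connection_string(alert.text.strip(), ipv4_only=True)
    return parse_connection_string(root.find("ConnectionString").text.strip())

def check_output_settings(xml_text):
    """Validate mandatory elements and resolve both targets from an OutputSettings document."""
    root = ET.fromstring(xml_text)
    missing = [name for name in MANDATORY if root.find(name) is None]
    if missing:
        raise ValueError("missing mandatory elements: " + ", ".join(missing))
    return {"events": parse_connection_string(root.find("ConnectionString").text.strip()),
            "alerts": alert_target(root)}
```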

OutputSettings > FinishedEventFormat

Specifies the format of the informational event that is generated after an event is processed.

If this parameter is enabled, Kaspersky CyberTrace will generate an informational event for each event that it processes. An informational event is generated even if there were no detections.

The FinishedEventFormat element is mandatory.

The value of this element specifies the event format. You can use the %RecordContext% pattern and regular expression names in the format.

The %RecordContext% pattern will provide the following fields, if used:

  • category

    It is "LookupFinished" for events of this type.

  • sent_events

    The number of events sent to a SIEM solution.

  • total

    Concatenation of the following substrings formed for every category assigned to detection events:

    <category>:<number_of_detections>;

    If there were no detections, the sent_events parameter is set to 0, and the total string is empty.
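The following added example (not Kaspersky CyberTrace code) renders the LookupFinished event from the three fields listed above, using the RecordFieldContextFormat and FinishedEventFormat values from this page's example, and parses it back the way a SIEM rule would. It assumes sent_events equals the number of detection events, which the page does not state; the category names are constructed.

```python
# Added example (not product code): build and parse the LookupFinished event that
# FinishedEventFormat describes, using the format strings from this page's example.
RECORD_FIELD_CONTEXT_FORMAT = " %ParamName%=%ParamValue%"   # RecordFieldContextFormat value
FINISHED_EVENT_FORMAT = "LookupFinished %RecordContext%"    # FinishedEventFormat value

def record_context(fields, field_format=RECORD_FIELD_CONTEXT_FORMAT):
    """Expand %RecordContext%: one copy of RecordFieldContextFormat per field, concatenated."""
    return "".join(field_format.replace("%ParamName%", name).replace("%ParamValue%", str(value))
                   for name, value in fields.items())

def lookup_finished_fields(detections_by_category):
    """The three fields the page lists. Assumption (not stated on the page): sent_events
    equals the number of detection events, i.e. the sum of the per-category counts."""
    counted = {cat: n for cat, n in detections_by_category.items() if n > 0}
    return {
        "category": "LookupFinished",
        "sent_events": sum(counted.values()),                           # 0 when nothing matched
        "total": "".join(f"{cat}:{n};" for cat, n in counted.items()),  # empty when nothing matched
    }

def render_finished_event(detections_by_category, fmt=FINISHED_EVENT_FORMAT):
    """What the service would emit for one processed event, per the page's description."""
    return fmt.replace("%RecordContext%", record_context(lookup_finished_fields(detections_by_category)))

def parse_finished_event(line, prefix="LookupFinished "):
    """SIEM-side inverse: recover the fields from a rendered event and re-split 'total'."""
    if not line.startswith(prefix):
        raise ValueError("not a LookupFinished event")
    fields = dict(token.split("=", 1) for token in line[len(prefix):].split(" ") if token)
    fields["sent_events"] = int(fields["sent_events"])
    fields["total"] = {cat: int(n) for cat, n in
                       (item.split(":") for item in fields["total"].split(";") if item)}
    return fields

# Constructed category names; real deployments use the categories assigned to detection events.
EXAMPLE_DETECTIONS = {"malicious_url": 2, "ip_reputation": 1}
```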

This element has the following attributes:

FinishedEventFormat element attributes

  • enabled

    Defines whether special informational events are generated.

    Possible values: true, false.

    If the value is true, Kaspersky CyberTrace Service will generate special informational events.

    If the value is false, or this attribute is omitted, Kaspersky CyberTrace Service will not generate special informational events.

    This attribute is optional.

Example

The following is an example of this element.

<OutputSettings>
  <RecordFieldContextFormat><![CDATA[ %ParamName%=%ParamValue%]]></RecordFieldContextFormat>
  <AlertFormat>%Date% alert=%Alert%%RecordContext%</AlertFormat>
  <EventFormat>%RE_DATE% category=%Category% matchedIndicator=%MatchedIndicator% url=%RE_URL% src=%SRC_IP% ip=%RE_IP% md5=%RE_MD5% sha1=%RE_SHA1% sha256=%RE_SHA256% usrName=%RE_USERNAME%%RecordContext%</EventFormat>
  <FinishedEventFormat enabled="true">LookupFinished %RecordContext%</FinishedEventFormat>
  <ActionableFieldContextFormat><![CDATA[ %ParamName%:%ParamValue%]]></ActionableFieldContextFormat>
  <ConnectionString>127.0.0.1:9998</ConnectionString>
  <AlertConnectionString>192.0.2.145:9998</AlertConnectionString>
</OutputSettings>
