Parsing Kaspersky CyberTrace detection events in McAfee Enterprise Security Manager

This section describes how to parse Kaspersky CyberTrace detection events that have the following format:

Kaspersky CyberTrace Detection Event| date=%Date% reason=%Category% detected=%MatchedIndicator% act=%DeviceAction% dst=%RE_IP% src=%SRC_IP% hash=%RE_HASH% request=%RE_URL% dvc=%DeviceIp% sourceServiceName=%Device% suser=%UserName% msg:%RecordContext%

Note that if you change the format of Kaspersky CyberTrace detection events, you have to change the Kaspersky CyberTrace parser rules in McAfee Enterprise Security Manager.

To parse a detection event, enter the following data in the Advanced Syslog Parser Rule dialog box:

In the General tab, enter the following data:
- Name: Kaspersky_CyberTrace_DetectionEvent
- Tags: Select the tags that define the rule (that is, they will be used while filtering events)
- Rule Assignment Type: User Defined 1
- Description: The Kaspersky CyberTrace detection event

In the Parsing tab, enter the following data:

Provide content strings: Kaspersky CyberTrace Detection Event
Sample Log Data: Provide an example of a URL detection event. For example:
Kaspersky CyberTrace Detection Event| date=Oct 12 16:13:23 reason=KL_BotnetCnC_URL detected=http://fakess123bn.nu act=REQUEST_URL dst=192.168.1.0 src=192.168.2.0 hash=776735A8CA96DB15B422879DA599F474 request=http://fakess123bn.nu dvc=192.168.3.0 sourceServiceName=FireWall suser=UserName msg:popularity=5 geo=vn, in, mx threat=Trojan.Win32.Waldek
Add the following regular expressions for parsing events:

Name	Regular Expression
`ct_date`	`date\=(\S+\s\d+\s\S+)`
`ct_reason`	`reason\=(.*)\sdetected`
`ct_indicator`	`detected\=(.*)\sact`
`ct_dev_action`	`act\=(.*)\sdst`
`ct_dst`	`dst\=(\S+)`
`ct_src`	`src\=(\S+)`
`ct_hash`	`hash\=(\S+)`
`ct_request`	`request\=(.*)\sdvc`
`ct_dev_ip`	`dvc\=(\S+)`
`ct_serviceName`	`sourceServiceName\=(.*)\ssuser`
`ct_username`	`suser\=(.*?)\smsg`
`ct_context`	`msg\:(.*)$`

In the Field Assignment tab, enter the following data:

Field	Expression
Action	`"0"`
First Time	Drag `ct_date` in this field
URL	Drag `ct_request` in this field
Destination IP	Drag `ct_dst` in this field
Device_Action	Drag `ct_dev_action` in this field
Hash	Drag `ct_hash` in this field
Host	Drag `ct_dev_ip` in this field
Message_Text	Drag `ct_context` in this field
Object	Drag `ct_indicator` in this field
Return_Code	Drag `ct_reason` in this field
Service_Name	Drag `ct_serviceName` in this field
Severity	`"80"`
Source IP	Drag `ct_src` in this field
Source User	Drag `ct_username` in this field

McAfee ESM renames the Object field to ObjectID.

In the Mapping tab, enter the following data:
- In the time data table, use the following data:

Time Format	Time Fields
`%b %d %H:%M:%S`	`First time`

In the actions table, use the following data:

Action Key	Action Value
`0`	`Success`

In the severity table, use the following data:

Severity Key	Severity Value
`80`	`80`

After specifying the above values, do the following:

In the Default Policy list, select the Kaspersky CyberTrace device, and then enable the Kaspersky_CyberTrace_DetectionEvent rule.
Select File > Save to save the current state.
Select Operations > Rollout to roll out the policy.
Reinitialize the Kaspersky CyberTrace device.
Select Operations > Modify Aggregation Settings to change the aggregation rules for Kaspersky CyberTrace service events.
The Modify Aggregation Settings dialog box appears.
Specify the following values:
- Set Field 2 to Object.
- Set Field 3 to Return_Code.
Click OK.
Confirm the rollout request.

Page top