This section describes how to parse Kaspersky CyberTrace detection events that have the following format:
Kaspersky CyberTrace Detection Event| date=%Date% reason=%Category% detected=%MatchedIndicator% act=%DeviceAction% dst=%RE_IP% src=%SRC_IP% hash=%RE_HASH% request=%RE_URL% dvc=%DeviceIp% sourceServiceName=%Device% suser=%UserName% msg:%RecordContext%
Note that if you change the format of Kaspersky CyberTrace detection events, you have to change the Kaspersky CyberTrace parser rules in McAfee Enterprise Security Manager.
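The format above is not plain key=value text: the date value contains spaces, a URL value can contain "=", and the msg: trailer (RecordContext) carries its own space-separated key=value pairs whose values may contain commas. The following Python parser is added here as an illustration (it is not Kaspersky's or McAfee's code) and handles the page's sample event by anchoring on the fixed key order, the same constraint an ESM regular expression for this format has to satisfy; the key list and the split rule for the msg: trailer are assumptions read off the format string above.

```python
import re
from typing import Dict, Optional

# Key order of the CyberTrace detection event format described above. Values
# may contain spaces (date), '=' (URL query strings) and commas, and the
# trailer uses 'msg:' rather than 'msg=', so the event is parsed by anchoring
# on the known key names in this order instead of splitting on ' ' or '='.
PREFIX = "Kaspersky CyberTrace Detection Event|"
FIELD_KEYS = ["date", "reason", "detected", "act", "dst", "src", "hash",
              "request", "dvc", "sourceServiceName", "suser"]

def _build_event_regex() -> "re.Pattern[str]":
    """Capture each value lazily up to the next expected key token."""
    pattern = re.escape(PREFIX) + r"\s*"
    for i, key in enumerate(FIELD_KEYS):
        nxt = FIELD_KEYS[i + 1] + "=" if i + 1 < len(FIELD_KEYS) else "msg:"
        pattern += rf"{key}=(?P<{key}>.*?)\s+(?={re.escape(nxt)})"
    return re.compile(pattern + r"msg:(?P<msg>.*)$")  # msg: = RecordContext

EVENT_RE = _build_event_regex()

def parse_detection_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event fields keyed by their format names, or None if the
    line is not a CyberTrace detection event. A value containing a later key
    token (e.g. ' dvc=') would be cut short; an ESM regex rule has the same
    constraint, so test the rule against such events before relying on it."""
    match = EVENT_RE.match(line.strip())
    return match.groupdict() if match else None

def parse_record_context(msg: str) -> Dict[str, str]:
    """Split the msg: trailer into key=value pairs. A new pair starts only at
    whitespace followed by 'key=', so 'geo=vn, in, mx' stays one value."""
    context: Dict[str, str] = {}
    for part in re.split(r"\s+(?=\w+=)", msg.strip()):
        if "=" in part:
            key, value = part.split("=", 1)
            context[key] = value
    return context

# Sample event taken from this page.
SAMPLE_EVENT = (
    "Kaspersky CyberTrace Detection Event| date=Oct 12 16:13:23 "
    "reason=KL_BotnetCnC_URL detected=http://fakess123bn.nu act=REQUEST_URL "
    "dst=192.168.1.0 src=192.168.2.0 hash=776735A8CA96DB15B422879DA599F474 "
    "request=http://fakess123bn.nu dvc=192.168.3.0 sourceServiceName=FireWall "
    "suser=UserName msg:popularity=5 geo=vn, in, mx threat=Trojan.Win32.Waldek"
)
```

Calling `parse_detection_event(SAMPLE_EVENT)` and then `parse_record_context(...)` on its `msg` value yields the twelve top-level fields plus the popularity, geo and threat context pairs.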
To parse a detection event, enter the following data in the Advanced Syslog Parser Rule dialog box:

Rule name: Kaspersky_CyberTrace_DetectionEvent

Sample event:

Kaspersky CyberTrace Detection Event| date=Oct 12 16:13:23 reason=KL_BotnetCnC_URL detected=http://fakess123bn.nu act=REQUEST_URL dst=192.168.1.0 src=192.168.2.0 hash=776735A8CA96DB15B422879DA599F474 request=http://fakess123bn.nu dvc=192.168.3.0 sourceServiceName=FireWall suser=UserName msg:popularity=5 geo=vn, in, mx threat=Trojan.Win32.Waldek
| Name | Regular Expression |
|---|---|
| Field | Expression |
|---|---|
| Action | |
| First Time | Drag |
| URL | Drag |
| Destination IP | Drag |
| Device_Action | Drag |
| Hash | Drag |
| Host | Drag |
| Message_Text | Drag |
| Object | Drag |
| Return_Code | Drag |
| Service_Name | Drag |
| Severity | |
| Source IP | Drag |
| Source User | Drag |
McAfee ESM renames the Object field to ObjectID.
| Time Format | Time Fields |
|---|---|

| Action Key | Action Value |
|---|---|

| Severity Key | Severity Value |
|---|---|
After specifying the above values, do the following:

1. Kaspersky CyberTrace device, and then enable the Kaspersky_CyberTrace_DetectionEvent rule.
2. Kaspersky CyberTrace device. The Modify Aggregation Settings dialog box appears.
3. Field 2 to Object.
4. Field 3 to Return_Code.