This section describes how to parse Kaspersky CyberTrace service events that have the following format:

Kaspersky CyberTrace Service Event| date=%Date% alert=%Alert% msg:%RecordContext%

Note that if you change the service event format in Kaspersky CyberTrace, you must also change the rules that parse service events in McAfee Enterprise Security Manager, because the rules match the exact text of this format.

To parse a service event, enter the following data in the Advanced Syslog Parser Rule dialog box:
[Screenshot: Adding a data source]

The Add Data Source dialog box appears.

McAfee Enterprise Security Manager receives all events from Kaspersky CyberTrace. If McAfee Enterprise Security Manager cannot parse an event, the event is displayed as an unknown event.

[Screenshot: Configuration of the data source]

McAfee ESM prompts you to roll out the policy you have configured.

[Screenshot: Rollout dialog box]

[Screenshot: Selecting Policy editor]

[Screenshot: Policy Editor window]
Rule name: Kaspersky_CyberTrace_ServiceEvent

Example of a service event in this format:

Kaspersky CyberTrace Service Event| date=Apr 17 19:08:28 alert=KL_ALERT_UpdatedFeed msg:feed=Demo_Botnet_CnC_URL_Data_Feed.json records=3907
Name | Regular Expression
---|---
 | 
 | 
 | 

[Screenshot: Parsing tab]
Field | Expression
---|---
Action | 
Description | Drag
Severity | 
Return_Code | Drag
First Time | Drag

[Screenshot: Field Assignment tab]
You can add other fields here by clicking the + button.
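The rule above matches the service event format and drags capture groups into ESM fields. The regular expression and the exact group-to-field assignment are not shown on this page, so the following is an added example (not Kaspersky's or McAfee's own rule) of how a parser for that format works: one assumed regular expression with named groups for date, alert and msg, an assumed mapping of those groups onto the ESM field names used in the Field Assignment tab (Return_Code, Description, First Time), an assumed syslog-style time format for the date, and a split of the msg part into key=value pairs so that values such as the feed name are available for aggregation. Lines that do not match return None, which is the situation in which ESM would show the event as unknown. The sample event is the one quoted above.

```python
import re
from datetime import datetime

# Sample service event, constructed from the example quoted on the page.
SAMPLE_EVENT = (
    "Kaspersky CyberTrace Service Event| date=Apr 17 19:08:28 "
    "alert=KL_ALERT_UpdatedFeed msg:feed=Demo_Botnet_CnC_URL_Data_Feed.json records=3907"
)

# Assumed regular expression for the format
#   Kaspersky CyberTrace Service Event| date=%Date% alert=%Alert% msg:%RecordContext%
# The real rule's expression is not shown on the page; this one is an example.
SERVICE_EVENT_RE = re.compile(
    r"^Kaspersky CyberTrace Service Event\|\s*"
    r"date=(?P<date>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"alert=(?P<alert>\S+)\s+"
    r"msg:(?P<msg>.*)$"
)

# Assumed assignment of capture groups to ESM field names (the page shows these
# fields as "Drag" assignments but not which group feeds which field).
ESM_FIELDS = {
    "Return_Code": "alert",   # KL_ALERT_* code
    "Description": "msg",     # the free-text record context
    "First Time": "date",     # syslog-style timestamp, no year
}

# Assumed time format for the First Time field (syslog style, year not present).
TIME_FORMAT = "%b %d %H:%M:%S"


def parse_time(date_text, year):
    """Parse the date group into a datetime; the year must be supplied because the
    event format does not carry one."""
    return datetime.strptime(date_text, TIME_FORMAT).replace(year=year)


def parse_record_context(msg):
    """Split the msg part into key=value pairs (tokens without '=' are ignored)."""
    context = {}
    for token in msg.split():
        key, sep, value = token.partition("=")
        if sep:
            context[key] = value
    return context


def parse_service_event(line):
    """Return the ESM-style fields for one service event, or None when the line does
    not match the format (ESM would display such an event as unknown)."""
    match = SERVICE_EVENT_RE.match(line)
    if match is None:
        return None
    fields = {esm_name: match.group(group) for esm_name, group in ESM_FIELDS.items()}
    fields["RecordContext"] = parse_record_context(match.group("msg"))
    return fields


if __name__ == "__main__":
    print(parse_service_event(SAMPLE_EVENT))
    print(parse_service_event("Some other syslog line"))  # None: would be "unknown" in ESM
```

Because the expression anchors on the literal prefix and on the `date=`, `alert=` and `msg:` labels, any change to the service event format in CyberTrace makes the match fail, which is why the page tells you to update the ESM parsing rule together with the format.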
Time Format | Time Fields
---|---
 | 

Action Key | Action Value
---|---
 | 

Severity Key | Severity Value
---|---
 | 

[Screenshot: Mapping tab]
Kaspersky CyberTrace device, and then enable the Kaspersky_CyberTrace_ServiceEvent rule.

[Screenshot: Enabling a rule]

[Screenshot: Rolling out a policy]

Kaspersky CyberTrace device in McAfee ESM.

Field 2, set the value Return_Code, and then click OK.

[Screenshot: Modify Aggregation Settings]