This section describes how to configure Kaspersky CyberTrace for integration with McAfee ESM.
To configure Kaspersky CyberTrace for integration with McAfee ESM:
For McAfee ESM, the port is 514.
Click Next.
Regular expressions for integration with McAfee ESM

| Indicator type | Rule name | Regular expression | Additional options |
|---|---|---|---|
| CONTEXT | Device | `deviceExternalId\=(.*?)\s` | |
| CONTEXT | DeviceAction | `act\=(.*?)\s` | |
| CONTEXT | DeviceIp | `deviceTranslatedAddress\=(.*?)\s` | |
| HASH | RE_HASH | `([\da-fA-F]{32,64})` | Extract all: True |
| IP | RE_IP | `dst\=(.*?)\s` | |
| URL | RE_URL | `(?:\:\/\/)((?:\S+(?::\S*)?+@)?(?:(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-*)*[a-z\x{00a1}-\x{ffff}0-9]*)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-)*+[a-z\x{00a1}-\x{ffff}0-9]++)*(?:\.(?:[a-z\x{00a1}-\x{ffff}\-0-9]{2,}+)))(?:\.*:\d{2,5})?+(?:\.*\/[^\s\"\<\>]*+)?+)` | Extract all: True |
| IP | SRC_IP | `src\=(.*?)\s` | |
| CONTEXT | UserName | `duser\=(.*?)\s` | |
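To check that these rules pull the intended fields out of a forwarded event before enabling them, here is an added Python example (it is not part of the original page and not Kaspersky CyberTrace code) that applies the table's patterns to a constructed CEF-style event. The vendor, product, addresses, user name and hash values in the sample are made up. RE_URL is left out because it relies on PCRE-only syntax (`\x{...}` code points, possessive quantifiers) that Python's standard `re` module does not accept as written. The example also shows one caveat worth checking on real events: every field capture ends with `\s`, so the last field on a line that has no trailing whitespace or newline is not extracted.

```python
import re

# Rules copied from the "Regular expressions for integration with McAfee ESM"
# table: rule name -> (indicator type, pattern, "Extract all" option).
# RE_URL is omitted: it uses PCRE-only syntax (\x{...} code points,
# possessive quantifiers) that Python's re module rejects as written.
RULES = {
    "Device":       ("CONTEXT", r"deviceExternalId\=(.*?)\s", False),
    "DeviceAction": ("CONTEXT", r"act\=(.*?)\s", False),
    "DeviceIp":     ("CONTEXT", r"deviceTranslatedAddress\=(.*?)\s", False),
    "RE_HASH":      ("HASH", r"([\da-fA-F]{32,64})", True),
    "RE_IP":        ("IP", r"dst\=(.*?)\s", False),
    "SRC_IP":       ("IP", r"src\=(.*?)\s", False),
    "UserName":     ("CONTEXT", r"duser\=(.*?)\s", False),
}
COMPILED = {name: re.compile(pattern) for name, (_, pattern, _) in RULES.items()}

# Constructed CEF-style event in the shape a SIEM forwards over syslog; the
# vendor, product and every field value are made up. The trailing newline is
# the record terminator that the "\s" at the end of each capture relies on.
SAMPLE_EVENT = (
    "CEF:0|ExampleVendor|ExampleSIEM|1.0|100|Suspicious connection|5|"
    "deviceExternalId=esm-node-01 act=blocked deviceTranslatedAddress=10.0.0.5 "
    "src=10.1.2.3 dst=203.0.113.10 duser=jdoe "
    "fileHash=0123456789abcdef0123456789abcdef "
    "sha256=" + "ab" * 32 + "\n"
)

# Constructed event whose last field has no whitespace after it.
TRUNCATED_EVENT = "src=10.1.2.3 dst=203.0.113.10"


def extract_indicators(event):
    """Apply every rule to one event and return {rule name: [captured values]}.

    Rules with "Extract all: True" collect every match (re.findall); the
    others keep only the first match.
    """
    found = {}
    for name, (_itype, _pattern, extract_all) in RULES.items():
        regex = COMPILED[name]
        if extract_all:
            values = regex.findall(event)
        else:
            match = regex.search(event)
            values = [match.group(1)] if match else []
        if values:
            found[name] = values
    return found


def indicators_by_type(event):
    """Group the captured values by indicator type (IP, HASH, CONTEXT)."""
    grouped = {}
    for name, values in extract_indicators(event).items():
        grouped.setdefault(RULES[name][0], []).extend(values)
    return grouped


if __name__ == "__main__":
    for name, values in extract_indicators(SAMPLE_EVENT).items():
        print(f"{name:13s} ({RULES[name][0]}): {values}")
    # dst= is the last field and nothing follows it, so RE_IP finds nothing;
    # make sure forwarded records end with whitespace or a newline.
    print("truncated:", extract_indicators(TRUNCATED_EVENT))
```

Running the script lists each rule's captures for the sample event (both the 32- and the 64-character hash are returned because RE_HASH extracts all matches) and then shows that the truncated event yields SRC_IP but no RE_IP. The lazy `(.*?)\s` capture also stops at the first whitespace, so a CEF value containing spaces is cut at its first word; keep that in mind when reading the extracted context fields.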
Replacement rule for integration with McAfee ESM
Events format for integration with McAfee ESM

| Field | Value |
|---|---|
| Alert events format | |
| Detection events format | |
| Records context format | Note the space before |
| Actionable fields context format | Note the space before |
Save the changes.