Browsing events from Kaspersky CyberTrace in AlienVault USM / OSSIM

This section describes how to browse events from Kaspersky CyberTrace in AlienVault USM / OSSIM.

To browse events from Kaspersky CyberTrace in the AlienVault USM / OSSIM web interface:

1. In a browser, open the AlienVault USM / OSSIM web interface.
2. Select Analysis > Security events (SIEM).
3. In the Data Sources drop-down list, select Kaspersky CyberTrace.

   AlienVault USM / OSSIM displays events received from Kaspersky CyberTrace.

   

   Events received from Kaspersky CyberTrace

AlienVault USM / OSSIM displays Kaspersky CyberTrace events of two types, which are designated in the Event Name column of the event list:

• Service events

  Click the button in the last column of the table (). For service events, the following data is displayed (as shown in the figure below):

  • The Userdata1 field contains the service event itself.
  • The Userdata2 field contains the context of the event, if any.
• Detection events

  Click the button in the last column of the table (). For detection events, the following data is displayed (as shown in the figure below):

  • The Userdata1 field contains the feed that is involved in the detection process.
  • The Userdata2 field contains the detected indicator.
  • The Userdata3 field contains the context of the feed record that is involved in the detection process.

    The Userdata3 field contains up to 1024 symbols, so it may not contain the whole context. The whole event (including the context) is contained in the RAW LOG field.

  

  Detection event data

Page top