About filtering criteria for sending events to SIEM

February 27, 2024

ID 198320

You can specify filtering rules for detection events by using Kaspersky CyberTrace. Each filtering rule is set in the Matching > Event source filters section: select the name of an indicator attribute (as defined in the indicator database) in the Field name drop-down list, the filtering condition in the Condition drop-down list, and the filtering value in the Value text box. Note that if the detected indicator does not have the attribute specified in a filtering rule, the indicator is considered to meet that rule; this is why most condition names end with "OR field is not present".

Kaspersky CyberTrace sends a detection event to the SIEM solution only if the flag for sending detection events (the ioc_supplier_send_match_event attribute from the indicator database) is set to true for the matched indicator and all fields of the feed record that matched the indicator meet the filtering criteria.

If you disable saving of detection events while filtering criteria for sending events to SIEM are applied, detection events whose indicators do not meet the specified criteria are lost: they are neither sent to the SIEM nor saved.

The table below lists the filtering conditions that can be applied to detection events. For each condition, the description is followed by the item to select in the Condition drop-down list (given in quotation marks) and the value to enter.

Possible filtering conditions

Filtering condition | Description

Equal to a specific value

The indicator attribute is equal to the specified value.

To apply this condition, select "value is equal to OR field is not present" in the Condition drop-down list, and then specify a single value in the Value text box.

Equal to at least one of several values

The indicator attribute must match at least one of the specified values.

To apply this condition, select "value is one of (separated by a new line) OR field is not present" in the Condition drop-down list, and then specify several values in the Value text box, one value per line.

Do not specify empty values (empty lines).

Belonging to a range of numeric values

The indicator attribute must contain a value in the specified range.

To apply this condition, select "value is in range (inclusive) OR field is not present" in the Condition drop-down list, and then specify the lower and upper boundaries of the range in the two Value text boxes. Both range boundaries are included.

The values must be integers.

Belonging to a range of numeric values that are greater than or equal to the specified value

The indicator attribute must contain a value that is greater than or equal to the specified value.

To apply this condition, select "value is more than (inclusive) OR field is not present" in the Condition drop-down list, and then specify a single value in the Value text box.

The value must be an integer.

Belonging to a range of numeric values that are less than or equal to the specified value

The indicator attribute must contain a value that is less than or equal to the specified value.

To apply this condition, select "value is less than (inclusive) OR field is not present" in the Condition drop-down list, and then specify a single value in the Value text box.

The value must be an integer.

Belonging to a range of dates

The indicator attribute must contain a date in the specified range. Both range boundaries are included.

To apply this condition, select "date is in range (inclusive) OR field is not present" in the Condition drop-down list, and then specify the start and end dates of the range in the two Value text boxes.

For either boundary you can use the %NOW% template (case-insensitive), which stands for the current system time, and add or subtract a number of days from it. For example, specify %NOW%-7 for the left boundary and %NOW% for the right boundary to match dates within the last seven days.

Instead of typing an offset, you can also choose one of the following preset values for a boundary (each is relative to %NOW%):

  • 1 day ago
  • 7 days ago
  • 30 days ago

Belonging to a range of dates that are greater than or equal to the specified value

The indicator attribute must contain a date that is greater than or equal to the specified value.

To apply this condition, select "date is more than (inclusive) OR field is not present" in the Condition drop-down list, and then specify a date in the Value text box.

You can use the %NOW% template (case-insensitive), which stands for the current system time, as the left boundary, and add or subtract a number of days from it (for example, %NOW%-30).

Instead of typing an offset, you can also choose one of the following preset values for the boundary (each is relative to %NOW%):

  • 1 day ago
  • 7 days ago
  • 30 days ago

Belonging to a range of dates that are less than or equal to the specified value

The indicator attribute must contain a date that is less than or equal to the specified value.

To apply this condition, select "date is less than (inclusive) OR field is not present" in the Condition drop-down list, and then specify a date in the Value text box.

You can use the %NOW% template (case-insensitive), which stands for the current system time, as the right boundary, and add or subtract a number of days from it (for example, %NOW%-1).

Instead of typing an offset, you can also choose one of the following preset values for the boundary (each is relative to %NOW%):

  • 1 day ago
  • 7 days ago
  • 30 days ago

Equal to a non-empty value

The indicator attribute must contain any non-empty value.

To apply this condition, select "value is non-empty" in the Condition drop-down list. Note that, unlike the other conditions, this one has no "OR field is not present" variant.
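The rule semantics described above (a missing attribute satisfies the rule, inclusive numeric and date boundaries, %NOW% offsets in days, the ioc_supplier_send_match_event gate, and the "all rules must pass" combination), worked through in a small Python model so you can predict which feed records would reach the SIEM under a given set of rules. This is an added example written for this page, not Kaspersky CyberTrace code: the attribute names, sample feed records and ISO date format are constructed, the function names are invented for the example, and "value is non-empty" is modelled as failing on an absent field because it is the only condition without an "OR field is not present" variant.

```python
"""Model of CyberTrace event-source filtering (added example, not Kaspersky code).

Assumptions not taken from the documentation: attribute names, record contents
and the ISO date format are constructed; "value is non-empty" is treated as
failing when the field is absent.
"""
import re
from datetime import date, timedelta

# Fixed "current system time" so the example is reproducible (constructed).
TODAY = date(2024, 2, 27)

_NOW_RE = re.compile(r"^%now%\s*([+-]\s*\d+)?$", re.IGNORECASE)


def resolve_date(value, today):
    """Resolve a date boundary: an ISO date, or %NOW% with an optional +/-N day offset."""
    m = _NOW_RE.match(value.strip())
    if m:
        offset = int(m.group(1).replace(" ", "")) if m.group(1) else 0
        return today + timedelta(days=offset)
    return date.fromisoformat(value.strip())


def _operator(condition):
    """Reduce a Condition drop-down label to its operator, e.g.
    'value is more than (inclusive) OR field is not present' -> 'value is more than'."""
    head = condition.split(" OR ")[0]
    return re.sub(r"\s*\(.*?\)", "", head).strip()


def field_passes(record, field, condition, value, today):
    """Evaluate one filtering rule against one feed record."""
    op = _operator(condition)
    if op == "value is non-empty":
        return bool(record.get(field))       # assumption: absent field fails here
    if field not in record:
        return True                          # documented: missing attribute meets the rule
    actual = record[field]
    if op == "value is equal to":
        return str(actual) == str(value)
    if op == "value is one of":
        # One value per line; empty lines are not allowed in the UI, so drop them.
        return str(actual) in [v for v in str(value).splitlines() if v.strip()]
    if op == "value is in range":
        lo, hi = value                       # two Value text boxes, both inclusive
        return int(lo) <= int(actual) <= int(hi)
    if op == "value is more than":
        return int(actual) >= int(value)     # "(inclusive)"
    if op == "value is less than":
        return int(actual) <= int(value)
    if op == "date is in range":
        lo, hi = (resolve_date(v, today) for v in value)
        return lo <= date.fromisoformat(str(actual)) <= hi
    if op == "date is more than":
        return date.fromisoformat(str(actual)) >= resolve_date(value, today)
    if op == "date is less than":
        return date.fromisoformat(str(actual)) <= resolve_date(value, today)
    raise ValueError(f"unknown condition: {condition!r}")


def send_to_siem(record, rules, today):
    """An event is forwarded only if the send flag is true AND every rule passes."""
    if not record.get("ioc_supplier_send_match_event", False):
        return False
    return all(field_passes(record, f, c, v, today) for f, c, v in rules)


def forwarded_ids(records, rules, today):
    """IDs of the records whose detection events would be sent to the SIEM."""
    return [r["id"] for r in records if send_to_siem(r, rules, today)]


# Constructed feed records (field names and values are invented for the demo).
SAMPLE_RECORDS = [
    {"id": "rec-1", "ioc_supplier_send_match_event": True, "popularity": 3,
     "first_seen": "2024-02-22", "threat": "Trojan"},
    # No "popularity" attribute at all: passes the popularity rule by default.
    {"id": "rec-2", "ioc_supplier_send_match_event": True,
     "first_seen": "2024-02-22", "threat": "Trojan"},
    # first_seen is older than %NOW%-7.
    {"id": "rec-3", "ioc_supplier_send_match_event": True, "popularity": 5,
     "first_seen": "2024-01-15", "threat": "Trojan"},
    # Send flag cleared in the indicator database.
    {"id": "rec-4", "ioc_supplier_send_match_event": False, "popularity": 5,
     "first_seen": "2024-02-26", "threat": "Trojan"},
    # Threat type not in the allowed list.
    {"id": "rec-5", "ioc_supplier_send_match_event": True, "popularity": 5,
     "first_seen": "2024-02-26", "threat": "Adware"},
]

# Rules written with the drop-down labels from the table above.
RULES = [
    ("popularity", "value is more than (inclusive) OR field is not present", "3"),
    ("first_seen", "date is in range (inclusive) OR field is not present", ("%NOW%-7", "%now%")),
    ("threat", "value is one of (separated by a new line) OR field is not present", "Trojan\nBackdoor\n"),
]

if __name__ == "__main__":
    print(forwarded_ids(SAMPLE_RECORDS, RULES, TODAY))   # ['rec-1', 'rec-2']
```

Running the script forwards rec-1 and rec-2. Note that rec-2 is forwarded although it has no popularity attribute: a rule only restricts records that actually carry the attribute, so a filter intended to suppress low-value indicators does not suppress indicators for which the value is simply unknown. If that matters, combine the rule with a "value is non-empty" rule on the same field.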
