Step 2. Importing Kaspersky CyberTrace rules and events
August 22, 2024
ID 200294
This section describes how you can import files that contain Kaspersky CyberTrace rules and events to LogRhythm.
If the import fails for any reason, you can instead add the Kaspersky CyberTrace events and Kaspersky CyberTrace rules to LogRhythm manually.
To import files with Kaspersky CyberTrace rules to LogRhythm:
- For each file of the mperule_%event_name%.xml format from the integration/logrhythm/events/ directory, perform the following actions:
  - Open the file in a text editor.
  - Replace the values of both the MPERuleToMST > MsgSourceTypeID and the MsgSourceType > MsgSourceTypeID elements with the log source type ID that you made a note of in the previous step.
    For example, <MsgSourceTypeID>1000000001</MsgSourceTypeID> must change to <MsgSourceTypeID>%CYBERTRACE_ID%</MsgSourceTypeID>, where %CYBERTRACE_ID% stands for the log source type ID of Kaspersky CyberTrace.
  - Save the file.
- Open LogRhythm Console.
- Select Deployment Manager > Tools > Knowledge > MPE Rule Builder.
The Rule Builder form opens.
- For each file edited in step 1 above, perform the following actions:
- Select File > Import.
- In the Import Actions window, click Yes.
If the import succeeds, the Rule Import Status window opens.
- On the toolbar of the Rule Builder form, click the Open rule library button.
The Rule Browser window opens.
- Double-click the rule that you imported in the previous step.
A window with rule settings opens.
Note that the imported rule arrives in LogRhythm in the Development status and may not appear in the list of all rules. To display it in the Rule Browser window, select View > Show Development rules.
- In the General settings window that opens, in the Rule Status section, select Production or Test.
- Click Save.
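The file-editing part of step 1 (replacing both MsgSourceTypeID values in every mperule_*.xml file) is easy to get wrong by hand when there are many event files, and a file with only one of the two IDs replaced imports against the wrong log source type. The script below is an added example, not code from Kaspersky or LogRhythm. Only the two element paths MPERuleToMST > MsgSourceTypeID and MsgSourceType > MsgSourceTypeID are taken from the procedure; the root element, the sibling elements and the placeholder value 1000000001 in the embedded sample file are assumptions, so compare them with a real export from integration/logrhythm/events/ before running it against the directory.

```python
"""Replace the MsgSourceTypeID values in Kaspersky CyberTrace MPE rule files.

Added example; not part of the CyberTrace or LogRhythm documentation. The
element paths MPERuleToMST/MsgSourceTypeID and MsgSourceType/MsgSourceTypeID
come from the procedure; everything else about the file layout is assumed.
"""
import glob
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample of an mperule_%event_name%.xml file (layout assumed).
SAMPLE_RULE_XML = """<?xml version="1.0" encoding="utf-8"?>
<MPERule>
  <Name>Kaspersky CyberTrace: Sample event</Name>
  <MPERuleToMST>
    <MsgSourceTypeID>1000000001</MsgSourceTypeID>
  </MPERuleToMST>
  <MsgSourceType>
    <MsgSourceTypeID>1000000001</MsgSourceTypeID>
    <Name>Kaspersky CyberTrace</Name>
  </MsgSourceType>
</MPERule>
"""

# The two element locations named in the procedure.
TARGET_PATHS = (
    ".//MPERuleToMST/MsgSourceTypeID",
    ".//MsgSourceType/MsgSourceTypeID",
)


def set_msg_source_type_id(xml_text: str, cybertrace_id: int) -> tuple[str, int]:
    """Return (updated XML text, number of elements rewritten).

    Raises ValueError unless exactly one element exists at each expected path,
    so a file with an unexpected layout is rejected rather than half-edited.
    """
    if cybertrace_id <= 0:
        raise ValueError("log source type ID must be a positive integer")
    root = ET.fromstring(xml_text)
    changed = 0
    for path in TARGET_PATHS:
        hits = root.findall(path)
        if len(hits) != 1:
            raise ValueError(f"expected exactly one {path}, found {len(hits)}")
        hits[0].text = str(cybertrace_id)
        changed += 1
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n", changed


def get_msg_source_type_ids(xml_text: str) -> list[str]:
    """Read back both IDs, in TARGET_PATHS order, to check a file before import."""
    root = ET.fromstring(xml_text)
    return [el.text for path in TARGET_PATHS for el in root.findall(path)]


def rewrite_directory(events_dir: str, cybertrace_id: int) -> list[str]:
    """Rewrite every mperule_*.xml in events_dir in place; return the paths changed."""
    done = []
    for path in sorted(glob.glob(os.path.join(events_dir, "mperule_*.xml"))):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        new_text, _ = set_msg_source_type_id(text, cybertrace_id)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
        done.append(path)
    return done


if __name__ == "__main__":
    # Usage: python fix_mperule_ids.py integration/logrhythm/events <CYBERTRACE_ID>
    if len(sys.argv) == 3:
        for changed_file in rewrite_directory(sys.argv[1], int(sys.argv[2])):
            print("updated", changed_file)
    else:
        updated, count = set_msg_source_type_id(SAMPLE_RULE_XML, 1000000123)
        print(f"{count} elements rewritten:\n{updated}")
```

Run it once against the sample (no arguments) to confirm the element paths match your exports, then against the events directory with the log source type ID noted in the previous step. A file that does not contain both elements stops the run with an error instead of being imported with a stale ID.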
The corresponding common events and MPE Rules will be added to LogRhythm for all events. The full list of the events is described in the section about adding Kaspersky CyberTrace events. The full list of MPE rules and their settings is described in the section about adding Kaspersky CyberTrace rules.
Some of the imported Kaspersky CyberTrace events might have a low Risk Rating according to the LogRhythm classification. Depending on the filter configuration, LogRhythm might drop such events. Check the classification and make sure that the Risk Rating of the imported events allows LogRhythm to accept and process them correctly.