Event format settings
April 11, 2024
ID 169253
You can manage the settings for formats of events in the CyberTrace web user interface by selecting the Settings tab and then the Events format tab. Depending on the item selected in the drop-down list with all available tenants in the upper-left area of the window, you edit either the general event format settings (if General is selected) or the event format settings for a particular settings tenant (if a particular settings tenant is selected).
Kaspersky CyberTrace events formats
On the Events format tab, you can specify the formats of detection events, alert events, record context, and actionable fields context. Learn more about event formats and patterns.
We do not recommend changing the format of events format manually. Select the check boxes with the patterns that you want to use in outgoing events and Kaspersky CyberTrace will update the format automatically.
Some event sources may require that you change the event format, depending on your integration (see subsection "Setting event formats for specific event sources" below).
This tab has the following text fields:
- Alert events format—Specify the format for outgoing events that inform the event target software of the state of Kaspersky CyberTrace Service.
- Detection events format—Specify the format for outgoing detection events.
This section consists of two subsections:
- Service fields
Values of these fields are patterns generated by Kaspersky CyberTrace.
Select the check boxes with the patterns that you want to use in outgoing detection events. Kaspersky CyberTrace will update the format automatically.
- Values extracted from the event
Values of these fields are extracted from the incoming events with regular expressions defined for the event source.
Select the check boxes with the patterns that you want to use in outgoing detection events. Kaspersky CyberTrace will update the format automatically.
- Service fields
- Records context format—Specify the format in which the names and values of the feed fields are inserted into outgoing events.
- Actionable fields context format—Specify the format in which the names and values of the actionable feed fields are inserted into outgoing events.
Setting event formats for specific SIEM solutions
The correct format of alert and detection events depends on your SIEM solution. If you change the format of events in CyberTrace, you may also need to update your integration with the SIEM solution.
For ArcSight:
- You may need to update the event formats and actionable fields.
For QRadar:
- You may need to add parsing for new fields.
For RSA NetWitness:
- You may need to specify how new fields are parsed (see also RSA NetWitness troubleshooting).
For LogRhythm:
- You may need to specify how new fields are parsed.
