Displaying actionable fields in FortiSIEM
April 11, 2024
ID 181725
This section describes how to display an actionable field in events that FortiSIEM receives from Kaspersky CyberTrace. The threat_score field is used as an example.
You can insert some fields into outgoing events separately from the context of feed records. You can name these fields in the outgoing events as you like. These fields are referred to as actionable; they are listed in the ActionableFields element of a feed description in the kl_feed_service.conf configuration file.
First, you edit the kl_feed_service.conf configuration file to make the threat_score field actionable in Kaspersky CyberTrace. Second, you edit the parsing rules in FortiSIEM to display events from Kaspersky CyberTrace correctly.
Editing the kl_feed_service.conf configuration file
To make the threat_score field actionable in Kaspersky CyberTrace:
- Open the kl_feed_service.conf configuration file for editing.
  - In Linux, the kl_feed_service.conf file is located in the /opt/kaspersky/ktfs/etc directory.
  - In Windows, the kl_feed_service.conf file is located in the %CyberTrace_installDir%\bin directory.
- In the Configuration > OutputSettings > EventFormat element, specify the following value:
  <![CDATA[Kaspersky Lab|Kaspersky CyberTrace|1.0|2|8|reason=%Category%;detected=%MatchedIndicator%;act=%DeviceAction%;dst=%RE_IP%;src=%SRC_IP%;md5=%RE_MD5%;sha1=%RE_SHA1%;sha2=%RE_SHA256%;request=%RE_URL%;dvc=%DeviceIp%;sourceServiceName=%Device%;suser=%UserName%;%ActionableFields%msg=%RecordContext%]]>
- In the Configuration > OutputSettings > ActionableFieldContextFormat element, specify the following value:
  %ParamName%=%ParamValue%;
- To the <Feed filename="IP_Reputation_Data_Feed.json" enabled="true" type="default"> element, add the following data:
  <ActionableFields>
    <ActionableField name="threat_score" output_name="kl_threat_score"/>
  </ActionableFields>
- Save the kl_feed_service.conf file.
- Restart Kaspersky CyberTrace Service (a component of Kaspersky CyberTrace) by running the following command:
  /opt/kaspersky/ktfs/etc/init.d/kl_feed_service restart (in Linux)
  %CyberTrace_installDir%\bin\kl_control.bat restart (in Windows)
You can reconfigure and restart Kaspersky CyberTrace Service by using Kaspersky CyberTrace Web.
Editing parsing rules for events from Kaspersky CyberTrace
To edit in FortiSIEM the rules for parsing events from Kaspersky CyberTrace:
- Open the FortiSIEM web console.
- Select Admin > Device Support > Parser.
- Open the CyberTrace_Event item in the list of parsers.
The Event Parser Definition window opens, containing the data of the CyberTrace_Event parser.
- Change the data as follows:
- In the Test Event field, specify the following value:
Kaspersky Lab|Kaspersky CyberTrace|1.0|2|8|reason=KL_DETECTION_TEST_EVENT;detected=%MatchedIndicator%;act=test_msg;dst=8.8.8.8;src=10.0.15.56;md5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;sha1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;sha2=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;request=http://test.test;dvc=127.0.0.5;sourceServiceName=TEST_DEVICE;suser=test_user;kl_threat_score=100;msg=there_is_some_context:true and_more:true
Kaspersky Lab|Kaspersky CyberTrace|1.0|1|4|alert=KL_TEST_ALERT;msg=there_is_some_context:true and_more:true
- In the Parser XML field, specify the following value:
<eventFormatRecognizer>
<![CDATA[Kaspersky\sLab\|Kaspersky\sCyberTrace]]>
</eventFormatRecognizer>
<patternDefinitions>
<pattern name="patVbar" ><![CDATA[[^|]*]]></pattern>
<pattern name="patStrQuote" ><![CDATA[[^" \\]+]]></pattern>
</patternDefinitions>
<parsingInstructions>
<collectFieldsByRegex src="$_rawmsg" >
<regex>
<![CDATA[<:patVbar>\|<:patVbar>\|<_ver:patVbar>\|<_event:patVbar>\|<eventSeverity:patVbar>\|<_body:gPatMesgBody>]]>
</regex>
</collectFieldsByRegex>
<choose>
<when test='$_event = "2"' >
<setEventAttribute attr="eventType" >Kaspersky CyberTrace detection event</setEventAttribute>
</when>
<when test='$_event = "1"' >
<setEventAttribute attr="eventType" >Kaspersky CyberTrace service event</setEventAttribute>
</when>
</choose>
<collectFieldsByKeyValuePair kvsep="=" sep=";" src="$_body" >
<attrKeyMap attr="alertName" key="alert" />
<attrKeyMap attr="threatCategory" key="reason" />
<attrKeyMap attr="detectedIndicator" key="detected" />
<attrKeyMap attr="srcAction" key="act" />
<attrKeyMap attr="destIpAddr" key="dst" />
<attrKeyMap attr="srcIpAddr" key="src" />
<attrKeyMap attr="hashMD5" key="md5" />
<attrKeyMap attr="hashSHA1" key="sha1" />
<attrKeyMap attr="hashSHA2" key="sha2" />
<attrKeyMap attr="uriQuery" key="request" />
<attrKeyMap attr="dvcIpAddr" key="dvc" />
<attrKeyMap attr="serviceName" key="sourceServiceName" />
<attrKeyMap attr="user" key="suser" />
<attrKeyMap attr="msg" key="msg" />
<attrKeyMap attr="threatScore" key="kl_threat_score" />
</collectFieldsByKeyValuePair>
</parsingInstructions>
- Click Reformat.
- Click Validate to validate the XML data in the Parser XML field.
- Click Test.
A window for testing the entered data opens.
- In the Test Event Parser window, click Test.
If the test result window contains error messages:
- Contact your technical account manager (TAM) to reconcile the contents of the Test Event field and the contents of the Parser XML field.
- Click Back and specify the correct data in the Test Event field and in the Parser XML field.
- Test the data again.
- Click Back.
- In the Event Parser Definition window, select the Enabled check box.
- Click Save.
- In the Admin > Device Support > Parser section, click Apply, and in the message box that opens click Yes to agree to the changes.
Now events from Kaspersky CyberTrace are displayed correctly in FortiSIEM.
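As an added illustration (not part of this page and not Kaspersky or Fortinet code), the following Python models the round trip this section configures: it expands the EventFormat template with the ActionableFieldContextFormat entry for kl_threat_score, then parses the result with the same recognizer, header regex and key=value mapping as the parser XML above, so you can check offline that threat_score arrives in the threatScore attribute before enabling the parser. The sample values are constructed from the test event on this page; the functions render_event and parse_event are this example's own names.

```python
import re
# Recognizer, header regex and key -> attribute map transcribed from the parser XML above.
RECOGNIZER = re.compile(r"Kaspersky\sLab\|Kaspersky\sCyberTrace")
HEADER_RE = re.compile(r"^[^|]*\|[^|]*\|(?P<_ver>[^|]*)\|(?P<_event>[^|]*)\|"
                       r"(?P<eventSeverity>[^|]*)\|(?P<_body>.*)$", re.S)
ATTR_KEY_MAP = {
    "alert": "alertName", "reason": "threatCategory", "detected": "detectedIndicator",
    "act": "srcAction", "dst": "destIpAddr", "src": "srcIpAddr", "md5": "hashMD5",
    "sha1": "hashSHA1", "sha2": "hashSHA2", "request": "uriQuery", "dvc": "dvcIpAddr",
    "sourceServiceName": "serviceName", "suser": "user", "msg": "msg",
    "kl_threat_score": "threatScore",  # the actionable field added in this section
}
EVENT_TYPES = {"2": "Kaspersky CyberTrace detection event", "1": "Kaspersky CyberTrace service event"}
# EventFormat and ActionableFieldContextFormat exactly as set in kl_feed_service.conf above.
EVENT_FORMAT = ("Kaspersky Lab|Kaspersky CyberTrace|1.0|2|8|reason=%Category%;detected=%MatchedIndicator%;"
                "act=%DeviceAction%;dst=%RE_IP%;src=%SRC_IP%;md5=%RE_MD5%;sha1=%RE_SHA1%;sha2=%RE_SHA256%;"
                "request=%RE_URL%;dvc=%DeviceIp%;sourceServiceName=%Device%;suser=%UserName%;"
                "%ActionableFields%msg=%RecordContext%")
ACTIONABLE_CONTEXT_FORMAT = "%ParamName%=%ParamValue%;"
# Constructed sample values, taken from the test event on this page.
SAMPLE_FIELDS = {
    "Category": "KL_DETECTION_TEST_EVENT", "MatchedIndicator": "8.8.8.8", "DeviceAction": "test_msg",
    "RE_IP": "8.8.8.8", "SRC_IP": "10.0.15.56", "RE_MD5": "A" * 32, "RE_SHA1": "A" * 40,
    "RE_SHA256": "A" * 64, "RE_URL": "http://test.test", "DeviceIp": "127.0.0.5",
    "Device": "TEST_DEVICE", "UserName": "test_user", "RecordContext": "there_is_some_context:true and_more:true",
}

def render_event(fields, actionable):
    # Model of CyberTrace output: each actionable field is rendered with
    # ActionableFieldContextFormat and the concatenation fills the %ActionableFields% slot.
    block = "".join(ACTIONABLE_CONTEXT_FORMAT.replace("%ParamName%", n).replace("%ParamValue%", v)
                    for n, v in actionable.items())
    raw = EVENT_FORMAT.replace("%ActionableFields%", block)
    for name, value in fields.items():
        raw = raw.replace("%" + name + "%", value)
    return raw

def parse_event(raw):
    # Model of the parser XML: recognizer, header regex, eventType by _event, then
    # key=value pairs split on ';' (so a ';' inside a value would start a new pair).
    m = HEADER_RE.match(raw) if RECOGNIZER.search(raw) else None
    if not m:
        return None  # not a CyberTrace event: the recognizer or header regex rejected it
    attrs = {"eventSeverity": m.group("eventSeverity"), "eventType": EVENT_TYPES.get(m.group("_event"), "")}
    for pair in m.group("_body").split(";"):
        key, sep, value = pair.partition("=")  # split on the first '=' only
        if sep and key in ATTR_KEY_MAP:
            attrs[ATTR_KEY_MAP[key]] = value
    return attrs
```

Calling parse_event(render_event(SAMPLE_FIELDS, {"kl_threat_score": "100"})) returns the attribute map a detection event would produce, with threatScore set to "100"; a service event (event type 1) yields alertName and no threatScore.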