Displaying actionable fields in FortiSIEM

April 11, 2024

ID 181725

This section describes how to display an actionable field in events that FortiSIEM receives from Kaspersky CyberTrace. The threat_score field is used as an example.

You can insert some fields into outgoing events separately from the context of feed records. You can name these fields in the outgoing events as you like. These fields are referred to as actionable; they are listed in the ActionableFields element of a feed description in the kl_feed_service.conf configuration file.

First, you edit the kl_feed_service.conf configuration file to make the threat_score field actionable in Kaspersky CyberTrace. Second, you edit the parsing rules in FortiSIEM to display events from Kaspersky CyberTrace correctly.

Editing the kl_feed_service.conf configuration file

To make the threat_score field actionable in Kaspersky CyberTrace:

  1. Open the kl_feed_service.conf configuration file for editing.
    • In Linux, the kl_feed_service.conf file is located in the /opt/kaspersky/ktfs/etc directory.
    • In Windows, the kl_feed_service.conf file is located in the %CyberTrace_installDir%\bin directory.
  2. In the Configuration > OutputSettings > EventFormat element, specify the following value:

    <![CDATA[Kaspersky Lab|Kaspersky CyberTrace|1.0|2|8|reason=%Category%;detected=%MatchedIndicator%;act=%DeviceAction%;dst=%RE_IP%;src=%SRC_IP%;md5=%RE_MD5%;sha1=%RE_SHA1%;sha2=%RE_SHA256%;request=%RE_URL%;dvc=%DeviceIp%;sourceServiceName=%Device%;suser=%UserName%;%ActionableFields%msg=%RecordContext%]]>

  3. In the Configuration > OutputSettings > ActionableFieldContextFormat element, specify the following value:

    %ParamName%=%ParamValue%;

  4. Add the following data to the <Feed filename="IP_Reputation_Data_Feed.json" enabled="true" type="default"> element:

    <ActionableFields>
      <ActionableField name="threat_score" output_name="kl_threat_score"/>
    </ActionableFields>

  5. Save the kl_feed_service.conf file.
  6. Restart Kaspersky CyberTrace Service (a component of Kaspersky CyberTrace) by running the following command:
    • /opt/kaspersky/ktfs/etc/init.d/kl_feed_service restart (in Linux)
    • %CyberTrace_installDir%\bin\kl_control.bat restart (in Windows)

You can reconfigure and restart Kaspersky CyberTrace Service by using Kaspersky CyberTrace Web.

Editing parsing rules for events from Kaspersky CyberTrace

To edit the rules in FortiSIEM for parsing events from Kaspersky CyberTrace:

  1. Open the FortiSIEM web console.
  2. Select Admin > Device Support > Parser.
  3. Open the CyberTrace_Event item in the list of parsers.

    The Event Parser Definition window opens containing the data of the CyberTrace_Event parser.

  4. Change the data as follows:
    • In the Test Event field, specify the following value:

      Kaspersky Lab|Kaspersky CyberTrace|1.0|2|8|reason=KL_DETECTION_TEST_EVENT;detected=%MatchedIndicator%;act=test_msg;dst=8.8.8.8;src=10.0.15.56;md5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;sha1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;sha2=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;request=http://test.test;dvc=127.0.0.5;sourceServiceName=TEST_DEVICE;suser=test_user;kl_threat_score=100;msg=there_is_some_context:true and_more:true

      Kaspersky Lab|Kaspersky CyberTrace|1.0|1|4|alert=KL_TEST_ALERT;msg=there_is_some_context:true and_more:true

    • In the Parser XML field, specify the following value:

      <eventFormatRecognizer>
        <![CDATA[Kaspersky\sLab\|Kaspersky\sCyberTrace]]>
      </eventFormatRecognizer>
      <patternDefinitions>
        <pattern name="patVbar" ><![CDATA[[^|]*]]></pattern>
        <pattern name="patStrQuote" ><![CDATA[[^" \\]+]]></pattern>
      </patternDefinitions>
      <parsingInstructions>
        <collectFieldsByRegex src="$_rawmsg" >
          <regex>
            <![CDATA[<:patVbar>\|<:patVbar>\|<_ver:patVbar>\|<_event:patVbar>\|<eventSeverity:patVbar>\|<_body:gPatMesgBody>]]>
          </regex>
        </collectFieldsByRegex>
        <choose>
          <when test='$_event = "2"' >
            <setEventAttribute attr="eventType" >Kaspersky CyberTrace detection event</setEventAttribute>
          </when>
          <when test='$_event = "1"' >
            <setEventAttribute attr="eventType" >Kaspersky CyberTrace service event</setEventAttribute>
          </when>
        </choose>
        <collectFieldsByKeyValuePair kvsep="=" sep=";" src="$_body" >
          <attrKeyMap attr="alertName" key="alert" />
          <attrKeyMap attr="threatCategory" key="reason" />
          <attrKeyMap attr="detectedIndicator" key="detected" />
          <attrKeyMap attr="srcAction" key="act" />
          <attrKeyMap attr="destIpAddr" key="dst" />
          <attrKeyMap attr="srcIpAddr" key="src" />
          <attrKeyMap attr="hashMD5" key="md5" />
          <attrKeyMap attr="hashSHA1" key="sha1" />
          <attrKeyMap attr="hashSHA2" key="sha2" />
          <attrKeyMap attr="uriQuery" key="request" />
          <attrKeyMap attr="dvcIpAddr" key="dvc" />
          <attrKeyMap attr="serviceName" key="sourceServiceName" />
          <attrKeyMap attr="user" key="suser" />
          <attrKeyMap attr="msg" key="msg" />
          <attrKeyMap attr="threatScore" key="kl_threat_score" />
        </collectFieldsByKeyValuePair>
      </parsingInstructions>

  5. Click Reformat.
  6. Click Validate to validate the XML data in the Parser XML field.
  7. Click Test.

    A window for testing the entered data opens.

  8. In the Test Event Parser window, click Test.

    If the test result window contains error messages:

    1. Contact your technical account manager (TAM) to reconcile the contents of the Test Event field and the contents of the Parser XML field.
    2. Click Back and specify the correct data in the Test Event field and in the Parser XML field.
    3. Test the data again.
  9. Click Back.
  10. In the Event Parser Definition window, select the Enabled check box.
  11. Click Save.
  12. In the Admin > Device Support > Parser section, click Apply, and in the message box that opens click Yes to agree to the changes.

Now events from Kaspersky CyberTrace are displayed correctly in FortiSIEM.
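The following Python script is an added example, not code from Kaspersky CyberTrace or FortiSIEM. It simulates both halves of this article: how the EventFormat template, the ActionableFieldContextFormat value and the ActionableField output_name combine into the outgoing event (so you can see where kl_threat_score=100; lands relative to msg=), and how the FortiSIEM parser XML above splits that event (pipe-delimited header, then key=value pairs separated by ";") into attributes such as threatScore. The sample detection values and the feed record are constructed; the two test events are the ones from the Test Event field above. The assumption that %RecordContext% is rendered as space-separated key:value pairs, and the sample field names, are illustrative only.

```python
import re

# Values copied from the kl_feed_service.conf settings described on this page.
EVENT_FORMAT = ("Kaspersky Lab|Kaspersky CyberTrace|1.0|2|8|reason=%Category%;"
                "detected=%MatchedIndicator%;act=%DeviceAction%;dst=%RE_IP%;src=%SRC_IP%;"
                "md5=%RE_MD5%;sha1=%RE_SHA1%;sha2=%RE_SHA256%;request=%RE_URL%;dvc=%DeviceIp%;"
                "sourceServiceName=%Device%;suser=%UserName%;%ActionableFields%msg=%RecordContext%")
ACTIONABLE_FIELD_CONTEXT_FORMAT = "%ParamName%=%ParamValue%;"
# ActionableField name -> output_name, as declared for IP_Reputation_Data_Feed.json.
ACTIONABLE_FIELDS = {"threat_score": "kl_threat_score"}


def render_event(event_fields: dict, record: dict) -> str:
    """Simulation of the outgoing event assembly (not CyberTrace's own code):
    each %Name% placeholder takes the matching event field, and %ActionableFields%
    expands to one ActionableFieldContextFormat entry per actionable field found in
    the feed record, renamed to its output_name. A record without the field yields an
    empty expansion, so msg= directly follows suser=...; as the template intends."""
    actionable = ""
    for name, output_name in ACTIONABLE_FIELDS.items():
        if name in record:
            actionable += (ACTIONABLE_FIELD_CONTEXT_FORMAT
                           .replace("%ParamName%", output_name)
                           .replace("%ParamValue%", str(record[name])))
    values = dict(event_fields)
    values["ActionableFields"] = actionable
    # Assumption: the record context is rendered as space-separated key:value pairs.
    values["RecordContext"] = " ".join(f"{k}:{v}" for k, v in record.items())
    return re.sub(r"%(\w+)%", lambda m: values.get(m.group(1), ""), EVENT_FORMAT)


# Python equivalents of the FortiSIEM parser XML: recognizer, header regex,
# eventType selection and attrKeyMap entries.
RECOGNIZER = re.compile(r"Kaspersky\sLab\|Kaspersky\sCyberTrace")
HEADER_RE = re.compile(
    r"^[^|]*\|[^|]*\|(?P<_ver>[^|]*)\|(?P<_event>[^|]*)\|(?P<eventSeverity>[^|]*)\|(?P<_body>.*)$")
EVENT_TYPES = {"2": "Kaspersky CyberTrace detection event",
               "1": "Kaspersky CyberTrace service event"}
ATTR_KEY_MAP = {  # key in the event body -> FortiSIEM attribute
    "alert": "alertName", "reason": "threatCategory", "detected": "detectedIndicator",
    "act": "srcAction", "dst": "destIpAddr", "src": "srcIpAddr", "md5": "hashMD5",
    "sha1": "hashSHA1", "sha2": "hashSHA2", "request": "uriQuery", "dvc": "dvcIpAddr",
    "sourceServiceName": "serviceName", "suser": "user", "msg": "msg",
    "kl_threat_score": "threatScore",
}


def parse_event(raw: str) -> dict:
    """Parse one raw CyberTrace event the way the parser XML on this page does."""
    if not RECOGNIZER.search(raw):
        raise ValueError("not a Kaspersky CyberTrace event")
    m = HEADER_RE.match(raw)
    if m is None:
        raise ValueError("header does not match the expected pipe-delimited layout")
    attrs = {"eventSeverity": m.group("eventSeverity")}
    if m.group("_event") in EVENT_TYPES:
        attrs["eventType"] = EVENT_TYPES[m.group("_event")]
    # collectFieldsByKeyValuePair with kvsep="=" and sep=";": unmapped keys are dropped.
    for pair in m.group("_body").split(";"):
        key, sep, value = pair.partition("=")
        if sep and key in ATTR_KEY_MAP:
            attrs[ATTR_KEY_MAP[key]] = value
    return attrs


# The two test events from the Test Event field on this page.
TEST_EVENTS = [
    "Kaspersky Lab|Kaspersky CyberTrace|1.0|2|8|reason=KL_DETECTION_TEST_EVENT;"
    "detected=%MatchedIndicator%;act=test_msg;dst=8.8.8.8;src=10.0.15.56;"
    "md5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;sha1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;"
    "sha2=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;"
    "request=http://test.test;dvc=127.0.0.5;sourceServiceName=TEST_DEVICE;"
    "suser=test_user;kl_threat_score=100;msg=there_is_some_context:true and_more:true",
    "Kaspersky Lab|Kaspersky CyberTrace|1.0|1|4|alert=KL_TEST_ALERT;"
    "msg=there_is_some_context:true and_more:true",
]

# Constructed sample detection (placeholder values, not real CyberTrace output).
SAMPLE_DETECTION = {"Category": "KL_IP_Reputation", "MatchedIndicator": "192.0.2.10",
                    "DeviceAction": "test_msg", "RE_IP": "192.0.2.10", "SRC_IP": "10.0.15.56",
                    "RE_MD5": "", "RE_SHA1": "", "RE_SHA256": "", "RE_URL": "",
                    "DeviceIp": "127.0.0.5", "Device": "TEST_DEVICE", "UserName": "test_user"}
SAMPLE_RECORD = {"threat_score": 100, "ip": "192.0.2.10"}


def round_trip(record: dict = SAMPLE_RECORD) -> dict:
    """Render a detection with the given feed record and parse it back."""
    return parse_event(render_event(SAMPLE_DETECTION, record))


if __name__ == "__main__":
    for raw in TEST_EVENTS:
        print(parse_event(raw))
    print(render_event(SAMPLE_DETECTION, SAMPLE_RECORD))
    print(round_trip())
```

Running the script shows the detection test event producing threatScore "100" alongside the mapped hash, IP and msg attributes, the service event producing alertName "KL_TEST_ALERT", and a rendered record without threat_score yielding no threatScore attribute at all. Note that the ";" separator means a feed record context containing ";" would be split by this key-value pass; keep that in mind when choosing what goes into %RecordContext%.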
