Parsing Kaspersky CyberTrace detection events in McAfee Enterprise Security Manager

April 11, 2024

ID 183378

This section describes how to parse Kaspersky CyberTrace detection events that have the following format:

Kaspersky CyberTrace Detection Event| date=%Date% reason=%Category% detected=%MatchedIndicator% act=%DeviceAction% dst=%RE_IP% src=%SRC_IP% hash=%RE_HASH% request=%RE_URL% dvc=%DeviceIp% sourceServiceName=%Device% suser=%UserName% msg:%RecordContext%

Note that if you change the format of Kaspersky CyberTrace detection events, you have to change the Kaspersky CyberTrace parser rules in McAfee Enterprise Security Manager.

To parse a detection event, enter the following data in the Advanced Syslog Parser Rule dialog box:

  • In the General tab, enter the following data:
    • Name: Kaspersky_CyberTrace_DetectionEvent
    • Tags: Select the tags that define the rule (that is, they will be used while filtering events)
    • Rule Assignment Type: User Defined 1
    • Description: The Kaspersky CyberTrace detection event
  • In the Parsing tab, enter the following data:
    • Provide content strings: Kaspersky CyberTrace Detection Event
    • Sample Log Data: Provide an example of a URL detection event. For example:

      Kaspersky CyberTrace Detection Event| date=Oct 12 16:13:23 reason=KL_BotnetCnC_URL detected=http://fakess123bn.nu act=REQUEST_URL dst=192.168.1.0 src=192.168.2.0 hash=776735A8CA96DB15B422879DA599F474 request=http://fakess123bn.nu dvc=192.168.3.0 sourceServiceName=FireWall suser=UserName msg:popularity=5 geo=vn, in, mx threat=Trojan.Win32.Waldek

    • Add the following regular expressions for parsing events:

    Name               Regular Expression
    ct_date            date\=(\S+\s\d+\s\S+)
    ct_reason          reason\=(.*)\sdetected
    ct_indicator       detected\=(.*)\sact
    ct_dev_action      act\=(.*)\sdst
    ct_dst             dst\=(\S+)
    ct_src             src\=(\S+)
    ct_hash            hash\=(\S+)
    ct_request         request\=(.*)\sdvc
    ct_dev_ip          dvc\=(\S+)
    ct_serviceName     sourceServiceName\=(.*)\ssuser
    ct_username        suser\=(.*?)\smsg
    ct_context         msg\:(.*)$

  • In the Field Assignment tab, enter the following data:

    Field              Expression
    Action             "0"
    First Time         Drag ct_date in this field
    URL                Drag ct_request in this field
    Destination IP     Drag ct_dst in this field
    Device_Action      Drag ct_dev_action in this field
    Hash               Drag ct_hash in this field
    Host               Drag ct_dev_ip in this field
    Message_Text       Drag ct_context in this field
    Object             Drag ct_indicator in this field
    Return_Code        Drag ct_reason in this field
    Service_Name       Drag ct_serviceName in this field
    Severity           "80"
    Source IP          Drag ct_src in this field
    Source User        Drag ct_username in this field

    McAfee ESM renames the Object field to ObjectID.

  • In the Mapping tab, enter the following data:
    • In the time data table, use the following data:

      Time Format        Time Fields
      %b %d %H:%M:%S     First time

    • In the actions table, use the following data:

      Action Key         Action Value
      0                  Success

    • In the severity table, use the following data:

      Severity Key       Severity Value
      80                 80
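The parser rule above is configured through the McAfee ESM dialog boxes, so it is hard to check the regular expressions before rolling the policy out. The following Python script is an added example (not part of this page or of the Kaspersky CyberTrace or McAfee ESM products) that applies the same content string, the same twelve regular expressions, the Field Assignment mapping and the `%b %d %H:%M:%S` time format to the sample URL detection event quoted above. The function and variable names (`parse_detection_event`, `to_esm_fields`, `parse_first_time`) are the example's own; the sample event is the one from the Sample Log Data step.

```python
import re
from datetime import datetime

# Content string from the Parsing tab: a line must contain it to match the rule.
CONTENT_STRING = "Kaspersky CyberTrace Detection Event"

# Regular expressions from the Parsing tab, keyed by the capture names used in ESM.
CT_PATTERNS = {
    "ct_date":        r"date\=(\S+\s\d+\s\S+)",
    "ct_reason":      r"reason\=(.*)\sdetected",
    "ct_indicator":   r"detected\=(.*)\sact",
    "ct_dev_action":  r"act\=(.*)\sdst",
    "ct_dst":         r"dst\=(\S+)",
    "ct_src":         r"src\=(\S+)",
    "ct_hash":        r"hash\=(\S+)",
    "ct_request":     r"request\=(.*)\sdvc",
    "ct_dev_ip":      r"dvc\=(\S+)",
    "ct_serviceName": r"sourceServiceName\=(.*)\ssuser",
    "ct_username":    r"suser\=(.*?)\smsg",
    "ct_context":     r"msg\:(.*)$",
}

# Field Assignment tab: capture name -> ESM field that the capture is dragged into.
FIELD_ASSIGNMENT = {
    "ct_date":        "First Time",
    "ct_request":     "URL",
    "ct_dst":         "Destination IP",
    "ct_dev_action":  "Device_Action",
    "ct_hash":        "Hash",
    "ct_dev_ip":      "Host",
    "ct_context":     "Message_Text",
    "ct_indicator":   "Object",
    "ct_reason":      "Return_Code",
    "ct_serviceName": "Service_Name",
    "ct_src":         "Source IP",
    "ct_username":    "Source User",
}

# Constant assignments from the Field Assignment tab and the Mapping tab.
ACTION_VALUE = "0"          # mapped to "Success" in the actions table
SEVERITY_VALUE = "80"       # mapped to 80 in the severity table
TIME_FORMAT = "%b %d %H:%M:%S"

# Sample Log Data from the page (the URL detection event).
SAMPLE_EVENT = (
    "Kaspersky CyberTrace Detection Event| date=Oct 12 16:13:23 reason=KL_BotnetCnC_URL "
    "detected=http://fakess123bn.nu act=REQUEST_URL dst=192.168.1.0 src=192.168.2.0 "
    "hash=776735A8CA96DB15B422879DA599F474 request=http://fakess123bn.nu dvc=192.168.3.0 "
    "sourceServiceName=FireWall suser=UserName msg:popularity=5 geo=vn, in, mx "
    "threat=Trojan.Win32.Waldek"
)


def parse_detection_event(line):
    """Return {capture name: value} for a CyberTrace detection event, or None if
    the line does not carry the content string (i.e. the rule would not fire)."""
    if CONTENT_STRING not in line:
        return None
    captures = {}
    for name, pattern in CT_PATTERNS.items():
        match = re.search(pattern, line)
        if match:
            captures[name] = match.group(1)
    return captures


def to_esm_fields(captures):
    """Apply the Field Assignment tab: rename captures to ESM fields and add the
    constant Action and Severity values."""
    fields = {FIELD_ASSIGNMENT[name]: value for name, value in captures.items()}
    fields["Action"] = ACTION_VALUE
    fields["Severity"] = SEVERITY_VALUE
    return fields


def parse_first_time(ct_date):
    """Parse the ct_date capture with the Mapping tab time format. The format
    carries no year, so strptime fills in 1900; ESM supplies the year itself."""
    return datetime.strptime(ct_date, TIME_FORMAT)


if __name__ == "__main__":
    event = to_esm_fields(parse_detection_event(SAMPLE_EVENT))
    for field in sorted(event):
        print(f"{field:15} {event[field]}")
    print("First Time parsed as", parse_first_time(event["First Time"]).time())
```

Run the script as-is to print each ESM field next to the value the regular expressions extract from the sample event; if a capture in the table is missing from the output, the corresponding regular expression did not match, which is the same condition that leaves the ESM field empty. Note that ct_username is the only pattern using a non-greedy `.*?`; the greedy patterns rely on their terminating keyword (` detected`, ` act`, ` dst`, ` dvc`, ` suser`) occurring only once per event, which is why the page insists on updating the rules whenever the CyberTrace event format changes.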

After specifying the above values, do the following:

  1. In the Default Policy list, select the Kaspersky CyberTrace device, and then enable the Kaspersky_CyberTrace_DetectionEvent rule.
  2. Select File > Save to save the current state.
  3. Select Operations > Rollout to roll out the policy.
  4. Reinitialize the Kaspersky CyberTrace device.
  5. Select Operations > Modify Aggregation Settings to change the aggregation rules for Kaspersky CyberTrace service events.

    The Modify Aggregation Settings dialog box appears.

  6. Specify the following values:
    • Set Field 2 to Object.
    • Set Field 3 to Return_Code.
  7. Click OK.
  8. Confirm the rollout request.
