Parsing Kaspersky CyberTrace service events in McAfee Enterprise Security Manager

April 11, 2024

ID 183379

This section describes how to parse Kaspersky CyberTrace service events that have the following format:

Kaspersky CyberTrace Service Event| date=%Date% alert=%Alert% msg:%RecordContext%

Note that if you change the service event format, you must also change the corresponding service event parsing rules in McAfee Enterprise Security Manager.

To configure McAfee Enterprise Security Manager to parse service events, do the following:

  1. In the main window of McAfee Enterprise Security Manager, click Configuration.
  2. In the Physical Display tree, select a Receiver device, and then click Add Data Source.

    (Figure: Adding a data source; the Add Data Source button in McAfee ESM)

    The Add Data Source dialog box appears.

  3. In the Add Data Source dialog box, enter the following data:
    • Data Source Vendor: Generic
    • Data Source Model: Advanced Syslog Parser
    • Data Format: Default
    • Data Retrieval: SYSLOG (Default)
    • Enabled: Parsing
    • Name: Kaspersky CyberTrace
    • IP: The IP address of the computer from which Kaspersky CyberTrace will send events
    • Syslog Relay: None
    • Mask: 0
    • Require syslog TLS: Cleared
    • Port: 514
    • Support Generic Syslogs: Log "unknown syslog" event

      McAfee Enterprise Security Manager receives all events from Kaspersky CyberTrace. If McAfee Enterprise Security Manager cannot parse an event, the event displays as unknown.

    • Time Zone: Select the time zone you need
    • Encoding: None

    (Figure: Configuration of the data source in the Edit Data Source window)

  4. (Optional) Click Advanced to specify parameters for the data source in the Advanced options dialog box.
  5. Click OK.

    McAfee ESM suggests that you roll out the policy you have set.

    (Figure: Rollout dialog box)

  6. Select Kaspersky CyberTrace, and then click the Policy Editor toolbar button.

    (Figure: Selecting the Policy Editor toolbar button)

  7. In the Policy Editor window, select the Advanced Syslog Parser Rules rule type.
  8. Click New → Advanced Syslog Parser Rule.

    (Figure: Policy Editor window, New → Advanced Syslog Parser Rule menu item)

  9. To create a rule that parses feed update events, enter the following data in the Advanced Syslog Parser Rule dialog box:
    • In the General tab, enter the following data:
      • Name: Kaspersky_CyberTrace_ServiceEvent
      • Tags: Select the tags that describe the rule (they are used when filtering events)
      • Rule Assignment Type: User Defined 1 or another user defined type
      • Description: The Kaspersky Lab CyberTrace service event
    • In the Parsing tab, enter the following data:
      • Provide content strings: Kaspersky CyberTrace Service Event
      • Sample Log Data: Paste an example of a feed update event on a single line, without line breaks. For example:

        Kaspersky CyberTrace Service Event| date=Apr 17 19:08:28 alert=KL_ALERT_UpdatedFeed msg:feed=Demo_Botnet_CnC_URL_Data_Feed.json records=3907

      • Add the following regular expressions in the Parsing tab:

        Name               Regular Expression
        ct_service_name    alert\=(\S+)(?=\s)
        ct_context         (msg.*)(?=$)
        ct_date            date\=(\S+\s\d+\s\S+)

    (Figure: Parsing tab)

    • In the Field Assignment tab, enter the following data:

        Field          Expression
        Action         "0"
        Description    Drag ct_context into this field
        Severity       "60" or another value you choose
        Return_Code    Drag ct_service_name into this field
        First Time     Drag ct_date into this field

    (Figure: Field Assignment tab)

    You can add other fields here by clicking the + button.

    • In the Mapping tab, enter the following data:
      • In the time data table:

        Time Format        Time Fields
        %b %d %H:%M:%S     First time

      • In the actions table:

        Action Key    Action Value
        0             Success

      • In the severity table:

        Severity Key    Severity Value
        60              60

    (Figure: Mapping tab)

  10. Click Finish to save the policy.
  11. In the Default Policy list, select the Kaspersky CyberTrace device, and then enable the Kaspersky_CyberTrace_ServiceEvent rule.

    (Figure: Enabling a rule via the Enabled shortcut menu item)

  12. Select File → Save to save the current state.
  13. Select Operations → Rollout to roll out the policy.

    (Figure: Rolling out a policy via the Operations → Rollout menu item)

  14. When prompted, agree to reinitialize the Kaspersky CyberTrace device in McAfee ESM.
  15. Select Operations → Modify Aggregation Settings to change the aggregation rules for Kaspersky CyberTrace service events.
  16. In Modify Aggregation Settings, in Field 2, set the value Return_Code, and then click OK.

    (Figure: Modify Aggregation Settings window)

  17. Confirm the rollout request.
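The following added example (not part of this article or of McAfee ESM) applies the three regular expressions from step 9 and the field assignment and time mapping from that step to the sample feed update event, so you can check what each capture yields before rolling out the policy. The `parse_service_event` function and the year argument are assumptions for illustration: the `%b %d %H:%M:%S` time format carries no year, so one has to be supplied.

```python
import re
from datetime import datetime

# The three capture expressions from the Advanced Syslog Parser Rule (Parsing tab).
CT_PATTERNS = {
    "ct_service_name": re.compile(r"alert\=(\S+)(?=\s)"),   # needs whitespace after the alert name
    "ct_context": re.compile(r"(msg.*)(?=$)"),               # everything from "msg" to end of line
    "ct_date": re.compile(r"date\=(\S+\s\d+\s\S+)"),         # month, day, time (exactly one space between)
}
CONTENT_STRING = "Kaspersky CyberTrace Service Event"   # "Provide content strings" value
TIME_FORMAT = "%b %d %H:%M:%S"                          # Mapping tab time format for First Time

# The sample event from the article, embedded here as test input.
SAMPLE_EVENT = ("Kaspersky CyberTrace Service Event| date=Apr 17 19:08:28 "
                "alert=KL_ALERT_UpdatedFeed msg:feed=Demo_Botnet_CnC_URL_Data_Feed.json records=3907")


def parse_service_event(line, year=2024):
    """Return the ESM field assignment for one syslog line, or None when the line
    does not match the rule (ESM would then display it as an unknown syslog event).
    `year` is an assumption: the time format has no year field."""
    if CONTENT_STRING not in line:
        return None
    captures = {}
    for name, pattern in CT_PATTERNS.items():
        match = pattern.search(line)
        if match is None:
            return None
        captures[name] = match.group(1)
    first_time = datetime.strptime(f"{year} {captures['ct_date']}", "%Y " + TIME_FORMAT)
    # Field Assignment tab: fixed Action/Severity keys plus the three captures.
    return {
        "Action": "0",                           # mapped to "Success" in the actions table
        "Description": captures["ct_context"],
        "Severity": "60",                        # mapped to severity 60 in the severity table
        "Return_Code": captures["ct_service_name"],
        "First Time": first_time,
    }


if __name__ == "__main__":
    for field, value in parse_service_event(SAMPLE_EVENT).items():
        print(f"{field}: {value}")
```

A line that lacks the content string, or in which `alert=` is the last token (so the `(?=\s)` lookahead cannot match), returns None, which is the case step 3 describes as an unknown event.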
