Creating notifications about incoming service events

April 11, 2024

ID 196725

You can create notifications about incoming Kaspersky CyberTrace service events by configuring alert rules.

To create notifications about service events from Kaspersky CyberTrace in RSA NetWitness:

  1. On the RSA NetWitness menu, select Monitor > Reports, and then select Manage > Rules.

    Manage > Rules window in RSA NetWitness

  2. In the Groups section, select CyberTrace_Rules.

    CyberTrace rules in RSA NetWitness

  3. In the Rules section, click the Add split button. In the drop-down list, select NetWitness Platform DB.

    The Build Rule window opens.

  4. In the Build Rule window, specify the following settings:
    • In the Name field, specify the name of the rule.

      You can specify any name.

    • In the Summarize field, specify a value other than None if you want to aggregate events.
    • In the Select field, specify the fields whose values are to be used in notifications.

      In service events, Kaspersky CyberTrace uses the msg and action fields.

    • In the Where field, specify the notification conditions. For example:

      device.type='cybertrace' && action contains 'KL_ALERT'

      This condition matches all Kaspersky CyberTrace service events.

    • If necessary, fill in the remaining fields as you choose.

    The Build Rule window in RSA NetWitness

  5. Click the Test Rule button to make sure that the specified rule is evaluated correctly.

    The Test Rule window in RSA NetWitness

  6. Click Save to save the rule.
  7. Click Use, and in the window that opens, select Alert and then click Select.

    The Use Rule window in RSA NetWitness

    The Create/Modify Alert window opens.

  8. In the Create/Modify Alert window, specify the following settings:
    • In the Data Source field, select an event source with Kaspersky CyberTrace events.
    • In the Description field, specify the alert description.

      You can specify any description.

    • In the Severity field, specify the severity of the alert.
    • In the Notification field, specify the following settings:
      • The way in which RSA NetWitness will notify you about alerts.
      • The body of the alert.

    The Create/Modify Alert window in RSA NetWitness

  9. Click Create to save the rule.

    The rule will now be added to the Alert list of the Manage > Alerts tab.

  10. To browse all alerts that comply with the created rule, click the View Alerts button.
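The following Python script is an added illustration, not code from the Kaspersky or RSA documentation: it simulates what the rule built in step 4 does to a batch of events, applying the Where condition device.type='cybertrace' && action contains 'KL_ALERT', keeping only the Select fields msg and action, and aggregating the matches the way a non-None Summarize setting would. The event records and their action and msg values are constructed for the example and do not come from a real CyberTrace deployment.

```python
# Added example: models the Where / Select / Summarize behaviour of the
# NetWitness rule for Kaspersky CyberTrace service events.
# All event records below are CONSTRUCTED sample data, not real captures.
from collections import Counter
from typing import Dict, List

WHERE_DEVICE_TYPE = "cybertrace"    # device.type='cybertrace'
WHERE_ACTION_SUBSTR = "KL_ALERT"    # action contains 'KL_ALERT'
SELECT_FIELDS = ("msg", "action")   # fields CyberTrace uses in service events

# Constructed sample meta records (hypothetical action/msg values).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"device.type": "cybertrace", "action": "KL_ALERT_ServiceStarted",
     "msg": "Service started"},
    {"device.type": "cybertrace", "action": "KL_ALERT_FeedUpdated",
     "msg": "Feed updated"},
    {"device.type": "cybertrace", "action": "KL_ALERT_FeedUpdated",
     "msg": "Feed updated"},
    # A detection (indicator match) event: same source, but not a service event.
    {"device.type": "cybertrace", "action": "Detected",
     "msg": "Indicator match"},
    # Right action pattern but wrong device.type: must not match.
    {"device.type": "other_source", "action": "KL_ALERT_ServiceStarted",
     "msg": "Unrelated source"},
]


def matches_where(event: Dict[str, str]) -> bool:
    """Evaluate: device.type='cybertrace' && action contains 'KL_ALERT'."""
    return (event.get("device.type") == WHERE_DEVICE_TYPE
            and WHERE_ACTION_SUBSTR in event.get("action", ""))


def select_fields(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply Where, then keep only the Select fields (msg, action)."""
    return [{f: e.get(f, "") for f in SELECT_FIELDS}
            for e in events if matches_where(e)]


def summarize(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate matching events by action, as a non-None Summarize would."""
    return dict(Counter(e["action"] for e in select_fields(events)))


def alert_body(event: Dict[str, str]) -> str:
    """Build a notification body from the two selected fields."""
    return f"CyberTrace service event: action={event['action']} msg={event['msg']}"


if __name__ == "__main__":
    for selected in select_fields(SAMPLE_EVENTS):
        print(alert_body(selected))
    print(summarize(SAMPLE_EVENTS))
```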
