Step 8 (optional). Creating notifications about incoming service events

April 11, 2024

ID 196829

You can create notifications about issues with Kaspersky CyberTrace (its service events) by configuring QRadar event rules that match those events and respond with a notification.

To create notifications about service events from Kaspersky CyberTrace in QRadar:

  1. Run QRadar Console.
  2. Select any of the Offenses, Log Activity, or Network Activity tabs, and then select Rules.
  3. In the Actions drop-down list, select New Event Rule.

    Figure: The Rules page (New Event Rule menu item)

    The Rule Wizard page opens.

  4. On the Rule Wizard page, click Next to select the source from which you want the rule to be generated.

    Figure: The Rule Wizard window (choosing the source)

  5. Select Events, and then click Next.
  6. On the Rule Test Stack Editor page, perform the following actions:
    • Add the following two tests to the rule:
      • when the event(s) were detected by one or more of these log sources
      • when the event matches this search filter
    • Join the two tests with the logical and operator, so that the rule fires only when an event satisfies both of them.
    • For the when the event(s) were detected by one or more of these log sources test, set Log Source to KL_Threat_Feed_Service_v2. If this log source is absent, first add Kaspersky CyberTrace Service as a log source.
    • For the when the event matches this search filter test, specify a filter that compares Event Name with the name of the service event, by performing the following actions:
      1. In the list of event fields, select Event Name.
      2. In the list of conditions, select Equals.
      3. Click Browse and choose the name of the service event for which the rule is created.

    Figure: Rule Wizard, adding filters

      4. Click Add+, and then click Submit.

        If the necessary event is absent from the list, add it to the QRadar Identifiers (QID) list first; the filter can only match an Event Name that QRadar already knows.

    • Enter the name of the rule, and then select whether the rule applies to incoming events as a Local or a Global rule. For more information about Local and Global rules, see the IBM documentation.
    • Select the rule group that you need.
    • Add a description for the rule.

    Figure: The Rule Editor window

    • Click Next.
  7. On the Rule Response page, perform the following actions:
    • Select Notify. This response produces a QRadar system notification (shown in the Messages list); it does not by itself create an offense or send an email.
    • If necessary, in the Response Limiter section, limit how often the rule responds (no more than a given number of times per interval), so that a burst of identical service events does not flood the console with notifications.
    • Select the Enable Rule check box.

    Figure: The Rule Response page

    • Click Next.
  8. On the Rule Summary page, make sure that all settings are specified correctly, and then click Finish.

    Figure: The Rule Summary page

    The rule is added to the Rules list.

    Figure: The Rules list
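The rule built in steps 6 and 7 is two tests joined with and, a Notify response, and an optional Response Limiter. The following Python script is an added example (not part of this page and not QRadar or CyberTrace code) that models that rule locally and runs it over a handful of constructed events, so you can see which events would produce a notification and which the limiter would suppress. The service event name CyberTrace_service_event_example, the other log source name, and the timestamps are placeholders; the limiter is modelled per rule only, whereas QRadar can also limit per event property.

```python
"""Local model of a QRadar event rule: tests joined with AND, Notify response, Response Limiter.

Added example; it does not talk to QRadar and does not reproduce its Custom Rules Engine.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass(frozen=True)
class Event:
    """One normalized event, reduced to the fields the rule tests use."""
    log_source: str   # Log Source name, e.g. KL_Threat_Feed_Service_v2
    event_name: str   # Event Name (the QID name)
    time: float       # event time, epoch seconds


RuleTest = Callable[[Event], bool]


def detected_by_log_sources(names: Set[str]) -> RuleTest:
    """Test: when the event(s) were detected by one or more of these log sources."""
    return lambda e: e.log_source in names


def event_name_equals(name: str) -> RuleTest:
    """Test: when the event matches this search filter (Event Name Equals <name>)."""
    return lambda e: e.event_name == name


@dataclass
class ResponseLimiter:
    """Respond no more than max_responses times per interval_seconds (per rule, simplified)."""
    max_responses: int
    interval_seconds: float
    _fired: List[float] = field(default_factory=list)

    def allow(self, now: float) -> bool:
        # Drop responses that fell out of the sliding window, then check the budget.
        self._fired = [t for t in self._fired if now - t < self.interval_seconds]
        if len(self._fired) >= self.max_responses:
            return False
        self._fired.append(now)
        return True


@dataclass
class EventRule:
    name: str
    tests: List[RuleTest]                      # joined with logical AND, as in the wizard
    enabled: bool = True                       # the Enable Rule check box
    limiter: Optional[ResponseLimiter] = None  # the Response Limiter section

    def matches(self, event: Event) -> bool:
        return self.enabled and all(test(event) for test in self.tests)

    def evaluate(self, event: Event) -> str:
        """'notify' when a notification would be sent, 'match-suppressed' when the limiter blocks it."""
        if not self.matches(event):
            return "no-match"
        if self.limiter is not None and not self.limiter.allow(event.time):
            return "match-suppressed"
        return "notify"


def run_rule(rule: EventRule, events: List[Event]) -> List[tuple]:
    """Evaluate events in arrival order; returns (event_name, outcome) pairs."""
    return [(e.event_name, rule.evaluate(e)) for e in events]


# Constructed sample events (placeholder names, not real CyberTrace output).
SERVICE_EVENT = "CyberTrace_service_event_example"
SAMPLE_EVENTS = [
    Event("KL_Threat_Feed_Service_v2", SERVICE_EVENT, 1_700_000_000.0),
    Event("KL_Threat_Feed_Service_v2", "Some_detection_event", 1_700_000_005.0),  # wrong Event Name
    Event("LinuxServer@10.0.0.7", SERVICE_EVENT, 1_700_000_010.0),                 # wrong log source
    Event("KL_Threat_Feed_Service_v2", SERVICE_EVENT, 1_700_000_020.0),
    Event("KL_Threat_Feed_Service_v2", SERVICE_EVENT, 1_700_000_030.0),             # third in 60 s: limited
    Event("KL_Threat_Feed_Service_v2", SERVICE_EVENT, 1_700_000_100.0),             # window expired
]


def build_rule() -> EventRule:
    """The rule from steps 6 and 7: both tests, Notify, limited to 2 responses per 60 seconds."""
    return EventRule(
        name="CyberTrace service event notification",
        tests=[
            detected_by_log_sources({"KL_Threat_Feed_Service_v2"}),
            event_name_equals(SERVICE_EVENT),
        ],
        limiter=ResponseLimiter(max_responses=2, interval_seconds=60),
    )


if __name__ == "__main__":
    for name, outcome in run_rule(build_rule(), SAMPLE_EVENTS):
        print(f"{outcome:17} {name}")
```

Of the six constructed events, the second and third fail one of the two tests, the fifth matches but is suppressed by the limiter, and the first, fourth and sixth produce a notification. If you see many suppressed matches in production, tighten the Event Name filter rather than raising the limit, since each suppressed match is a service event nobody is told about.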

The added rule generates a notification each time a matching service event arrives. You can view these notifications in the Messages drop-down list; they are also displayed in QRadar Console as pop-up notifications.

Figure: The Messages drop-down list

You can configure the display of notifications on the Dashboard tab.

Figure: System notifications on the Dashboard tab

To configure the display of notifications on the Dashboard tab:

  1. Select the Dashboard tab.
  2. In the Add Item drop-down list, select System Notifications.

    Figure: Adding system notifications on the Dashboard tab
