Comments (7)
Hi,
That can be related to several reasons.
- Search your malware/AV index and check if all the relevant fields are being correctly extracted (action, signature, dest, etc)
- Check if your malware data model includes the index where you have the AV data in the datamodel constraints (usually via a macro
cim_Malware_indexes
) - Check if your malware datamodel is accelerated.
Which method are you using to collect the AV data? Depending on the configuration, syslog servers can add a timestamp at the beginning of the event. This available version is currently not considering that. I'm working to release a new version of the TA to address this.
from ta-kaspersky.
@diogofgm can you provide a sample that contains the mentioned fields?
from ta-kaspersky.
There are a few event types from where I believe we can map the needed fields for the malware DM for ES. (GNRL_EV_ATTACK_DETECTED,GNRL_EV_VIRUS_FOUND,etc)
Example:
LEEF:1.0|KasperskyLab|SecurityCenter|10.x.x|GNRL_EV_ATTACK_DETECTED|cat=KLSC EVC_EV_DESC=Event type: Network attack detected\r\nApplication\Name: Unknown\r\nUser: , , (Active user)\r\nComponent: Network Attack Blocker\r\nResult\Description: <action>\r\nResult\Name: <signature>\r\nObject: TCP from xxx.xxx.xxx.xxx to devTime=9999-99-99 99:99:99 devTimeFormat=yyyy-MM-dd HH:mm:ss EVC_EV_DISP_HOST_NAME=<dest_name> src=<dest_ip> identSrc=xxx.xxx.xxx.xxx identNetBios= XXXXXXX EVC_EV_KL_PRODUCT_DISPVER=10.x.x.x EVC_EV_KL_PRODUCT_NAME=KES EVC_EV_KL_PRODUCT_VER=10.x.x.x
from ta-kaspersky.
any samples in CEF format??
@diogofgm
from ta-kaspersky.
@diogofgm
Greetings. Do you think you could send me some logs you have used from kaspersky. I need the ones that are in CEF format, but I can't find them anywhere, and I need all the variants
from ta-kaspersky.
Hi @Kbayero
Currently I do not have access to any sample logs. The only place I have access to Kaspersky logs they are still using LEEF for kaspesrky logs 😞 From my experience, vendors usually lack detailed information regarding log formats and fields in their product docs, so its not always simple to get my hand on log samples to work with let alone all the variants.
from ta-kaspersky.
@diogofgm De todas formas muchas gracias, sus registros LEEF me han servido para ver algunas de las formas de ese formato, de todas formas voy a seguir buscando, deben aparecer
from ta-kaspersky.
Related Issues (11)
- splunk enterprise security HOT 13
- Signature field coverage
- Build sourcetype for syslog
- Fields are not renamed to follow CIM HOT 4
- Events indexed without sourcetype renaming HOT 6
- Build extractions for CEF format HOT 1
- can't see anything related to CEF HOT 1
- regex issues HOT 1
- Problem extracting data (Fields related) HOT 15
- Any Graph not shown data HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ta-kaspersky.