Comments (7)
Hi,
That can be related to several reasons.
- Search your malware/AV index and check if all the relevant fields are being correctly extracted (action, signature, dest, etc.).
- Check if your malware data model includes the index where you have the AV data in the data model constraints (usually via the macro cim_Malware_indexes).
- Check if your malware data model is accelerated.
Which method are you using to collect the AV data? Depending on the configuration, syslog servers can add a timestamp at the beginning of the event. The currently available version does not take that into account. I'm working to release a new version of the TA to address this.
from ta-kaspersky.
@diogofgm can you provide a sample that contains the mentioned fields?
There are a few event types from where I believe we can map the needed fields for the malware DM for ES. (GNRL_EV_ATTACK_DETECTED,GNRL_EV_VIRUS_FOUND,etc)
Example:
LEEF:1.0|KasperskyLab|SecurityCenter|10.x.x|GNRL_EV_ATTACK_DETECTED|cat=KLSC EVC_EV_DESC=Event type: Network attack detected\r\nApplication\Name: Unknown\r\nUser: , , (Active user)\r\nComponent: Network Attack Blocker\r\nResult\Description: <action>\r\nResult\Name: <signature>\r\nObject: TCP from xxx.xxx.xxx.xxx to devTime=9999-99-99 99:99:99 devTimeFormat=yyyy-MM-dd HH:mm:ss EVC_EV_DISP_HOST_NAME=<dest_name> src=<dest_ip> identSrc=xxx.xxx.xxx.xxx identNetBios= XXXXXXX EVC_EV_KL_PRODUCT_DISPVER=10.x.x.x EVC_EV_KL_PRODUCT_NAME=KES EVC_EV_KL_PRODUCT_VER=10.x.x.x
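A worked parser for the LEEF event quoted above, written here as an added example (not code from the TA or from the thread's participants). It assumes constructed values in place of the sample's placeholders, prepends a made-up syslog header to show the timestamp-prefix case mentioned earlier in the thread, and maps the result onto the CIM Malware field names the thread asks about.

```python
import re

# Constructed sample: the LEEF event quoted in the thread with its placeholders
# replaced by made-up values and a syslog priority/timestamp/host prefix added.
SAMPLE = (
    "<14>Jan  1 12:00:00 kscserver "
    "LEEF:1.0|KasperskyLab|SecurityCenter|10.x.x|GNRL_EV_ATTACK_DETECTED|cat=KLSC "
    "EVC_EV_DESC=Event type: Network attack detected\\r\\nApplication\\Name: Unknown"
    "\\r\\nUser: , , (Active user)\\r\\nComponent: Network Attack Blocker\\r\\nResult"
    "\\Description: Blocked\\r\\nResult\\Name: Scan.Generic.PortScan.TCP\\r\\nObject: TCP "
    "from 192.0.2.10 to devTime=2024-01-01 12:00:00 devTimeFormat=yyyy-MM-dd HH:mm:ss "
    "EVC_EV_DISP_HOST_NAME=WS-0042 src=198.51.100.7 identSrc=192.0.2.10 identNetBios= "
    "WS-0042 EVC_EV_KL_PRODUCT_DISPVER=10.3.3.275 EVC_EV_KL_PRODUCT_NAME=KES EVC_EV_KL_PRODUCT_VER=10.3.3.275"
)

# Attribute values may contain spaces, so split only where the next token is "key=".
ATTR_SPLIT = re.compile(r"\s+(?=[A-Za-z_][\w.]*=)")
# The lines inside EVC_EV_DESC are separated by a literal "\r\n" (or a real CRLF).
DESC_SPLIT = re.compile(r"\\r\\n|\r\n")

def parse_leef(event):
    # Locate the LEEF header; anything before it is a syslog prefix and is dropped.
    start = event.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF event")
    parts = event[start:].split("|", 5)  # version|vendor|product|ver|eventID|attributes
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    fields = {"leef_version": parts[0][5:], "vendor": parts[1], "product": parts[2],
              "product_version": parts[3], "event_id": parts[4]}
    for attr in ATTR_SPLIT.split(parts[5]):
        key, sep, value = attr.partition("=")
        if sep:
            fields[key] = value.strip()
    # EVC_EV_DESC is itself a "Key: Value" block; lift each line into a desc.* field.
    for line in DESC_SPLIT.split(fields.get("EVC_EV_DESC", "")):
        key, sep, value = line.partition(":")
        if sep:
            fields["desc." + key.strip()] = value.strip()
    return fields

def to_cim_malware(fields):
    # Field mapping follows the labels in the thread's sample (src carries the protected host's IP).
    return {
        "action": fields.get("desc.Result\\Description", ""),
        "signature": fields.get("desc.Result\\Name", ""),
        "dest": fields.get("EVC_EV_DISP_HOST_NAME", ""),
        "dest_ip": fields.get("src", ""),
        "vendor_product": fields["vendor"] + " " + fields["product"],
    }
```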
Any samples in CEF format?
@diogofgm
@diogofgm
Greetings. Do you think you could send me some logs you have used from Kaspersky? I need the ones that are in CEF format, but I can't find them anywhere, and I need all the variants.
Hi @Kbayero
Currently I do not have access to any sample logs. The only place where I have access to Kaspersky logs is still using LEEF for the Kaspersky logs.
@diogofgm Anyway, thank you very much; your LEEF records have helped me see some of the forms of that format. In any case I'll keep looking, they should turn up.