I've used the addon but malware center is showing nothing about ta-kaspersky HOT 7 CLOSED

Hi,
That can be related to several reasons.

• Search your malware/AV index and check if all the relevant fields are being correctly extracted (action, signature, dest, etc)
• Check if your malware data model includes the index where you have the AV data in the datamodel constraints (usually via a macro cim_Malware_indexes)
• Check if your malware datamodel is accelerated.

Which method are you using to collect the AV data? Depending on the configuration, syslog servers can add a timestamp at the beginning of the event. This available version is currently not considering that. I'm working to release a new version of the TA to address this.

from ta-kaspersky.

@diogofgm can you provide a sample that contains the mentioned fields?

from ta-kaspersky.

There are a few event types from where I believe we can map the needed fields for the malware DM for ES. (GNRL_EV_ATTACK_DETECTED,GNRL_EV_VIRUS_FOUND,etc)
Example:
LEEF:1.0|KasperskyLab|SecurityCenter|10.x.x|GNRL_EV_ATTACK_DETECTED|cat=KLSC EVC_EV_DESC=Event type: Network attack detected\r\nApplication\Name: Unknown\r\nUser: , , (Active user)\r\nComponent: Network Attack Blocker\r\nResult\Description: <action>\r\nResult\Name: <signature>\r\nObject: TCP from xxx.xxx.xxx.xxx to devTime=9999-99-99 99:99:99 devTimeFormat=yyyy-MM-dd HH:mm:ss EVC_EV_DISP_HOST_NAME=<dest_name> src=<dest_ip> identSrc=xxx.xxx.xxx.xxx identNetBios= XXXXXXX EVC_EV_KL_PRODUCT_DISPVER=10.x.x.x EVC_EV_KL_PRODUCT_NAME=KES EVC_EV_KL_PRODUCT_VER=10.x.x.x

from ta-kaspersky.

any samples in CEF format??
@diogofgm

from ta-kaspersky.

@diogofgm
Greetings. Do you think you could send me some logs you have used from kaspersky. I need the ones that are in CEF format, but I can't find them anywhere, and I need all the variants

from ta-kaspersky.

Hi @Kbayero

Currently I do not have access to any sample logs. The only place I have access to Kaspersky logs they are still using LEEF for kaspesrky logs 😞 From my experience, vendors usually lack detailed information regarding log formats and fields in their product docs, so its not always simple to get my hand on log samples to work with let alone all the variants.

from ta-kaspersky.

@diogofgm De todas formas muchas gracias, sus registros LEEF me han servido para ver algunas de las formas de ese formato, de todas formas voy a seguir buscando, deben aparecer

from ta-kaspersky.