Respected Contributor.

Kaspersky event categorization

Hi Community,

I installed the Kaspersky DB Connector, and it's working great now.

I've seen that the important values are in Flex String1 and Device Custom String1, and thus events from Kaspersky are not shown in the Anti-Virus information, dashboard, reports etc.

How do I get these 'useful' variables into different fields, and show this information on the Dashboard (the ArcSight Foundation default dashboard)?

Do I have to do categorization in the events?

If so, how do I do that?

Thank you.

Acclaimed Contributor.

Re: Kaspersky event categorization

You could probably get away with using a map file to get the value from deviceCustomString1 etc. and set the relevant fields. Are the fields you want to use currently populated with anything?

Respected Contributor.
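A map file in the shape Richard describes, as an added example that is not from the original thread and is not the connector's own content. It assumes the standard SmartConnector map-file layout (a header row of getter and setter columns, CSV rows beneath) and the path `user/agent/map/map.0.properties` under the connector's `current` directory; comment lines are assumed to be ignored as in a Java properties file. The regex patterns and the category values are placeholders chosen to illustrate the mechanism, not the strings Kaspersky actually writes into deviceCustomString1; take those from the Event Inspector before using this.

```properties
# Added example map file (not part of the original post). Assumed location:
#   $ARCSIGHT_HOME/current/user/agent/map/map.0.properties
# Map files are numbered consecutively (map.0, map.1, ...) and are read at connector start,
# so restart the connector after adding or editing one.
#
# Line 1 is the header: getter columns (what to match on) followed by setter columns
# (what to write). "regex.event.<field>" matches the field against a Java regex;
# "set.event.<field>" writes the literal value from that column into the event.
regex.event.deviceCustomString1,set.event.categoryDeviceGroup,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryOutcome
#
# One row per pattern, values in the same column order as the header.
# The two patterns are written to be mutually exclusive (the first excludes any
# remediation wording) so that row order does not matter.
#
# Detection with no remediation wording in the text (placeholder pattern):
(?i)^(?!.*(delet|quarantin|disinfect)).*(virus|trojan|worm|malware).*,/IDS/Host/Antivirus,/Host/Application/Malware,/Found,/Success
#
# Detection where the text says the object was deleted/quarantined/disinfected (placeholder pattern):
(?i).*(delet|quarantin|disinfect).*,/IDS/Host/Antivirus,/Host/Application/Malware,/Execute/Response,/Success
```

After restarting the connector, open a fresh Kaspersky event in the Event Inspector and confirm that Category Device Group, Category Object, Category Behavior and Category Outcome are now populated; the Foundation Anti-Virus content is typically conditioned on exactly these fields (Category Device Group of /IDS/Host/Antivirus and a Category Object under /Host/Application/Malware), which is why events that only carry their detail in Flex String1 and Device Custom String1 never reach the dashboards. Note that a map file can only write literal values per row, so each distinct kind of Kaspersky message you care about needs its own row and pattern.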

Re: Kaspersky event categorization

Thanks, and good morning.

I'm very new to ArcSight, and I have no idea about some of these things. I can see all the fields in the Flex String1 field, and these events are not in any of the dashboards or the reports etc. Does that mean it is not populated?

Acclaimed Contributor.

Re: Kaspersky event categorization

Could you post a screenshot of the Event Inspector so we can see how the event is being parsed?

Respected Contributor.

Re: Kaspersky event categorization

Sure,

Here are the Flex String and Device Custom String parts.

Since ArcSight supports the Kaspersky DB, I thought events would be categorized and would go directly into the list, but the Anti-Virus Dashboard and virus list information show empty.

[Screenshot: KAS1.png]

Acclaimed Contributor.

Re: Kaspersky event categorization

What about the fields you are expecting to see populated?

Established Member.

Re: Kaspersky event categorization

I know Kaspersky categorization is not that good.

As Richard mentioned, map files are useful here; also modify your antivirus data monitors to match the conditions.

The default content depends heavily on categorization.
