Kaspersky Machine Learning for Anomaly Detection

Settings and an example of JSON file containing a configuration for the Event Processor service

The configuration file is created by a technical specialist of the Customer, a Kaspersky employee, or a certified integrator. The system administrator uploads the Event Processor configuration file when configuring the Event Processor service settings.

When re-uploading a configuration file in which other event parameters are defined, the event parameters defined in the previous configuration file will become unavailable for configuration in the application web interface.

The CEF Connector receives information about each detected event from external systems in CEF format:

CEF:<CEF format version>|<name of the external system vendor>|<name of the external system application>|<version of the external system application>|<unique identifier of the event type>|<event description>|<event severity level>|<parameter 1>=<value of parameter 1> ... <parameter N>=<value of parameter N>

where:

  • CEF:<CEF format version>|<name of the external system vendor>|<name of the external system application>|<version of the external system application>|<unique identifier of the event type>|<event description>|<event severity level>| is the event header.
  • <parameter 1>=<value of parameter 1> ... <parameter N>=<value of parameter N> is the event body containing the sequence of <event parameter>=<event parameter value> pairs.

The configuration file describes the parameters in the events received by the CEF Connector. The names of event parameters in Kaspersky MLAD may coincide with the names of parameters received in CEF format by the CEF Connector. If necessary, you can specify other names for the parameters to be processed in Kaspersky MLAD according to certain rules. The rules for mapping event parameters are defined in the mapping_fields parameter of the configuration file.

The nodes and links parameters of the configuration file are intended to describe the method for constructing the event search results graph. The graph displays the relationships between event parameters whose nodes are defined in the nodes parameter and whose arcs are defined in the links parameter.

The configuration file contains the following settings:

  • timestamp_field: the name of the event parameter that carries the date and time of the event received by the CEF Connector from the external system.
  • timestamp_scale: the unit in which the value of timestamp_field is expressed (for example, ms for milliseconds).
  • sep: the separator between <event parameter>=<event parameter value> pairs in the body of events received by the CEF Connector.
  • sep_kv: the separator between the key and the value within each pair in events received by the CEF Connector.
  • sep_cef_caption: the separator between the fields of the header of events received by the CEF Connector.
  • mapping_fields: rules for mapping event parameters received by the CEF Connector to the names of event parameters to be processed in Kaspersky MLAD. If necessary, you can specify the conditions for writing event parameters in Kaspersky MLAD depending on the values of other parameters received by the CEF Connector. This parameter is optional.
  • fields: list of event parameters processed by the Event Processor service. The names of these parameters may coincide with the names of parameters received in CEF format, or may coincide with the names of parameters defined in the rules using the mapping_fields parameter.
  • nodes: the group of settings that describe event parameters relationship graph nodes by using the following settings:
    • name: the name of the event parameter corresponding to the graph node.
    • depth: the position of the graph node in the event history, counted from left to right (nodes with a lower depth value are displayed further left).
    • tooltip: a group containing the templates setting, which defines the tooltip displayed when you hover over the node. Event parameters are referenced in a template with double curly braces, for example {{User_Name}}.
    • fieldShortCut: defines an alternate name for the event parameter. The event parameters relationship graph displays the alternate name in brackets next to the value of the parameter corresponding to the graph node. This parameter is optional.
  • links: a group of settings that describe graph arcs (event parameters relationships) by using the following settings:
    • source: the name of the first event parameter that creates a link on the graph.
    • target: the name of the second event parameter that creates a link on the graph.
    • tooltip: a group containing the templates setting, which defines the tooltip displayed when you hover over the arc. You can use the following variables in double curly braces:
      • Any parameter in the fields event parameter list.
      • onIntervalActivationsCount: the number of event detections in the event stream during the period defined when viewing the events history.
      • onIntervalLastActivationTimestamp: the date and time when the event was last detected in the event stream for the period defined when viewing the events history.
      • lastActivationTimestamp: the date and time when the event was last detected in the event stream.
      • totalActivationsCount: the number of event detections in the event stream.
    • isGraphGroup: defines how to display a connection on the event parameters relationship graph. If this parameter is set to true, events with different values of the parameters that are not used as the graph nodes are displayed as one event group. If the parameter is set to false, events with different values of the parameters are displayed as different events. The default value of this parameter is false.

Below is an example of a JSON file containing a configuration for the Event Processor service. The file contains a description of the event parameters for the Event Processor. According to the values specified in the mapping_fields parameter, events with the following event parameters will be displayed in Kaspersky MLAD:

  • User_Host: corresponds to the cat parameter in an event received by the CEF Connector.
  • User_Name: corresponds to the cs1 parameter if the value user is received for the cs1Label parameter.
  • Destination_Host: corresponds to the cs1 parameter if the value destination is received for the cs1Label parameter.
  • Access_Result: corresponds to the cs1 parameter if the value access is received for the cs1Label parameter.
{
  "timestamp_field": "TimeStamp",
  "timestamp_scale": "ms",
  "sep": " ",
  "sep_kv": "=",
  "sep_cef_caption": "|",
  "mapping_fields": {
    "cat": "User_Host",
    "cs1": {
      "map_label": "cs1Label",
      "values": {
        "user": "User_Name",
        "destination": "Destination_Host",
        "access": "Access_Result"
      }
    }
  },
  "fields": [
    "User_Host",
    "User_Name",
    "Destination_Host",
    "Access_Result"
  ],
  "nodes": [
    {
      "name": "User_Name",
      "depth": 0,
      "tooltip": { "templates": [ "User: {{User_Name}}" ] },
      "fieldShortCut": "User"
    },
    {
      "name": "User_Host",
      "depth": 1,
      "tooltip": { "templates": [ "User host: {{User_Host}}" ] },
      "fieldShortCut": "Src"
    },
    {
      "name": "Destination_Host",
      "depth": 2,
      "tooltip": { "templates": [ "Destination: {{Destination_Host}}" ] },
      "fieldShortCut": "Dst"
    }
  ],
  "links": [
    {
      "source": "User_Name",
      "target": "User_Host",
      "tooltip": {
        "templates": [
          "{{User_Name}} » {{User_Host}}",
          "Count: {{onIntervalActivationsCount}}"
        ]
      },
      "isGraphGroup": true
    },
    {
      "source": "User_Host",
      "target": "Destination_Host",
      "tooltip": {
        "templates": [
          "{{User_Host}} » {{Destination_Host}}",
          "DeviceEventClassID: {{Access_Result}}",
          "Count: {{onIntervalActivationsCount}}"
        ]
      }
    }
  ]
}
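The following Python script is an added worked example, not Kaspersky MLAD code: it shows what the Event Processor has to do with the configuration above, splitting a CEF event with the sep, sep_kv and sep_cef_caption separators, applying the mapping_fields rules (including the cs1Label-conditional rule for cs1), keeping only the parameters listed in fields, and expanding a tooltip template. The mapping semantics are inferred from the description on this page; the vendor, product, host names and event values are constructed sample data, and the timestamp scale table beyond "ms" is an assumption. One practical detail the page does not spell out is handled here: a CEF extension value such as msg=Access granted to lab contains the pair separator itself, so the body cannot simply be split on spaces.

```python
"""Added example (not Kaspersky MLAD code): parse a CEF event with the
separators from the Event Processor configuration and apply mapping_fields."""
import json
import re
from datetime import datetime, timezone

# The configuration from the example on this page (graph nodes/links omitted).
CONFIG = json.loads("""{
  "timestamp_field": "TimeStamp", "timestamp_scale": "ms",
  "sep": " ", "sep_kv": "=", "sep_cef_caption": "|",
  "mapping_fields": {
    "cat": "User_Host",
    "cs1": {"map_label": "cs1Label",
            "values": {"user": "User_Name", "destination": "Destination_Host",
                       "access": "Access_Result"}}
  },
  "fields": ["User_Host", "User_Name", "Destination_Host", "Access_Result"]
}""")

HEADER_FIELDS = ["cef_version", "vendor", "product", "product_version",
                 "event_class_id", "name", "severity"]

# Assumption: the usual unit suffixes; the page itself only shows "ms".
TIMESTAMP_DIVISOR = {"s": 1, "ms": 1_000, "us": 1_000_000}


def split_unescaped(text, sep, maxsplit=0):
    """Split on sep, honouring the CEF rule that a backslash escapes it."""
    parts = re.split(r"(?<!\\)" + re.escape(sep), text, maxsplit=maxsplit)
    return [p.replace("\\" + sep, sep) for p in parts]


def parse_cef(line, config):
    """Return (header dict, raw extension dict) for one CEF line."""
    caption_sep, sep, sep_kv = (config["sep_cef_caption"], config["sep"],
                                config["sep_kv"])
    parts = split_unescaped(line.strip(), caption_sep, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % line)
    parts[0] = parts[0][len("CEF:"):]
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    # Extension values may contain the pair separator (spaces in msg=...), so a
    # token without an unescaped key/value separator continues the previous value.
    raw, key = {}, None
    for token in parts[7].split(sep):
        if re.search(r"(?<!\\)" + re.escape(sep_kv), token):
            key, value = split_unescaped(token, sep_kv, maxsplit=1)
            raw[key] = value
        elif key is not None:
            raw[key] += sep + token
    return header, raw


def apply_mapping(raw, mapping):
    """Rename CEF keys to MLAD parameter names per mapping_fields. A string rule
    maps unconditionally; a dict rule maps only when the parameter named by
    map_label carries one of the listed values (cs1Label=user -> User_Name)."""
    out = {}
    for cef_key, rule in mapping.items():
        if cef_key not in raw:
            continue
        if isinstance(rule, str):
            out[rule] = raw[cef_key]
        else:
            target = rule["values"].get(raw.get(rule["map_label"]))
            if target is not None:
                out[target] = raw[cef_key]
    return out


def process_event(line, config):
    """Parse one event and keep only the parameters listed in fields."""
    header, raw = parse_cef(line, config)
    renamed = dict(raw)  # unmapped parameters keep their CEF names
    renamed.update(apply_mapping(raw, config.get("mapping_fields", {})))
    ts = None
    if config["timestamp_field"] in raw:
        divisor = TIMESTAMP_DIVISOR[config["timestamp_scale"]]
        ts = datetime.fromtimestamp(
            int(raw[config["timestamp_field"]]) / divisor, timezone.utc)
    fields = {n: renamed[n] for n in config["fields"] if n in renamed}
    return {"header": header, "timestamp": ts, "fields": fields}


def render_template(template, values):
    """Expand {{name}} placeholders the way the tooltip templates do."""
    return re.sub(r"\{\{(\w+)\}\}",
                  lambda m: str(values.get(m.group(1), "")), template)


# Constructed sample events (hypothetical vendor, product, hosts and values).
SAMPLE_EVENTS = [
    "CEF:0|ExampleVendor|AccessControl|1.0|100|Door access|3|"
    "TimeStamp=1700000000000 cat=host-17 cs1=alice cs1Label=user",
    "CEF:0|ExampleVendor|AccessControl|1.0|100|Door access|3|"
    "TimeStamp=1700000000500 cat=host-17 cs1=lab\\=db cs1Label=destination "
    "msg=Access granted to lab",
    "CEF:0|ExampleVendor|AccessControl|1.0|101|Door access|7|"
    "TimeStamp=1700000001000 cat=host-17 cs1=denied cs1Label=access",
    "CEF:0|ExampleVendor|AccessControl|1.0|101|Door access|7|"
    "TimeStamp=1700000001500 cat=host-18 cs1=ignored cs1Label=other",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = process_event(line, CONFIG)
        print(ev["timestamp"].isoformat(), ev["fields"])
```

The fourth sample event shows the failure mode of a conditional rule: its cs1Label value (other) matches none of the entries under values, so cs1 is not renamed and, because no name in fields matches it, it does not reach the Event Processor at all. When a re-uploaded configuration changes these rules, parameters that only existed under the old names disappear from the web interface in the same way.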