Working with event definitions
CYBERQUEST ships with a full event dictionary built around Windows operating systems. The dictionary is under continuous expansion, and future platform releases will start including event dictionaries for all major supported technologies.
A list of all events available at the time of editing this document can be found in Appendix: Event Dictionary.
Unlike other SIEM solutions on the market, CYBERQUEST's dictionary is open, which means at any time you can edit, export and delete existing event definitions, or create and import new ones -- building your own dictionary supporting technologies you have under management.
The event dictionary can be accessed from the Web Interface by navigating to Settings > Event Dictionary. The page opens, listing the defined objects. Here you can manage existing definitions and, from the Actions menu, import an object or create a new definition from scratch.
To export a definition, press button next to it. The export is saved as a proprietary CQO file. Likewise, to import a definition select in Actions menu.
To edit details for a specific object, press button next to it. The Edit event definition window opens, allowing you to change the Name and Description, correct the Script, or enable/disable the object.
To delete an event from the list, press button next to it. As a precaution, you will be asked to confirm the deletion.
Events can be searched in the Quick Filter bar by event ID, event name, or description.
Creating a new event definition
In the Event Definitions page, select from Actions menu. The Add Event Dictionary configuration page opens, allowing you to create the new definition.
All fields are free text, which gives you complete freedom in defining a new event. The template provides up to 150 custom fields that you can add. As a general recommendation, define a company-wide standard for issuing EventIDs, event names and platforms for all the applications in scope.
When you have finished creating the parser, press button to save changes.