Kaspersky Industrial CyberSecurity for Networks

Viewing the table of event types

March 22, 2024

ID 252010

The event types provided in the application are displayed under Settings → Event types in the application web interface.

The table of event types contains system event types. These event types are created by the application during installation and cannot be deleted from the list. Various sets of system event types are used for the event registration technologies employed in the application.

Some system event types can be used as the basis for configuring user-defined settings of events that will be used when registering events in specific cases. User settings can be defined for the following event types:

User-defined settings take priority when registering events. The settings defined in system event types are used if no user settings are defined.

The following settings are available for event types:

  • Code – unique number (identifier) of the event type. In the event types table, the number is displayed together with the event title in the Code and title column. In the table of registered events, the event type identifier is displayed in the Event type column.
  • Title – contents of the event title presented as text and/or variables. System event types may utilize specific variables only for these event types (for example, the $systemCommandShort variable in the event type for Command Control technology) or common variables that can also be used in user-defined settings (for example, the $top_level_protocol variable in the event type for Network Integrity Control technology). In the event types table, the content of the title is displayed together with the event type number in the Code and title column. In the table of registered events, the text of the title and/or received values of variables are displayed in the Title column.
  • Base score – initial value for calculating the score of the registered event. If an event type can have different base scores, then the maximum value is displayed. This setting is displayed in the event types table.
  • Technology – technology used for event registration. This setting is displayed in the event types table.
  • Description – additional text that describes the event type. Like the title, a description may contain variables. This setting is not displayed in the event types table (you can view the description in the details area of the selected event type). In the table of registered events, the text of the description and/or received values of variables are displayed in the Description column.
  • <Recipient connector name> – name of the connector that the application uses to forward events to the recipient system. The application sends recipient systems only those types of events that are configured for forwarding through the connector. Each connector configured to forward events to third-party systems is displayed in a separate column of the risk types table. This setting is not displayed in the details area for the selected event type.
  • Event regeneration period – maximum period of time after which an event is allowed to be registered again. If the conditions for event registration are repeated before the specified time period elapses, a new event is not registered but the counter for the number of repeats of the previously registered event is increased and the date and time of the last occurrence of the event is updated. After this period elapses, the application will register a new event of this type when the event registration conditions are repeated. The repeat event timeout period begins when an event of this type is last registered. For example, if the defined time period is 8 hours and the conditions for registering this type of event are detected two hours after the previous event, a new event will not be registered. A new event will be registered when the event registration conditions are detected after 8 or more hours. This setting is not displayed in the event types table (you can view and configure this setting in the details area of the selected event type).

    For registered events, the event regeneration period may end earlier than the specified period. Re-registration of an event is allowed earlier than the defined period if the Resolved status is assigned to the event, and if the computer performing Server functions was restarted.

  • Save traffic – this setting enables or disables automatic saving of traffic when an event is registered. This setting is not displayed in the event types table (you can view and configure this setting in the details area of the selected event type).

    If automatic saving of traffic is disabled, you can manually load traffic some time after registration of an event of this type. When the application receives a request to load traffic, it searches network packets in traffic dump files that were temporarily created by the application. If relevant network packets are found in the traffic dump files, they are loaded after first being saved in the database.
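
The Event regeneration period rule described above can be modelled as follows. This is an added example, not code from the application: the `Event` and `Registrar` classes, the event type code 9001 and the timestamps are constructed for illustration. It assumes the period is counted from the registration time of the event, and that either the Resolved status or a Server restart alone is enough to allow early re-registration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    type_code: int
    registered: datetime   # registration time; the regeneration period starts here
    last_seen: datetime    # date and time of the last occurrence
    repeats: int = 0       # counter for the number of repeats
    status: str = "New"

class Registrar:
    """Hypothetical model of the 'Event regeneration period' setting."""

    def __init__(self, regeneration_period: timedelta):
        self.period = regeneration_period
        self.events = []   # every registered event, in order
        self._open = {}    # type_code -> event that still absorbs repeats

    def detect(self, type_code: int, when: datetime) -> Event:
        ev = self._open.get(type_code)
        if ev and ev.status != "Resolved" and when - ev.registered < self.period:
            ev.repeats += 1          # no new event: bump the counter
            ev.last_seen = when      # and refresh the last occurrence
            return ev
        ev = Event(type_code, registered=when, last_seen=when)
        self.events.append(ev)
        self._open[type_code] = ev
        return ev

    def resolve(self, type_code: int) -> None:
        if type_code in self._open:
            self._open[type_code].status = "Resolved"

    def restart_server(self) -> None:
        self._open.clear()           # assumption: suppression state is not kept

def demo():
    t0, h = datetime(2024, 3, 22), timedelta(hours=1)
    r = Registrar(regeneration_period=8 * h)
    r.detect(9001, t0)               # 9001 is a constructed event type code
    r.detect(9001, t0 + 2 * h)       # within 8 h: counted as a repeat
    r.detect(9001, t0 + 8 * h)       # 8 h elapsed: new event
    r.resolve(9001)
    r.detect(9001, t0 + 9 * h)       # previous event Resolved: new event
    r.restart_server()
    r.detect(9001, t0 + 10 * h)      # after restart: new event
    return [(e.registered.hour, e.repeats, e.status) for e in r.events]

if __name__ == "__main__":
    print(demo())
```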

When viewing the event types table, you can use the configuration, filter, search, and sorting functions.
