Content and properties of CEF messages about user activity in the web interface

The header of each message contains the following information:

All fields of the CEF message have the "<key>=<value>" format. The keys, as well as their values contained in a message, are presented in the table below.

Event information in CEF messages

Event type

Event name and description

Key and description of its value

sensors

Managing the Sensor component

Connecting the Sensor component to the Central Node server, modifying component settings.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

sb

Configuring integration with the Sandbox component

Connecting the Sandbox component to the Central Node server.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

ex_integration

Configuring integration with external systems

Configuring integration with external systems.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

ksn_kpsn_mdr

Participation in KSN, KPSN and MDR

Configuring participation in Kaspersky Security Network, enabling or disabling the usage of Kaspersky Private Security Network, and configuring integration with Kaspersky Managed Detection and Response.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

yara

Managing YARA rules

Operations with YARA rules.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.
  • device external ID = <ID of the host in distributed solution mode>.
  • cs1label = <name of the uploaded file>

ioc

Managing indicator of compromise

Operations with IOC rules.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.
  • deviceExternalID = <identifier of the host in distributed solution mode>.

ids

Managing IDS rules

Operations with IDS rules.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.
  • deviceExternalID = <identifier of the host in distributed solution mode>.

taa

Managing TAA rules

Operations with TAA (IOA) rules.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

prevention

Managing prevention rules

Operations with prevention rules.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

exclusions

Managing scan exclusions

Operations with scan exclusion rules.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

tasks

Managing tasks

Operations with tasks.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

network_isolation

Network isolation of Endpoint Agent hosts

Network isolation of Endpoint Agent hosts.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

settings

Settings

Modifying Central Node server settings.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

settings

Settings

The set of virtual machine operating systems is changed to <version of the operating system set>.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

mt

Managing CN, PCN and SCN servers

Modifying the settings of Primary Central Node and Secondary Central Node servers in distributed solution and multitenancy mode.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

user_account

Managing user accounts

Actions on user accounts.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

notifications

Sending notifications

Configuring email notifications.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

license

License

Managing the license key.

  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • suser = <user name>.
  • cs1 = <event type>.

If an operation is performed on over 30 objects simultaneously, only one entry is logged for this operation. The entry includes the information about the operation and the number of objects on which it was performed.

Page top