A fixed set of event types are used for receiving events of Kaspersky Industrial CyberSecurity for Networks in Kaspersky Security Center. The types of events in Kaspersky Security Center correspond to the specific types of events in Kaspersky Industrial CyberSecurity for Networks and can be registered as Kaspersky Security Center incidents depending on the severities of the events (see the figure below).
Types of events in Kaspersky Security Center for receiving events of Kaspersky Industrial CyberSecurity for Networks
Displayed name of the event type |
Registration as a Kaspersky Security Center incident |
Corresponding event type code in Kaspersky Industrial CyberSecurity for Networks |
|---|---|---|
Test event (DPI) |
no |
4000000001 |
Test event (NIC) |
no |
4000000002 |
Test event (IDS) |
no |
4000000003 |
Test event (AM) |
no |
4000000004 |
Unauthorized network interaction detected |
no |
4000002601 |
System command detected |
Only events with the Critical severity level |
4000002602 |
No traffic at monitoring point |
no |
4000002700 |
TCP protocol anomaly detected: content substitution in overlapping TCP segments |
yes |
4000002701 |
Process Control rule violation |
Only events with the Critical severity level |
4000002900 |
Intrusion Detection rule from the system set of rules was triggered |
no |
4000003000 |
Intrusion Detection rule from the custom set of rules was triggered |
no |
4000003001 |
Symptoms of ARP spoofing detected in ARP replies |
yes |
4000004001 |
Symptoms of ARP spoofing detected in ARP requests |
yes |
4000004002 |
New device detected in network |
yes |
4000005003 |
New device settings detected |
no |
4000005004 |
IP address conflict detected |
yes |
4000005005 |
Activity detected from asset with Archived status |
no |
4000005006 |
New IP address of device detected |
yes |
4000005007 |
New MAC address of device detected |
yes |
4000005010 |
IP address added to device |
no |
4000005009 |
MAC address added to device |
no |
4000005008 |
IP protocol anomaly detected: data conflict when assembling IP packet |
yes |
4000005100 |
IP protocol anomaly detected: fragmented IP packet size exceeded |
yes |
4000005101 |
IP protocol anomaly detected: the size of the initial fragment of the IP packet is less than expected |
yes |
4000005102 |
IP protocol anomaly detected: mis-associated fragments |
yes |
4000005103 |
PLC Project Control: detected read of unknown block from PLC |
no |
4000005200 |
PLC Project Control: detected read of known block from PLC |
no |
4000005201 |
PLC Project Control: detected write of new block to PLC |
no |
4000005202 |
PLC Project Control: detected write of known block to PLC |
no |
4000005203 |
PLC Project Control: detected read of unknown project from PLC |
no |
4000005204 |
PLC Project Control: detected read of known project from PLC |
no |
4000005205 |
PLC Project Control: detected write of new project to PLC |
no |
4000005206 |
PLC Project Control: detected write of known project to PLC |
no |
4000005207 |
Correlation rule event registered |
Only events with the Critical severity level |
8000000000, 8000000001, 8000000002, 8000000003 |
Maximum number of reported events has been reached |
yes |
– |
User event based on Deep Packet Inspection technology |
Only events with the Critical severity level |
– |
User event based on External technology |
yes |
– |