In Kaspersky Industrial CyberSecurity for Networks, you can configure the types of registered events. Event types define the settings used when registering events, including their titles, descriptions, base scores, and registration settings. The event types provided in the application are displayed under Settings → Event types in the application web interface.
The table of event types contains system event types. These event types are created by the application during installation and cannot be deleted from the list. Various sets of system event types are used for the event registration technologies employed in the application.
Some system event types can be used as the basis for configuring user-defined settings of events that will be used when registering events in specific cases. User settings can be defined for the following event types:
User-defined settings take priority when registering events. The settings defined in system event types are used if no user settings are defined.
The following settings are available for event types:
Code – unique number (identifier) of the event type. In the event types table, the number is displayed together with the event title. In the table of registered events, the event type identifier is displayed in the Event type column.
Base score – initial value for calculating the score of the registered event. If an event type can have different base scores, the maximum value is displayed.
Title – contents of the event title, presented as text and/or variables. System event types may use variables that are specific to those event types (for example, the $systemCommandShort variable in the event type for Command Control technology) or common variables that can also be used in user-defined settings (for example, the $top_level_protocol variable in the event type for Network Integrity Control technology). In the event types table, the title contents are displayed after the event type identifier. In the table of registered events, the text of the title and/or the received values of variables are displayed in the Title column.
Description – additional text that describes the event type. Like the title, a description may contain variables. This setting is not displayed in the event types table (you can view the description in the details area of the selected event type). In the table of registered events, the text of the description and/or received values of variables are displayed in the Description column.
<Recipient connector name> – name of the connector that the application uses to forward events to the recipient system. The application sends recipient systems only those types of events that are configured for forwarding through the connector.
Regeneration period – maximum period of time after which an event is allowed to be registered again. If the conditions for event registration are repeated before the specified time period elapses, a new event is not registered but the counter for the number of repeats of the previously registered event is increased and the date and time of the last occurrence of the event is updated. After this period elapses, the application will register a new event of this type when the event registration conditions are repeated. The repeat event timeout period begins when an event of this type is last registered. For example, if the defined time period is 8 hours and the conditions for registering this type of event are detected two hours after the previous event, a new event will not be registered. A new event will be registered when the event registration conditions are detected after 8 or more hours. This setting is not displayed in the event types table (you can view and configure this setting in the details area of the selected event type).
For registered events, re-registration may occur earlier than the specified regeneration period. Re-registration of an event is allowed before the defined period elapses if the Resolved status is assigned to the event, and if the computer performing Server functions was restarted.
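The regeneration-period behaviour described above, written out as a small model (this is added illustration code, not Kaspersky Industrial CyberSecurity for Networks code): repeats inside the period increment a counter and update the last-occurrence time, the period counts from the registration time of the last registered event, and the Resolved status or a Server restart lift the suppression early. Event type code 101, the timestamps, and the treatment of the two early re-registration conditions as independent triggers are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

@dataclass
class RegisteredEvent:
    code: int                  # event type identifier (the "Code" setting)
    registered_at: datetime    # the regeneration period counts from here
    last_occurrence: datetime  # updated on each repeat inside the period
    repeats: int = 0           # repeat counter kept for the registered event
    status: str = "New"        # "Resolved" lifts the suppression early (assumed status names)

class EventRegistry:
    def __init__(self, regeneration_periods: Dict[int, timedelta]):
        self.periods = regeneration_periods
        self.events: List[RegisteredEvent] = []
        self._latest: Dict[int, RegisteredEvent] = {}  # last registered event per type

    def conditions_detected(self, code: int, now: datetime) -> RegisteredEvent:
        """Called each time the registration conditions for event type `code` are met."""
        prev = self._latest.get(code)
        if (prev is not None and prev.status != "Resolved"
                and now - prev.registered_at < self.periods[code]):
            # Still inside the regeneration period: no new event, only count the repeat.
            prev.repeats += 1
            prev.last_occurrence = now
            return prev
        ev = RegisteredEvent(code, registered_at=now, last_occurrence=now)
        self.events.append(ev)
        self._latest[code] = ev
        return ev

    def server_restarted(self) -> None:
        # After a Server restart the period no longer suppresses re-registration.
        self._latest.clear()

def walkthrough() -> dict:
    """Replays the 8-hour example from the text on constructed timestamps and code 101."""
    t0 = datetime(2024, 1, 1, 0, 0)
    reg = EventRegistry({101: timedelta(hours=8)})
    first = reg.conditions_detected(101, t0)
    again = reg.conditions_detected(101, t0 + timedelta(hours=2))  # 2h later: suppressed
    later = reg.conditions_detected(101, t0 + timedelta(hours=8))  # 8h elapsed: new event
    later.status = "Resolved"
    after_resolve = reg.conditions_detected(101, t0 + timedelta(hours=9))  # early re-registration
    reg.server_restarted()
    after_restart = reg.conditions_detected(101, t0 + timedelta(hours=9, minutes=30))
    return {"same_event_on_repeat": again is first, "repeats": first.repeats,
            "total_registered": len(reg.events),
            "new_after_resolve": after_resolve is not later,
            "new_after_restart": after_restart is not after_resolve}
```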
Save traffic – this setting enables or disables automatic saving of traffic when an event is registered. This setting is not displayed in the event types table (you can view and configure this setting in the details area of the selected event type).
If automatic saving of traffic is disabled, you can manually load traffic some time after an event of this type is registered. When the application receives a request to load traffic, it searches for the relevant network packets in the traffic dump files that it temporarily creates. If matching network packets are found in the traffic dump files, they are first saved in the database and then loaded.