System event types based on Asset Management technology

This section provides a description of system event types associated with Asset Management technology (see the table below).

System event types based on Asset Management technology (AM)

Code

Title of event type

Registration conditions

4000005003

Detected new device with the address $owner_ip_or_mac

Asset Management monitoring mode resulted in the automatic addition of a new device based on a detected IP address or MAC address that has not been specified for other devices in the table.

When registering the event, the application may simultaneously register the risk named Unauthorized device for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $owner_ip_or_mac – IP or MAC address of the device.
  • $asset_name – assigned name of the device.
  • $assigned_mac – assigned MAC address (if defined).
  • $owner_ip – assigned IP address (if defined).
  • $asset_id – ID of the device.

4000005004

Received new information about device with the address $owner_ip_or_mac

Asset Management monitoring mode resulted in the automatic update of device information based on data obtained from traffic.

The following variables are used in the title and description of an event type:

  • $owner_ip_or_mac – IP or MAC address of the device.
  • $asset_name – name of the device.
  • $updated_params – list of updated information.
  • $asset_id – ID of the device.

4000005005

IP address $owner_ip conflict detected

In Asset Management monitoring mode, the application detected the use of an IP address by a different device than the device for which this IP address was specified.

The following variables are used in the title and description of an event type:

  • $owner_ip – IP address.
  • $challenger_asset_name – name of the device that used the IP address.
  • $challenger_mac – MAC address of the device that used the IP address.
  • $asset_name – name of the device in whose settings the IP address was specified.
  • $owner_mac – MAC address of the device in whose settings the IP address was specified.
  • $challenger_ips_list – list of other IP addresses of the device that used the IP address.
  • $asset_id – ID of the device in whose settings the IP address was specified.
  • $challenger_id. – ID of the device that used the IP address.

4000005006

Detected traffic from address $owner_ip_or_mac, which is assigned to a device with the Archived status

In Asset Management monitoring mode or based on data received from an EPP application, activity was detected from a device that was assigned the Archived status.

When registering the event, the application may simultaneously register the risk named Unauthorized device for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $owner_ip_or_mac – IP or MAC address of the device.
  • $asset_name – name of the device.
  • $last_seen_timestamp – date and time when the device was last seen in the network.
  • $asset_id – ID of the device.

4000005007

A new IP address $new_ip_addr was detected for the device with MAC address $owner_mac

In Asset Management monitoring mode, a new IP address used by a device was detected.

The following variables are used in the title and description of an event type:

  • $new_ip_addr – detected IP address.
  • $owner_mac – MAC address of the device.
  • $asset_name – name of the device.
  • $owner_ips_list – list of other IP addresses of the device.
  • $asset_id – ID of the device.

4000005008

MAC address $owner_mac was added to the device with IP address $owner_ip

Asset Management monitoring mode resulted in the automatic addition of a MAC address for a network interface for which only an IP address was specified (the device had the Unauthorized or Archived status).

The following variables are used in the title and description of an event type:

  • $owner_mac – detected MAC address of the device.
  • $owner_ip – IP address of the device.
  • $asset_name – name of the device.
  • $asset_id – ID of the device.

4000005009

IP address $owner_ip was added to the device with MAC address $owner_mac

Asset Management monitoring mode resulted in the automatic addition of an IP address for a network interface for which only a MAC address was specified (the device had the Unauthorized or Archived status).

The following variables are used in the title and description of an event type:

  • $owner_ip – detected IP address of the device.
  • $owner_mac – MAC address of the device.
  • $asset_name – name of the device.
  • $asset_id – ID of the device.

4000005010

Detected new MAC address $new_mac_addr for device with the IP address $owner_ip

Asset Management monitoring mode resulted in the detection of a new MAC address used by a device (autoupdate of address information is disabled for the device).

The following variables are used in the title and description of an event type:

  • $new_mac_addr – detected MAC address.
  • $owner_ip – IP address of the device.
  • $asset_name – name of the device.
  • $asset_id – ID of the device.

4000005011

Change of MAC address $owner_mac to $challenger_mac detected in device information received from EPP application

The MAC address of a device was updated according to data received from an EPP application.

The following variables are used in the title and description of an event type:

  • $owner_mac – old MAC address of the device.
  • $challenger_mac – new MAC address of the device.
  • $asset_name – name of the device.
  • $asset_id – ID of the device.

4000005012

New address information for device $asset_name found in data received from EPP program

New address information of a device was detected in data received from an EPP application. This type of event is registered if a change in device address information was not processed by the application as an event with code 4000005009 or 4000005010.

The following variables are used in the title and description of an event type:

  • $asset_name – name of the device.
  • $unaccepted_epp_addresses – address information.
  • $asset_id – ID of the device.

4000005013

Conflict detected in addresses of devices $conflicted_epp_assets after data received from EPP program

Based on data received from an EPP application, a conflict was detected in the addresses of multiple devices in Kaspersky Industrial CyberSecurity for Networks. According to data from the EPP application, the addresses belong to the same device.

The following variables are used in the title and description of an event type:

  • $conflicted_epp_assets – devices with conflicting addresses detected.
  • $unaccepted_epp_addresses – addresses that belong to the same device.

4000005014

Subnet $subnet_mask added based on data from EPP application

After data was received from an EPP application, a new subnet was automatically added to the list of known subnets. The subnet is added to an address space in which the data source may be the integration server that received data from an EPP application. If there are several of these address spaces available, the application chooses the address space that contains the most suitable subnet for automatically adding a new nested subnet.

The following variables are used in the title and description of an event type:

  • $subnet_mask – subnet address.
  • $subnet_type – subnet type.

4000005200

PLC Project Control: detected read of unknown block from PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected read of an unknown block of a project from a PLC (if there is no saved information about this block).

When registering the event, the application may simultaneously register the risk named Reading unknown block of project from PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name – name of the device.
  • $block_name – name of the block.
  • $saved_date_time – date and time when the operation was detected.

4000005201

PLC Project Control: detected read of known block from PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected read of a known block of a project from a PLC (if there is saved information about this block but the received information does not match the latest saved information about this block).

When registering the event, the application may simultaneously register the risk named Reading known block of a project from PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name – name of the device.
  • $block_name – name of the block.
  • $saved_date_time – date and time when the block was saved in the application.

4000005202

PLC Project Control: detected write of new block to PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected write of an unknown block of a project from a PLC (if there is no saved information about this block).

When registering the event, the application may simultaneously register the risk named Writing new block of project to PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name – name of the device.
  • $block_name – name of the block.
  • $saved_date_time – date and time when the operation was detected.

4000005203

PLC Project Control: detected write of known block to PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected write of a known block of a project from a PLC (if there is saved information about this block but the received information does not match the latest saved information about this block).

When registering the event, the application may simultaneously register the risk named Writing known block of project to PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name – name of the device.
  • $block_name – name of the block.
  • $saved_date_time – date and time when the block was saved in the application.

4000005204

PLC Project Control: detected read of unknown project from PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected read of an unknown project from a PLC (if there is no saved information about this project).

When registering the event, the application may simultaneously register the risk named Reading unknown project from PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name – name of the device.
  • $saved_date_time – date and time when the operation was detected.

4000005205

PLC Project Control: detected read of known project from PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected read of a known project from a PLC (if there is saved information about this project but the received information does not match the latest saved information about this project).

When registering the event, the application may simultaneously register the risk named Reading known project from PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name – name of the device.
  • $saved_date_time – date and time when the project was saved in the application.

4000005206

PLC Project Control: detected write of new project to PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected write of a new project to a PLC (if there is no saved information about this project).

When registering the event, the application may simultaneously register the risk named Writing new project to PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name – name of the device.
  • $saved_date_time – date and time when the operation was detected.

4000005207

PLC Project Control: detected write of known project to PLC $asset_name

PLC Project Control read/write monitoring resulted in a detected write of a known project to a PLC (if there is saved information about this project but the received information does not match the latest saved information about this project).

When registering the event, the application may simultaneously register the risk named Writing known project to PLC for this device. In this case, the risk is associated with the event.

The following variables are used in the title and description of an event type:

  • $asset_name – name of the device.
  • $saved_date_time – date and time when the project was saved in the application.

4000000004

Test event (AM)

A test network packet was detected (with the device activity detection method enabled).

Page top